Microkernels vs hypervisors
I get asked this question a lot: what is the difference between a hypervisor and a microkernel? Frequently the question is accompanied by competitor-planted bullshit such as: isn’t it better to use a hypervisor for virtualization, as it is specifically designed for that, while a microkernel isn’t? But the question also pops up at scientific meetings, such as this week’s IIES workshop.
The short answer is that a microkernel is a possible implementation of a hypervisor (the right implementation, IMHO), but can do much more than just providing virtual machines.
For the long answer we have to dig a bit deeper, as the two have different motivations:
- A hypervisor, also called a virtual-machine monitor, is the software that implements virtual machines. It is designed for the sole purpose of running de-privileged “guest” operating systems on top (except for the deceptive pseudo-virtualizers). As such it is (or contains) a kernel (defined as software running in the most privileged mode of the hardware).
- A microkernel is a minimal base for building arbitrary systems (including virtual machines). It is characterised as containing the minimal amount of code that must run in the most privileged mode of the hardware in order to build arbitrary (yet secure) systems.
So the primary difference between the two is purpose, and that has implications on structure and APIs.
By definition (the generality requirement), a microkernel can be used to implement a hypervisor. This is what we are doing with OKL4, and has been done with various members of the L4 microkernel family for over ten years. In fact, the 1997 SOSP paper by Härtig et al was the first to demonstrate a high-performance para-virtualized main-stream OS (Linux), and there are no published data showing a para-virtualized Linux on ARM processors that out-performs OK Linux. Obviously, (well-designed) microkernels are an excellent base for hypervisors.
How about the other way round? Can a hypervisor be used to implement a microkernel?
In general not. As said above, a hypervisor is designed for a single purpose, and that is to run guest OSes. It could be used to virtualize a microkernel, but that isn’t the same (and would certainly result in sucking performance).
The reason is that a hypervisor generally lacks the minimality of a microkernel. While less powerful (in the sense that it doesn’t have the generality of a microkernel), it typically has a much larger trusted computing base (TCB) than a microkernel. It contains all the virtualization logic, and all physical device drivers needed to support the virtual machines. For example, the Xen hypervisor itself is about 5–10 times the size (in LOC) of the OKL4 microkernel. In addition, it has the privileged special virtual machine “Dom0”, which contains a complete Linux system, all part of the TCB (which is therefore of the order of a MLOC). Compare this to OKL4, which lets you run security-critical code with a TCB as small as 15kLOC. A small TCB is important for safety, security and reliability (it’s a consequence of the security principle of least authority, POLA), and as such especially important in mission-critical embedded systems.
So, what about the people who claim “virtual machine monitors are microkernels done right?”, as (Xen co-inventor) Steven Hand did tongue-in-cheek at HotOS’05? Steven essentially claims that the microkernel folks have been focussing on the wrong things, such as fast IPC. I debunked his arguments in a follow-up paper. At that HotOS workshop I also predicted that the VMM folks only pretended that IPC didn’t matter, and that within two years they would be writing papers about fast communication between VMs (a problem microkernels solved 15 years ago). I was right, of course.
And the reality is that hypervisors are starting to become more like microkernels. People are starting to discover that virtualization by itself doesn’t solve many problems, particularly the security and reliability issues resulting from mushrooming complexity. (For an overview of those issues see my recent paper on the role of virtualization in embedded systems.) Anyone who has recently heard a talk by VMware founder Mendel Rosenblum knows what I mean. In fact, when he gave his keynote at last year’s Usenix conference, he was asked (not by a microkernel guy!) “aren’t you re-inventing microkernels?” Touché…
If even the “memory is cheap” server folks are discovering the importance of a small TCB, people who want to use virtualization in embedded systems should certainly take notice.
In summary, microkernels have demonstrated that they can do what hypervisors can. But hypervisors are far away from doing what microkernels can. And the most powerful of those is to make your TCB truly trustworthy. For the foreseeable future, this is only possible with microkernels.
The conclusion seems obvious: microkernels are virtual-machine monitors done right, and more.
To learn more, see some of my recent white papers:
- Secure embedded systems need microkernels
- Your system is secure? Prove it!
- Towards trustworthy computing systems: taking microkernels to the next level
as well as my recent blogs, specifically
- Trusted vs trustworthy computer systems
- Who is hacking your pacemaker? Or your brakes?
- Dreamliner security issue highlights need for bullet-proof OS technology