FAQ

Who is Open Kernel Labs?

Open Kernel Labs products and services enable companies who are creating embedded systems to deliver more complex and trustworthy devices in less time and at lower cost.

When OEMs, Service Providers, and others create embedded systems, they need off-the-shelf software capabilities and tools to overcome the challenges resulting from ever-increasing system and software complexity. We supply software products and related professional services that address these needs.

As an innovator, we are committed to providing an evolutionary path to dramatic improvement in embedded systems software. We deliver on our commitment by enabling incremental migration from existing software systems to a new architecture, which is based on the composition of complex embedded systems software from simpler components.

We are enabled by our uniquely structured collaboration with a leading embedded systems software research organization, NICTA, to commercialize research results and rapidly bring to market the new capabilities required to enable the transition to this improved architecture.

Stay Informed with OK Alerts

▲ Back to Top

What does Open Kernel Labs provide?

Today, OK Labs provides a trustworthy and flexible device software integration framework for embedded systems, called OKL4. With its ability to partition complex software securely, OKL4 improves reliability, security, and development efficiency. At the same time, it provides centralized management of shared hardware resources, including the CPU and high performance communication between isolated partitions, maintaining required levels of performance.

OK Labs also offers services, training, and support to help its clients realize maximum value from their adoption of OKL4.

In the future, our investment in research and our collaboration with NICTA will provide new products, new services, and enhancements to OKL4. Derived from cutting-edge embedded system software research, OK Labs products and services will provide further reliability, security, and productivity benefits for companies developing embedded systems. The OK Labs product line allows for ever-increasing complexity without resorting to the brute force application of more and more development resources.

▲ Back to Top

What needs, challenges, or problems does OKL4 specifically address?

Adding Linux to a device to provide an open application environment

It is important to note that virtualization is only one capability of OKL4; however, one of its best applications is virtualization in embedded application. OKL4 enables the addition of an open application environment, such as linux, to a previously closed device. Virtualization allows the existing proven software to run in one virtual machine and the open Linux environment to run in another. In this case, it is essential that the virtual machines be isolated from one another to prevent added risks to reliability and security. If the virtual machine is not isolated, the proven reliability and security of the legacy software environment is compromised. For Linux and other GPL licensed operating systems, some development projects require that certain software IP be kept in an execution environment isolated from the Linux OS environment. This is frequently a part of company IP management policy. OKL4 satisfies this requirement when used as a hypervisor.

OKL4 support for Linux virtual machines is available today. Support for additional operating systems within a virtual machine is also available, through either the OKL4 product roadmap or OK Labs professional services.

Improving Security

Today's developers face stringent security requirements, that can be costly, time consuming, and introduce risk. OKL4 supports device security, thereby reducing cost, time, and risk by:

  • Adding fine grained partitioning/isolation
  • Controlling information flow
  • Securing resource management
  • Running security critical software in an execution environment with a much smaller trusted computing base which can be made more trustworthy more easily than a full operating system environment

Partitioning for Reliability and Reduced Development Cost/Time/Risk

OKL4 allows for the decomposition of a complex software system into a number of less complex sub-systems. With OKL4, each subsystem becomes isolated in its own protected execution domain. This strengthens fault isolation and makes each subsystem less complex, both of which contribute to a more reliable system. Changing the complexity and fault isolation profile of the design not only makes it more reliable as shipped but also makes it easier to debug during the development process.

Design Using Complimentary Operating Systems (Real-Time and Rich Ecosystem)

Real-time operating systems offer a level of hard real-time capability that some applications require and that is difficult to achieve when using more general-purpose application operating systems. Application operating systems (Linux and Windows in particular) enable access to a rich ecosystem of complementary capabilities, flexible GUIs, and connectivity support for enterprise systems that far exceeds what is available with a real-time operating system. For many applications, combining a hard real-time capable RTOS and an application OS on the same processor is the most cost-effective way to satisfy device requirements.

Software Reuse Enablement

OKL4 increases software reuse by making it easier to combine software developed for different operating systems, or operating system versions, together safely in the same device. By allocating a virtual machine for each OS or OS version, OKL4 eliminates the need to port the legacy code in order to reuse it.

Multiple Processor Consolidation to Reduce Cost

Although they are safely isolated, there is increased cost associated with running multiple applications on physically separate processors. OKL4 allows a single processor to support multiple isolated virtual machines, which reduces cost without compromising safety.

▲ Back to Top

How does OKL4 compare to other alternatives when used as a hypervisor to provide system virtualization in an embedded system?

Since every hypervisor (aka virtual machine monitor) solution is a unique combination of characteristics and capabilities, the best way to answer this is to identify the things that differentiate OKL4 from one or more of the alternatives.

Isolation with Performance

OKL4 completely isolates each virtual machine (VM) in a separate address space. For additional reliability and security, it runs the guest operating system for that VM entirely at a user privilege level. At the same time, OKL4 allows applications running in those VMs to achieve a level of performance that is within a few percent of the performance level when run on the same processor and OS without virtualization. Highly optimized inter-process communication (IPC) is the key to OKL4's ability to deliver high levels of system performance with fully isolated virtual machines.

Minimum Privileged Code

OKL4 is implemented using microkernel architecture, which means a core focus of the design and implementation is minimizing the amount of code that runs at a privileged level of execution (sometimes called kernel mode, supervisor mode, etc.). The benefits of this approach are increased security and reliability. Since code that runs in a privileged mode of execution has access to all system resources, the trustworthiness of that code is a key to the reliability and security of the system. By keeping this critical code small in an OKL4 system, it is much easier to insure that it is trustworthy.

Virtualization and Direct Execution

More than just a hypervisor, OKL4 provides the option of running software directly in a lightweight execution environment that enjoys the same level of isolation as a virtual machine. By providing only those services required by the application running in an OKL4 execution environment, instead of the full services of a rich embedded operating system, the application gains the security and reliability benefits of a much smaller trusted computing base (more on trusted computing base later).

Flexible Granularity of Partition

Traditional virtualization solutions only allow you to divide the system at the level that includes both operating systems and their applications within each partition. OKL4 allows you to decompose software systems at an arbitrarily fine level of granularity, allowing greater flexibility in optimizing that decomposition for the specific requirements of your application.

Unmatched Support for Security

The virtualization provided by OKL4 is very secure. The OKL4 roadmap enhances support for secure systems with a number of new features that significantly extend the basic support for security beyond what most hypervisors provide. The majority of virtualization solutions either allow a VM to communicate freely with other VMs, or not at all. Some solutions might go a step further and allow you to only restrict which the communitation between VMs and another specific VM. .In contrast, OKL4 will allow you to control communication privileges at a much lower level of granularity. For example, you could allow communication between a specific Linux Daemon and a specific service of a real-time operating system (RTOS) running in another VM, but otherwise prevent communication between the Linux VM and the RTOS VM.

Openness of Source Code

The source code for OKL4 is freely available for inspection and use under an open source license. Use of OKL4 under the open source license requires that the source code for the software using OKL4 also be made freely available. In the event you do not want to make your source code freely available, you can purchase a proprietary use license for OKL4.

▲ Back to Top

What is the "trusted computing base" and why should I care about it?

Wikipedia defines the trusted computing base as follows:

The trusted computing base (TCB) of a computer system is the set of all hardware, firmware, and software components that are critical to its security. Bugs occurring inside the TCB might jeopardize the security properties of the entire system.

Reducing the size of the TCB, which reduces the likelihood of bugs within the TCB, improves the overall security of a computer system.All code that runs in the privileged mode of the underlying processor is part of the TCB; however, the TCB almost always includes other software as well. For example, in a Linux system, any daemon running as root would be part of the TCB.

The TCB is always relative to a particular program since different programs depend on different things. The TCB of a system generally refers to the total combination of TCBs from all of its programs. Developers looking to provide more secure environments for particular programs should strive to place those programs in an environment with a small TCB. OKL4 offers exactly that capability. It allows such programs to exist in a small TCB execution environment alongside a full operating system environment with a much larger TCB.

▲ Back to Top

What specific device types or applications benefit from using Open Kernel Labs products?

The solutions provided by Open Kernel Labs are important in just about every type of embedded system and embedded system application.

The addition of Linux as an open application environment is of particular interest in many applications today, including mobile phones, home and mobile media players, mobile Internet devices, and digital TV. The addition of Linux needs to be in a manner that allows core device functions to remain 100% reliable and secure. OKL4 is an excellent framework for satisfying this requirement.

The use of OKL4 to provide system virtualization is particularly useful for mobile devices, consumer electronics, industrial automation, medical electronics, and telecom/datacom infrastructure.

With the software content of many embedded systems at, or rapidly approaching, millions of lines of code, reliability and security have become more difficult to achieve. The use of OKL4 to improve reliability and security, based on secure decomposition of complex software, is applicable to a wide range of embedded system applications across a variety of industries.

▲ Back to Top

Is OKL4 an alternative to other commercially provided and open source operating systems available for use in embedded systems development?

OKL4 will almost always be used in a complementary way, alongside more full-featured operating systems. When used purely for system virtualization, OKL4 creates and maintains the virtual machines and provides the high performance communication mechanisms needed between them. The role of other operating systems remains almost the same as if virtualization were not part of the system design.

When OKL4's lightweight execution environment is used to support selective decomposition of a complex system, it complements more full-featured operating systems by providing an additional execution environment with a smaller trusted computing base. Using OKL4 in this way, with select applications residing in lightweight execution environments, improves system reliability and security. The strengths of these operating systems lie in the comprehensive set of services they provide and their ability to support a broad range of applications. The strength of OKL4 is in complementing these capabilities. OKL4 provides support for more secure and reliable system architecture based on selectively partitioning the system and allowing OKL4 to furnish an execution environment for selected subsystems. This is where the reliability and security benefits of a reduced trusted computing base have the biggest payoff.

▲ Back to Top

Is OKL4 Open Source?

OKL4 is dual licensed. The source code for OKL4 is freely available for inspection and use under an open source license. Use of OKL4 under the open source license requires that the source code for the software using OKL4 also be made freely available. In the event you do not want to make your source code freely available, you can purchase a proprietary use license for OKL4.

▲ Back to Top

How big is the memory footprint of OKL4?

As a software solution specifically developed for embedded systems, OKL4 is designed to use as little memory as possible. The minimum memory footprint for an OKL4 system is 112KB plus an additional amount of memory that depends on the scale of the system. As an example, a system with approximately 200 threads spread across 40 protected domains (lightweight execution environments) will use about 400 KB of memory. When used for system virtualization, the memory footprint of any guest operating systems would add to this total.

Two things can be better understood by looking at the original context. First, quantifying the real memory requirements of a hypervisor requires understanding both the fixed (or static) memory requirements and the variable (or dynamic memory requirements). The memory footprint of OKL4 memory footprint is 112Kbytes plus some amount that depends on the parameters of the system in which OKL4 is being used. Without making assumptions about the number of address spaces and other characteristics you cannot calculate the actual memory footprint.

When comparing software options you also need to consider the point at which differences in memory footprint become a secondary concern. Software written in assembly language, for example, will be smaller than the same functionality written in C but a high level language implementation is easier to use, understand, maintain, and extend. Carefully considering the functionality of the options being compared is also important. As a general purpose microkernel with virtualization capability, rather than a hypervisor-only implementation, OKL4 includes the ability to execute native applications directly. This provides flexibility and value to the developer that is well worth a little extra memory consumption in the majority of cases. We should also remember that performance and security/reliability and important characteristics for embedded applications. Using a little more memory in order to boost performance or enhance security is often the right design decision.

▲ Back to Top

How does using OKL4 to provide system virtualization impact the memory requirements of a system?

In general, the memory requirements for each virtual machine running an operating system and a set of applications is very close to the memory requirements for running that same operating system and set of applications directly on the hardware. Virtualization does involve maintaining copies of some operating system structures like page stables and thread control blocks within OKL4. This "virtualization overhead" scales with the number of processes (address spaces) created by the guest operating system as the result of duplication of associated page tables in OKL4. However, in any real system, the memory requirements associated with this "virtualization overhead" are an insignificant contributor to the overall system memory requirements.

▲ Back to Top

What is the overhead of virtualization on an application?

This can vary significantly based on the characteristics of specific systems and the way in which the capabilities of OKL4 are being used. OK Labs has run Linux AIM benchmarks and produced results showing that the performance for an application running on Linux, in an OKL4 virtual machine, is within 4% of native application performance. We recommend evaluating OKL4 with your specific use case to understand how virtualization impacts performance and what can be done to optimize it.

▲ Back to Top

What is involved in para-virtualizing an operating system so that it can be run in an OKL4 virtual machine?

A virtualized operating system runs de-privileged and therefore does not have access to physical hardware resources, nor is it able to execute special 'supervisor' instructions. Para-virtualizing an operating system conceptually modifies the operating system source code so that privileged operations are replaced with suitable calls to the OKL4 API. This allows the OKL4 API to perform equivalent functionality on the guest operating system's behalf.

The key subsystems within an operating system that are typically modified during para-virtualization include bootstrap, virtual-memory subsystem, and interrupt & exception entry/exit paths. The most significant part of the engineering effort centers on modifying the virtual-memory subsystem, which includes page-table and cache management.

Note: Typical operating system code bases are structured so that processor architecture-dependent code is separated out from architecture-independent code. As a result, para-virtualizing an operating system often involves modifications only to the processor architecture-dependent code. In effect, the operating system is being ported to the 'OKL4' architecture. One beneficial result is that, because the OKL4 API abstracts most of the peculiarities of a certain hardware platform, once a legacy operating system is para-virtualized to the OKL4 architecture, it automatically becomes much more portable

▲ Back to Top

What operating systems can run in a virtual machine using OKL4?

Linux is supported for use in an OKL4 virtual machine. Other operating systems can be supported after para-virtualization for use with OKL4. Support for additional operating systems within a virtual machine will be made available through additions to the OK Labs product offering over time and via OK Labs professional services.

▲ Back to Top

What Linux distributions and kernel versions can run in an OKL4 virtual machine?

The shortest path to use a particular Linux distribution in an OKL4 virtual machine is by replacing the Linux kernel with an OKL4 para-virtualized kernel, referred to as OK Linux. This means that OKL4 users have the flexibility to choose from a wide range of distributions. Since OK Linux maintains binary compatibility, all the applications installed by a particular Linux distribution will work out of the box with the OK Linux kernel.

If a particular distribution includes Linux kernel modifications maintained by the author of that distribution, some additional work will be required if those modifications are important to the use of that distribution with OKL4.

▲ Back to Top

What processors or SoCs are supported by OKL4?

OKL4 processor support is best described on the bases of supported architectures, supported families, and supported individual devices.

OKL4 architecture support currently includes ARM, x86, and MIPS processor architectures.>

OKL4 processor family support currently includes ARMv4, ARMv5, ARMv6, x86 including Atom, MIPS32, MIPS34 and MIPS R4000.

At the individual device level, support is available for many specific devices including the following: ARM Versatile Board ASIC (ARM 926EJ-S), STMicroelectronics STn8815 (ARM926EJ-S), Samsung S3C2410 (ARM920T), Freescale i.MX31 (ARM1136JS), TI TMS320DM6467, Intel PXA255 (XScale), Intel PXA270 (XScale), Intel Atom. New device support is always being added so checking with Open Kernel Labs when you have a specific requirement is always advised.

OKL4 technology is highly portable at the processor architecture, processor family, and specific device level. The OKL4 SoC SDK allows development of support for specific devices (i.e. SoCs) as an extension to the processor architecture and processor family support provided in the standard OKL4 product. This portability allows Open Kernel Labs to create specific SoC support "on demand" as required by our customers.

▲ Back to Top

Can OKL4 be used with MMU-less processors?

Currently, OKL4 only runs on processors with MMUs. Since security is a first-class requirement and not a configuration option for OKL4, the use of an MMU to enforce boundaries between protected domains has been central to the design of the OKL4 system. However, depending on market demand, OKL4 could be ported to an MMU-less processor in the future.

▲ Back to Top

What happens if I need to use OKL4 on a processor that is not currently supported?

Bring it on! Open Kernel Labs is happy to work with customers to add specific processor support that is required for their project.

▲ Back to Top

How long has Open Kernel Labs been in business?

Open Kernel Labs has been in business since August 2006. However, while still part of National ICT Australia (NICTA), the OK Labs team was commercially supporting users of OKL4 technology prior to the date that OK Labs was spun out as a separate company. It is also important to note that development activity related to OKL4 has been taking place for over 13 years.

▲ Back To Top