Summary
- The role of a device driver is providing mechanism, not policy
- Almost everything in Unix can be treated as a file
- When possible, driver writers should avoid encoding security policy in their code
Outline
- The Role of the Device Driver
- Splitting the Kernel
- Loadable Modules
- Classes of Devices and Modules
- Security Issues
Intro
- Device drivers
- They are distinct “black boxes” that make a particular piece of hardware respond to a well-defined internal programming interface
- They completely hide the details of how the device works
- User activities are performed by means of a set of standardized calls that are independent of the specific driver
- Each driver is different; as a driver writer, you need to understand your specific device well
The Role of the Device Driver
the role of a device driver is providing mechanism, not policy
One of Unix's design philosophies is to separate "mechanism" from "policy", which makes software easier to develop and to adapt to different needs. A driver should concentrate on providing mechanism and should not impose a particular usage policy.
A driver should stay as policy-free as possible, giving access to the hardware's capabilities without adding extra constraints. For example, supporting both synchronous and asynchronous operation and allowing the device to be opened more than once are typical traits of a policy-free driver.
Most programming problems can indeed be split into two parts:
- “what capabilities are to be provided” (the mechanism)
- “how those capabilities can be used” (the policy)
Since different environments usually need to use hardware in different ways, it’s important to be as policy-free as possible
- A driver, then, is flexible if it offers access to the hardware capabilities without adding constraints
- Being policy-free is actually a common target for software designers
Splitting the Kernel
The Linux kernel's role can be divided into several parts: process management, memory management, filesystems, device control, and networking. Device drivers are responsible for device control.
- In a Unix system, several concurrent processes attend to different tasks. Each process asks for system resources
- The kernel is the big chunk of executable code in charge of handling all such requests
The kernel’s role can be split:
- Process management
  - creating & destroying processes and handling their connection (I/O)
  - communication among different processes (through signals, pipes, or interprocess communication primitives)
  - scheduler, which controls how processes share the CPU
- Memory management
  - builds up a virtual addressing space for any and all processes
  - different parts of the kernel interact with the memory-management subsystem through a set of function calls (e.g., malloc/free...)
- Filesystems
  - Unix is heavily based on the filesystem concept; almost everything in Unix can be treated as a file
  - The kernel builds a structured filesystem on top of unstructured hardware
  - Linux supports multiple filesystem types, that is, different ways of organizing data on the physical medium (e.g., EXT3...)
- Device control
  - The kernel must have embedded in it a device driver for every peripheral present on a system
  - This aspect of the kernel’s functions is our primary interest in this book.
- Networking
  - Networking must be managed by the operating system, because most network operations are not specific to a process
  - Incoming packets are asynchronous events. The packets must be collected, identified, and dispatched before a process takes care of them.
  - The system is in charge of delivering data packets across program and network interfaces
  - Additionally, all the routing and address resolution issues are implemented within the kernel
Loadable Modules
Linux supports loading and unloading functional modules (loadable modules) at runtime, so kernel functionality can be extended without rebooting the system. Device drivers are usually shipped as such modules.
- Each piece of code that can be added to the kernel at runtime is called a module
- Each module is made up of object code (not linked into a complete executable) that can be dynamically linked to or unlinked from the running kernel by the program
- A module is said to belong to a specific class according to the functionality it offers
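As an added example (not from these slides or from LDD3), here is a user-space C program that parses the /proc/modules listing, the same data lsmod prints, to show what "linked to the running kernel" looks like from outside: each loaded module's size, reference count, dependents and state. The sample listing embedded in the program is a constructed one, not captured from a real host; the module names in it are only illustrative.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 64

/* One entry of the /proc/modules listing that lsmod reads. */
struct kmod {
    char name[64];
    unsigned long size;   /* bytes of kernel memory the module occupies */
    int refcount;         /* number of users/modules holding a reference */
    char deps[128];       /* comma-terminated list of dependent modules, or "-" */
    char state[16];       /* Live, Loading or Unloading */
};

/* Parse one line: "name size refcount deps state address".
 * Returns 1 on success, 0 if the line does not have that shape. */
int parse_module_line(const char *line, struct kmod *m)
{
    char addr[32];
    int n = sscanf(line, "%63s %lu %d %127s %15s %31s",
                   m->name, &m->size, &m->refcount, m->deps, m->state, addr);
    return n == 6;
}

/* Parse a whole listing into mods[]; malformed lines are skipped.
 * Returns the number of entries stored. */
int parse_modules(const char *text, struct kmod *mods, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && parse_module_line(line, &mods[n]))
            n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

/* A module nothing references (refcount 0, no dependents) is one that
 * rmmod could unlink from the running kernel right now. */
int count_unreferenced_in(const char *text)
{
    struct kmod mods[MAX_MODULES];
    int n = parse_modules(text, mods, MAX_MODULES), i, count = 0;
    for (i = 0; i < n; i++)
        if (mods[i].refcount == 0 && strcmp(mods[i].deps, "-") == 0)
            count++;
    return count;
}

/* Reference count of a named module, or -1 if it is not in the listing. */
int module_refcount_in(const char *text, const char *name)
{
    struct kmod mods[MAX_MODULES];
    int n = parse_modules(text, mods, MAX_MODULES), i;
    for (i = 0; i < n; i++)
        if (strcmp(mods[i].name, name) == 0)
            return mods[i].refcount;
    return -1;
}

/* Constructed sample in /proc/modules format (not captured from a real host). */
static const char SAMPLE_PROC_MODULES[] =
    "nf_nat 57344 1 xt_MASQUERADE, Live 0x0000000000000000\n"
    "nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000\n"
    "xt_MASQUERADE 20480 0 - Live 0x0000000000000000\n"
    "usbhid 65536 0 - Live 0x0000000000000000\n";

int main(void)
{
    struct kmod mods[MAX_MODULES];
    int n = parse_modules(SAMPLE_PROC_MODULES, mods, MAX_MODULES), i;
    for (i = 0; i < n; i++)
        printf("%-16s refcount=%d state=%s dependents=%s\n",
               mods[i].name, mods[i].refcount, mods[i].state, mods[i].deps);
    printf("%d module(s) could be unloaded\n",
           count_unreferenced_in(SAMPLE_PROC_MODULES));
    return 0;
}
```

Feeding parse_modules the contents of the real /proc/modules turns this into a live inventory, which is a useful baseline when checking that nothing unexpected has been linked into a running kernel.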
Classes of Devices and Modules
Linux divides devices into three major classes: character devices, block devices, and network interfaces. Each class has a different driver interface.
Each module usually implements one of these types, and thus is classifiable as a char module, a block module, or a network module
- Character Devices
  - A character (char) device is one that can be accessed as a stream of bytes (like a file)
  - Char devices are accessed by means of filesystem nodes, such as /dev/tty1 and /dev/lp0
- Block Devices
  - Block devices are accessed by filesystem nodes in the /dev directory
  - In most Unix systems, a block device can only handle I/O operations that transfer one or more whole blocks, which are usually 512 (or a larger power of two) bytes in length
  - Block drivers have a completely different interface to the kernel than char drivers
- Network Interfaces
  - A network interface is in charge of sending and receiving data packets, driven by the network subsystem of the kernel
  - Communication between the kernel and a network device driver is completely different from that used with char and block drivers
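To make the "everything is a file" point concrete, an added example that is not part of the original slides: a user-space C program that asks the kernel, through the ordinary stat() and read() calls, whether a path is a char device, a block device, or something else, and reports the major/minor numbers that route the node to its driver. It assumes a Linux host with glibc or musl (for <sys/sysmacros.h>) and uses /dev/null, /dev/tty1 and /dev/lp0 as default paths; whichever of them are absent are simply reported as such.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>   /* major()/minor() on glibc and musl */

enum dev_class { DEV_ERROR = -1, DEV_OTHER = 0, DEV_CHAR = 1, DEV_BLOCK = 2 };

struct dev_info {
    enum dev_class cls;
    unsigned maj, min;   /* device numbers, meaningful only for char/block nodes */
};

/* Ask the kernel what kind of object a filesystem node is. stat() works the
 * same way on a device node as on a regular file; the type bits in st_mode
 * and the st_rdev field are where the "device-ness" shows up. */
struct dev_info inspect_node(const char *path)
{
    struct dev_info info = { DEV_ERROR, 0, 0 };
    struct stat st;
    if (stat(path, &st) != 0)
        return info;
    if (S_ISCHR(st.st_mode))
        info.cls = DEV_CHAR;
    else if (S_ISBLK(st.st_mode))
        info.cls = DEV_BLOCK;
    else
        info.cls = DEV_OTHER;
    if (info.cls != DEV_OTHER) {
        info.maj = major(st.st_rdev);   /* selects the driver */
        info.min = minor(st.st_rdev);   /* selects the device within the driver */
    }
    return info;
}

enum dev_class classify_path(const char *path)
{
    return inspect_node(path).cls;
}

/* Read up to n bytes from a node with the ordinary read() call, exactly as a
 * program would read a regular file. Returns bytes read, or -1 on error. */
long read_stream(const char *path, size_t n)
{
    char buf[256];
    long got;
    int fd;
    if (n > sizeof buf)
        n = sizeof buf;
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    got = (long)read(fd, buf, n);
    close(fd);
    return got;
}

static const char *class_name(enum dev_class c)
{
    switch (c) {
    case DEV_CHAR:  return "char device";
    case DEV_BLOCK: return "block device";
    case DEV_OTHER: return "not a device node";
    default:        return "not present";
    }
}

int main(int argc, char **argv)
{
    const char *defaults[] = { "/dev/null", "/dev/tty1", "/dev/lp0", "/" };
    int i, count = argc > 1 ? argc - 1 : 4;
    for (i = 0; i < count; i++) {
        const char *path = argc > 1 ? argv[i + 1] : defaults[i];
        struct dev_info d = inspect_node(path);
        if (d.cls == DEV_CHAR || d.cls == DEV_BLOCK)
            printf("%-12s %s (major %u, minor %u)\n", path, class_name(d.cls), d.maj, d.min);
        else
            printf("%-12s %s\n", path, class_name(d.cls));
    }
    return 0;
}
```

The same open()/read()/stat() calls serve a tty, a printer port and a regular file; only the kernel-side dispatch on the node's type and major number differs, which is exactly the "standardized calls independent of the specific driver" idea from the introduction.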
Security Issues
Driver writers should avoid encoding security policy in their code and leave those questions to higher levels of management. Even so, some operations, such as setting an interrupt line or loading firmware, still require privilege checks inside the driver.
- Any security check in the system is enforced by kernel code. If the kernel has security holes, then the system as a whole has holes
- The system call "init_module" checks if the invoking process is authorized to load a module into the kernel
When possible, driver writers should avoid encoding security policy in their code
- Security is a policy issue that is often best handled at higher levels within the kernel, under the control of the system administrator
As a device driver writer, you should be aware of some situations:
- device operations that affect global resources (such as setting an interrupt line)
- device operations that could damage the hardware (such as loading firmware...)
- device operations that could affect other users (such as setting a default block size on a tape drive)
- These checks must be made in the driver itself
you should avoid running kernels compiled by an untrusted friend
- A maliciously modified kernel could allow anyone to load a module, thus opening an unexpected back door via "init_module".
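An added example, not from the slides: a user-space C audit of the two conditions the kernel itself applies before init_module will load anything, namely CAP_SYS_MODULE in the caller's effective capability set and the kernel.modules_disabled sysctl being 0. It is written from the defender's side: it parses the CapEff line of /proc/self/status (the embedded status fragments are constructed samples), reads /proc/sys/kernel/modules_disabled, and reports the verdict the kernel would reach. Linux is assumed; the capability number 16 for CAP_SYS_MODULE is the kernel's own value.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifndef CAP_SYS_MODULE
#define CAP_SYS_MODULE 16   /* capability number, as in <linux/capability.h> */
#endif

/* Extract the effective capability mask from /proc/self/status text.
 * Sets *ok to 0 if no CapEff line is present. */
uint64_t parse_cap_eff(const char *status, int *ok)
{
    const char *line = status;
    *ok = 0;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            *ok = 1;
            return strtoull(line + 7, NULL, 16);   /* skips the tab */
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return 0;
}

int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* 1 if the status text grants cap, 0 if not, -1 if it has no CapEff line. */
int status_has_cap(const char *status, int cap)
{
    int ok;
    uint64_t eff = parse_cap_eff(status, &ok);
    return ok ? mask_has_cap(eff, cap) : -1;
}

/* Live query on this process; -1 if /proc is unavailable. */
int self_has_effective_cap(int cap)
{
    char buf[8192];
    size_t n;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, cap);
}

/* kernel.modules_disabled: 1 = loading locked until reboot, 0 = allowed,
 * -1 = sysctl not readable here. */
int read_modules_disabled(void)
{
    int v = -1;
    FILE *f = fopen("/proc/sys/kernel/modules_disabled", "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

enum load_verdict { LOAD_ALLOWED, LOAD_DENIED_NO_CAP, LOAD_DENIED_LOCKED, LOAD_UNKNOWN };

/* The decision init_module itself makes, kept pure so it can be tested:
 * the sysctl lock wins over everything, then the capability check. */
enum load_verdict init_module_verdict(int has_cap, int disabled)
{
    if (disabled == 1)
        return LOAD_DENIED_LOCKED;
    if (has_cap == 0)
        return LOAD_DENIED_NO_CAP;
    if (has_cap == 1 && disabled == 0)
        return LOAD_ALLOWED;
    return LOAD_UNKNOWN;
}

/* Constructed /proc/self/status fragments (not captured from a real host). */
static const char SAMPLE_STATUS_PRIVILEGED[] =
    "Name:\tbash\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n";
static const char SAMPLE_STATUS_UNPRIVILEGED[] =
    "Name:\tbash\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";

int main(void)
{
    static const char *names[] = { "allowed", "denied: no CAP_SYS_MODULE",
                                   "denied: modules_disabled=1", "unknown" };
    int cap = self_has_effective_cap(CAP_SYS_MODULE);
    int locked = read_modules_disabled();
    printf("CAP_SYS_MODULE effective: %d, modules_disabled: %d -> init_module %s\n",
           cap, locked, names[init_module_verdict(cap, locked)]);
    return 0;
}
```

Setting kernel.modules_disabled to 1 once boot-time drivers are loaded closes the init_module path for every process until reboot; that is the kind of higher-level, administrator-controlled policy the slides recommend keeping out of individual drivers.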
Reference
- Device Driver Tutorial
- Linux Device Drivers — Chapter One
- Linux Device Driver – Introduction
- ChatGPT-4o: Chinese translation and summary