Introduction
Modern processor architectures have dramatically simplified the design of operating
systems and provide efficient mechanisms for building advanced software abstractions.
High-frequency CPUs, large low-latency memories, Memory Management Units,
protection mechanisms, register windows, the enhanced pipelines of RISC architectures,
the large address spaces of 64-bit architectures, and increasingly complex and efficient
communication devices are among the features that make today's applications possible.
However, until recently, smart card-oriented processors (like the ATMEL6464, ST22 or
Infineon 66) had very limited features. Memory was very scarce, especially RAM;
most processors were 8-bit architectures without pipelines; the communication interface
was reduced to its simplest form; timers rarely existed; no memory management support
was provided; etc. The main explanation for this situation is that, up to now,
smart card applications have been very limited: checking a PIN code, managing a small
address book, keeping track of the last banking transactions, ciphering. To keep the
system small and efficient, applications are generally integrated within a very simple
operating system. Moreover, the application model is also very limited: applications are
actually sets of commands that are executed sequentially on demand by the terminal. The
smart card device is rarely addressed directly, and real-time constraints are not a
concern. For all these reasons, hardware requirements were not very strong and the
choice of processor was mostly driven by its price.
To gain application portability, smart card actors turned to JavaCard
operating systems. When the hardware changes, only the operating system needs to be
ported; applications stay the same, which greatly improves time to market.
JavaCard also comes with an enhanced protection model, i.e. sandboxing, which greatly
facilitates the design of multi-application smart cards. Hence, this new approach opens
new perspectives for the use of smart cards. For this reason, and because the
operating system is getting more complex, hardware requirements keep growing.
The Gemplus Research Lab goes one step further: it aims at proposing a new Java
environment for smart card applications. Rather than trying to enhance today's
JavaCard operating systems, it makes a real breakthrough by getting quite close to
the Java specifications. Class files (instead of the very specific CAP format) could be
dynamically loaded, different execution models could be defined, sockets could be
used to communicate, etc. This new vision of course makes hardware requirements
even more critical, which in turn makes advanced hardware support even more
necessary.
In this paper, we discuss perhaps the most popular hardware feature of modern
processors: the Memory Management Unit (MMU). This feature has greatly simplified
memory management and protection in modern operating systems. However, the usual
MMU-based software techniques generally induce a memory-space cost that makes them
not necessarily suited to the smart card context. The intention of the present work is
to show that the MMU can nevertheless be of interest in this context, by proposing
software mechanisms that take this memory space constraint into account.
The remainder of the paper is organized as follows. The next section introduces the
issues that must be tackled in smart card operating systems (SCOS). Section 3 details
the principles of managing a cache or a swap in this context, why these mechanisms are
interesting and what the implementation issues are. The principles, benefits and issues
are then presented in Section 4, before we describe the SmartMIPS architecture in
Section 5 and show how its MMU can be used to implement a cache/swap mechanism that
fits the memory space constraint. Finally, Section 6 concludes and lists some open issues.
MMU-based software cache and swap mechanisms for smart card operating systems
Note that caching and swapping are mechanisms, not abstractions. By this we mean
that an application can cache persistent data by itself, or swap volatile data into a
file or a pre-allocated non-volatile memory region; but then all the complexity must be
handled by the application itself. The abstraction behind caching is a fast non-volatile
memory (a bit like the coming FeRAM or MRAM memories); the one behind swapping is the
illusion of a large RAM. In both cases the applications do not care how these
abstractions are implemented. They execute as if they actually had a fast NVM and a
large memory. Even if this is not completely true, the way they are structured and
organized is not impacted, and all the complexity is handled by the operating system.
Caching and swapping, even though they do not serve the same objectives, have the
following issues in common:
Mapping: since the same (logical) data can reside in different physical memory
locations, both must be able to manage a dynamic mapping between the logical
identifiers of data and the physical identifiers of memory areas;
Access detection: since the physical location may change depending on how data
are accessed, both need to know when and how data are (or are about to be)
accessed;
Copying: in both cases, data must be transferred between volatile and non-volatile memories;
Replacement: since the cache is smaller than the persistent area, and the available
RAM smaller than the emulated extended volatile memory, both techniques need
to choose an in-RAM victim when RAM is saturated and data must be brought in from
NVM;
Grouping: when the unit of transfer is bigger than the unit of allocation, data must
be grouped according to their access properties so as to minimize the number of
NVM programming operations.
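The mapping issue above can be sketched as a small logical-to-physical translation table. The sketch below is a hypothetical illustration of such a table, not the implementation discussed in the paper; all names (`map_entry_t`, `map_set`, `map_get`) are ours:

```c
#include <assert.h>

#define MAP_SLOTS 8
#define NO_FRAME  0xFFFFu

/* One entry of a dynamic logical-to-physical mapping table. */
typedef struct {
    unsigned logical_page;   /* logical identifier of the data page */
    unsigned phys_frame;     /* current physical frame (RAM or NVM) */
    int      valid;
} map_entry_t;

static map_entry_t map[MAP_SLOTS];

/* Install or update the mapping of a logical page.
 * Returns -1 when the table is full: a victim must then
 * be chosen by the replacement policy. */
static int map_set(unsigned logical_page, unsigned phys_frame) {
    int free_slot = -1;
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (map[i].valid && map[i].logical_page == logical_page) {
            map[i].phys_frame = phys_frame;   /* update in place */
            return 0;
        }
        if (!map[i].valid && free_slot < 0)
            free_slot = i;
    }
    if (free_slot < 0)
        return -1;
    map[free_slot].logical_page = logical_page;
    map[free_slot].phys_frame   = phys_frame;
    map[free_slot].valid        = 1;
    return 0;
}

/* Look up where a logical page currently resides. */
static unsigned map_get(unsigned logical_page) {
    for (int i = 0; i < MAP_SLOTS; i++)
        if (map[i].valid && map[i].logical_page == logical_page)
            return map[i].phys_frame;
    return NO_FRAME;
}
```

Both caching and swapping would consult such a table; in the MMU-based design presented later, part of this lookup work is delegated to the TLB.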
They differ, however, on several points:
Mapping persistency: in the case of a cache, the mapping between logical
identifiers and physical memory locations in NVM must persist across card sessions
and be fault-tolerant, while the mapping between volatile data and
their representation in NVM need not be persistent, let alone fault-tolerant;
Number of mappings: since there are a priori more persistent than volatile data,
the number of mappings to maintain should be larger for caching than
for swapping;
Replacement & grouping strategies: the way data are accessed may differ depending
on whether they are persistent or not, and some non-functional properties, such as
reactivity or anti-stress, may guide these strategies differently;
Redundancy and coherency: whereas in a cache a logical datum may have
several copies whose coherency must be ensured, the swap manages only
one copy of each datum.
Yet, due to the issues they have in common, most techniques used for caching may
also be used for swapping. Actually, one could see in the merging of both mechanisms
the implementation of a single abstraction, a large fast memory, which could equally be
used for manipulating short- or long-lived data. Consequently, most of the effort spent
on, and conclusions drawn for, one mechanism may be applied to the other. In the
next section we show how their common issues, notably mapping and access
detection, can be addressed using an MMU while taking the memory constraints of the
smart card context into consideration.
In the context of a smart card, one could legitimately ask whether this swap needs
to be big, or even to exist at all.
The way we use the MMU for caching and swapping is illustrated by Figure 1. The
principle is relatively simple. Programs are provided the two abstractions mentioned
above through two different regions of the virtual address space. Pages that are not
accessed are not mapped. Once virtual pages are accessed (detected by the TLB with a
TLB_refill exception), and as long as they are only read, they are mapped to their
corresponding persistent page in the case of the cache, or to the corresponding swapped
page in the case of the swap, and write-protected. When modified (detected by the
TLB with a TLB_modify exception), they are copied to RAM and remapped read-write.
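The fault-driven page life cycle just described can be sketched as a small state machine. The code below is an illustrative simulation under our own naming (`on_tlb_refill`, `on_tlb_modify`, `vpage_t`), not the actual exception handlers, which would run in the processor's exception vectors:

```c
#include <assert.h>

/* A virtual page is unmapped, mapped read-only onto NVM,
 * or mapped read-write onto a RAM frame. */
typedef enum { UNMAPPED, MAPPED_RO, MAPPED_RW } page_state_t;

typedef struct {
    page_state_t state;
    int in_ram;   /* 1 once the page has been copied into RAM */
} vpage_t;

/* First access: the TLB has no entry (TLB_refill exception).
 * Map the virtual page onto its NVM counterpart, write-protected. */
static void on_tlb_refill(vpage_t *p) {
    if (p->state == UNMAPPED) {
        p->state  = MAPPED_RO;  /* mapping onto the NVM page */
        p->in_ram = 0;
    }
}

/* First write: the page is mapped read-only (TLB_modify exception).
 * Copy it into a RAM frame and remap it read-write. */
static void on_tlb_modify(vpage_t *p) {
    if (p->state == MAPPED_RO) {
        p->in_ram = 1;          /* NVM-to-RAM copy happens here */
        p->state  = MAPPED_RW;
    }
}
```

As long as a page stays in `MAPPED_RO`, reads are served directly from NVM at no memory cost; only written pages consume a RAM frame.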
Several remarks can be made about this implementation. The first is that, as
shown, the MMU can be shared to implement a cache and a swap running in
parallel. The second is that, as long as virtual pages are accessed only for reading,
they can be mapped to NVM pages with access rights set to read-only. Remember that,
in the case of a cache, the mapping to persistent data must be made persistent and
fault-tolerant. Fortunately, this can be done very easily and efficiently by managing
fixed, calculated mappings.
As shown in the figure, the physical address of a persistent page, while it is accessed
only for reading, is equal to the virtual address of the page (obtained from the virtual
address of the accessed data, i.e. its identifier) plus a constant offset, and this rule
never changes. This way, the mapping of these pages need not be stored in volatile or
non-volatile memory. Thus, the problems of persistency (durability, in terms of
transaction properties) and atomicity concern only the data, not their mapping.
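Such a calculated mapping amounts to a single addition. A minimal sketch, where the region base addresses are hypothetical constants chosen only for illustration:

```c
#include <assert.h>
#include <stdint.h>

/* Hypothetical layout: the cached-persistent region of the virtual
 * address space starts at VIRT_BASE; the persistent pages themselves
 * start at NVM_BASE in physical memory. */
#define VIRT_BASE 0x40000000u
#define NVM_BASE  0x00800000u
#define DELTA     ((int64_t)NVM_BASE - (int64_t)VIRT_BASE)

/* While a persistent page is accessed only for reading, its physical
 * address is the virtual address plus a fixed offset: no mapping
 * entry has to be stored in RAM or NVM. */
static uint32_t ro_phys_addr(uint32_t virt_addr) {
    return (uint32_t)((int64_t)virt_addr + DELTA);
}
```

Because the rule is fixed, a lost or evicted TLB entry can always be recomputed, which is precisely what makes the mapping trivially persistent and fault-tolerant.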
[Fig. 1. The logical space: the virtual memory is divided into a cached persistent memory region and a swap region. Read-only (RO) pages are mapped directly onto persistent data or the swap in NVM; read-write (RW) pages reside in RAM.]
Of course, while the MMU simplifies the implementation of a cache or a swap
and makes it possible to provide our abstractions at the assembly level, this does not
mean that all the cost has been removed. Mappings still have to be established in the
TLB, transfers of data between volatile and non-volatile memories still need to be
performed, durability and atomicity of updates still need to be ensured, replacement
and grouping strategies still need to be implemented, etc. However, this cost is
essentially in terms of processing time, not memory consumption (except for
atomicity, but that is orthogonal to whether an MMU is used).
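The replacement strategy mentioned above is left open by this design; as one possible policy, a classic second-chance (clock) sweep over the referenced bits maintained by access detection could be used. The sketch below illustrates that policy under our own assumptions; the paper does not mandate it:

```c
#include <assert.h>
#include <stddef.h>

#define NFRAMES 4

/* One referenced bit per RAM frame, set by the access-detection
 * mechanism when the frame is touched. */
static int referenced[NFRAMES];
static size_t hand;   /* current position of the clock hand */

/* Second-chance victim selection: sweep the frames, clearing
 * referenced bits, and evict the first frame found unreferenced. */
static size_t choose_victim(void) {
    for (;;) {
        if (!referenced[hand]) {
            size_t victim = hand;
            hand = (hand + 1) % NFRAMES;
            return victim;
        }
        referenced[hand] = 0;          /* give a second chance */
        hand = (hand + 1) % NFRAMES;
    }
}
```

On a smart card, the policy would also have to weigh anti-stress concerns, since evicting a dirty page triggers an NVM programming operation.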
Conclusion
With the emergence of Java technology in the smart card context, the
requirements of Smart Card Operating Systems (SCOS) are becoming more demanding,
and we believe that this trend will continue. Fortunately, processor designers and
manufacturers are on their way to providing more and more advanced processors. The
new features present in processors like the HiperSmart may let SCOS designers hope
to benefit from techniques and research developed for more classical operating
systems.
In this presentation, we have pointed out that while the constraints specific to
smart cards still hold, the fears about the relevance of advanced hardware features are
not necessarily founded. We focused on the use of the MMU to implement software
caching and swapping, and proposed an implementation that suits the memory space
constraint. One could say that caching and swapping could be implemented entirely in
software. This is true, but not with the same efficiency, compactness and flexibility.
One could also object that the MMU should be reserved for protection, which may
conflict with the way we propose to use it, but this does not necessarily hold in the
context of Java, where protection is ensured another way.
It could, however, be interesting to see how different uses of the MMU may coexist,
and how such hardware could be enhanced to better fit the smart card context. For
example, it would be worth studying how reducing the page size could help implement
mechanisms such as locking, logging, patching, stack overflow detection, and so on.
In any case, the work presented here makes us believe that advanced hardware features
in general offer new opportunities to SCOS designers, and further to application
designers and, consequently, end consumers.