Kernel Enhancements For Windows Server Longhorn
Mike Tricker, Program Manager, Windows Core Platform Architecture, Microsoft Corporation
Agenda
Kernel enhancements for Windows Server Codename “Longhorn”
Pointers to other relevant sessions and material
Future ideas we’re considering
Call to action
Moving To 64-bit Only
Future releases of Windows Server
Windows Server Longhorn is planned to be the last 32-bit release of Windows Server
Except for Service Packs and QFEs, of course
Windows Server Longhorn R2 is planned to be 64-bit only
We expect that all Enterprise Server-class processors on sale in 2007/8 will be 64-bit capable
This will affect your drivers and your hardware
Kernel Driver Signing
Unsigned 64-bit kernel drivers will not load on Windows Vista or Windows Server Longhorn
The unsigned driver pop-up is no longer a “get out of jail free” card
From now on they must be signed by a recognized signing authority
See this link for more details
http://www.microsoft.com/whdc/system/platform/64bit/kmsigningFAQ.mspx
For more details please see the slides for the session Introduction to the WDK: A Comprehensive Driver Development Solution in the Device Driver Fundamentals track
PatchGuard
64-bit on x64
Targeting rootkits and other malware
If critical system structures get changed the system will bugcheck (bug check 0x109, CRITICAL_STRUCTURE_CORRUPTION), for example:
System service tables
IDT
GDT
Kernel stacks not allocated by the kernel
Patching any part of the kernel
So if you have drivers that modify (or create) such kernel structures they will cause the system to bugcheck
Together with Windows Defender it’s increasing Windows robustness
The HAL
No more uni-processor (UP) HALs, and thus no UP kernel either
Single threaded (versus single processor) server systems are becoming increasingly rare
No support for non-ACPI HALs; ACPI has been required for logo since 1998
Now Windows Vista and Windows Server Longhorn will fail to install on a non-ACPI BIOS
No HAL kit; relatively low impact
The New Boot Environment
Including UEFI support
Say goodbye to boot.ini, ARC paths and using Notepad to make boot option changes! (Boot options now live in the Boot Configuration Data store and are edited with bcdedit.exe.)
64-bit x64 Windows Server Longhorn will support booting via UEFI 2.0
IA-64 supports both EFI 1.1 and UEFI 2.0
For more details please see the slides for the session: Inside the Windows Pre-Boot and Boot Environment in the System Fundamentals – Core Platform Architecture and Security track
Native PCI Express Support
Windows Vista and Windows Server Longhorn have native support for:
MSI and MSI-X
Extended configuration space
Segments
Custom properties
Advanced error reporting
Native hot plug
Active state power management
Native power management events
For more details please see the slides for the session PCI Express in Depth for Windows Vista and Beyond in the System Fundamentals – Core Platform Architecture and Security track
Dynamic Partitioning
Reliability, Availability, Serviceability
Support for Hot Add of processors
Continued support for Hot Add memory
And the planned addition of Hot Add I/O APIC support
Hot Add Processor is available for test today
Support for Hot Replace of processors and memory
Available in a later Beta of Windows Server Longhorn
No support for Hot Remove of processors or memory in Windows Server Longhorn
Native hot plug of PCI Express devices
Dynamic Partitioning
Future Hardware Partitionable Server
1. Partition Manager provides the UI for partition creation and management
2. Service Processor controls the inter-processor and IO connections
3. Platforms partitionable to the socket level; virtualization used for sub-socket partitioning
4. Support for dynamic partitioning and socket replacement
[Diagram: a future hardware-partitionable server. Several sockets, each holding multiple cores with a cache and its own attached Memory; IO Bridges carrying PCI Express; a Service Processor; and the Partition Manager that drives it.]
Windows Server Longhorn dynamic hardware partitioning features are focused on improving server RAS
Dynamic Partitioning
Impact on drivers
Per-processor data structures
Memory high-water mark usage
ISR and DPC routing
User mode IOCTL coordination between applications and their associated drivers
Supporting S4 transitions
Registering for Hot Add notifications
Affinity Mask manipulation
Supporting dynamic rebalance
NUMA behaviors
Memory Manager Enhancements
Initial non-paged pool now NUMA aware, with separate VA ranges for each node
Per-node look-asides for full pages
Page table allocation for system PTEs, the system cache, etc., distributed across nodes
More even locality
Avoids exhausting free pages from the boot node
NUMA-related APIs for device drivers
MmAllocateContiguousMemorySpecifyCacheNode
MmAllocatePagesForMdlEx
Default if no node is specified has been changed from the current processor to the thread’s ideal processor
Memory Manager Enhancements
Win32 APIs that specify nodes for allocations and mapped views on a per-VAD and per-section basis
VirtualAllocExNuma
CreateFileMappingExNuma
MapViewOfFileExNuma
Scalable query: QueryWorkingSetEx
Higher performance for very physically sparse machines
Example: very large IA-64 systems with 1TB gaps between chunks of physical memory
PFN database and initial non-paged pool always mapped with large pages regardless of physical memory sparseness
Memory Manager Enhancements
Much faster large page allocations in kernel and user
Support for cache-aligned pool allocation directives
Data structures describing the non-paged pool free list converted from linked list to bitmap
Significantly reduced lock contention
Bitmaps can be searched opportunistically lock-free
Costly combining of adjacent allocations on free no longer necessary
Transactional Registry
Needed for “all or none” semantics when changing a group of settings
Adds ACID semantics to a group of registry operations
Integrates with TxF and any other resource manager which participates in KTM transactions
A transaction can span across file system and Registry operations
Provides an easier way for applications to clean up on the error path
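The "all or none" behaviour described above, as an added example that is not part of the original deck: Windows PowerShell (2.0 through 5.1) surfaces KTM transactions as Start-Transaction / Complete-Transaction / Undo-Transaction, and its Registry provider accepts -UseTransaction, so a group of registry writes is committed or rolled back as a unit. The key path, value names and the ContosoDemo application are hypothetical; the transaction cmdlets were removed in PowerShell 7, so this assumes Windows PowerShell on Vista / Server 2008 or later.

```powershell
# Added example, not from the original deck. Demonstrates transactional registry (TxR)
# through Windows PowerShell's transaction cmdlets and the Registry provider.
# $base, the value names and the failure injection are hypothetical.

$base = 'HKCU:\Software\ContosoDemo'   # hypothetical application settings key

function Set-SettingsAtomically {
    param(
        [hashtable]$Settings,   # values that must all land together, or not at all
        [switch]$FailHalfway    # simulate an error after the first write to show the rollback
    )
    Start-Transaction
    try {
        if (-not (Test-Path -Path $base)) {
            New-Item -Path $base -UseTransaction | Out-Null
        }
        $written = 0
        foreach ($name in $Settings.Keys) {
            New-ItemProperty -Path $base -Name $name -Value $Settings[$name] `
                -PropertyType String -Force -UseTransaction | Out-Null
            $written++
            if ($FailHalfway -and $written -eq 1) {
                throw 'simulated failure after the first write'
            }
        }
        Complete-Transaction       # commit: every write becomes visible at once
        return $true
    }
    catch {
        Undo-Transaction           # roll back every write made since Start-Transaction
        Write-Warning "rolled back: $($_.Exception.Message)"
        return $false
    }
}

# Happy path: both values are committed together.
Set-SettingsAtomically -Settings @{ Server = 'db01'; Port = '5432' }
Get-ItemProperty -Path $base | Select-Object Server, Port

# Failure path: the write that did happen is undone along with the rest, so no partial
# update is ever visible and the previously committed values remain in place.
Set-SettingsAtomically -Settings @{ Server = 'db02'; Port = '6543' } -FailHalfway
Get-ItemProperty -Path $base | Select-Object Server, Port
```

The point of the failure path is the one the slide makes: without the transaction the caller would have to remember which values it had already written and undo them by hand on the error path; with it, Undo-Transaction does that regardless of where the failure occurred. Reads issued without -UseTransaction see only committed state, which is the isolation property the slide calls ACID.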
Registry Virtualization
Enables legacy applications to run as non-admin
Applications that want to write to keys that require admin privileges
Redirects globally impactful registry writes to a per-user virtual key (under HKCU\Software\Classes\VirtualStore\MACHINE\Software)
Only keys under HKLM\Software are virtualized
Redirection is transparent to callers
Applications use the user’s virtual key while running
Is not platform support for sandboxing; should be treated as an assistance technology
Registry Virtualization
What is not virtualized?
Application is identified as an “admin application” (one that declares a requestedExecutionLevel in its manifest)
Key is not changeable by admins
Key is Windows Resource Protected
Caller is kernel mode
Caller is using Impersonation
Any 64-bit application
Keys marked as ‘Do Not Virtualize’
HKLM\Software\Classes
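A practitioner's check on the two slides above, added here as an example and not taken from the original deck: it lists the writes that have already been redirected into this user's VirtualStore, queries and sets the ‘Do Not Virtualize’ flag with reg.exe flags (which is restricted to keys under HKLM\Software), and shows the "any 64-bit application" exclusion by attempting an HKLM write from PowerShell itself. The ContosoLegacy key name is hypothetical; the script assumes Windows Vista / Server 2008 or later with reg.exe present, and the flag-setting step needs an elevated session.

```powershell
# Added example, not from the original deck. Inspects and controls registry virtualization.
# $legacyKey is a hypothetical key; $virtualStore is the documented redirection target.

$legacyKey    = 'HKLM\Software\ContosoLegacy'                           # hypothetical
$virtualStore = 'HKCU:\Software\Classes\VirtualStore\MACHINE\SOFTWARE'  # where redirected writes land

function Get-VirtualizedWrites {
    # Returns the HKLM paths that unmanifested 32-bit applications believe they wrote,
    # reconstructed from the per-user VirtualStore copy.
    if (-not (Test-Path -Path $virtualStore)) { return @() }
    Get-ChildItem -Path $virtualStore -Recurse |
        ForEach-Object {
            $_.Name -replace '^HKEY_CURRENT_USER\\Software\\Classes\\VirtualStore\\MACHINE\\', 'HKLM\'
        }
}

function Get-DontVirtualize {
    param([string]$Key)
    # reg.exe flags prints a line such as "REG_KEY_DONT_VIRTUALIZE: SET"; true when the flag is set.
    $out = & reg.exe flags $Key query
    return [bool]($out -match 'DONT_VIRTUALIZE:\s+SET')
}

function Set-DontVirtualize {
    param([string]$Key)
    # Opt the key and its subkeys out of virtualization. Non-admin writes then fail with
    # access denied instead of being silently redirected, which is what a security-relevant
    # setting should do. Requires elevation.
    & reg.exe flags $Key set DONT_VIRTUALIZE RECURSE_FLAG | Out-Null
}

'Redirected writes already present in this user profile:'
Get-VirtualizedWrites

# HKLM\Software\Classes ships with the flag set (it is on the slide's exclusion list);
# an application's own key usually does not.
"DONT_VIRTUALIZE on HKLM\Software\Classes : $(Get-DontVirtualize 'HKLM\Software\Classes')"
"DONT_VIRTUALIZE on $legacyKey : $(Get-DontVirtualize $legacyKey)"

# PowerShell is a 64-bit, manifested process, so its HKLM writes are never virtualized:
# from a non-elevated session this fails outright rather than landing in VirtualStore.
try {
    New-Item -Path ($legacyKey -replace '^HKLM\\', 'HKLM:\') -ErrorAction Stop | Out-Null
    'write succeeded: the session is elevated'
}
catch {
    "write denied ($($_.Exception.GetType().Name)): this process is not virtualized"
}
```

Run Set-DontVirtualize against your own key from an elevated session once the legacy application has been fixed to write per-user data under HKCU; until then the VirtualStore listing tells you which "machine-wide" settings are in fact private to each user, a frequent source of confusion when a non-admin's configuration changes never appear for anyone else.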
Registry Filtering
Certain classes of applications have the need for filtering registry calls
Anti-virus, management applications, etc.
Kernel mode callback model (CmRegisterCallback) to allow for filtering registry operations
Allows monitoring and blocking of registry operations
Multiple drivers can register callbacks
Limitations
No support for modifying parameters or redirecting calls
No concept of altitudes
Windows Vista Enhanced Registry Filtering
Also applies to Windows Server Longhorn
Introduces a layered model with altitudes for callback registration (CmRegisterCallbackEx)
Consistent with the file system mini-filter model
Altitudes have to be registered with Microsoft
Ability to modify parameters and re-direct calls
Supports three modes of operation – Monitor, Block and Modify
Compatible with existing registry callbacks
Legacy callbacks will be registered at a default altitude
First come first served registration semantics retained for these legacy callbacks
Windows Service Hardening
Motivation
Services are attractive targets for malware
Running on a large number of systems
Services typically are higher privileged than users
Worms target services; e.g., Sasser, Code Red, etc.
Goals
Run with the least privilege necessary
Use only the resources needed by the service
Reduce the damage potential and number of critical vulnerabilities in services
Extend the existing security model for more granular control
Windows Service Hardening
Running with least privilege
Privilege stripping
Enables a service to run with least privilege
Use only required privileges
Express required privileges during service configuration
SeBackupPrivilege, SeRestorePrivilege, etc.
ChangeServiceConfig2 API with SERVICE_CONFIG_REQUIRED_PRIVILEGES_INFO (sc.exe privs can be used as well)
SCM computes the union of all hosted services’ required privileges
Permanently removes unnecessary privileges from the process token when the service process starts
No privileges are added
Target account must support the required privileges; e.g., a service in the LocalService account cannot get SeTcbPrivilege
Windows Service Hardening
Service isolation
Service-specific SID
1:1 mapping between service name and SID (the SID is derived from a SHA-1 hash of the upper-case service name, so it can be computed before the service is ever installed)
Use to ACL objects the service needs to allow access only to the service-specific SID
Use ChangeServiceConfig2 (SERVICE_CONFIG_SERVICE_SID_INFO) or sc.exe sidtype to control the service SID; sc.exe showsid prints it
Set ServiceSidType to SERVICE_SID_TYPE_UNRESTRICTED
Service-specific SID assigned at start time
When the service process starts, the SCM adds the service SIDs to the process token
S-1-5-80-XXXXX-YYYYY
SID enabled/disabled when the service starts/stops
Service SIDs are local to the machine (they are not domain identities and cannot be granted access on other machines)
Windows Service Hardening
Reducing damage potential
Restricted services
Uses service SIDs and restricted tokens (ServiceSidType SERVICE_SID_TYPE_RESTRICTED; sc.exe sidtype restricted)
Write-restricted service process
Allows the service process write access only to objects whose ACL grants WRITE to the service SID
Reduces the scope of resources accessed on the system
When the service process starts, the SCM adds the service SID to both the normal and the restricted SID list in the process token
SID enabled/disabled when the service starts/stops
All services in a process must be restricted
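The three hardening steps on the preceding slides (privilege stripping, the service SID, and the choice between unrestricted and write-restricted tokens), applied end to end as an added example that is not from the original deck. It uses sc.exe, which exposes the same settings as ChangeServiceConfig2, derives the service SID locally so the ACL can be authored before the service ever starts, and then checks the derivation against what the SCM reports. The ContosoAgent service, its privilege list and C:\ProgramData\ContosoAgent are hypothetical; the script assumes an elevated Windows PowerShell session on Windows Server 2008 / Vista or later with the service already registered.

```powershell
# Added example, not from the original deck. Hardens a hypothetical service with the
# Windows Service Hardening knobs and verifies the result. Note: "sc" alone is a
# PowerShell alias for Set-Content, so sc.exe is always called by its full name.

$svc     = 'ContosoAgent'                 # hypothetical service name
$dataDir = 'C:\ProgramData\ContosoAgent'  # hypothetical directory only the service should write

function Get-ServiceSid {
    param([string]$Name)
    # A service SID is S-1-5-80- followed by the SHA-1 of the upper-case service name
    # (UTF-16LE), read as five little-endian DWORDs. This is the same value sc.exe showsid
    # prints, and it is the same on every machine because it depends only on the name.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant()))
    $subs  = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-5-80-' + ($subs -join '-')
}

# 1. Privilege stripping: declare what the service needs; at start the SCM removes every other
#    privilege from the hosting process token. Nothing is added, so the service account must
#    already hold each privilege listed here (hypothetical list for this service).
& sc.exe privs $svc 'SeChangeNotifyPrivilege/SeImpersonatePrivilege' | Out-Null

# 2. Service SID. 'unrestricted' adds the per-service SID to the token so objects can be ACLed
#    to it; 'restricted' additionally write-restricts the token to objects that grant WRITE to
#    the service SID. Use 'restricted' only if every service hosted in the process tolerates it.
& sc.exe sidtype $svc unrestricted | Out-Null

# 3. Grant write access to the data directory to the service SID alone. "NT SERVICE\<name>"
#    resolves to the service SID once the service is registered with a SID type other than
#    none; it does not have to be running. SYSTEM and Administrators are given by SID so the
#    command is locale-independent.
New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
& icacls.exe $dataDir /inheritance:r /grant:r `
    "NT SERVICE\${svc}:(OI)(CI)M" '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Verification: the locally derived SID must match the SCM's view, and the effective
# configuration is dumped for the change record.
$derived  = Get-ServiceSid -Name $svc
$reported = (& sc.exe showsid $svc | Select-String -Pattern 'SERVICE SID:').ToString().Split(':')[-1].Trim()
"derived  : $derived"
"reported : $reported"
if ($derived -ne $reported) { Write-Warning 'service SID mismatch: check the service name' }
& sc.exe qprivs $svc
& sc.exe qsidtype $svc
& icacls.exe $dataDir
```

Two caveats the slides state and the script relies on: the privilege list is a union across every service sharing the process, so a service hosted in a shared svchost.exe instance gets the union of its neighbours' privileges rather than only its own; and sidtype restricted must be set for all services in that process, so a single legacy service that writes to objects without an explicit ACE for its SID prevents the others from being write-restricted. Restart the service after running the script; the SCM applies all three settings when the service process starts.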
Hardware Watchdog
Version 2.0
The watchdog driver periodically resets a hardware count-down timer; if the timer expires because the system has hung, the hardware performs a hard restart
Initial implementation made certain hardware assumptions
If your hardware didn’t comply it didn’t work
Version 2.0 increases flexibility
You can define how your hardware is organized, or still use the original model
Automatically disabled when necessary, e.g., when writing out a crashdump
Available on both client and server if you have hardware to support that requirement
We do not support IPMI timers natively in Windows Server Longhorn
Other Technologies
Setup
All new and fully graphical
No text-mode component any more
Simplified user experience, and faster via use of WIM files installing via RAMDisk
WDS replaces RIS for remote network installation
OPK/WAIK
OEM and Enterprise Administrator custom configuration kits
WDK
KMDF for kernel drivers – v1.1 shipped
UMDF for user mode drivers
BitLocker™ and Full Volume Encryption
Use of TPM v1.2 in Branch Office Server scenarios
Future Technologies
ISR And DPC Redirection
There are performance benefits from running ISRs and DPCs on the processor (and NUMA node) where the thread that initiated an I/O operation is running
Directing the interrupt/ISR
Directing the DPC
I/O buffer memory allocation
Requires the device driver performing I/O to have knowledge of where the I/O was initiated
Prototyping using MSI-X messages to attempt to route the request to the initiating processor, so the I/O completes on the initiating thread’s processor
We’re working with a number of OEMs and storage device vendors to develop support
ISR And DPC Redirection
Hypothetical NUMA system
[Diagram: three NUMA nodes, X, Y and Z, each with its own memory (Mem X, Mem Y, Mem Z) and its own I/O (I/O X, I/O Y, I/O Z); the cores on nodes Y and Z are labelled Y/Y* and Z/Z*.]
ISR And DPC Redirection
Interrupt redirection choices (in order)
1. ISR comes back to the core that initiated the I/O
2. ISR comes back to the processor that initiated the I/O
3. ISR comes back to the NUMA node that initiated the I/O
4. ISR comes to the node containing the HBA
DPC redirection
ISR must know the core/processor/node that initiated the I/O
Requires multiple DPCs per adapter (one per core/processor/node)
Memory redirection – where to allocate I/O buffers
Initiator’s node
ISR node
DPC node
Consumer’s node (for incoming data)
64 Logical Threads
Multiple cores per processor will make the 64 logical thread limit very restrictive
E.g., cores and hyperthreads
Prototyping support for more than 64 logical threads
Proposed mechanism isn’t restricted to a specific number
There are many compatibility issues to be resolved before this can be released
Both applications and device drivers
The affinity mask (KAFFINITY, a machine-word bitmask, hence 64 bits on x64) is currently limited and we can’t “just” grow it
Need to measure scalability beyond 64 threads
This isn’t just a case of changing a #define!
Call To Action
Prepare for 64-bit-only Server in future releases
Ensure that your 64-bit kernel drivers are signed
Ensure that your drivers don’t change kernel data structures, or Windows will bugcheck
Learn about the many new features available in Windows Server Longhorn and Windows Vista
And how they may benefit or impact your drivers and hardware
Please talk to us if you have questions about the potential impact of these changes on your products
Additional Resources
Web resources
Dynamic Partitioning homepage
http://www.microsoft.com/whdc/system/platform/server/dhp.mspx
Whitepapers
http://www.microsoft.com/whdc/system/vista/kernel-en.mspx
Kernel patching FAQ
http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx
Related sessions
Introduction to the WDK: A Comprehensive Driver Development Solution
Inside the Windows Pre-Boot Environment
PCI Express In Depth For Windows Vista and Beyond
Microsoft BitLocker™ Drive Encryption Hardware Enhanced Data Protection
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.