Future Directions For The Windows CE Device Driver Architecture
Juggs Ravalia, Program Manager, Windows Devices Core OS, Microsoft Corporation
Transcript
Future Directions For The Windows CE Device Driver Architecture
- The Windows CE 6.0 Beta Driver Architecture
- Windows CE User Mode Driver Framework
- Desktop versus Windows CE Drivers Comparison
- Porting Drivers from Windows CE 5.0
  - New Kernel Memory Model
  - Porting Aspects
  - PQD/Secure Copying
  - Quick Reference Guide
  - Porting Code Snippet
Drivers Architecture
- Drivers will be split into kernel mode and user mode
  - Kernel Mode: performance critical; fully trusted, with full access to kernel memory
  - User Mode: less critical and lower privilege; still need to be trusted
- The OEM can choose where to load its driver (in kernel or in user mode)
  - Drivers that access kernel-mode addresses directly need to be in the kernel, except for some block drivers used by the file system and NDIS-based networking drivers
- The overall structure of the drivers remains the same; the main changes are in how the drivers access client memory
Kernel Mode Drivers
- Will be loaded in the kernel space by device.dll/gwes.dll
- Will have full access to the kernel's data structures and memory
- APIs do not change; will use the same APIs as user mode drivers
- Link to a kernel version of coredll.dll called kcoredll.dll
  - Thin layer for API compatibility
  - Directly links the services together without a thunk layer
[Diagram: Layered Native Driver. The Graphics, Windowing, and Events Subsystem (GWES) talks to the MDD through the Device Driver Interface (DDI); the MDD talks to the PDD through the Device Driver Service Provider Interface (DDSI). The DDI of native drivers is defined by Microsoft for each device class.]
User Mode Drivers
- Also managed by Device Manager
- Hosted in udevice.exe
- Mostly the same APIs as Kernel Mode
- UM drivers lose kernel privileges
  - No access to kernel structures or memory
  - Cannot call certain kernel-only APIs like VirtualCopyEx
- Kernel will marshal first-level parameters during system calls
- Must be trusted – signed
- Examples: expansion buses like USB and SDIO
- Improved stability
  - User-mode drivers are isolated from other drivers
  - Kernel is isolated from user-mode drivers
- Increased security
  - Compromised driver does not crash the system
  - Lower privileges restrain a compromised driver
- Recoverability
  - System can recover after a driver crash – no "blue-screens" (device hangs in CE)
  - The driver can be restarted without rebooting
Why Use UMDF?
[Diagram: Driver Isolation, Correct Privileges, Increased Security, Improved Stability, Recoverability, No "Blue-Screens"]
User Mode Driver Loading
[Diagram, steps numbered 1–10 across the User Mode / Kernel Mode boundary; components are marked as provided by Microsoft or by the IHV. Components: User Application, Device Manager, Reflector Service, Parent Bus Driver, User Mode Driver Host Process (udevice.exe), User Mode Driver. Flow: the application calls ActivateDevice(Ex); the host process is started with CreateProcess(,,Volume Name); XXX_Init(…) is forwarded to the UM Driver Host, which calls the driver's XXX_Init; the Device Context comes back and a HANDLE is returned to the caller.]
Registry For User Mode Driver
- The User Mode Driver Host process is launched and managed by certain registry settings
- Example of the registry keys for Group ID 2:

  [HKEY_LOCAL_MACHINE\Drivers\ProcGroup_0002]
      "ProcName" = "udevice.exe"      ; Dummy for Service.exe now
      "ProcVolPrefix" = "$services"
      "Privilege" = dword:xxxxxx      ; Processor Privilege Bit Setting

- One UMD Host can support multiple UMDs
- The UMD Host can be extended for special needs, like Services.exe
- The privileges of a UMD are determined by the UMD Host process
- The UMD Host mounts a Volume Service API, used by the Kernel Reflector for communication
  - Parses the Reflector's requests and performs the required action
User Mode Driver I/O Data Flow
Asynchronous versus Synchronous Support
Interrupt Model – DPCs versus ISTs
Porting Drivers To CE 6.0
- Drivers will mostly run in the kernel
- Driver writers must focus on security and stability more than ever before
- Maximum backwards compatibility is maintained, but some driver modifications are required
  - Deprecated APIs
  - Asynchronous buffer access will require driver modifications
  - User interface handling
Windows CE 5.0 Memory Model
- In <= CE 5.0, MapCallerPtr was used to validate memory pointed to by either
  - Pointer parameters, or
  - Embedded pointers
- With CE 6.0 Beta, the kernel performs a full access check on pointer parameters
  - Thus, drivers only need to access-check embedded pointers
  - Use the kernel access-check APIs CeOpenCallerBuffer/CeCloseCallerBuffer to verify embedded pointers
Access Check Diagram
[Diagram: Hello.exe passes a buffer to Driver.dll inside the kernel (NK.EXE); the kernel checks this buffer.]

  // Windows CE 5.0 and prior versions
  // In XXX_IOControl...
  g_pMappedEmbedded = MapCallerPtr( p->pEmbedded );
  // Fail if g_pMappedEmbedded == NULL ...
Marshalling
- In <= Windows CE 5.0, the MapCallerPtr API also handled pointer marshalling for both
  - Pointer parameters, as well as
  - Embedded pointers
- With the next Windows CE version, marshalling depends on whether the pointers are used
  - Synchronously, or
  - Asynchronously
- Important! Synchronous here means accessing the caller's buffer on the caller's thread context

Marshalling
- When pointers are used synchronously
  - The caller's address space is accessible for the lifetime of the call
  - Eliminates any marshalling needs for both embedded and pointer parameters
  - Employs Direct Access Marshalling
- If used asynchronously
  - It's critical that the caller buffer is accessible when the caller's address space is unavailable
  - Use the new OS marshalling helper APIs CeAllocAsynchronousBuffer/CeFreeAsynchronousBuffer
Porting Code Snippet

  // Windows CE 6.0 Beta
  // In XXX_IOControl, after CeOpenCallerBuffer and CeAllocAsynchronousBuffer...
  // When done with pointer...
  hr = CeFreeAsynchronousBuffer( (PVOID) g_pMarshalled, g_pMappedEmbedded,
                                 pInput->dwSize, ARG_I_PTR );
  // Now call CeCloseCallerBuffer as usual...

  // Windows CE 5.0 and prior versions
  // In XXX_IOControl...
  g_pMappedEmbedded = MapCallerPtr( p->pEmbedded );
  // Fail if g_pMappedEmbedded == NULL ...
Thread Permissions
- In <= Windows CE 5.0, PSLs had access to caller buffers because execution took place in the caller's thread context
  - Other threads, like ISTs, did not have access to the caller's buffer
  - Such threads thus called the SetProcPermissions API
- With Windows CE 6.0 Beta, the SetProcPermissions API is deprecated
  - The CeAllocAsynchronousBuffer API marshals the caller's buffer into the kernel's VM
  - Thereby eliminating the need to change the thread's permissions in any manner
Secure Copy
- The driver inherently employs CeOpenCallerBuffer for access checking
- To secure-copy, call the API with the ForceDuplicate parameter set to TRUE
  - By default it does not copy the caller's buffer
  - Set ForceDuplicate = TRUE
- This local buffer copy is freed upon calling CeCloseCallerBuffer
User Interface
- In <= Windows CE 5.0, drivers ran in user mode
  - Hence, they could display UI without any restrictions
- With Windows CE 6.0 Beta, most drivers run in the kernel
  - CommCtrl.dll is not loaded in the kernel
  - Kernel drivers need to forward the UI request to a user mode DLL
    - Code up a user mode DLL and export a function that implements the required UI display
    - Pass the DLL and function name to the CeCallUserProc helper API, with in/out buffers, to display the desired driver UI
  - Restriction on embedded pointers: need to flatten the structure
    - Handle the embedded pointers as offsets in your user mode DLL
Porting To User Mode
- User mode drivers do have a performance impact
- The host/bus driver might require changes if the client driver is ported to UM
- Our goal: kernel drivers should run in user mode without any modifications
  - Though some security restrictions apply
[Diagram: Ported User Mode Driver. Hello.exe holds a buffer containing an embedded pointer; the request passes through the Reflector in the Device Manager (NK.EXE) to the driver's thread in udevice.exe, where Drv.dll sees the buffer and its embedded pointer.]
User Mode Driver Restrictions
- APIs callable only in kernel mode
  - Heap APIs – RemoteLocalAlloc, RemoteLocalFree
  - VM APIs – VirtualCopyEx, VirtualAllocCopyEx
- Application call-backs
  - Call-forwarding and call-backs from a user mode server to any process are prohibited
- Cannot install an IISR directly – can install GIISR via the Reflector
Driver Migration Summary
(For each case: what to do when drivers move to the kernel, and what to do to isolate the driver to user mode, if suitable)

Parameter – used synchronously
  Drivers move to kernel: Nothing; the kernel checks during the trap and uses direct access
  Isolate to user mode if suitable: Use CeAllocDuplicateBuffer to make a local copy

Parameter – used asynchronously
  Drivers move to kernel: Employ CeAllocAsynchronousBuffer/CeFreeAsynchronousBuffer – prepares for async access by creating/mapping the caller buffer
  Isolate to user mode if suitable: Use CeAllocDuplicateBuffer to make a local copy

Embedded pointer – used synchronously
  Drivers move to kernel: Use CeOpenCallerBuffer/CeCloseCallerBuffer
  Isolate to user mode if suitable: Call CeOpenCallerBuffer with the ForceDuplicate parameter set to TRUE, or use CeAllocDuplicateBuffer to make a local copy

Embedded pointer – used asynchronously
  Drivers move to kernel: Call CeAllocAsynchronousBuffer after you call CeOpenCallerBuffer. You must call CeFreeAsynchronousBuffer before you call CeCloseCallerBuffer.
  Isolate to user mode if suitable: Call CeOpenCallerBuffer with ForceDuplicate set to TRUE, or call CeAllocDuplicateBuffer for a local copy

For all cases – Deprecated APIs
  Drivers move to kernel: Remove deprecated APIs
  Isolate to user mode if suitable: Go through the deprecated APIs list to remove them. Example: CeGetCallerTrust, SetKMode and so on

For all cases – UI/Dialog boxes
  Drivers move to kernel: UI calls in the kernel will always return failure; use CeCallUserProc
  Isolate to user mode if suitable: Code up a user mode DLL exporting the function that implements the required UI display. Then call the CeCallUserProc API with the DLL and function name as input parameters.
Help grow the Mobile and Embedded world
- Write drivers for Windows CE and sell chips
- Join the Windows CE Driver Development Program: http://msdn.microsoft.com/embedded/usewinemb/ce/drivers/driverdev/default.aspx
- Port your existing drivers to Windows CE 6.0
- Post your driver on Windows CE's Supported Drivers web site: http://msdn.microsoft.com/embedded/usewinemb/ce/drivers/supdrivers/default.aspx

Web Resources: http://msdn.microsoft.com/embedded/windowsce/default.aspx
Related WinHEC 2006 Sessions:
- Future Directions for the Windows CE Operating System Architecture
- Future Directions for the Windows CE Test Kit
Community Sites: http://www.microsoft.com/communities/default.mspx
List of Newsgroups: http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx
Attend a free chat or webcast: http://www.microsoft.com/communities/chats/default.mspx