genode as desktop os - fosdem
TRANSCRIPT
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 2
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 3
Universal Truths
Ease of useSecurity
Utilization
ScalabilityAssurance
Accountability
Genode as Desktop OS 4
Problem: Complexity
Today’s commodity OSes Exceedingly complex trusted computingbase (TCB)
TCB of an application on Linux:Kernel + loaded kernel modulesDaemonsX Server + window managerDesktop environmentAll running processes of the user
→ User credentials are exposed to millions of lines of code
Genode as Desktop OS 5
Problem: Complexity
Today’s commodity OSes Exceedingly complex trusted computingbase (TCB)
TCB of an application on Linux:Kernel + loaded kernel modulesDaemonsX Server + window managerDesktop environmentAll running processes of the user
→ User credentials are exposed to millions of lines of code
Genode as Desktop OS 5
Problem: Complexity
Today’s commodity OSes Exceedingly complex trusted computingbase (TCB)
TCB of an application on Linux:Kernel + loaded kernel modulesDaemonsX Server + window managerDesktop environmentAll running processes of the user
→ User credentials are exposed to millions of lines of code
Genode as Desktop OS 5
Problem: Complexity (II)
Implications:
High likelihood for bugs (need for frequent security updates)
Huge attack surface for directed attacks
Zero-day exploits
Genode as Desktop OS 6
Problem: Complexity (II)
Implications:
High likelihood for bugs (need for frequent security updates)
Huge attack surface for directed attacks
Zero-day exploits
Genode as Desktop OS 6
Problem: Complexity (II)
Implications:
High likelihood for bugs (need for frequent security updates)
Huge attack surface for directed attacks
Zero-day exploits
Genode as Desktop OS 6
Universal Truths
Ease of useSecurity
Utilization
ScalabilityAssurance
Accountability
Genode as Desktop OS 7
Problem: Resource management
Pretension of unlimited resourcesLack of accounting
→ Largely indeterministic behavior→ Need for complex heuristics, schedulers
Genode as Desktop OS 8
Problem: Resource management
Pretension of unlimited resourcesLack of accounting→ Largely indeterministic behavior
→ Need for complex heuristics, schedulers
Genode as Desktop OS 8
Problem: Resource management
Pretension of unlimited resourcesLack of accounting→ Largely indeterministic behavior→ Need for complex heuristics, schedulers
Genode as Desktop OS 8
Problem: Resource management
Pretension of unlimited resourcesLack of accounting→ Largely indeterministic behavior→ Need for complex heuristics, schedulers
Genode as Desktop OS 8
Universal Truths
Ease of useSecurity
Utilization
ScalabilityAssurance
Accountability
Genode as Desktop OS 9
Key technologies
Microkernels
Componentization, kernelization
Capability-based security
Virtualization
...but how to compose those?
Genode as Desktop OS 10
Key technologies
Microkernels
Componentization, kernelization
Capability-based security
Virtualization
...but how to compose those?
Genode as Desktop OS 10
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 11
Idea
→ Application-specific TCB
Genode as Desktop OS 12
Combined with virtualization
Genode as Desktop OS 13
Object capabilities
Delegation of authority between components
Each component lives in a virtual environment
A component that possesses a capability canI Use it (invoke)I Delegate it to acquainted components
Genode as Desktop OS 14
Object capabilities
Delegation of authority between components
Each component lives in a virtual environment
A component that possesses a capability canI Use it (invoke)I Delegate it to acquainted components
Genode as Desktop OS 14
Object capabilities
Delegation of authority between components
Each component lives in a virtual environment
A component that possesses a capability canI Use it (invoke)
I Delegate it to acquainted components
Genode as Desktop OS 14
Object capabilities
Delegation of authority between components
Each component lives in a virtual environment
A component that possesses a capability canI Use it (invoke)I Delegate it to acquainted components
Genode as Desktop OS 14
Recursive system structure
Genode as Desktop OS 15
Resource management
Explicit assignment of physical resources to components
Genode as Desktop OS 16
Resource management (II)
Resources can be attached to sessions
Genode as Desktop OS 17
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 18
Components
Genode as Desktop OS 19
Components
Genode as Desktop OS 20
Components
Genode as Desktop OS 21
Components
Genode as Desktop OS 22
Components
Genode as Desktop OS 23
Components
Genode as Desktop OS 24
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 25
Faithful virtualization (traditional)
root mode non-root mode
Guest OS
VMprocess
/dev/vboxdrvkernel
vboxdrv.ko
VMMR0 / Hypervisor
highly complex
access control?
authorized tochange the kernel
highly complex
Genode as Desktop OS 26
VirtualBox as Genode subsystem
User Mode
Privileged ModeNOVA Hypervisor
Core
Init
Resource Multiplexer
UnmodifiedGuest OS
virtual CPU
virtual device
virtual RAM
VMMDevice Driver
Kernel
Genode as Desktop OS 27
OS-level virtualization
Genode as Desktop OS 28
OS-level virtualization
Genode as Desktop OS 28
OS-level virtualization (example)
Init
Backdrop FS-ROM RAM FSNoux
Runtime
Editor
configROM
filesystem
filesystem
Genode as Desktop OS 29
Multi-component applications
Init
Window managerNitpicker App
Report ROM
ROMReportDecorator Layouter
Nitpicker
Nitpicker
ROM<window -list >
...
</window -list >
ROM<hover >
...
</hover >
Report<window -layout >
...
</window -layout >
ROM<window -layout >
...
</window -layout >
Report<hover >
...
</hover >
input
Genode as Desktop OS 30
Multi-component applications
Init
Window managerNitpicker App
Report ROM
ROMReportDecorator Layouter
Nitpicker
Nitpicker
ROM<window -list >
...
</window -list >
ROM<hover >
...
</hover >
Report<window -layout >
...
</window -layout >
ROM<window -layout >
...
</window -layout >
Report<hover >
...
</hover >
input
Genode as Desktop OS 30
“Turmvilla” scenario
Init
NitpickerGUI
WindowManager CLI monitor
timeracpi drvacpi report romplatform drvahci drvpart blklog file terminallogrump fswifi drvps2 drvusb drvfb drvrtc drvtrace subject reporterinput mergerreport romnitpickerwm report romwmlayouterdecoratorvbox pointershared fsconfig fsconfig romromcli nit fbcli terminal
VirtualBox Noux
Genode as Desktop OS 31
Rich applications
Loader
Init
AroraWeb
Browser
Init
NitpickerGUI
TCP/IP
Menu
NitpickerGUI
Virtual FramebufferLaunchpad
Testnit
Genode as Desktop OS 32
Outline
1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future
Genode as Desktop OS 33
Disclaimer
Currently used by only a few enthusiasts
No package management
Limited hardware support
Not yet palatable for uninitiated end users
Genode as Desktop OS 34
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
Ambitions
Eating our own dog food (tool chain, email, IRC...)
Capability-based desktop environment
Muen and seL4 as base platforms
RISC-V
USB Armory
Nix package manager
Collaborating with Qubes?
Genode as Desktop OS 35
The Book “Genode Foundations”
GENODEOperating System Framework
FoundationsNorman Feske
http://genode.org/documentation/genode-foundations-15-05.pdf
Genode as Desktop OS 36
Thank you
Genode OS Frameworkhttp://genode.org
Genode Labs GmbHhttp://www.genode-labs.com
Source code at GitHubhttp://github.com/genodelabs/genode
Genode as Desktop OS 37