Genode as Desktop OS

Norman Feske Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS2 Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS3 Universal Truths

Assurance Scalability

Accountability Utilization

Security Ease of use

Genode as Desktop OS4 TCB of an application on Linux: Kernel + loaded kernel modules Daemons X Server + window manager Desktop environment All running processes of the user → User credentials are exposed to millions of lines of code

Problem: Complexity

Today’s commodity OSes Exceedingly complex trusted computing base (TCB)

Genode as Desktop OS5 → User credentials are exposed to millions of lines of code

Problem: Complexity

Today’s commodity OSes Exceedingly complex trusted computing base (TCB) TCB of an application on Linux: Kernel + loaded kernel modules Daemons X Server + window manager Desktop environment All running processes of the user

Genode as Desktop OS5 Problem: Complexity

Today’s commodity OSes Exceedingly complex trusted computing base (TCB) TCB of an application on Linux: Kernel + loaded kernel modules Daemons X Server + window manager Desktop environment All running processes of the user → User credentials are exposed to millions of lines of code

Genode as Desktop OS5 Huge attack surface for directed attacks

Zero-day exploits

Problem: Complexity (II)

Implications:

High likelihood for bugs (need for frequent security updates)

Genode as Desktop OS6 Zero-day exploits

Problem: Complexity (II)

Implications:

High likelihood for bugs (need for frequent security updates)

Huge attack surface for directed attacks

Genode as Desktop OS6 Problem: Complexity (II)

Implications:

High likelihood for bugs (need for frequent security updates)

Huge attack surface for directed attacks

Zero-day exploits

Genode as Desktop OS6 Universal Truths

Assurance Scalability

Accountability Utilization

Security Ease of use

Genode as Desktop OS7 → Largely indeterministic behavior → Need for complex heuristics, schedulers

Problem: Resource management

Pretension of unlimited resources Lack of accounting

Genode as Desktop OS8 → Need for complex heuristics, schedulers

Problem: Resource management

Pretension of unlimited resources Lack of accounting → Largely indeterministic behavior

Genode as Desktop OS8 Problem: Resource management

Pretension of unlimited resources Lack of accounting → Largely indeterministic behavior → Need for complex heuristics, schedulers

Genode as Desktop OS8 Problem: Resource management

Pretension of unlimited resources Lack of accounting → Largely indeterministic behavior → Need for complex heuristics, schedulers

Genode as Desktop OS8 Universal Truths

Assurance Scalability

Accountability Utilization

Security Ease of use

Genode as Desktop OS9 ...but how to compose those?

Key technologies

Microkernels

Componentization, kernelization

Capability-based security

Virtualization

Genode as Desktop OS 10 Key technologies

Microkernels

Componentization, kernelization

Capability-based security

Virtualization

...but how to compose those?

Genode as Desktop OS 10 Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS 11 Idea

→ Application-specific TCB

Genode as Desktop OS 12 Combined with virtualization

Genode as Desktop OS 13 Each component lives in a virtual environment

A component that possesses a capability can

I Use it (invoke) I Delegate it to acquainted components

Object capabilities

Delegation of authority between components

Genode as Desktop OS 14 A component that possesses a capability can

I Use it (invoke) I Delegate it to acquainted components

Object capabilities

Delegation of authority between components

Each component lives in a virtual environment

Genode as Desktop OS 14 I Delegate it to acquainted components

Object capabilities

Delegation of authority between components

Each component lives in a virtual environment

A component that possesses a capability can

I Use it (invoke)

Genode as Desktop OS 14 Object capabilities

Delegation of authority between components

Each component lives in a virtual environment

A component that possesses a capability can

I Use it (invoke) I Delegate it to acquainted components

Genode as Desktop OS 14 Recursive system structure

Genode as Desktop OS 15 Resource management

Explicit assignment of physical resources to components

Genode as Desktop OS 16 Resource management (II)

Resources can be attached to sessions

Genode as Desktop OS 17 Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS 18 Components

Genode as Desktop OS 19 Components

Genode as Desktop OS 20 Components

Genode as Desktop OS 21 Components

Genode as Desktop OS 22 Components

Genode as Desktop OS 23 Components

Genode as Desktop OS 24 Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS 25 Faithful virtualization (traditional)

root mode non-root mode authorized to change the kernel VM process

highly complex

access control?

/dev/vboxdrv Guest OS kernel

highly complex vboxdrv.ko

VMMR0 / Hypervisor

Genode as Desktop OS 26 VirtualBox as Genode subsystem

Unmodified Guest OS

Kernel

virtual virtual virtual CPU RAM device Resource Device VMM Multiplexer Driver

Init

Core User Mode

NOVA Hypervisor Privileged Mode

Genode as Desktop OS 27 OS-level virtualization

Genode as Desktop OS 28 OS-level virtualization

Genode as Desktop OS 28 OS-level virtualization (example)

Editor

Noux Backdrop FS-ROM RAM FS Runtime

config file file ROM system system

Init

Genode as Desktop OS 29 Report ROM Decorator Layouter Report ROM

input Report ROM Report ROM ROM ......

Nitpicker Window manager Nitpicker App Nitpicker

Init

Multi-component applications

Genode as Desktop OS 30 Multi-component applications

Report ROM Decorator Layouter Report ROM

input Report ROM Report ROM ROM ......

Nitpicker Window manager Nitpicker App Nitpicker

Init

Genode as Desktop OS 30 “Turmvilla” scenario

timer acpi drv acpi report rom VirtualBox Noux platform drv ahci drv part blk log file terminal log rump fs wifi drv ps2 drv usb drv fb drv rtc drv Nitpicker Window trace subject reporter CLI monitor input merger GUI Manager report rom nitpicker wm report rom wm layouter decorator vbox pointer shared fs config fs config rom rom cli nit fb Init cli terminal

Genode as Desktop OS 31 Rich applications

Testnit

Nitpicker Virtual Launchpad GUI Framebuffer Arora Web Browser

TCP/IP Init

Nitpicker Loader Menu GUI

Init

Genode as Desktop OS 32 Outline

1. Why another operating system?

2. Architectural principles

3. Framework for building operating systems

4. Desktop scenarios

5. Present and future

Genode as Desktop OS 33 Disclaimer

Currently used by only a few enthusiasts

No package management

Limited hardware support

Not yet palatable for uninitiated end users

Genode as Desktop OS 34 Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

USB Armory

Nix package manager

Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Genode as Desktop OS 35 Muen and seL4 as base platforms

RISC-V

USB Armory

Nix package manager

Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Genode as Desktop OS 35 RISC-V

USB Armory

Nix package manager

Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

Genode as Desktop OS 35 USB Armory

Nix package manager

Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

Genode as Desktop OS 35 Nix package manager

Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

USB Armory

Genode as Desktop OS 35 Collaborating with Qubes?

Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

USB Armory

Nix package manager

Genode as Desktop OS 35 Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

USB Armory

Nix package manager

Collaborating with Qubes?

Genode as Desktop OS 35 Ambitions

Eating our own dog food (tool chain, email, IRC...)

Capability-based desktop environment

Muen and seL4 as base platforms

RISC-V

USB Armory

Nix package manager

Collaborating with Qubes?

Genode as Desktop OS 35 The Book “Genode Foundations”

GENODE Operating System Framework

Foundations Norman Feske http://genode.org/documentation/genode-foundations-15-05.pdf

Genode as Desktop OS 36 Thank you

Genode OS Framework http://genode.org

Genode Labs GmbH http://www.genode-labs.com

Source code at GitHub http://github.com/genodelabs/genode

Genode as Desktop OS 37