Genode as Desktop OS

Norman Feske <[email protected]>

Outline

1. Why another operating system?
2. Architectural principles
3. Framework for building operating systems
4. Desktop scenarios
5. Present and future

1. Why another operating system?

Universal truths: Assurance, Scalability, Accountability, Utilization, Security, Ease of use

Problem: Complexity

Today's commodity OSes have an exceedingly complex trusted computing base (TCB). The TCB of an application on Linux comprises:

  • Kernel + loaded kernel modules
  • Daemons
  • X Server + window manager
  • Desktop environment
  • All running processes of the user

→ User credentials are exposed to millions of lines of code

Problem: Complexity (II)

Implications:

  • High likelihood for bugs (need for frequent security updates)
  • Huge attack surface for directed attacks
  • Zero-day exploits

Problem: Resource management

  • Pretension of unlimited resources
  • Lack of accounting

→ Largely indeterministic behavior
→ Need for complex heuristics, schedulers

Key technologies

  • Microkernels
  • Componentization, kernelization
  • Capability-based security
  • Virtualization

...but how to compose those?

2. Architectural principles

Idea → Application-specific TCB

Combined with virtualization: each component lives in a virtual environment.

Object capabilities: delegation of authority between components. A component that possesses a capability can

  • Use it (invoke)
  • Delegate it to acquainted components

Recursive system structure

Resource management: explicit assignment of physical resources to components

Resource management (II): resources can be attached to sessions

3. Framework for building operating systems

Components (diagram slides)
4. Desktop scenarios

Faithful virtualization (traditional)

  • Root mode: Guest OS kernel, VMMR0 / Hypervisor (highly complex), vboxdrv.ko (authorized to change the kernel)
  • Non-root mode: VM process, /dev/vboxdrv (highly complex; access control?)

VirtualBox as Genode subsystem

  • Unmodified guest OS kernel on virtual CPU, virtual RAM, virtual devices
  • User mode: VMM, resource multiplexer, device driver, Init, Core
  • Privileged mode: NOVA hypervisor

OS-level virtualization (example)

  • Editor running in the Noux runtime
  • Backdrop, FS-ROM, RAM FS, config file, file system, ROM
  • Init

Multi-component applications

  • Nitpicker (GUI server), Init
  • Window manager consisting of Layouter, Decorator and Report ROM components
  • Report/ROM exchange between them: <window-layout>, <hover>, <window-list>
  • App connects to the window manager's Nitpicker interface rather than to the GUI server directly

"Turmvilla" scenario: timer, acpi drv, acpi report rom, VirtualBox, Noux, platform drv, ahci drv, part blk, log file terminal, log, rump fs, wifi drv, ps2 drv, usb drv, fb drv, rtc drv, Nitpicker, window manager (wm, layouter, decorator, report rom), trace subject reporter, CLI monitor, input merger, GUI, vbox pointer, shared fs, config fs, config rom, cli nit fb, cli terminal, Init

Rich applications: Testnit, Nitpicker, Virtual Launchpad GUI, Framebuffer, Arora Web Browser, TCP/IP, Init, Nitpicker Loader, Menu GUI
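The multi-component window-manager scenario expressed as a Genode init configuration. This is an added example, not from the slides, written in the init syntax of recent Genode releases (service names such as "Nitpicker" and the exact set of core services vary between releases); the component names, quotas and parent-provided services are assumptions, and the real wm also needs Report/ROM routes that are omitted here:

```xml
<config>
	<!-- Services this subsystem receives from its own parent. A child can be
	     routed only to one of these or to a sibling that provides the service;
	     there is no ambient authority to reach anything else. -->
	<parent-provides>
		<service name="ROM"/>
		<service name="CPU"/>
		<service name="PD"/>
		<service name="LOG"/>
		<service name="Nitpicker"/>
	</parent-provides>

	<!-- Window manager: the only child routed to the real GUI server.
	     RAM and capability quotas are explicit, fixed shares of this init's
	     own quota (assumed values). -->
	<start name="wm" caps="100">
		<resource name="RAM" quantum="8M"/>
		<provides> <service name="Nitpicker"/> </provides>
		<route>
			<service name="Nitpicker"> <parent/> </service>
			<any-service> <parent/> </any-service>
		</route>
	</start>

	<!-- Application: its Nitpicker session is routed to the wm child, so the
	     app never obtains a capability to the underlying GUI server. Its RAM
	     is accounted separately; exhausting it does not affect wm. -->
	<start name="app" caps="100">
		<resource name="RAM" quantum="4M"/>
		<route>
			<service name="Nitpicker"> <child name="wm"/> </service>
			<any-service> <parent/> </any-service>
		</route>
	</start>
</config>
```

Removing the "Nitpicker" route from the app's <route> node is enough to deny it any GUI access: init refuses session requests that have no matching route.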
5. Present and future

Disclaimer

  • Currently used by only a few enthusiasts
  • No package management
  • Limited hardware support
  • Not yet palatable for uninitiated end users

Ambitions

  • Eating our own dog food (tool chain, email, IRC...)
  • Capability-based desktop environment
  • Muen and seL4 as base platforms
  • RISC-V
  • USB Armory
  • Nix package manager
  • Collaborating with Qubes?

The Book "Genode Foundations" (Genode Operating System Framework Foundations, Norman Feske): http://genode.org/documentation/genode-foundations-15-05.pdf

Thank you

  • Genode OS Framework: http://genode.org
  • Genode Labs GmbH: http://www.genode-labs.com
  • Source code at GitHub: http://github.com/genodelabs/genode
