users

users@lists.genode.org

2285 discussions

Sabre Lite imx6
by Baconicsynergy 02 Jan '18

02 Jan '18

Hello friends :) I am now the proud owner of the sabre lite imx6 SoC for the purpose of experimenting and running seL4, and am really eager to start building Genode scenarios. Unfortunately, the create_builddir tool only specifies imx53. What can i do to start working with genode on the sabre lite? Best regards, Joel Desermeau

3 2

Decentralized reproducible packages distribution system
by Michael Bideau 29 Dec '17

29 Dec '17

Hi everyone, I'm very new to Genode (discovered last week with seL4), so please forgive my lack of experience. I just wanted to bring you some information that might interest you, may be not today but soon (I hope). I stumble accross CHAINIAC <https://eprint.iacr.org/2017/648.pdf> (Usenix presentation video <https://www.usenix.org/conference/usenixsecurity17/technical-sessions/prese…>), a system to distribute software with many nice properties, that might be used for Debian packages one day. I copy-past Bryan Ford (co-author) description emailed at IEFT <https://www.ietf.org/mail-archive/web/suit/current/msg00154.html> : Abstract: Software-update mechanisms are critical to the security of modern systems, but their typically centralized design presents a lucrative and frequently attacked target. In this work, we propose CHAINIAC, a decentralized software-update framework that eliminates single points of failure, enforces transparency, and provides efficient verifiability of integrity and authenticity for software-release processes. Independent witness servers collectively verify conformance of software updates to release policies, build verifiers validate the source-to-binary correspondence, and a tamper-proof release log stores collectively signed updates, thus ensuring that no release is accepted by clients before being widely disclosed and validated. The release log embodies a skipchain, a novel data structure, enabling arbitrarily out-of-date clients to efficiently validate updates and signing keys. Evaluation of our CHAINIAC prototype on reproducible Debian packages shows that the automated update process takes the average of 5 minutes per release for individual packages, and only 20 seconds for the aggregate timeline. We further evaluate the framework using real-world data from the PyPI package repository and show that it offers clients security comparable to verifying every single update themselves while consuming only one-fifth of the bandwidth and having a minimal computational overhead. It uses blockchain, but it is an optional feature (as discussed in the Q&A at the end of the Usenix Conference <https://youtu.be/xpT6L8htINU?t=24m18s>) as long as you can check servers of the Cothority (if I have understood it well). It is written in Go (github repo <https://github.com/dedis/paper_chainiac>). On the subject of application portability/deployment, I know there is a lot of initiatives trying to normalize application packaging in a Linux kernel context, like OCI <https://www.opencontainers.org/>, Habitat <https://www.habitat.sh/>, Flatpak <https://flatpak.org/>, each targetting a different audience (cloud/desktop). It might be an interesting combination with Chainiac... I don't know. That was my $2 contribution. Hope it was not spam for you. I really want to help. I can start a wiki page if you want? But I will not be able to maintain it. Disclaimer : I'm absolutely not an expert neither about kernel/OS development, software distribution/package management, cyber security or any technology of this topic. But, until recently I've tryed to develop a generic desktop secure OS that isolate every process into a sandbox (using a Linux kernel, tools like firejail/bubblewrap/minijail providing linux-namespace and secomp-bpf, and inspiration from OpenWall for least priviledge policy. I've a prototype runing and working well but really too hacky. I've stopped because of not enought time and resources. Genode is an obviously much better approach! Congrats :-) I cannot wait to see my workstation runing a port of Qubes/SubGraph on Genode+seL4... Best wishes and happy new year. Michael Bideau, from France.

1 0

IPC messaging
by Nobody III 29 Dec '17

29 Dec '17

Currently, Genode has session interfaces for various use cases, but I'm unsure of which one to use for simple "send-and-forget" scenarios. The "Terminal" interface seems to be the best option currently available, but seems a little misleading. Should I use "Terminal" sessions for send-and-forget IPC, or is there a better option?

2 1

improved fs_rom
by Nobody III 29 Dec '17

29 Dec '17

While working on my own "Sculpt" scenario, I saw that the fs_rom server still doesn't allow using multiple directories as sources. Being able to separate the executables, libraries, and config files would be very helpful for organizing the filesystem and providing shared libraries to programs without exposing the configuration files as well. Is there a way to do this with the components currently available, or should fs_rom (or some other component) be modified to enable ROM file separation?

2 4

vfs named pipes
by Nobody III 27 Dec '17

27 Dec '17

Currently, there is no vfs plugin for named pipes. I can emulate this using two vfs instances and terminal_crosslink (using <terminal> vfs nodes), but is there a better/cleaner way of doing this?

1 0

pthread_main_np not implemented
by Steven Harp 27 Dec '17

27 Dec '17

After upgrading to 17.11, I noticed some of my libc+lwip using programs have started logging many warnings like: pthread_main_np_int: pthread_main_np called, not implemented This is observed with a fresh checkout (under x86_32/nova); so, I presume the cause is distinct from the similar warnings noted in #2312. Possibly related (?), during build, there were also quite a few warnings like: libports/src/lib/libc_lwip/plugin.cc:284:31: warning: âGenode::Env_deprecated* Genode::env()â is deprecated [-Wdeprecated-declarations] Genode::destroy(Genode::env()->heap(), context(fdo)); The programs actually seem to work, but the logs are "overly colorful". Perhaps there is some initialization that needs to be done differently? Any diagnostic hints appreciated. // Steve Harp

2 1

quota management and RAM reservation
by Nobody III 27 Dec '17

27 Dec '17

The RAM preservation feature in init is very nice; I used to have issues with init running out of memory. However, the RAM reservation applies after first reserving the RAM for all of the child processes based on their quotas. That may be fine in most cases, but it doesn't work properly when you give a child process a huge RAM quota to ensure that it gets all of the available RAM. In that situation, the RAM preservation happens after all of the available RAM has been reserved for the child processes, leaving no RAM available for init to preserve for itself. Something needs to change here. Changing the ordering is the simplest solution, but there may be a better solution. When we reserve all the remaining RAM for a particular process, we supply a huge RAM quota that is much larger than the process actually needs. It seems that the solution would be to split the quota numbers into a minimum (amount *reserved*) and a maximum (amount *available*). It would work very nicely for standard desktop workloads, especially when web browsers are involved. For example, I'd like to ensure that chromium has access to up to 2G of RAM, if it is available, but I don't want to reserve 2G of RAM specifically for chromium. Would this solution work well? Or is there something that I'm missing here?

1 0

wifi: assignment of PCI device failed
by Johannes Kliemann 21 Dec '17

21 Dec '17

Hi all, I tried to use the Wifi driver for Intel wifi chips. When running the driver I get the following messages: > [platform_drv] Error: wifi_drv -> : assignment of PCI device 4:0.0 failed phys=0xf8400000 virt=0x10 and > [wifi_drv] [iwl_trans_pcie_grap_nic_access] *WARN* Timeout waiting for hardware access (CSR_GP_CNTRL 0xffffffff) The corresponding run file [1] is explicitly written without any default routes. I can only provide a photo of the log output [2] (at least the visible part) as I don't have any other debug method yet on this hardware. I thought that this was a missing route but I couldn't find a related message and assigning default routes didn't fix it. The error seems to appear in repos/base-nova/src/core/pd_session_support.cc:assign_pci returning false but I couldn't find out why this happens. Does anyone have an idea? Regards, Johannes [1]: https://github.com/jklmnn/base-linux-hw/blob/5824238397139b012785f056c12670… [2]: https://imgur.com/a/DkWTq

3 9

overhead of using multiple processes
by Nobody III 21 Dec '17

21 Dec '17

In Genode, it is common practice to separate everything into small modular components, especially when dealing with untrusted data. How far can we go with this before running into performance or memory issues? For example, a file manager would benefit from content-based file type identification. However, identifying files within the file manager (e.g. using libmagic) could pose a security risk. However, using a discrete component for this could have a noticeable effect on performance. If we use a single component instance for all of the files, the only significant added overhead would be from IPC, AFAIK. This seems to be acceptable in terms of performance, but a malicious file may be able to cause the component to misidentify other files in the directory, which could be a security risk. A more secure method would be to run an instance of the component for each individual file in the directory. However, this may substantially reduce performance for large directories, depending on the overhead of component creation. Would performance be an issue here? (And am I overestimating the risk of file misidentification?) Similar cases include icon/thumbnail rendering, general-purpose image loading, and text rendering from many different sources. Would there be any notable differences for these?

2 2

libc and Genode signal handlers, RPC
by Steven Harp 20 Dec '17

20 Dec '17

Release 17.02 introduced a new execution model of the C runtime which was, I believe, intended to make it possible to write components that combine regular Genode signal handlers and RPC with code using libc. This would be very handy for porting network services etc that are greatly simplified by the C runtime. Q: Is there a preferred model for the interaction between the libc and non-libc parts of such a component? For example, suppose we want to make the libc code block on a Genode signal (asynchronous event)? After reading discussion [1] I found that running the libc elements in a new Genode thread, and blocking on a Genode::Semaphore was a workable option, though perhaps not very elegant. The naive approach (using the semaphore without the extra thread) seems to lead to a situation where signals are received but never unblock the libc code. Can anyone recommend some examples/tests that illustrate the intended new approach for: (a) libc code blocking on a Genode signal, (b) a component's RPC service invoking some code using libc (c) libc code invoking Genode RPC (d) invoking libc code in Genode callback, e.g. timeout handler (My question relates to the 17.11 version of Genode.) Regards, Steve Harp [1] https://sourceforge.net/p/genode/mailman/message/35912728/

2 1

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

users