Hello Jean-Adrien,
thank you very much for your enthusiastic posting. I'm happy that you hold our project in such high regard.
You are presenting a firework of ideas! Please see my comments below.
First, I will fix issues I have with my test machine to run Sculpt fully featured. Currently, networking via Wifi is not possible. Other difficulties may come after improving connectivity support.
Don't hesitate to post your hardware configuration (e.g., the model of the Wifi card) here. Maybe, someone else has already taken steps to enable it?
Then during my spare time, I would like to join efforts on support for Xen or Virt. Layer for Qube, adjusting myself to ongoing plans, if any exist?
Even though we brainstormed ideas to bring both projects closer together, I am not aware of any concrete efforts under way.
Following the "Roadmap 2023" discussion and after having a recent look at "Futur Challenges" [1] on the website, it is with lots of excitement that I found many subjects very close to my interests. Here are the topics:
- Character device drivers as VFS plugins
I proposed, some time ago [2], an SPI driver. The commits never made it to the staging branch because of the interfacing / "quality". Over time, at Gapfruit, we gained experience using the SPI bus, but only with TPMs. We recently refactored it into a VFS plugin for easier interfacing with libraries such as WolfTPM and TPM TSS. I believe BUS drivers such as I2C and SPI could be unified behind a standard "character device" VFS plugin interface. Can that benefit the community? I can put some effort into improving and contributing those commits.
I very much appreciate your suggestion. Personally, my experience in these areas (TPMs, SPI) is quite limited. But the option of plugging character-device drivers into a generic VFS character-device plugin sounds attractive.
Maybe this character-device interface could be designed such that the actual driver code can be operated both in a free-standing fashion (e.g., hosted inside a VFS-less component) as well as embedded in a VFS plugin? So the character driver would actually be a "VFS plugin plugin". That would be great!
- Genode as virtualization layer for Qubes OS
...
It brings so many questions to my mind. First, does full support for a hypervisor such as Xen need to find its way to Genode? Or is base-nova already a viable candidate?
From a security perspective, NOVA is preferable over Xen because NOVA's attack surface is more than an order of magnitude smaller, and Genode/NOVA does not require a Dom0 at all. I got the impression that some Qubes developers found prospect of replacing Xen by a microhypervisor (like NOVA) quite intriguing.
On the other hand, we have to keep in mind that Genode/NOVA currently still lacks a few convenience features like suspend/resume. This, however, will be addressed throughout this year.
Speaking of hypervisor candidates, there is current work in progress to enable the use of Genode's base-hw microkernel as hypervisor on x86 as well. So this may become a further option.
Are all necessary building blocks for AppVM message passing present within Genode?
I think this was the point where our past brainstorming got stuck.
If I remember right, Qubes uses Xen's event channels and shared memory as inter-VM-transport mechanism. VirtualBox on Genode offers quite many host-guest integration features, but none seemed to perfectly align with the needs of Qubes. There were multiple options to explore. But the exploration never really happened.
Which approach would you privilege first for investigation?
I think that it would be best to pick up the existing discussion [1] and interview Marek Górecki so that he can share his views and ideas.
[1] https://forum.qubes-os.org/t/qubes-os-based-on-the-genode-os-framework/11735
The biggest question seems to be how to map the Qubes middleware to the mechanisms available under VirtualBox.
If Xen, support for Genode in a Dom0 scenario first?
To me this sounds quite distracting when considering the following topics.
- One will have to convince Genode to run under Xen. - One will need to host the VM management functionality on Genode, which comes down to a huge porting effort. - Once succeeded, there is still no clear migration path away from Xen.
I would probably not pick this way.
Or, as an AppVM first, focussing on Qube RPC mechanism support? (I am aware of Xen DomU support, but I do not have all details in mind) Currently, those questions might be off-topic. Overall, it seems a significant challenge.
That's probably a rather lower-hanging fruit regarding the combination of both projects (compared to the other directions). But on the other hand, it does not add a huge value to either project.
From Qubes' perspective, there are already unikernels like MirageOS that satisfy the desire for low-complexity AppVMs. Genode would not solve a real problem here.
From Genode's perspective, the Qubes middleware interfaces can only be used on top of Qubes/Xen. But replacing Genode's regular use of a microhypervisor like NOVA by Xen is not attractive.
Therefore, this topic may be best pursued by a regular Qubes user as an experiment, just out of curiosity if it is possible to integrate Genode into a familiar environment, without expecting a measurable impact on either project.
- Xen as "Kernel" for Genode
My ultimate goal here would be to have a pure minimal Genode-based OS in Dom0 for only managing guests' VM.
Last summer, by curiosity related to 2), I started investigating necessary changes to the build system for building Xen as a port and generating a boot image using Xen with a Genode base-hw minimal scenario as Dom0. I was able to set up the port, successfully building Xen and booting it, but with a minimal Linux as Dom0 instead of a chosen Genode scenario "run/log," e.g.
I still need to reach my goal. The real work only begins now. My primary technical motivation was working on low-level mechanisms to manage DomU(s) and enable RPC from one DomU to the other. I lost interest over time because I needed to be more confident in its relevance and missed lots of knowledge.
At that time, I was unaware of the work of Julian Stecklina. I would be interested in looking into it! Is it publicly available?
Wow, this was more than 15 years ago. I'm not aware of any remaining public traces of this work. Have you tried contacting Julian about it?
Another topic I was very interested in is initiatives like Spunky [3]. I am not making it a point as this is not to take as seriously as the others. With the gain of popularity from languages like, e.g. Rust. Is there any plan or similar initiative in that regard?
I have to confess that Spunky is currently on ice [1].
[1] https://github.com/genodelabs/genode/issues/3308#issuecomment-1235217730
This year's road map will revive Genode's foray with Rust. But this time, we will explore it by starting with the application level (Rust atop Genode's POSIX support). The goal is to make it very easy to compile Rust software for Genode using the Goa tool. So we can gradually familiarize ourselves with the benefits of the language without introducing any friction.
The other direction you mentioned - replacing C++ of the base framework with something else - is outside the scope of 2023. Given the rationale of [1], I think we should not seek salvation in alternatives right now but focus on tangible evolutionary improvements while using C++, like replacing exceptions with the 'Attempt' pattern [2], and further tightening the base API.
[2] https://genodians.org/nfeske/2021-11-26-attempt-no-exceptions
I would be up to start one as a pet project. I am interested in trying this out with the Zig programming language [4]. My motivation for such a language comes from a Youtuber I appreciate [5]. He made an interesting video on memory safety within different languages [6]. I do not have any strong opinion on "C++ vs any other lang" topics. If you have other languages in mind, please let me know!
Have you considered integrating support for alternative languages like zig into Goa [3]?
[3] https://github.com/nfeske/goa
Finally, thank you all for your supportive, kind and professional attitude! Since I started working with the Genode OS Framework, it has always been a pleasure to read from and interact with any of you. I am relatively junior to OS development. Thanks to my co-workers and following daily discussions on this mailing list, I learned a lot!
Thank you for sharing your many interests and ideas! I take your email as a big compliment. :-)
Cheers Norman