On Thu, Dec 24, 2015 at 12:47:13PM +0100, Norman Feske wrote:
Hi Jookia,
thanks for joining the discussion! Do you have any concrete plans for Genode on the Novena board?
Concrete? Hmm. I'm still setting up NixOS on it and documenting my setup in a system-agnostic way which could be translated to Genode. I'd like to use Genode on it as a replacement for my existing system eventually. I haven't done too much more research as I'm mainly waiting for a package manager. Ideally I'd like to leverage the isolation I get on Genode to compose a complex system.
Configuring firewalls and routes when you have multiple interfaces, including containers on GNU/Linux is a nightmare. I tried to avoid containers as much as I could, but eventually I had to give in as there's no way to have per-interface DNS on GNU unless you're running a container, due to system state.
I'd like to have better sandboxing for my applications. I could use containers in NixOS, and it's tempting as I don't have the pay much of the cost of duplicating a rootfs, but still complex to set up when you want to share data such as through a GUI or file system. One good reason for this is security, but development is probably a bigger factor for me.
I'd like to allocate resources and CPU time to processes easier. Right now I've installed BFQ and BFS in my Linux kernel which will magically speed up my system, though I still don't have the knowledge or tools to set up cgroups to limit resources. I'm not even trying to do anything too amazing, it's just difficult to say to my computer 'Hey, run my photo rendering but do it in the background when I'm not using my disk or CPU' without doing all this and installing schedtool (which I haven't managed to set up yet.)
It's not that I don't have time to learn these things, I'm fortunate enough that I do- it's that it's tedious even for someone who does somewhat low level hacking. The more I try and get my computer to do multiple things the more it feels like I don't have the tools for it to do them. Not because I don't have the hardware or software, but because I don't have enough isolation for things to not clobber each other.
That's my motivation. So off the top of my head for things I'd need in Genode: Free software, and lots of it. A GTK port, a Tor port, an OpenVPN port, something like JACK for audio (routing applications mainly), video and photo editing through Blender and RawTherapee, web browsing through Tor Browser, some kind of routing system that can handle NAT along with a network stack suited for a router (DHCP, IPv6, etc), and a 'proper' firewall system.
Having GNU/Linux running in TrustZone and using Xpra to view them in Genode would help- though I'd still want to port my free video drivers (etnaviv) to Genode. Unfortunately I'm certain that's out of my skill level and the half a dozen people working on etnaviv are much too busy for this. Unless I can do porting without understanding more than the modules and APIs. From what I know I can't run the i.MX6 GPU in the TrustZone side, so this might actually be the 'one thing' that stops me from using Genode as I tend to need acceleration for video playback. I'm still not sure about this. I'd be fine doing the work if it doesn't require in-depth graphics knowledge but more grunt work.
Now, I mentioned 'proper' firewall system above in quotes. I'm not going to do another rant, but rather focus on what I'd like to see on a firewall system: Integration with system routing. I'd like to focus on per-application rules rather than per-interface or per-port, and multiplexers to combine applications or interfaces. I'd also like to see applications that do routing too. My current rules are complex and involve giving applications (defined by port or user) access to interfaces based on interface and subnet.
I've been toying with the idea of running a VPN in a container on GNU/Linux and exporting a HTTP proxy so it handles DNS automatically while having no DNS or direct Internet access on the host. In Genode this could be replaced by routing applications to a router application which is composed with OpenVPN perhaps.
Either way, that's my brain dump for now. I'm eager to get Genode going on the Novena and probably more obscure hardware in the future like lowRISC if I ever see a way to get a kernel on it. Having a fully free software stack allows me to do all this. Happy holidays in UTC+12!
Cheers Norman
Cheers, Jookia.