Hi Jookia,
thanks for explaining your background. Now the picture becomes much clearer.
I'm also a big fan of Qubes and security through isolation. Unfortunately, the Novena uses the i.MX6 chipset, which has an ARM Cortex-A9 CPU, which means there's no capacity for hardware-based virtualization or isolation. So I'm left with three choices: don't isolate my environment and use a single GNU/Linux desktop, try porting Qubes to LXC and have a monolithic kernel as a hypervisor, or go down the road of using the wrong tool for the job: TrustZone.
For a setup like the Turmvilla scenario, where we have just a single "rich" Linux instance and a growing number of native Genode components, TrustZone would work well. If you decide to go this route, you may benefit from Martin's current line of work on providing a virtual block device to the normal world. The secure world retains exclusive access to the real device and can make a partition available to the normal world. For the Turmvilla scenario, however, we need to complement this with something similar for the framebuffer and input devices. I just remembered that we started our discussion with exactly this topic. :-) If you decide to give it a go, this would be very cool.
From what I know, TrustZone is ideally used to host a small secure operating system alongside a regular operating system. I'd like to be able to use TrustZone as my normal operating system and use the normal world for untrusted hardware like network adapters or USB sticks. Combining this with L4Linux, I'm hoping I'll be able to have some virtual machines spread out in a Qubes fashion with some hardware protection.
You can actually run a fully-fledged Genode system in the secure world (as your future "normal" OS) and use the normal world for the "rich Linux VM".
Instead of going the Qubes route of using multiple Linux VMs as appliances, I would prefer to enable functionality natively on Genode without relying on virtual machines. There are two motivations behind this direction. First, native components are much lighter (with respect to resources, startup times, and ease of configuration). Second, only by following this path will Genode eventually become a self-sustaining system. If we keep on relying on the Linux kernel as the application runtime, this will possibly never happen.
Cheers,
Norman
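As an added illustration of the secure-world block proxy Norman mentions above (the secure world keeps the real device and exports only a partition to the normal world), here is a small C++ model. It is example code written for this page, not code from Genode, from Martin's work or from this thread; the names Raw_device, Partition and Virtual_block_device are hypothetical, the 16-block device and its contents are constructed, and the block size is assumed to be 512 bytes. The point it shows is the one that makes the design secure: every normal-world request is bounds-checked in the normal world's own block address space, without computing lba + count (which could wrap), before it is translated to a physical block, so the normal world can never address the blocks the secure world keeps for itself.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Assumed block size; Raw_device / Partition / Virtual_block_device are
// hypothetical names for this example, not Genode's real interfaces.
constexpr std::size_t BLOCK_SIZE = 512;

// The physical device, reachable only from the secure world.
class Raw_device {
    std::vector<uint8_t> _data;
public:
    explicit Raw_device(uint64_t blocks) : _data(blocks * BLOCK_SIZE, 0) {}
    uint64_t block_count() const { return _data.size() / BLOCK_SIZE; }
    void read_block(uint64_t lba, uint8_t *dst) const {
        std::memcpy(dst, &_data[lba * BLOCK_SIZE], BLOCK_SIZE);
    }
    void write_block(uint64_t lba, const uint8_t *src) {
        std::memcpy(&_data[lba * BLOCK_SIZE], src, BLOCK_SIZE);
    }
};

// The window of the raw device that the secure world hands to the normal world.
struct Partition { uint64_t first_lba; uint64_t blocks; };

class Virtual_block_device {
    Raw_device &_dev;
    Partition   _part;
    bool        _writable;

    // Overflow-safe bounds check in the normal world's block address space.
    bool _in_window(uint64_t lba, uint64_t count) const {
        if (count == 0 || count > _part.blocks) return false;
        return lba <= _part.blocks - count;   // never evaluates lba + count
    }
public:
    Virtual_block_device(Raw_device &dev, Partition part, bool writable)
    : _dev(dev), _part(part), _writable(writable)
    {
        // The exported window itself must lie within the device.
        if (part.blocks == 0 || part.blocks > dev.block_count()
         || part.first_lba > dev.block_count() - part.blocks)
            throw std::invalid_argument("partition exceeds device");
    }
    bool read(uint64_t lba, uint64_t count, uint8_t *dst) const {
        if (!_in_window(lba, count)) return false;
        for (uint64_t i = 0; i < count; i++)
            _dev.read_block(_part.first_lba + lba + i, dst + i * BLOCK_SIZE);
        return true;
    }
    bool write(uint64_t lba, uint64_t count, const uint8_t *src) {
        if (!_writable || !_in_window(lba, count)) return false;
        for (uint64_t i = 0; i < count; i++)
            _dev.write_block(_part.first_lba + lba + i, src + i * BLOCK_SIZE);
        return true;
    }
};

// Constructed scenario: a 16-block device. Blocks 0-7 stay private to the
// secure world (block 0 holds a marker standing in for key material);
// blocks 8-15 are exported to the normal world as its virtual disk.
static Raw_device make_device() {
    Raw_device dev(16);
    for (uint64_t i = 0; i < dev.block_count(); i++) {
        uint8_t blk[BLOCK_SIZE] = {};
        std::string text = (i == 0) ? "SECRET" : "phys" + std::to_string(i);
        std::memcpy(blk, text.c_str(), text.size() + 1);
        dev.write_block(i, blk);
    }
    return dev;
}

// Reads one block through the normal world's window; "REJECTED" if refused.
std::string normal_world_read(uint64_t lba) {
    Raw_device dev = make_device();
    Virtual_block_device vbd(dev, Partition{8, 8}, true);
    uint8_t blk[BLOCK_SIZE];
    if (!vbd.read(lba, 1, blk)) return "REJECTED";
    return std::string(reinterpret_cast<char *>(blk));
}

// Whether a multi-block request (lba, count) is accepted by the window.
bool request_accepted(uint64_t lba, uint64_t count) {
    Raw_device dev = make_device();
    Virtual_block_device vbd(dev, Partition{8, 8}, true);
    std::vector<uint8_t> buf(std::min<uint64_t>(count, 8) * BLOCK_SIZE);
    return vbd.read(lba, count, buf.data());
}

// A read-only export refuses normal-world writes outright.
bool readonly_write_accepted() {
    Raw_device dev = make_device();
    Virtual_block_device vbd(dev, Partition{8, 8}, false);
    uint8_t blk[BLOCK_SIZE] = {};
    return vbd.write(0, 1, blk);
}

int main() {
    std::printf("normal-world lba 0 -> %s\n", normal_world_read(0).c_str());
    std::printf("normal-world lba 8 -> %s\n", normal_world_read(8).c_str());
    std::printf("wrapping request accepted: %d\n",
                request_accepted(UINT64_MAX - 3, 5));
    return 0;
}
```

The naive check `lba + count <= blocks` would accept the request (UINT64_MAX - 3, 5), because the sum wraps to 1; the window check above rejects it, and it likewise rejects any lba at or past the window end, so the secure world's private blocks (including block 0) are unreachable from the normal world. The same shape of mediation is what a framebuffer or input proxy for the Turmvilla scenario would need: the secure world owns the device, and the normal world sees only a validated sub-range of it.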