On Tue, Jun 16, 2015 at 05:59:30PM +0200, Norman Feske wrote:
> Hi Jookia,
Hi again,
> For a setup like the Turmvilla scenario where we have just a single "rich" Linux instance and a growing number of native Genode components, TrustZone would work well. If you decide to go this route, you may benefit from Martin's current line of work on providing a virtual block device to the normal world. The secure world retains exclusive access to the real device and can make a partition available to the normal world. For the Turmvilla scenario, however, we need to complement this with something similar for the framebuffer and input devices. I just remember that we started our discussion exactly with this topic. :-) If you decide to give it a go, this would be very cool.
I'd certainly like to see this happen, perhaps I could re-use some work of Qubes' implementation: https://www.qubes-os.org/doc/GUIdocs/
> You can actually run a fully-fledged Genode system in the secure world (as your future "normal" OS) and use the normal world for the "rich Linux VM".
That's great, though it's a bit of a hack for my use case. I'm using TrustZone to trust less hardware instead of something like an IOMMU. Using it to also provide application compatibility starts to break down the abstraction further, as there are now three categories: untrusted hardware running GNU/Linux applications, trusted hardware running GNU/Linux applications, and trusted hardware running Genode applications.
Unfortunately, to my knowledge I can't use TrustZone and L4Linux or another virtual machine together given base-hw's current feature set. Someone would have to set up Fiasco.OC's TrustZone support to work with Genode. So I think that rules out both hardware isolation and secure GNU/Linux instances. Are there any plans to change this?
For now I might focus on Fiasco.OC rather than TrustZone.
> Instead of going the Qubes route of using multiple Linux VMs as appliances, I would prefer to enable functionality natively on Genode without relying on virtual machines. There are two motivations behind this direction. First, native components are much lighter (with respect to resources, startup times, and the ease of configuration). Second, only by following this way, Genode will eventually become a self-sustainable system. If we keep on relying on the Linux kernel as application runtime, this will possibly never happen.
I completely agree!
> Cheers, Norman
Cheers, Jookia.