Hello,
I looked at an old Genode demo from 2006 or so a while ago and found it had secure X11 forwarding. I'm very interested in this feature with virtual machines to get a nice environment for something like Turmvilla, though last time I checked the code it seemed this feature disappeared.
Cheers, Jookia.
Hi Jookia,
welcome to the mailing list!
On 11.06.2015 18:57, Jookia wrote:
> I looked at an old Genode demo from 2006 or so a while ago and found it had secure X11 forwarding. I'm very interested in this feature with virtual machines to get a nice environment for something like Turmvilla, though last time I checked the code it seemed this feature disappeared.
Indeed, we removed the code a long time ago. It was specific to the paravirtualized OKLinux kernel that we used in the live-CD scenario back then. The feature consisted of two parts: A custom Linux framebuffer driver that we enhanced with a nitpicker-like interface, and an X11 client that watched all X11 window operations and propagated this information to our driver. The driver, in turn, acted as a client of the nitpicker GUI server.
The mechanism worked well enough to integrate one or multiple X11 window systems into one nitpicker GUI. However, today, in the age of window compositing, I would implement this feature differently. Instead of relying on a guest-OS window manager to manage the X11 windows, I would use a custom compositor that exports the buffers with the content of each window to the Genode world - similar to how the X11 integration works on Qubes OS. This approach has the benefit that all windows (of both Linux applications and Genode applications) could be managed by a single window manager running on Genode.
That said, right now, there is no tangible plan on our side to implement this idea. Maybe you'd like to investigate it? ;-)
Cheers Norman
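The compositor-based design Norman sketches above, as an added illustration that is not part of this thread and not Genode or nitpicker code: a small C++ model in which each guest domain exports only a window's geometry and pixel buffer, while the trusted side keeps the per-domain label table, draws the domain border after the content so content can never cover it, and decides which domain receives input at a given pointer position. The names TrustedCompositor, ExportedWindow and add_window, the grayscale framebuffer and the sample windows are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <utility>
#include <vector>

// What a guest-side compositor hands over per window: geometry and the
// pixel content (8-bit grayscale in this model). A trust label is
// deliberately not part of it; the guest cannot choose its decoration.
struct ExportedWindow {
    unsigned domain;                   // domain the buffer came from
    int x, y, w, h;                    // geometry on the shared screen
    std::vector<std::uint8_t> pixels;  // w*h bytes of window content
};

class TrustedCompositor {
public:
    TrustedCompositor(int screen_w, int screen_h) : _w(screen_w), _h(screen_h) {}

    // Label colours live in the compositor's own table, keyed by domain,
    // so one domain cannot impersonate another's decoration.
    void set_label(unsigned domain, std::uint8_t colour) { _labels[domain] = colour; }

    // Accept a buffer only if the geometry is sane, the buffer size matches
    // it, and the domain is known. Later windows are stacked on top.
    bool add_window(ExportedWindow win) {
        if (win.w <= 0 || win.h <= 0) return false;
        const std::size_t expected = static_cast<std::size_t>(win.w) * static_cast<std::size_t>(win.h);
        if (win.pixels.size() != expected) return false;
        if (_labels.find(win.domain) == _labels.end()) return false;
        _stack.push_back(std::move(win));
        return true;
    }

    // Render the screen: each window's content clipped to the screen, then
    // its one-pixel domain border drawn on top of the content.
    std::vector<std::uint8_t> compose() const {
        std::vector<std::uint8_t> fb(static_cast<std::size_t>(_w) * static_cast<std::size_t>(_h), 0);
        for (const ExportedWindow &win : _stack) {
            const std::uint8_t label = _labels.at(win.domain);
            for (int j = 0; j < win.h; ++j) {
                for (int i = 0; i < win.w; ++i) {
                    const int sx = win.x + i, sy = win.y + j;
                    if (sx < 0 || sy < 0 || sx >= _w || sy >= _h) continue;
                    const bool border = (i == 0 || j == 0 || i == win.w - 1 || j == win.h - 1);
                    fb[static_cast<std::size_t>(sy) * _w + sx] =
                        border ? label : win.pixels[static_cast<std::size_t>(j) * win.w + i];
                }
            }
        }
        return fb;
    }

    // Input routing: the domain owning the topmost window under the pointer.
    // Nothing is delivered when the pointer is over no window at all.
    std::optional<unsigned> domain_at(int px, int py) const {
        for (auto it = _stack.rbegin(); it != _stack.rend(); ++it) {
            if (px >= it->x && px < it->x + it->w && py >= it->y && py < it->y + it->h)
                return it->domain;
        }
        return std::nullopt;
    }

private:
    int _w, _h;
    std::map<unsigned, std::uint8_t> _labels;
    std::vector<ExportedWindow> _stack;
};

// Stand-alone demo: two overlapping windows from two domains on an 8x8 screen.
int main() {
    TrustedCompositor c(8, 8);
    c.set_label(1, 10);
    c.set_label(2, 20);
    c.add_window({1, 1, 1, 4, 4, std::vector<std::uint8_t>(16, 200)});
    c.add_window({2, 3, 3, 4, 4, std::vector<std::uint8_t>(16, 77)});
    const std::vector<std::uint8_t> fb = c.compose();
    for (int y = 0; y < 8; ++y) {
        for (int x = 0; x < 8; ++x)
            std::printf("%4u", static_cast<unsigned>(fb[static_cast<std::size_t>(y) * 8 + x]));
        std::printf("\n");
    }
    return 0;
}
```

The point the model makes is that the guest contributes content and geometry only; the label, the stacking order and the input-to-domain mapping are all decided by the trusted compositor, which is what lets one window manager on the trusted side manage windows of several domains.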
On Thu, Jun 11, 2015 at 08:52:25PM +0200, Norman Feske wrote:
> Hi Jookia,
> welcome to the mailing list!
Thanks for the welcome. :)
> On 11.06.2015 18:57, Jookia wrote:
>> I looked at an old Genode demo from 2006 or so a while ago and found it had secure X11 forwarding. I'm very interested in this feature with virtual machines to get a nice environment for something like Turmvilla, though last time I checked the code it seemed this feature disappeared.
> Indeed, we removed the code a long time ago. It was specific to the paravirtualized OKLinux kernel that we used in the live-CD scenario back then. The feature consisted of two parts: A custom Linux framebuffer driver that we enhanced with a nitpicker-like interface, and an X11 client that watched all X11 window operations and propagated this information to our driver. The driver, in turn, acted as a client of the nitpicker GUI server.
I see! I assumed it was doing something like Qubes does, given it's one of the things that led me to Genode as it's not available on ARM or using TrustZone.
> The mechanism worked well enough to integrate one or multiple X11 window systems into one nitpicker GUI. However, today, in the age of window compositing, I would implement this feature differently. Instead of relying on a guest-OS window manager to manage the X11 windows, I would use a custom compositor that exports the buffers with the content of each window to the Genode world - similar to how the X11 integration works on Qubes OS. This approach has the benefit that all windows (of both Linux applications and Genode applications) could be managed by a single window manager running on Genode.
Which sounds like something I might look into doing. I'm a newbie but I have passion, which I suppose makes up for it? I'm not really confident enough to think I could do this securely, though I suppose if I went the route of trying to get it upstreamed as a Genode feature it'd get code reviewed, yes?
> That said, right now, there is no tangible plan on our side to implement this idea. Maybe you'd like to investigate it? ;-)
Perhaps. My main concern is secure communication between Genode and GNU/Linux. Or Genode and Genode. I'd like to eventually glue a bunch of running machines together, virtual or not, and build a metamachine that I can use for my computing, with secure logins somehow.
Right now the virtual machine monitor I've seen communicates through UART which I don't imagine has a particularly good amount of bandwidth. I assume Genode has some kind of IPC, perhaps it'd be nice to extend this to run with services on other machines (virtual or physical) which could be provided by other Genode or X11 services.
This sounds convoluted but eventually I'd like to have Genode running in the normal world too and use the secure world for my actual screen and keyboard inputs. Perhaps even scaling it up we could start to see situations where I could use my laptop as a thin screen and keyboard for applications running on my desktop. That's maybe too radical and dreamy.
> Cheers Norman
Cheers again, Jookia.
Hi Jookia,
> I see! I assumed it was doing something like Qubes does, given it's one of the things that led me to Genode as it's not available on ARM or using TrustZone.
the result looks similar (seamlessly integrated windows of different domains) but the underlying mechanism is different.
>> The mechanism worked well enough to integrate one or multiple X11 window systems into one nitpicker GUI. However, today, in the age of window compositing, I would implement this feature differently. Instead of relying on a guest-OS window manager to manage the X11 windows, I would use a custom compositor that exports the buffers with the content of each window to the Genode world - similar to how the X11 integration works on Qubes OS. This approach has the benefit that all windows (of both Linux applications and Genode applications) could be managed by a single window manager running on Genode.
> Which sounds like something I might look into doing. I'm a newbie but I have passion, which I suppose makes up for it? I'm not really confident enough to think I could do this securely, though I suppose if I went the route of trying to get it upstreamed as a Genode feature it'd get code reviewed, yes?
Sure! Don't be afraid of making mistakes. We all do. ;-)
>> That said, right now, there is no tangible plan on our side to implement this idea. Maybe you'd like to investigate it? ;-)
> Perhaps. My main concern is secure communication between Genode and GNU/Linux. Or Genode and Genode. I'd like to eventually glue a bunch of running machines together, virtual or not, and build a metamachine that I can use for my computing, with secure logins somehow.
> Right now the virtual machine monitor I've seen communicates through UART which I don't imagine has a particularly good amount of bandwidth. I assume Genode has some kind of IPC, perhaps it'd be nice to extend this to run with services on other machines (virtual or physical) which could be provided by other Genode or X11 services.
> This sounds convoluted but eventually I'd like to have Genode running in the normal world too and use the secure world for my actual screen and keyboard inputs. Perhaps even scaling it up we could start to see situations where I could use my laptop as a thin screen and keyboard for applications running on my desktop. That's maybe too radical and dreamy.
Thanks for sharing your motivation behind exploring Genode.
As you are repeatedly speaking of TrustZone, I assume that you are going to target ARM only?
Cheers Norman
On Mon, Jun 15, 2015 at 10:15:03AM +0200, Norman Feske wrote:
> Hi Jookia,
Hello again,
> As you are repeatedly speaking of TrustZone, I assume that you are going to target ARM only?
So here's the deal with this: I'm a free software zealot so naturally I have a Novena board that I want to use for all my computing. Right now I've started porting NixOS to it given someone's porting the Nix package manager to Genode and I really like the idea of an immutable package manager that can explicitly show an application's TCB.
I'm also a big fan of Qubes and security through isolation. Unfortunately, the Novena uses the i.MX6 chipset which has an ARM Cortex-A9 CPU which means there's no capacity for hardware-based virtualization or isolation. So I'm left with three choices: Don't isolate my environment and use a single GNU/Linux desktop, try porting Qubes to LXC and have a monolithic kernel as a hypervisor, or go down the road of using the wrong tool for the job: TrustZone.
From what I know TrustZone is ideally used to host a small secure operating system alongside a regular operating system. I'd like to be able to use the TrustZone as my normal operating system and use the normal world for untrusted hardware like network adapters or USB sticks. Combining this with L4Linux I'm hoping I'll be able to have some virtual machines spread out in a Qubes fashion with some hardware protection.
Aside from the Novena I have my current x86_64 i7 920 machine and also a laptop with an Intel Atom processor. I don't really consider these as interesting targets for development, though I wouldn't mind setting up Genode on the laptop for fun. Don't hold me to that though.
> Cheers Norman
Cheers! Jookia.
Hi Jookia,
thanks for explaining your background. Now the picture becomes much clearer.
> I'm also a big fan of Qubes and security through isolation. Unfortunately, the Novena uses the i.MX6 chipset which has an ARM Cortex-A9 CPU which means there's no capacity for hardware-based virtualization or isolation. So I'm left with three choices: Don't isolate my environment and use a single GNU/Linux desktop, try porting Qubes to LXC and have a monolithic kernel as a hypervisor, or go down the road of using the wrong tool for the job: TrustZone.
For a setup like the Turmvilla scenario where we have just a single "rich" Linux instance and a growing number of native Genode components, TrustZone would work well. If you decide to go this route, you may benefit from Martin's current line of work on providing a virtual block device to the normal world. The secure world retains the exclusive access to the real device and can make a partition available to the normal world. For the Turmvilla scenario, however, we need to complement this with something similar for the framebuffer and input devices. I just remember that we started our discussion exactly with this topic. :-) If you decide to give it a go, this would be very cool.
> From what I know TrustZone is ideally used to host a small secure operating system alongside a regular operating system. I'd like to be able to use the TrustZone as my normal operating system and use the normal world for untrusted hardware like network adapters or USB sticks. Combining this with L4Linux I'm hoping I'll be able to have some virtual machines spread out in a Qubes fashion with some hardware protection.
You can actually run a fully-fledged Genode system in the secure world (as your future "normal" OS) and use the normal world for the "rich Linux VM".
Instead of going the Qubes route of using multiple Linux VMs as appliances, I would prefer to enable functionality natively on Genode without relying on virtual machines. There are two motivations behind this direction. First, native components are much lighter (with respect to resources, startup times, and the ease of configuration). Second, only by following this way, Genode will eventually become a self-sustainable system. If we keep on relying on the Linux kernel as application runtime, this will possibly never happen.
Cheers Norman
Hi Jookia,
On 16.06.2015 17:59, Norman Feske wrote:
> If you decide to go this route, you may benefit from Martin's current line of work on providing a virtual block device to the normal world. The secure world retains the exclusive access to the real device and can make a partition available to the normal world.
My working branches regarding this topic are [1] and [2]. If you have questions on that, don't hesitate to ask ;)
Cheers, Martin
[1] https://github.com/m-stein/genode/tree/1497_hw_usb_armory_USB_in_tz_vmm_linu...
[2] https://github.com/m-stein/linux/tree/usb_armory_genode_tz_vmm_usb
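To make the confinement property behind the virtual block device concrete (Norman's description of the secure world keeping exclusive device access and exporting one partition, and the work in Martin's branches), here is an added C++ model that is neither Genode's block session nor the code in those branches: the secure side owns the real device and exports a single block range; every normal-world request names blocks relative to that range and is bounds-checked, with overflow-safe arithmetic, before it touches the device. RealBlockDevice, BlockRequest, VirtualBlockDevice and the sample device contents are constructed for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// The physical device that only the secure world may touch. The sample
// contents are constructed: block i holds the byte value i throughout.
struct RealBlockDevice {
    std::size_t block_size;
    std::vector<std::uint8_t> data;   // block_size * block_count bytes

    std::uint64_t block_count() const { return data.size() / block_size; }
};

RealBlockDevice make_sample_device(std::size_t block_size, std::uint64_t blocks) {
    RealBlockDevice dev{block_size, std::vector<std::uint8_t>(block_size * blocks)};
    for (std::uint64_t b = 0; b < blocks; ++b)
        std::fill_n(dev.data.begin() + static_cast<std::ptrdiff_t>(b * block_size),
                    block_size, static_cast<std::uint8_t>(b));
    return dev;
}

// A request as it arrives from the normal world. Block numbers are relative
// to the exported partition; the guest never names blocks of the real device.
struct BlockRequest {
    bool write;
    std::uint64_t block;
    std::uint64_t count;
};

class VirtualBlockDevice {
public:
    VirtualBlockDevice(RealBlockDevice &dev, std::uint64_t first, std::uint64_t count, bool writeable)
    : _dev(dev), _first(first), _count(count), _writeable(writeable)
    {
        // The exported range must itself fit inside the real device. Written
        // with subtraction so that first + count cannot wrap around.
        if (first > dev.block_count() || count > dev.block_count() - first)
            _count = 0;   // export nothing rather than a partially valid range
    }

    std::uint64_t block_count() const { return _count; }

    // [block, block + count) must lie inside the partition; again subtraction
    // instead of addition keeps the check overflow-safe for hostile counts.
    bool in_range(std::uint64_t block, std::uint64_t count) const {
        return count > 0 && block < _count && count <= _count - block;
    }

    bool read(const BlockRequest &req, std::vector<std::uint8_t> &out) const {
        if (req.write || !in_range(req.block, req.count)) return false;
        const std::size_t off = static_cast<std::size_t>((_first + req.block) * _dev.block_size);
        const std::size_t len = static_cast<std::size_t>(req.count * _dev.block_size);
        out.assign(_dev.data.begin() + static_cast<std::ptrdiff_t>(off),
                   _dev.data.begin() + static_cast<std::ptrdiff_t>(off + len));
        return true;
    }

    bool write(const BlockRequest &req, const std::vector<std::uint8_t> &in) {
        if (!req.write || !_writeable || !in_range(req.block, req.count)) return false;
        const std::size_t len = static_cast<std::size_t>(req.count * _dev.block_size);
        if (in.size() != len) return false;   // payload must match the declared block count
        const std::size_t off = static_cast<std::size_t>((_first + req.block) * _dev.block_size);
        std::copy(in.begin(), in.end(), _dev.data.begin() + static_cast<std::ptrdiff_t>(off));
        return true;
    }

private:
    RealBlockDevice &_dev;
    std::uint64_t _first;
    std::uint64_t _count;
    bool _writeable;
};

// Stand-alone demo: a 16-block device of which blocks 4..11 are exported.
int main() {
    RealBlockDevice dev = make_sample_device(4, 16);
    VirtualBlockDevice vbd(dev, 4, 8, true);
    std::vector<std::uint8_t> buf;
    for (std::uint64_t b : {0ull, 7ull, 8ull}) {
        const bool ok = vbd.read({false, b, 1}, buf);
        std::printf("guest block %llu: %s\n", static_cast<unsigned long long>(b), ok ? "ok" : "rejected");
    }
    return 0;
}
```

The two checks worth carrying into any real implementation are the ones done by subtraction: the partition itself is validated against the device at construction time, and each request against the partition, so that a guest supplying a huge count cannot wrap the end-of-range computation and reach blocks outside what the secure world chose to expose.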
On Tue, Jun 16, 2015 at 06:38:34PM +0200, Martin Stein wrote:
> Hi Jookia,
> My working branches regarding this topic are [1] and [2]. If you have questions on that, don't hesitate to ask ;)
> Cheers, Martin
> [1] https://github.com/m-stein/genode/tree/1497_hw_usb_armory_USB_in_tz_vmm_linu...
> [2] https://github.com/m-stein/linux/tree/usb_armory_genode_tz_vmm_usb
Hello Martin,
This is quite interesting, I do have a question:
Does this use the same interface as other virtual machines in Genode, or is it specific to TrustZone? I'm guessing it'd be the first given there's also other virtual machine monitors. I ask to estimate the difficulty of writing tools that use virtual machines without being specific to the technology itself.
Thanks for sharing, Jookia.
On Tue, Jun 16, 2015 at 05:59:30PM +0200, Norman Feske wrote:
> Hi Jookia,
Hi again,
> For a setup like the Turmvilla scenario where we have just a single "rich" Linux instance and a growing number of native Genode components, TrustZone would work well. If you decide to go this route, you may benefit from Martin's current line of work on providing a virtual block device to the normal world. The secure world retains the exclusive access to the real device and can make a partition available to the normal world. For the Turmvilla scenario, however, we need to complement this with something similar for the framebuffer and input devices. I just remember that we started our discussion exactly with this topic. :-) If you decide to give it a go, this would be very cool.
I'd certainly like to see this happen, perhaps I could re-use some work of Qubes' implementation: https://www.qubes-os.org/doc/GUIdocs/
> You can actually run a fully-fledged Genode system in the secure world (as your future "normal" OS) and use the normal world for the "rich Linux VM".
That's great, though it's a bit of a hack for my use case. I'm using TrustZone to trust less hardware instead of something like an IOMMU. Using it to also provide application compatibility starts to break down the abstraction further as there's now the three categories: untrusted hardware running GNU/Linux applications, trusted hardware running GNU/Linux applications and trusted hardware running Genode applications.
Unfortunately, to my knowledge I can't use TrustZone and L4Linux or another virtual machine together given base-hw's current feature set. Someone would have to set up Fiasco.OC's TrustZone support to work with Genode. So I think that rules out both hardware isolation and secure GNU/Linux instances. Are there any plans to change this?
For now I might focus on Fiasco.OC rather than TrustZone.
> Instead of going the Qubes route of using multiple Linux VMs as appliances, I would prefer to enable functionality natively on Genode without relying on virtual machines. There are two motivations behind this direction. First, native components are much lighter (with respect to resources, startup times, and the ease of configuration). Second, only by following this way, Genode will eventually become a self-sustainable system. If we keep on relying on the Linux kernel as application runtime, this will possibly never happen.
I completely agree!
> Cheers Norman
Cheers, Jookia.