Hi Fellow Genodians-
It seems like Genode's secure display windows are off to a good start with "Nitpicker"... ...What is happening so that the Wayland display compositor will be able to in some way run within the Genode OS?
Where might I find more info on the efforts to run Genode within ARM TrustZone...
Thanks -Peter
Hello Peter,
> It seems like Genode's secure display windows are off to a good start with "Nitpicker"... ...What is happening so that the Wayland display compositor will be able to in some way run within the Genode OS?
As far as I know, there is no concrete plan to bring Wayland to Genode. It is not mentioned on our road map [1]. However, we have listed the topic at our "challenges" page as a rough idea.
[1] http://genode.org/about/road-map
[2] http://genode.org/about/challenges
Design-wise there seem to be many similarities between nitpicker and Wayland, but both solutions were created under different premises. For Wayland, fluent graphics without any tearing artifacts were a big motivation. The goal was to overcome the deficiencies of X.org. In contrast, nitpicker was designed for security in the first place (you can read more details in my dissertation [3]). Both goals led to a similar design, which is a very good sign.
[3] http://www.genode-labs.com/publications/secure-gui-2009.pdf
Personally, I think that exploring the combination of Wayland with Genode is an interesting topic, but I am anything but sure about the outcome. Whereas Wayland was designed for Linux, it is unclear to me how well it fits with Genode's capability-based security model. Also, a Wayland-based graphics stack will be significantly more complex than a nitpicker-based one. This is because Wayland uses OpenGL as a backend. So Mesa plus the whole driver stack becomes a mandatory part of the trusted computing base for any graphical application. In contrast, nitpicker's trusted computing base is orders of magnitude less complex.
That said, I think this does not need to be an either-or discussion because different users have different needs. Not everyone is picky about a low-complexity trusted-computing base. Having the option to use Wayland or nitpicker would be great.
As a technical precondition to take a closer look at Wayland on Genode, we first need to address the problem of bringing our version of Mesa up to date and provide a way to use hardware-accelerated graphics. Those topics are also important for Qt5's QML. For this reason, I raised the point during the discussion of the road map. Even though we haven't put it on the official road map, we still plan to work on it.
> Where might I find more info on the efforts to run Genode within ARM TrustZone...
We are positively surprised about the response to our TrustZone work. Currently, there is not much documentation available. But we will obviously need to change that.
For practical steps of how to start experimenting with TrustZone, maybe Stefan can give you a good starting point?
Btw, there will be a talk by him at FOSDEM on Sunday in Brussels. We will publish the slides and there may even be a video recording.
Best regards Norman
Hi Norman-
Given that Genode's design philosophy is all about minimizing the TCB... it would seem that running Wayland under Nitpicker might be the first step toward achieving compatibility with Wayland, while also maintaining the well-considered security that you have already achieved via Nitpicker... i.e. your very nice thesis work!
It does seem like GPU interfacing security might be a real consideration here. I would propose that you might want to propose doing some research work for NVidia if they might see the wisdom in it.... I think your thesis speaks well of your qualifications for such....and my hunch is that if you're sociable and reach out to them, you're likely to find it very much a win / win situation... !!
all the best -Peter
On Thu, Jan 30, 2014 at 1:37 AM, Norman Feske <norman.feske@...1...> wrote:
-- Dr.-Ing. Norman Feske Genode Labs
http://www.genode-labs.com · http://genode.org
Genode Labs GmbH · Amtsgericht Dresden · HRB 28424 · Sitz Dresden Geschäftsführer: Dr.-Ing. Norman Feske, Christian Helmuth
_______________________________________________
Genode-main mailing list
Genode-main@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/genode-main
Hi Peter,
On 01/30/2014 10:37 AM, Norman Feske wrote:
> For practical steps of how to start experimenting with TrustZone, maybe Stefan can give you a good starting point?
Concurrently, we've made just some experiments regarding ARM's TrustZone. The farthermost developed demonstration scenario therefore is built for Freescale's i.MX53 SABRE tablet. The code for this scenario isn't completely part of Genode's mainline code, but can be found here:
https://github.com/skalk/genode/tree/i.MX53_tablet_demo
A brief "how to" reproduce that scenario is included in there too:
https://github.com/skalk/genode/blob/i.MX53_tablet_demo/os/src/server/vmm/im...
The TrustZone experiments are limited to the "base-hw" platform. Most code, including the switch between "secure" and "normal" world, can be found there. I hope this will help as a starting point.
Regards Stefan
Hi Norman-
At the risk of coming across as a bit confused, for the life of me with Genode Labs having recognized the significance of actively taking into account the GUI layer in its security model.. How in any real sense can Genode's growth road-map not yet openly account for Wayland's rise within the Linux computing world?.... Am I just asking about something that Genode Labs is choosing to play closer to their chest?.... I gather the good parts of Nitpicker might likely be a good starting point. I'm just asking for some sense of assurance that, A. people are actively planning Genode's longer term growth future. B. that somehow we might be able to figure out how Genode might support apps that might be expecting a Wayland display compositor to talk to...
...Am I asking the right questions here?
all the best -Peter
On Thu, Jan 30, 2014 at 11:31 AM, Peter Lindener <lindener.peter@...9...> wrote:
> Hi Norman-
> Given that Genode's design philosophy is all about minimizing the TCB... it would seem that running Wayland under Nitpicker might be the first step toward achieving compatibility with Wayland, while also maintaining the well-considered security that you have already achieved via Nitpicker... i.e. your very nice thesis work!
> It does seem like GPU interfacing security might be a real consideration here. I would propose that you might want to propose doing some research work for NVidia if they might see the wisdom in it.... I think your thesis speaks well of your qualifications for such....and my hunch is that if you're sociable and reach out to them, you're likely to find it very much a win / win situation... !!
> all the best -Peter
Hi Peter,
> At the risk of coming across as a bit confused, for the life of me with Genode Labs having recognized the significance of actively taking into account the GUI layer in its security model.. How in any real sense can Genode's growth road-map not yet openly account for Wayland's rise within the Linux computing world?....
The road map has a horizon of one year. It contains tangible goals to which we commit ourselves. Most of the items you find on it are either fundamentally important for us developers to use Genode as a general-purpose OS (e.g., wireless, block cache), or are closely related to our current research interests (in particular the work on base-hw).
We are nowhere near catering to the general-purpose computing needs of a large crowd of normal users - such as people with a background of being Linux power users. Advertising Genode as such would be a delusion.
Once we have reached the point where we developers are able to use Genode every day, Wayland will possibly become very interesting to look at. But today, it would just distract us from addressing more fundamental topics.
As another technicality, it is almost futile to plan the integration of Wayland before we even have a decent performing OpenGL implementation (including GPU support) available. Enabling this is hard work though. Maybe you'd like to lend a helping hand with this topic. ;-)
> Am I just asking about something that Genode Labs is choosing to play closer to their chest?.... I gather the good parts of Nitpicker might likely be a good starting point. I'm just asking for some sense of assurance that, A. people are actively planning Genode's longer term growth future. B. that somehow we might be able to figure out how Genode might support apps that might be expecting a Wayland display compositor to talk to...
Concerning A, "long term" seems to be a pretty loose term. Our road map covers just one year, which is a time frame that we can realistically foresee. Personally, I wouldn't call it "long term".
I do not agree with your statement B as I am not aware of even a single popular application that has a hard dependency on Wayland. Applications are developed against toolkits such as Qt or Gtk. Since Genode supports Qt, such applications can run natively on Genode already without the need for Wayland. I don't expect this situation to suddenly change within the next year.
As a general remark, if the use of existing software on top of Genode is a concern, why not run Linux in a virtual machine on top of Genode as a stop-gap solution? On NOVA, there exists a high-performance VMM called Seoul. Additionally, VirtualBox will be available by the end of the month. Those solutions can bridge the gap between the applications Genode supports natively and commodity applications.
In short, Wayland is an interesting topic for sure but I don't think that Genode will miss the train if we don't jump on the Wayland bandwagon right now.
Cheers Norman