ARM trust zone and Wayland on Genode?

Fri Jan 31 00:17:51 CET 2014

Hi Peter,

On 01/30/2014 10:37 AM, Norman Feske wrote:
> Hello Peter,
> 
>>     It seems like Genode's secure display windows are off to a good
>> start with "Nitpicker"...  
>> ...What is happening so that the Wayland display compositor will be able
>> to in some way run withing the Genode OS? 
> 
> as far as I know, there is no concrete plan to bring Wayland to Genode.
> It is not mentioned on our road map [1]. However, we have listed the
> topic at our "challenges" page as a rough idea.
> 
> [1]  http://genode.org/about/road-map
> [2]  http://genode.org/about/challenges
> 
> Design-wise there seem to be many similarities between nitpicker and
> Wayland, but both solutions were created under different premises. For
> Wayland, fluent graphics without any tearing artifacts were a big
> motivation. The goal was to overcome the deficiencies of X.org. In
> contrast, nitpicker was designed for security in the first place (you
> can read more details in my dissertation [3]). Both goals led to a
> similar design, which is a very good sign.
> 
> [3]  http://www.genode-labs.com/publications/secure-gui-2009.pdf
> 
> Personally, I think that exploring the combination of Wayland with
> Genode is an interesting topic, but I am anything but sure about the
> outcome. Whereas Wayland was designed for Linux, it is unclear to me how
> well it fits with Genode's capability-based security model. Also, a
> Wayland-based graphics stack will be significantly more complex than a
> nitpicker-based one. This is because Wayland uses OpenGL as backend. So
> Mesa plus the whole driver stack becomes a mandatory part of the trusted
> computing base for any graphical application. In contrast, nitpicker's
> trusted computing base is orders of magnitude less complex.
> 
> That said, I think this does not need to be an either-or discussion
> because different users have different needs. Not everyone is picky
> about a low-complexity trusted-computing base. Having the option to use
> Wayland or nitpicker would be great.
> 
> As a technical precondition to take a closer look at Wayland on Genode,
> we first need to address the problem to bring our version of Mesa up to
> date and provide a way to use hardware-accelerated graphics. Those
> topics are also important for Qt5's QML. For this reason, I raised the
> point during the discussion of the road map. Even though we haven't put
> it on the official road map, we still plan to work on it.
> 
>>     Where might I find more info on the efforts to run Genode within ARM
>> TrustZone...
> 
> We are positively surprised about the response to our TrustZone work.
> Currently, there is not much documentation available. But we will
> obviously need to change that.
> 
> For practical steps of how to start experimenting with TrustZone, maybe
> Stefan can give you a good starting point?
> 
> Btw, there will be talk by him at FOSDEM on Sunday in Brussels. We will
> publish the slides and there may be even a video recording.

Concurrently, we've made just some experiments regarding ARM's
TrustZone. The farthermost developed demonstration scenario therefore is
build for Freescale's i.MX53 SABRE tablet. The code for this scenario
isn't completely part of Genode's mainline code, but can be found here:

  https://github.com/skalk/genode/tree/i.MX53_tablet_demo

A brief "how to" reproduce that scenario is included in there too:

https://github.com/skalk/genode/blob/i.MX53_tablet_demo/os/src/server/vmm/imx53/README

The TrustZone experiments are limited to the "base-hw" platform. Most
code, including the switch between "secure" and "normal" world, can be
found there. I hope this will help as a starting point.

Regards
Stefan

> 
> Best regards
> Norman
> 

-- 
Stefan Kalkowski
Genode Labs

http://www.genode-labs.com/ · http://genode.org/