166291 at ...9...
Thu Dec 24 13:46:42 CET 2015
On Thu, Dec 24, 2015 at 12:47:13PM +0100, Norman Feske wrote:
> Hi Jookia,
> thanks for joining the discussion!
> Do you have any concrete plans for Genode on the Novena board?

Concrete? Hmm. I'm still setting up NixOS on it and documenting my setup in a
system-agnostic way which could be translated to Genode. I'd like to use Genode
on it as a replacement for my existing system eventually. I haven't done too
much more research as I'm mainly waiting for a package manager. Ideally I'd like
to leverage the isolation I get on Genode to compose a complex system.

Configuring firewalls and routes when you have multiple interfaces, including
containers, on GNU/Linux is a nightmare. I tried to avoid containers as much as I
could, but eventually I had to give in, as there's no way to have per-interface
DNS on GNU unless you're running a container, due to system state.

I'd like to have better sandboxing for my applications. I could use containers
in NixOS, and it's tempting as I don't have to pay much of the cost of
duplicating a rootfs, but it's still complex to set up when you want to share
data such as through a GUI or file system. One good reason for this is security,
but development is probably a bigger factor for me.

I'd like to allocate resources and CPU time to processes more easily. Right now
I've installed BFQ and BFS in my Linux kernel, which will magically speed up my
system, though I still don't have the knowledge or tools to set up cgroups to
limit resources. I'm not even trying to do anything too amazing; it's just
difficult to say to my computer 'Hey, run my photo rendering but do it in the
background when I'm not using my disk or CPU' without doing all this and
installing schedtool (which I haven't managed to set up yet).

It's not that I don't have time to learn these things; I'm fortunate enough that
I do. It's that it's tedious even for someone who does somewhat low-level
hacking. The more I try to get my computer to do multiple things, the more it
feels like I don't have the tools for it to do them. Not because I don't have
the hardware or software, but because I don't have enough isolation for things
to not clobber each other.

That's my motivation. So, off the top of my head, the things I'd need in Genode:
Free software, and lots of it. A GTK port, a Tor port, an OpenVPN port,
something like JACK for audio (routing applications mainly), video and photo
editing through Blender and RawTherapee, web browsing through Tor Browser,
some kind of routing system that can handle NAT along with a network stack
suited for a router (DHCP, IPv6, etc.), and a 'proper' firewall system.

Having GNU/Linux running in TrustZone and using Xpra to view it in Genode
would help, though I'd still want to port my free video drivers (etnaviv) to
Genode. Unfortunately I'm certain that's beyond my skill level, and the half a
dozen people working on etnaviv are much too busy for this. Unless I can do the
porting without understanding more than the modules and APIs. From what I know I
can't run the i.MX6 GPU on the TrustZone side, so this might actually be the
'one thing' that stops me from using Genode, as I tend to need acceleration for
video playback. I'm still not sure about this. I'd be fine doing the work if it
doesn't require in-depth graphics knowledge but rather more grunt work.

Now, I mentioned a 'proper' firewall system above in quotes. I'm not going to do
another rant, but rather focus on what I'd like to see in a firewall system:
Integration with system routing. I'd like to focus on per-application rules
rather than per-interface or per-port, and multiplexers to combine applications
or interfaces. I'd also like to see applications that do routing too. My current
rules are complex and involve giving applications (defined by port or user)
access to interfaces based on interface and subnet.

I've been toying with the idea of running a VPN in a container on GNU/Linux and
exporting an HTTP proxy so it handles DNS automatically, while having no DNS or
direct Internet access on the host. In Genode this could be replaced by routing
applications to a router application which is composed with OpenVPN, perhaps.

Either way, that's my brain dump for now. I'm eager to get Genode going on the
Novena and probably more obscure hardware in the future like lowRISC if I ever
see a way to get a kernel on it. Having a fully free software stack allows me to
do all this. Happy holidays in UTC+12!