The Genode project has released version 11.11 of its OS framework, which allows the construction of specialized operating systems out of building blocks including 8 different kernels, plenty of device drivers, and an increasing number of system services.
With the current release, the project explored various opportunities to combine Genode’s architecture with virtualization techniques, ranging from faithful virtualization of x86 hardware, through running Android on a paravirtualized Linux kernel, to custom-designed OS-level and application-level virtualization approaches. The latter variant is particularly interesting because it paved the way to Genode’s new support for user-level debugging via GDB.
With the initial port of the Vancouver virtual machine monitor (VMM), the project embraces the world of faithful virtualization. Vancouver implements a virtual x86 PC and is specifically developed for use with the NOVA hypervisor and hardware-supported virtualization (Intel VT-x or AMD SVM). The single property that sets NOVA/Vancouver apart from the crowd of virtualization products such as KVM, Xen, VirtualBox, and VMware is its microkernel-aided design. In contrast to those traditional solutions, which implement the virtual machine monitor in the hypervisor, the Vancouver VMM runs entirely in user space. Only the basic mechanisms for reflecting virtualization events to user space remain in the hypervisor, for which the NOVA developers consequently coined the term microhypervisor.
On NOVA, each virtual machine has a dedicated instance of the Vancouver virtual machine monitor, and the instances are isolated from one another via the protection mechanisms known from microkernels. This way, a problem in one virtual machine or its VMM cannot affect any other part of the system, short of a flaw in the microhypervisor itself. The trusted computing base critical for maintaining the isolation between virtual machines is orders of magnitude smaller compared to traditional approaches. This sounds good, but doesn’t putting the VMM into user space hurt performance? The answer is actually: no! According to a paper by the authors of NOVA/Vancouver, the performance of their solution compares favorably with existing virtualization solutions. Long story short: NOVA/Vancouver is an amazing technology, which will now become integrated with Genode. Even though the initial adaptation of Vancouver to Genode is still at an early stage, it already shows how well Vancouver fits into the framework’s architecture.
The second new feature of Genode 11.11 is the integration of L4Android running on the Fiasco.OC kernel. L4Android is based on the paravirtualized Linux kernel L4Linux with the Android patch set applied. This enables one or multiple instances of the unmodified Android userland to be executed as nodes of Genode’s process tree. To tightly integrate L4Android with the component framework, L4Linux has been enhanced with several so-called stub drivers that act as Linux device drivers but use Genode interfaces as back ends instead of real devices. New stub drivers have been added for accessing block devices, UARTs, network cards, and pointer devices. L4Android is supported for both x86_32 and ARM platforms on the Fiasco.OC kernel.
Noux is Genode’s own take on OS-level virtualization. In contrast to faithful virtualization or paravirtualization, this work aims at executing individual UNIX applications without the overhead of running and managing a complete guest OS. With the current release, Noux has become able to execute software as complex as VIM natively without the need to change any source code. For its developers, the ability to run GNU software without manual porting labour represents the path towards an OS that is suitable as a development environment.
Finally, the project introduces a new form of virtualization called application-level virtualization. This approach builds on the most fundamental property of Genode’s architecture, which is the sandboxed execution of each program. Combined with capability-based security, this architecture makes it possible to virtualize the environment of each process in the system in arbitrary ways. One particularly useful application of this methodology is to let a user-level debugger transparently intercept the interaction of a process with its environment. The new GDB monitor is the implementation of this idea. It is able to provide a fully featured debugging solution for user-level components, including support for single stepping, breakpoints, source-level debugging, and backtraces. Because the debugging facility is implemented using application-level virtualization, it requires no special debugging interfaces in the underlying platform, which could potentially short-circuit security policies.
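The interposition idea behind the GDB monitor, sketched as an added C++ example that is not Genode’s code: a sandboxed component receives its environment only as an abstract interface handed over by its parent, and the parent may substitute a monitor that implements the same interface, records every call, and fires a breakpoint hook before forwarding to the real service. The `Env`, `RealEnv` and `MonitorEnv` types and the block-read service are hypothetical stand-ins for Genode’s session interfaces; the "platform" here is plain C++ and offers no debugging hook of its own.

```cpp
// Added example (not Genode code): a toy model of application-level
// virtualization. The component reaches its environment only through an
// abstract interface chosen by its parent, so the parent can interpose a
// monitor without any support from the underlying platform.
#include <cstdint>
#include <functional>
#include <string>
#include <vector>

// Hypothetical environment interface: a log service and a block-read service.
struct Env {
    virtual ~Env() = default;
    virtual void log(const std::string &msg) = 0;
    virtual uint32_t read_block(uint32_t block_nr) = 0;
};

// The "real" environment a parent would normally hand to its child.
struct RealEnv : Env {
    std::vector<std::string> log_lines;
    void log(const std::string &msg) override { log_lines.push_back(msg); }
    // Fake block content: block n holds the value n * 16 (constructed data).
    uint32_t read_block(uint32_t block_nr) override { return block_nr * 16; }
};

// The monitor implements the same interface and interposes on every call:
// it records a trace and, when the call name matches a breakpoint, invokes
// the debugger hook before forwarding to the real environment. The child
// cannot tell the difference, because its only "capability" is the Env&.
struct MonitorEnv : Env {
    Env &real;
    std::vector<std::string> trace;
    std::string break_on;                              // call prefix to stop on ("" = none)
    std::function<void(const std::string &)> on_break; // hypothetical debugger callback

    explicit MonitorEnv(Env &r) : real(r) {}

    void intercept(const std::string &call) {
        trace.push_back(call);
        bool matches = !break_on.empty() && call.rfind(break_on, 0) == 0;
        if (matches && on_break) on_break(call);
    }
    void log(const std::string &msg) override {
        intercept("log(" + msg + ")");
        real.log(msg);
    }
    uint32_t read_block(uint32_t n) override {
        intercept("read_block(" + std::to_string(n) + ")");
        return real.read_block(n);
    }
};

// The sandboxed component: it has no idea whether it is being debugged.
uint32_t component_main(Env &env) {
    env.log("starting");
    uint32_t sum = 0;
    for (uint32_t i = 1; i <= 3; ++i) sum += env.read_block(i);
    env.log("done");
    return sum;
}

// The parent decides which environment the child sees.
struct RunResult {
    uint32_t value;
    std::vector<std::string> trace;
    unsigned breaks;
};

RunResult run_plain() {
    RealEnv real;
    return { component_main(real), {}, 0 };
}

RunResult run_monitored(const std::string &break_on) {
    RealEnv real;
    MonitorEnv mon(real);
    unsigned breaks = 0;
    mon.break_on = break_on;
    mon.on_break = [&](const std::string &) { ++breaks; }; // a real debugger would halt here
    uint32_t v = component_main(mon);
    return { v, mon.trace, breaks };
}
```

The component returns the same result in both runs; only the parent’s choice of environment differs. That is the property the text relies on: the debugger gains full visibility of the child’s interaction with its environment, while no other component in the system is exposed to a platform-wide debugging interface.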
In addition to the results of the virtualization-related work, version 11.11 comes with new device drivers, a new free-standing tool chain, a new IPC implementation for Linux, and updates of several base platforms.
As usual, the complete coverage of all the improvements is detailed in the project’s release notes.