posted by nfeske on Fri 1st Sep 2017 10:00 UTC
Icon

With version 17.08, the Genode OS project conquers the highly complex topic of hardware-accelerated graphics. In true microkernel fashion, Genode's new Intel-GPU multiplexer provides the bare minimum of functionality to enable (potentially untrusted) components to use the GPU without interfering with each other. Further highlights of the new release are the broadened support for the seL4 microkernel on ARM and 64-bit x86, the ability to boot via UEFI, and Genode's use as Xen DomU domain.

Seven years ago, the Genode developers took their first baby steps with the use of hardware-accelerated graphics. However, their original port of the Intel graphics execution manager along with Mesa/Gallium to the Genode user land never outgrew an experimental stage. One particular limitation was that the GPU could only be used by a single application exclusively. At that time, the secure sharing of GPUs among multiple - and potentially malicious - applications was an afterthought in the predominant driver architectures like Linux' DRI. A port of this driver architecture to Genode would not magically solve that.

In the meanwhile, hardware features like per-process graphics translation tables (PPGTT) and hardware contexts have proliferated and are now present in all modern Intel GPUs. What MMU-based virtual memory is to a CPU, these features are to a GPU. They in principle allow the sandboxed execution of GPU commands under the regime of a potentially very small GPU driver, analogously to how a microkernel facilitates an MMU to sandbox user-level components. However, with about 100K lines of code, Intel's official i915 driver stack as used in the Linux kernel is far from being small and simple. To put the number in perspective, modern microkernels like seL4 or NOVA consist of merely 10K lines of code. Inflating Genode's trusted computing base by on order of magnitude would be a tough decision. There had to be another way. Hence, one year ago, an experiment was started to develop a clean-slate GPU multiplexer as a Genode component. In contrast to the i915 driver stack that needs to accommodate a mind boggling number of legacy hardware that is still in broad use, Genode's custom GPU multiplexer could do a clear cut by only supporting very recent GPUs. The result is quite reassuring. At far less than 10K of code, Genode's new user-land GPU multiplexer is able to accommodate trusted and untrusted OpenGL applications side by side. The current release features the first version of this component along with several examples.

Besides the GPU topic, the new release comes with numerous other improvements. Most noteworthy is the ability to use Genode with the seL4 kernel on the ARM and 64-bit x86 architectures. The upgraded seL4 support also enables SMP on x86, priorities, and Genode's CPU-monitoring facilities. Following up on the big infrastructural changes of the previous releases, the current release comes with gradual refinements of the VFS infrastructure, the timing accuracy, and the package-management tools. The complete picture is presented in the official release documentation.


e p (3)    7 Comment(s)

Technology White Papers

See More