With version 17.08, the Genode OS project conquers the highly complex topic of hardware-accelerated graphics. In true microkernel fashion, Genode’s new Intel-GPU multiplexer provides the bare minimum of functionality to enable (potentially untrusted) components to use the GPU without interfering with each other. Further highlights of the new release are the broadened support for the seL4 microkernel on ARM and 64-bit x86, the ability to boot via UEFI, and Genode’s use as a Xen DomU domain.
Seven years ago, the Genode developers took their first baby steps with the use of hardware-accelerated graphics. However, their original port of the Intel graphics execution manager along with Mesa/Gallium to the Genode user land never outgrew an experimental stage. One particular limitation was that the GPU could only be used by a single application exclusively. At that time, the secure sharing of GPUs among multiple – and potentially malicious – applications was an afterthought in the predominant driver architectures like Linux’ DRI. A port of this driver architecture to Genode would not magically solve that.
In the meantime, hardware features like per-process graphics translation tables (PPGTT) and hardware contexts have proliferated and are now present in all modern Intel GPUs. What MMU-based virtual memory is to a CPU, these features are to a GPU. In principle, they allow the sandboxed execution of GPU commands under the regime of a potentially very small GPU driver, analogously to how a microkernel uses an MMU to sandbox user-level components. However, with about 100K lines of code, Intel’s official i915 driver stack as used in the Linux kernel is far from small and simple. To put the number in perspective, modern microkernels like seL4 or NOVA consist of merely 10K lines of code. Inflating Genode’s trusted computing base by an order of magnitude would be a tough decision. There had to be another way. Hence, one year ago, an experiment was started to develop a clean-slate GPU multiplexer as a Genode component. In contrast to the i915 driver stack, which needs to accommodate a mind-boggling amount of legacy hardware that is still in broad use, Genode’s custom GPU multiplexer could make a clean cut by supporting only very recent GPUs. The result is quite reassuring. At far less than 10K lines of code, Genode’s new user-land GPU multiplexer is able to accommodate trusted and untrusted OpenGL applications side by side. The current release features the first version of this component along with several examples.
Besides the GPU topic, the new release comes with numerous other improvements. Most noteworthy is the ability to use Genode with the seL4 kernel on the ARM and 64-bit x86 architectures. The upgraded seL4 support also enables SMP on x86, priorities, and Genode’s CPU-monitoring facilities. Following up on the big infrastructural changes of the previous releases, the current release comes with gradual refinements of the VFS infrastructure, the timing accuracy, and the package-management tools. The complete picture is presented in the official release documentation.
…is extremely well-documented. I read in great length all of its features, designs, etc. Yet when all is said and done, I’m left with a big “What the heck is this?” Is it just me?
It’s going to be a very secure desktop OS, some day when package management is finalized, native Qt5 applications become more numerous, and the desktop shell can handle spawning and killing processes an arbitrary number of times.
Right now it’s just a big fancy research project.
So this means the support for GPUs is much better by design and engineering than in Linux?
* by design, the GPU is intended to be multiplexed
* and a hostile or crashing driver doesn’t bring the whole system down
Windows, OS X, and the BSDs have all the same problems. What Genode is doing is leveraging hardware features designed for virtualization to improve security of a host OS.
Yes, I do think this means that it’s better from a security standpoint. From a feature, performance, and hardware-support standpoint, no, Genode is not better.
I would, however, love to see similar changes made to Linux.
Edited 2017-09-01 20:25 UTC
Without the progression of, say, Genode: Linux would certainly not get those upgrades, or would it?
Edited 2017-09-01 21:00 UTC
Yes, I think the Linux project is certainly capable of making similar large changes like this. It will just need to be done more cautiously and will take more effort.
This feature set exists because of changes Intel made. Intel did not make them with Genode in mind. If I had to guess, it was done with both Linux and Windows in mind. Check back in 2-3 years and I’m willing to bet one of those will have support.