genode/doc/release_notes/24-05.txt

              ===============================================
              Release notes for the Genode OS Framework 24.05
              ===============================================

                               Genode Labs



The main driver behind Genode 24.05 was the
[https://genode.org/news/sculpt-os-release-24.04 - recent release] of Sculpt
OS 24.04 ([https://genodians.org/nfeske/2024-04-26-sculpt-os - What's new?]).
Among the many usability advances of Sculpt OS is the flexible assignment
of USB devices to components and virtual machines.
Section [Fine-grained and dynamic assignment of USB devices/interfaces]
introduces the underpinnings that made our new quality of life possible.
Another user-facing feature with a surprisingly deep technical reach is
suspend/resume. Section [Suspend/resume infrastructure] details the changes of
the framework on that account. The new ability of seamlessly using the GNU
debugger on top of Sculpt OS is a game changer for developers
(Section [On-target debugging using the GNU debugger (GDB)]).
Further user-visible and user-audible topics are the support for
high-resolution displays and the wrapped-up transition to our new audio stack
(Section [Transition to the new audio interfaces introduced in 24.02]).

Besides the many usability-motivated topics of our
[https://genode.org/about/road-map - road map], however, we celebrate
the break-through of running Sculpt OS directly on our custom microkernel
alternatively to using a 3rd-party kernel.
Section [First version of Sculpt OS based on Genode's custom kernel]
details the background story, the showstoppers we had to overcome, and the
prospects of this achievement.

: <div class="visualClear"><!-- --></div>
: <p>
:  <div style="clear: both; float: left; margin-right:20px;">
:   <a class="internal-link" href="https://genode.org/documentation/genode-foundations-24-05.pdf">
:    <img class="image-inline" src="https://genode.org/documentation/genode-foundations-title.png">
:   </a>
:  </div>
: </p>

The "Genode Foundations" book covers Genode's architecture, developer work
flows, and reference material. In tandem with the current release, the
document received its annual update, which includes not only adjustments
to the most recent version but also new material about accessing GPIO pins,
audio, debugging, and prominent APIs like the list model.

Further topics of the current release reach from timing and network-throughput
optimizations, over the profound rework of storage encryption, to updated
3rd-party software such as Mesa, libSDL2, and Curl.

: <div class="visualClear"><!-- --></div> <p></p>


First version of Sculpt OS based on Genode's custom kernel
##########################################################

The ability to use a wide variety of kernels is certainly a distinctive
feature of Genode. Since the very first version, the framework accommodated
both a microkernel and the Linux kernel.
Over the years, we embraced most members of the L4 family of kernels
([https://genode.org/documentation/release-notes/9.05#Supporting_the_OKL4_kernel_as_new_base_platform - OKL4],
[https://genode.org/documentation/release-notes/9.02#Genode_on_L4ka__Pistachio - Pistachio],
[https://genode.org/news/genode-os-framework-release-8.08 - Fiasco],
[https://genode.org/documentation/release-notes/10.02#Codezero_kernel_as_new_base_platform - Codezero]),
all object-capability microkernels we could get our hands on
([https://genode.org/documentation/release-notes/10.02#NOVA_hypervisor_as_new_base_platform - NOVA],
[https://genode.org/documentation/release-notes/11.02#Support_for_Fiasco.OC - Fiasco.OC],
[https://genode.org/documentation/release-notes/15.05#Proof-of-concept_support_for_the_seL4_kernel - seL4]),
and even combined the framework with a static isolation kernel
([https://genode.org/documentation/release-notes/15.08#Genode_on_top_of_the_Muen_Separation_Kernel - Muen]).

Confronting the framework with largely different kernel mechanisms has
undoubtedly strengthened Genode's software design, but also gave us a great
depth of insights into the landscape of kernel designs and the implications of
the respective design choices. It did not take us long to question some of
these choices, and we started experimenting with custom kernel designs on our
own. This work made its first appearance in version
[https://genode.org/documentation/release-notes/11.02#Approaching_platform_support_for_Xilinx_MicroBlaze - 11.02]
targeting Xilinx Microblaze softcore CPUs.
Without haste, we steadily evolved this kernel as a research endeavour, mainly targeting ARM CPUs
([https://genode.org/documentation/release-notes/14.05#Multi-processor_support - SMP],
[https://genode.org/documentation/articles/trustzone - TrustZone],
[https://genode.org/documentation/release-notes/15.02#Virtualization_on_ARM - virtualization],
[https://genode.org/documentation/release-notes/19.08#64-bit_ARM_and_NXP_i.MX8 - 64 bit]),
and later also addressing the
[https://genode.org/documentation/release-notes/15.05#Feature_completion_of_our_custom_kernel__base-hw_ - x86]
architecture.

When we
[https://genode.org/documentation/release-notes/18.02#Sculpt_for_Early_Adopters - started]
creating Sculpt OS as a Genode-based operating system for commodity PCs, we
picked NOVA as kernel of choice. NOVA's unique combination of microkernel and
virtualization mechanisms served us extremely well. It is truly a technical
marvel! But like any other 3rd-party kernel, it imposes certain complexities
and points of friction onto the user land. In contrast to 3rd-party kernels
like NOVA or seL4, which are self-sufficient programs, our custom kernel is
melted with Genode's core component. This alleviates redundant data structures
between kernel and user space and makes Genode's resource management directly
applicable to kernel objects. In other words, it fits like a glove. Hence,
looking ahead, we foresee a much simpler and ever more coherent trusted
computing base of Sculpt OS.

In order to realize this vision, we had to tackle a couple of long-time
showstoppers. First of all, we needed to move IOMMU support out of the kernel
into the user-level platform driver to render it kernel-agnostic. We completed
a major part of this transition with
[https://genode.org/documentation/release-notes/23.11#Kernel-agnostic_DMA_protection - release 23.11].

Second, virtualization of commodity operating systems is a common use case for
Sculpt installations, ours at Genode Labs included. Therefore, adding support
for Intel's Virtual-Machine Extensions (VMX) was another important missing
piece of the puzzle. Under the hood, we refactored and generalized the
kernel's x86 hypervisor support to allow for the selection of the available
virtualization technology at runtime and consolidated code for page-table
handling. Even though we still have some way to go before the kernel is ready
to replace the time-tested NOVA hypervisor as the default kernel for Sculpt
OS, this release is a milestone in that direction.

The Sculpt OS variant using our custom kernel is now available as a
ready-to-use system image at [https://depot.genode.org/jschlatow/image]
for Intel systems up to 8th generation core processors (Whiskey Lake).
Note, when using Sculpt's integrated update mechanisms, you must already run
at least Sculpt 24.04. The system image includes a launcher for running a
Tiny-Core-Linux VM with a Firefox browser in VirtualBox. The launcher requires
a window manager that is best deployed by switching to the corresponding
preset. You also need to enable the _system clock_ and _mixer_ options.

Note that there are still a few areas of improvement for this Sculpt variant:
The IOMMU support currently omits IRQ remapping, which is important to shield
the system from rogue devices sending arbitrary interrupts. Moreover, we plan
to improve the kernel scheduling for interactive and time-critical workloads.


Fine-grained and dynamic assignment of USB devices/interfaces
#############################################################

USB support has a long history within the Genode framework and for almost one
decade its client session API has remained stable. Back in
[https://genode.org/documentation/release-notes/15.02#USB_session_interface - 2015],
we split the USB host-controller driver parts from other USB client device
drivers. Since then, a USB client component could request exactly one USB
device per session from the USB server resp. USB host-controller driver.
Moreover, a client had to drive the device in its entirety.

This former approach led to some limitations and intricateness. First, USB
drivers capable of driving more than one device of the same class needed to
know each device to request in advance. This information was not delivered by
the USB session but by means of configuration. The out-of-band information
path complicated the management of USB devices in complex systems like Sculpt
OS, e.g., when passing arbitrary USB devices to a guest OS running inside a
virtual machine.

The second drawback was related to USB devices with multiple interfaces of
different interface classes, most prominently, USB headsets with extra buttons
for volume control. Such devices typically have several USB interfaces for
audio playback and recording, and at least one interface for HID input events.
Whereas the development of one driver for each interface class is certainly an
attainable goal, creating driver mixtures for each potential combination of
interfaces is unrealistic. Ultimately, we strive to freely operate different
interfaces of a single device by dedicated drivers.

These limitations accompanied us for quite some time, and a design to overcome
them matured at the back of our minds. With the current release, the USB
session eventually received its long-anticipated redesign.

The new USB session API provides a _devices_ ROM to its client. Within this
ROM a client can retrieve all relevant information about existing devices it
is allowed to access. You can think of it as a virtual private USB bus for
this client. When a new device gets connected that matches the client's policy
of the USB host controller driver, the ROM gets updated appropriately. If a
device gets removed physically, it'll vanish from the _devices_ ROM, which
may, for example, look as follows.

! <devices>
!   <device name="usb-1-10" class="0x0" product="USB Optical Mouse"
!           vendor_id="0x1bcf" product_id="0x5" speed="low" acquired="true">
!     <config active="true" value="0x1">
!       <interface active="true" number="0x0" alt_setting="0x0"
!                  class="0x3" subclass="0x1" protocol="0x2">
!         <endpoint address="0x81" attributes="0x3"
!                   max_packet_size="0x7"/>
!       </interface>
!     </config>
!   </device>
! </devices>

As can be seen in the example, the human-readable XML representation of the
USB devices already contains most information that normally resides in the
full-length device descriptor of the USB standard. That means a driver can
parse relevant information about available configurations, interfaces, and
endpoints - including their types and identifiers - without the need to
communicate with the device in the first place.

Besides the _devices_ ROM, the new USB-session API consists of an acquire
function and a function to release a formerly acquired device. The acquisition
of a device returns a capability to a new device RPC API. This distinct API
includes a function to obtain a packet-stream buffer to exchange USB control
requests with the USB host-controller driver. The host-controller driver
sanity-checks the control requests, and potentially forwards them to the
device. Thereby, a client can change the configuration of the device, enable
an alternate interface, or request additional descriptors regarding
device-class specific aspects.

Moreover, the device RPC API provides functions to acquire or release an
interface of the device. When acquiring an interface, a capability to the
interface RPC API gets returned. This third new RPC API provides a
packet-stream buffer to the client, which allows for the exchange of
interrupt, bulk, or isochronous transfers with the host-controller driver.
The host-controller driver checks these transfer requests for plausibility,
and forwards them directly to the device and vice versa.

The whole internals of the different RPC API layers, however, are not imposed
on the developer. Instead, convenient helper utilities are provided within
_repos/os/include/usb_session/device.h_. Those helper classes simplify the
acquisition of USB devices and interfaces. Moreover, they support the notion
of USB Request Blocks (Urbs) on the level of device (control) and interface
(irq, bulk, isochronous). For an example component that makes use of these
utilities, please refer to the USB block driver.

All components that directly use the USB session have been adapted to the new
API. This includes the Linux USB driver ports for host controllers, HID, USB
Ethernet cards, the libusb library port, our XHCI model within VirtualBox, and
the black-hole component.

Practical considerations
------------------------

For users of the framework or Sculpt OS, the most notable change is that all
USB clients use their own _devices_ ROM to react to device appearance and
disappearance. No global information is required anymore. That means the
addition of a new policy rule in the USB host-controller's configuration is
sufficient to, e.g., let a device appear in a Linux guest. If the rule already
exists, even the pure physical connect will result in the appearance of the
device.

Because one USB session can now control an arbitrary number of devices, the
syntax of the policy rules for a USB host controller driver changed a bit:

! <config>
!   <policy label="usb_net">
!     <device vendor_id="0x0424" product_id="0xec00"/>
!   </policy>
!   <policy label="usb_hid">
!     <device class="0x3"/>
!   </policy>
!   <policy label="vm">
!     <device name="usb-2-2"/>
!     <device name="usb-2-4"/>
!   </policy>
! </config>

As you might notice, there is no differentiation in the policy rules on the
interface-level yet. In short, each device is still handled by only one
driver. As a prerequisite to assign drivers to individual interfaces, drivers
first have to become resilient against denied device-acquisition attempts.
This is not the case for most ported drivers or virtualized guest OSes. Hence,
even though the USB session API is now prepared for driving interfaces of one
USB device by dedicated drivers, we decided against activating this feature on
the policy level at the current time. Nonetheless, once a set of interface
drivers gets in place, we can enable the added flexibility without touching
the USB session API again.

Sculpt OS
---------

The outcome of this line of work is already present in
[https://genodians.org/nfeske/2024-04-26-sculpt-os - Sculpt OS 24.04], which makes the
[https://genode.org/documentation/articles/sculpt-24-04#Assignment_of_USB_devices_to_components - assignment of USB devices]
to components intuitive and secure.


On-target debugging using the GNU debugger (GDB)
################################################

The renovation of our debugging monitor in
[https://genode.org/documentation/release-notes/23.08#Multi-component_debug_monitor - Genode 23.08]
was driven by the vision of easy on-target debugging on Sculpt OS. Just
imagine, any runtime component from applications over device drivers to VMMs,
like VirtualBox, could be started with debugging optionally enabled. The key
to make this vision come true is the debug monitor at the heart of the Sculpt
runtime. All other missing ingredients for viable on-target debugging - above
all a GDB front end - are introduced with this release.

The _debug monitor_ component got introduced in version
[https://genode.org/documentation/release-notes/23.08#Multi-component_debug_monitor - 23.08].
It is a drop-in replacement for the init component with the added ability to
control the execution and memory content of selected child components using
the GDB remote serial protocol. On Sculpt, the debug monitor now acts as the
runtime init component. The user decides which components are made available
to debugger control with a check mark in the launcher menu before the
component is started. If the component is selected for debugging, the monitor
configuration part for this component is added to the Sculpt runtime
configuration.

The [https://www.sourceware.org/gdb/ - GDB] component is the user-facing part
of the debugging experience. It presents a command line interface in a
graphical terminal window and communicates with the debug monitor in the
background. The user can enter GDB commands for inspecting and modifying the
state of monitored components.

In order to debug a component in a meaningful way, GDB usually needs to
evaluate the executable files of the component and profits hugely from
additional debug information like symbol names and source-code location
information generated by the compiler. As this information can take up a lot
of space, we decided to store it in separate debug info files shipped in
dedicated _dbg_ depot packages since version
[https://genode.org/documentation/release-notes/23.11#Debug_information_for_depot_binaries - 23.11].
Two small support components help to make this information available to GDB at
runtime:

The _dbg_download_ component can be started by the user by checking the
_download debug info_ option in the Sculpt launcher menu. It evaluates the
Sculpt runtime configuration in the background and downloads any missing _dbg_
archive content of monitored components into the depot.

The _gdb_support_ component is started automatically together with GDB. It
evaluates the Sculpt runtime configuration in the background and dynamically
creates directories with symbolic links to the depot binaries and debug info
files of monitored components in a RAM file system shared with GDB, and
thereby allows GDB to access these files in a convenient way.

[image on_target_gdb]

With this setup in place, the user can debug multiple components at once
and control the execution of threads on an individual basis thanks to GDB's
_non-stop_ mode.
Learn how to integrate and use GDB on Sculpt with our article and screencast
video on [https://genodians.org/chelmuth/2024-05-17-on-target-debugging - Genodians.org].

One noteworthy challenge discovered while testing on Sculpt was that GDB
apparently was not prepared for the case that there are no initial inferiors
and that the first inferior could appear spontaneously on the remote side
instead of being actively started by GDB. We had to make some adaptations to
the GDB source code to support this situation and some more adaptations might
be necessary in the future, for example to update the output of the
_info inferiors_ command when the first inferior appears.


Base framework and OS-level infrastructure
##########################################

Transition to the new audio interfaces introduced in 24.02
==========================================================

In Genode's
[https://genode.org/documentation/release-notes/24.02#Revised_audio_infrastructure - February release],
we introduced new audio 'Record' and 'Play' sessions intended to supersede the
old 'Audio_in' and 'Audio_out' interfaces. In the time following up to the
current release, we worked on integrating the new sessions into the existing
components. In fact, they are already exercised in the most recent
[https://genode.org/news/sculpt-os-release-24.04 - Sculpt release].

As most prominently used by ported software, the VFS OSS plugin plays a vital
role in interfacing with Genode's native audio stack. The already existing
VFS plugin got renamed to _legacy_oss_ while the new one takes its place and
is usable as a drop-in replacement. Existing users have to adapt the session
routes accordingly or change their VFS configuration to make use of the
legacy plugin, if the use of the new sessions is not yet desirable.

In contrast to the old plugin, it is possible to configure the fragment size a
client is allowed to use via its configuration and thereby enforce its latency
requirements. The fragment size ranges from 2048 to 8192 bytes, which equals a
period length of around 11.6 to 46.4 ms when using a sample rate of 44.1 kHz.
The plugin leverages the ability of the _report_play_mixer_ to convert sample
rates. However, to constrain the resource requirements of the plugin, it is
limited from 8 kHz to 48 kHz, which covers a reasonable range. Please consult
the _repos/gems/src/lib/vfs/oss/README_ file for more information.

The _black_hole_ component gained additional support for providing the play
and record sessions so that it is able to perform its role when using the new
sessions. We also removed the custom audio subsystem from our SDL1.2 port in
favor of using its own OSS back end, which brings it in line with our SDL2
port.

As there are no critical components left that exclusively use the old sessions
directly, the way is paved to remove them. However, we keep the legacy audio
sessions intact to give users time to migrate their components and become
comfortable with the new interfaces.


Improved timing stability
=========================

Our recent work on real-time audio processing moved the timing characteristics
of the framework into focus. Low latency cannot be attained in the presence of
high jitter. But in a component-based system carrying general-purpose
workloads, jitter can be induced for many reasons including kernel scheduling,
spontaneous high-priority events, or the interference between clients of
shared services. The timer driver in particular is such a shared service.
While analyzing the timer's behaviour under stress, we indeed observed
unwelcome interference between timer clients. E.g., the stability of a
waveform generated at a period of 5 milliseconds would be effected by
otherwise unrelated spontaneous USB-HID events. Those observations motivated
the following improvements:

First, we simplified the timer implementation to make it dead-simple to
understand and straight-forward to trace its behavior. The timer no longer
relies on TSC-interpolated measurements but only on ground-truth values
obtained from the timing device (or from the underlying kernel). Second, to
improve accuracy at the client side, the timer no longer limits the time
resolution when the current time is queried. The deliberate limiting of the
time resolution is applied only to the triggering of timeouts in order to cap
the timer's CPU load induced by its clients. Third, to limit the rate of
inter-component communication, the timer batches the wake-up of clients that
have timeouts closely clustered together. Combined, those measures reduced the
cross-client interferences between timer clients comfortably below the level
relevant for our synthetic test setup using audio periods of 5 ms. Note that
such small periods are not generally usable in practice because real-world
audio applications are subjected to additional sources of jitter.

The improvements are in effect for the timers used on NOVA, the base-hw
kernel, and the PIT-based timer as used on seL4, OKL4, and Pistachio. Linux,
Fiasco.OC, and L4/Fiasco are not covered yet.


Device drivers
##############

Linux-device-driver environment (DDE)
=====================================

Porting Linux drivers to Genode is a multi-staged process with the
configuration of a minimal yet functional platform-specific Linux kernel as
an essential step. The device support in this kernel is the baseline and
reference for the final Genode driver. To simplify the testing of minimal
kernel images, we introduced new run scripts for i.MX boards and PCs. Now, a
plain execution of 'make run/pc_linux' or 'make run/imx_linux' runs Linux on
the test target as known from Genode scenarios. In case of i.MX, a FIT image
is generated, whereas we provide an i.PXE-bootable image for PCs. The run
scripts integrate busybox into an initial RAM disk and, for i.MX, amend this
image with _memtool_, a tool by Pengutronix to inspect all kind of memory
under Linux (via _/dev/mem_).

Furthermore, we address some deficiencies in DDE Linux with this release.
We improved support for fine-grained, sub-millisecond timing by enabling
high-resolution timers and attended to a long-standing pc_nic_drv link reset
bug that manifested in some situations on some platforms only. For driver
developers, we added the 'lx_emul_trace_msg()' function for the generation
of low-overhead trace entries that can be used to debug timing-sensitive or
high-traffic scenarios.


Intel framebuffer and GPU driver
================================

An essential prerequisite for providing a GUI as Sculpt OS does, is having a
driver for the graphics controller. In Genode, this task is split between the
framebuffer driver and the GPU driver. Exposing these to a growing range of
devices led to a few robustness and compatibility improvements for the Intel
framebuffer/GPU drivers.

In the context of the latest Sculpt release, we made the accounting of maximum
framebuffer memory configurable. Previously, this was derived from the
component's RAM quota, which implicitly limited the maximum display
resolution. The separate configuration explicitly sets the maximum framebuffer
memory by default to 64 MiB, which suffices for resolutions of at least
3840x2160. The actual memory used by the component depends on the configured
display resolution. If the RAM quota is depleted, the component will issue a
resource request. The configuration follows the scheme established for the GPU
driver with
[https://genode.org/documentation/release-notes/24.02#Dynamic_aperture_handling_for_high_resolution_framebuffers - release 24.02].

In this release, we also incorporated a vendor check in the Intel framebuffer
driver in order to ensure that it only operates Intel devices. Our central
platform driver typically hands out all VGA-class devices to the driver,
including GPUs of other vendors. This caused issues on platforms with an
additional Nvidia GPU for multiple users. Thanks to Alice Domage for this
contribution.

Furthermore, we fixed a few issues that popped up when test-driving Sculpt OS
on the ZimaBlade. By doing this, we added support for Intel HD Graphics 500 to
the Intel framebuffer/GPU drivers. This GPU can be found in various Intel
Processors in the Pentium/Celeron N-series.


Suspend/resume infrastructure
=============================

As planned in our [https://genode.org/about/road-map - road map], we
integrated the current state of x86 suspend/resume as a feature into Sculpt
OS. The sculpt manager got enhanced to drive the system state and manage the
life cycle of driver components during suspend-resume cycles.
The new
[https://genode.org/documentation/articles/sculpt-24-04#System_power_control - power options]
can be found in the _System_ menu once the ACPI support option is activated.

[image sculpt_24_04_system_power]

Non-stateful drivers are removed from the runtime before suspending and are
restarted during resume, e.g., network drivers. Stateful drivers like NVME,
AHCI, and GPU drivers participate cooperatively in the system states by
stopping their processing and reporting their fulfillment. Currently, the USB
host driver needs to be restarted forcefully on resume. To avoid data loss,
the power suspend feature is not offered while a USB block device is in use.

Additionally, during Sculpt integration, several drivers got enhanced. The
acpica application now reflects the completion of the last action, which the
sculpt manager monitors and incorporates into the system state machine. The PC
platform driver saves and restores the IOMMU configurations before and after
suspend. Additionally, the platform driver gained the ability to trigger the
final suspend RPC to Genode's core. Furthermore, the Intel display driver now
participates in the system state changes by switching off all connectors
before suspend in order to reduce graphical noise on displays during the
transition.


Mesa updated to version 24.0.1
==============================

With the goal to add support for more recent Intel GPUs (Alder Lake+), we took
the first step by updating our three-year-old Mesa 21 to version 24. Because
Mesa is under heavy development, the effort to do so was more elaborate than
anticipated. For the current release, we enabled all the previously supported
GPUs, which are Intel Gen8 (Broadwell), Gen9 (Skylake up to Whiskey Lake),
Gen12 (Tiger Lake) using the Iris Gallium driver, Vivante as found in i.MX8
SoCs, and Mali on the PinePhone. There are still many improvements to be
explored, like buffer life-time management, using Mesa's native build system
(Meson) for simplifying future updates, testing Alder Lake, replacing softpipe
with llvm for software rendering, and adding Vulkan support, to name a few.
We are looking forward to tackle these topics in future Genode releases.


Removed obsolete loader component and session interface
=======================================================

The loader was originally introduced in version
[https://genode.org/documentation/release-notes/10.11#Qt4 - 10.11] as part of an
early [https://genode.org/news/genode-live-demonstration-2010-11 - live CD].
It later served the purpose of dynamically starting and stopping preconfigured
subsystems. As of today, the latter use case has long been covered by the
dynamically reconfigurable init component. The only substantial client of the
loader remained to be the qpluginwidget in combination with the Arora web
browser. But as the blending of plugins with websites never moved beyond a
fancy tech demo and Arora was replaced by Falkon, the current release removes
the now obsolete loader infrastructure.


Libraries and applications
##########################

Consolidation of Tresor block encryptor and File Vault
======================================================

Genode [https://genode.org/documentation/release-notes/23.05#Revision_of_Genode_s_custom_block-encryption_infrastructure - 23.05]
marked a big update of the core logic for block-data security and management
behind the file vault. It replaced the former Ada/SPARK-based implementation
called CBE with a C++-based, modernized library that we named _Tresor_. As a
side effect of this endeavor, we improved testing and fixed many issues of the
former approach. However, the tresor library also inherited some unwelcome
traits from its predecessor. The CBE approach was shaped in many ways by the
semantic restrictions imposed by SPARK and the tresor library had retained
some of these at the expense of code redundancy. In addition, we had adopted a
rather peculiar approach to execution flow that led to unforeseen
implementation complexity down the road. In order to improve this situation,
the current release comes with a comprehensive re-design of the tresor
library, relieving it from legacy burdens, significantly shrinking the code
base, and making it much easier to understand.

Once warmed up with the topic, we stepped one level up in the block-encryption
stack and continued reworking the tresor VFS plugin because it also suffered
from over-complexity and redundancy. After finishing that, we noticed that the
next higher layer - the File Vault - could also be improved in two ways:
First, the file vault used to combine two unrelated tasks in one component:
The logic for modeling typical user work-flows on the tresor VFS and the
operation of a graphical user interface. We found that these are better
assigned to separate components that work together via a narrow and
well-defined interface. Second, the file vault used to operate directly on
the low-level interface of the menu view component in order to drive its GUI
instead of using the newer and far easier dialog API for this purpose.

[image file_vault_gui]

For the component that deals with the logic, we stayed with the name
_file vault_ whereas the new front-end is the _file vault gui_.

Putting all these changes together, the whole ecosystem around the tresor block
encryption and the file vault becomes far more manageable and its code base
has been cut in half while providing the same feature set as before:

   component                    | 23.05 | 24.05 | difference
  -----------------------------------------------------------
  -----------------------------------------------------------
   lib/tresor                   | 14374 |  5212 | -63%
  -----------------------------------------------------------
   lib/vfs/tresor               |  2728 |  1823 | -33%
  -----------------------------------------------------------
   lib/vfs/tresor_crypto        |  1162 |  1213 |
  -----------------------------------------------------------
   lib/vfs/tresor_trust_anchor  |  1800 |  1992 |
  -----------------------------------------------------------
   app/tresor_init              |   159 |    93 |
  -----------------------------------------------------------
   app/tresor_init_trust_anchor |   166 |   163 |
  -----------------------------------------------------------
   app/file_vault               |  5429 |  1256 | -76%
  -----------------------------------------------------------
   app/file_vault_gui           |     - |   617 |
  -----------------------------------------------------------
  -----------------------------------------------------------
   total                        | 25818 | 12369 | -52%

But the update is not only about cleaning up. We also consolidated the stack
by, for instance, fixing and re-enabling asynchronous rekeying, implementing
robust handling of corner-case configurations, patching several performance
limitations, and further improving the test suite.

Last but not least, the file vault received two handy usability enhancements.
First, the new file-vault GUI is fully controllable via keyboard.
The hotkeys are documented in _repos/gems/src/app/file_vault_gui/README_.
Second, as an implication of separating GUI from logic, the text-based
interface of the file vault became the canonical way to steer that component.
In order to achieve that, the interface had to be extended to the full feature
set, which has the welcome side effect of easing the combination of the file
vault with alternative front ends. For instance, the file vault could now
become an integrated part of the administrative user interface of Sculpt OS.
The new interface is mostly backwards compatible (only the non-functional
version attribute disappeared) and documented in
_repos/gems/src/app/file_vault/README_.

Despite the extensive overhaul, file vault version 24.05 remains compatible
with old containers created via the 23.05 version and we also kept the
structure and appearance of the new graphical front end close to that of the
old version in order to make the transition as smooth as possible.


VirtualBox network-throughput improvements
==========================================

The Uplink and NIC session interfaces provide means to batch several network
packets before informing the other side to process the packets. The batching
is crucial to achieve good network throughput and also to keep the CPU
overhead per packet at a moderate level. Up to now, our ports of VirtualBox
did not leverage this feature, which became noticeable on systems under high
CPU load. By adding the batching of network packets to our VirtualBox ports,
we were able to reduce the CPU load and achieve stable throughput
measurements, which otherwise fluctuate more depending on other factors like
scheduling.


Seoul virtual machine monitor
=============================

Since the
[https://genode.org/documentation/release-notes/24.02#Seoul_VMM - previous]
release, the VMM received several improvements.

Notably, the former global motherboard lock got replaced by fine-grained
locking within each device model where appropriate. Thanks to the better CPU
utilization, long-running work, for example compilation, now finishes earlier.
The network binding got reworked and now reflects network link-state changes
from the Genode interface into the guest VMs. The legacy audio-session binding
got replaced by Genode's new Play interface.

The so far unused ACPI model of the Seoul sources got enabled and adjusted
to support so-called fixed ACPI events, e.g., power-button press event. On
GUI window close, the event is now triggered and forwarded to the guest VM.
Depending on the configuration of the guest, the VM may power down
automatically, similar as done by our port of VirtualBox.

Finally, a USB XHCI model powered by our qemu-usb library has been added to
Seoul, which got developed during our recent
[https://github.com/genodelabs/genode/issues/4989 - Hack'n'Hike] event.
With this new model, USB devices can be passed through to the guest. It has
been successfully tested with several USB storage, keyboard, and audio
devices.


SDL2 improvements
=================

We enhanced our SDL2 port by enabling more subsystems, improving its window
handling, and adding support for its text-input API.

This release adds preliminary support window resizing. It works well for some
of the currently available ports but still has issues with others (especially
those using an OpenGL context) as it depends to some degree on the component
itself using the SDL2 library. As an additional feature, we added support for
setting the initial window geometry via the '<initial>' node, e.g.:

! <initial width="800" height="600"/>

This allows for restricting the initial window size because otherwise the
actual screen size will be used and that might be too large depending on the
attached display.

Support for using SDL2's text-input API has been enabled. Once the application
enables text input, any key press that has a valid Unicode codepoint is sent
as text input.


Curl updated to version 8.7.1
=============================

We updated our cURL port to version 8.7.1 to support the use of
elliptic-curve algorithms for TLS (CURLOPT_SSL_EC_CURVES).

In setups where no service is employed to provide entropy, it might be
necessary to increase the amount of statically configured entropy. Doubling
the content of the '<inline>' VFS plugin as used in static configurations
seems satisfactory. Furthermore, DNS resolving needs a configured '<pipe>'
plugin to work properly. For an exemplary configuration, please look at the
_repos/libports/run/fetchurl.inc_ run-script snippet.

The 'fetchurl' component also gained a 'verbose' configuration option to
enable verbose operations as a convenience feature to ease debugging.


Platforms
#########

NOVA microhypervisor
====================

Some of the command-line options changed. The 'iommu' option is now split up
into 'iommu_amd' and 'iommu_intel', so that they may be enabled/disabled
separately. The 'novga' option turned into 'vga' since it is unused nowadays.
The tagged TLB feature for virtual machines is now enabled by default.

The kernel now supports the 'mwait' instruction besides the 'hlt' instruction,
which can be used to give hints to the CPU to enter deeper sleep states.
The feature is off by default and can be utilized via the 'Pd::system_control'
interface.


Build system and tools
######################

Goa SDK
=======

Aligned with the Sculpt release, the Goa tool has been updated with the
corresponding depot archive versions for Sculpt 24.04. This also involved
adding support for the new audio play and record sessions.

The _Goa testbed_ package and preset have been updated accordingly so that
an out-of-the-box Sculpt 24.04 lends itself as a
[https://genode.org/documentation/release-notes/24.02#Sculpt_OS_as_remote_test_target_for_the_Goa_SDK - remote test target for Goa].