2019-03-19 11:00:01 +01:00

1399 lines
59 KiB
Plaintext

=====================================
Sculpt as a community experience (CE)
=====================================
Norman Feske
Introduction
############
Sculpt is a component-based desktop operating system that puts the user in
the position of full control. It is empowered by the Genode OS Framework,
which provides a comprehensive set of building blocks, out of which custom
system scenarios can be created. The name Sculpt hints at the underlying
idea of crafting, molding, and tweaking the system interactively. Starting
from a fairly minimalistic and generic base system, this tour through the
Sculpt system will cover the following topics:
* A boot image that is a live system, rescue system, and bootstrap system all
in one,
* Connecting to a wired or wireless network,
* Installing and deploying software,
* Ways to tweak and introspect the system, and
* Managing and accessing storage devices.
Community
---------
The best place to learn more about using and tweaking Sculpt, to follow the
work of the developers, and to get hold of announcements of new software and
features is the federated Genodians blog:
:Genodians.org community blog:
[https://genodians.org]
Feedback and contact
--------------------
Your feedback is appreciated!
:Join the Genode mailing list for discussion:
[https://genode.org/community/mailing-lists]
:Get in touch with the developers at GitHub:
[https://github.com/genodelabs/genode]
:Contact Genode Labs for commercial inquiries:
[https://www.genode-labs.com]
A printable PDF version of this document is available at
[https://genode.org/documentation/sculpt-ce.pdf].
Hardware requirements and preparations
######################################
Sculpt CE should be compatible with recent Intel-based PC hardware featuring
Intel graphics, E1000 networking, Intel wireless, and AHCI/NVMe.
It is tested best on laptops of the Lenovo X and T series (X220, X250, X260,
T430, T460, T470). For experimenting with Sculpt, we recommend getting a
refurbished version of one of these. You may also find the unofficial hardware
compatibility list [https://usr.sysret.de/jws/genode/hcl.html] helpful for
finding Genode-compatible hardware.
Sculpt has been tested with screen resolutions up to 2560 x 1440. Displays
with a higher resolution are not expected to work. The sweet spot is a full-HD
display.
Please revisit the BIOS settings of your machine in the following respects:
:VT-d enabled: Even though Sculpt is able to run without an IOMMU, we
advise to enable this option for the sandboxing of device drivers.
:VT-x enabled: Hardware-assisted virtualization is needed to run VirtualBox
on top of Sculpt.
:Execution prevention enabled: The standard Sculpt package is provided
for x86-64 and expects your platform to support data execution
prevention (abbreviated DEP or NX). If this feature is disabled your
PC will just reboot on startup.
:Boot from USB enabled: Sculpt is usually booted from a USB stick.
:UEFI boot enabled: Sculpt boots via UEFI by default. The boot image
is specially prepared such that it can be started via legacy boot on older
machines. However, booting it via legacy boot on a modern machine is
hit or miss.
:UEFI secure boot disabled: The Sculpt boot image is not cryptographically
signed.
:Optimize for performance when battery powered: If the latter is not set,
the hardware may behave erratically (e.g., non-working trackpoint when on
battery).
Getting a first impression
##########################
Sculpt is best explored by first booting the prebuilt disk image downloadable
from [https://genode.org/download/sculpt].
Right after system boot, Sculpt's system-management user interface
("Leitzentrale") appears. The menu on the left provides convenient access to
the connected storage devices and the network configuration. The center
displays a live graph (runtime view) of components running and their
relationships. On the right side, diagnostic messages are presented. Consider
the following steps as a warm-up with Sculpt OS.
Select the in-memory file system as *default storage location* by clicking
on the "ram" item of the "Storage" dialog and pressing the "Use" button.
This way, software will be installed solely into memory without accessing any
real storage device.
Enable *networking* in the "Network" dialog by selecting the "Wired" or
"Wifi" option. In the latter case, select an access point and enter the
corresponding passphrase (if needed). A successful network connection is
indicated by the IP address displayed at the bottom of the network dialog.
With a storage location selected and established network connectivity, it is
time to *install and start* additional components by clicking on the '+'
button of the runtime view. Select "Depot ..." from the menu.
[image sculpt_ce_menu 40%]
The depot contains software packages, which can be obtained by different
independent software providers. The selection of software providers is
completely up to the user and can be defined in the "Selection ..." sub menu.
[image sculpt_ce_select 40%]
Select "genodelabs" to download the directory of software officially
provided by Genode Labs. Note that the other options are not necessarily
affiliated with Genode Labs. Think of each option as a different individual.
If you don't trust one particular software provider, you can still install and
use the provided software without risk as long as you don't explicitly grant
their components access to sensitive parts of your system. The judgement
of trust is entirely yours.
When now going back to the depot menu, a new menu item "genodelabs ..."
appears. It leads to a catalogue of software browsable via hierarchically
structured menus. As a starter, let's add a desktop background.
In the "GUI ..." sub menu, a click on the first item named "sticks blue
backdrop" reveals the option to install the package.
[image sculpt_ce_install_backdrop 40%]
A click on the "Install" button triggers the download of the package and its
dependencies. Once the download is complete, the menu presents a configuration
dialog that allows you to define the interplay of the new component with the
system. In this particular case, you have to decide for a GUI service to be
used by the backdrop.
[image sculpt_ce_backdrop_routes 40%]
The first option "system GUI server" would grant direct access to the system's
low-level GUI server, which is normally not used by applications but by
higher-level GUI servers like a window manager. The second option would
connect the component to the special "desktop background" GUI session, which
appears as a layer behind all other applications. The third option "keyboard
focus" is preserved for a single component that controls the keyboard focus.
In our case, "desktop background" is the correct choice. Once the
configuration is complete, a new button for adding the component to the system
appears.
[image sculpt_ce_add_backdrop 40%]
After pressing the button, you should notice a slight visual change. *Press*
*F12* to toggle between the Leitzentrale and the desktop. Now, the backdrop
should become visible in full glory. In the runtime graph, the new component
appears connected to the "GUI". A click on the component reveals further
information along with the option to remove it from the system.
[image sculpt_ce_backdrop_selected 40%]
As a next step, let us add a window system. In the '+' menu, you can find
a readily packaged window system at _genodelabs_ -> _GUI_ -> _themed wm_.
After installing the package, you are asked to take three decisions:
The _GUI (focus)_ should be assigned to "keyboard focus" to put the
window manager in charge of controlling the keyboard focus, which is part
of its job after all.
The _GUI_ should be assigned to "system GUI server" as the basic mechanism
to be used for graphical output and user input for the windowed applications.
Finally, by assigning _Report_ to _system reports_, we allow the window
manager to report information about mouse-pointer shapes.
By adding the component, the "themed wm" will appear in the runtime view.
To give the window system a quick try, add the small demo you can find at
_genodelabs_ -> _Demos_ -> _nano3d_ and assign its _GUI_ to our "themed wm".
[image sculpt_ce_nano3d 40%]
Next, let us add a *small Unix-like subsystem* called _noux_ hosted in a
window. This noux runtime will be presented in a terminal window. The font
used by the terminal is obtained from a font server. To create the font
server, install and add the package _genodelabs_ -> _GUI_ -> _fonts fs_, and
assign the _system font configuration_ to its _ROM (config)_. "ROM" means
read-only memory. So we grant the font server read-only access to the system's
default font configuration (which is generated automatically according to the
screen resolution).
For starting the actual noux runtime, select and install
_genodelabs_ -> _Tools_ -> _noux-system_ from the menu. The configuration
dialog is a bit more elaborate this time.
:GUI: defines the GUI server that should host the terminal.
Select "themed wm".
:File system (config): defines which file system should be mounted at
_/config/_ inside the instance. There exist a number of options.
By selecting _writeable system configuration_, we grant control over
the whole system. It goes without saying that this should not be done
lightheartedly. However, since we trust the "noux-system" package from
Genode Labs, let's do it.
:File system (report): defines the file system to be mounted at _/report/_
inside the instance. By selecting "read-only system reports", we allow
the instance to look at the state of various parts of the system.
:File system (target): defines a file system to be mounted at _/rw/_.
This can be any file system you'd like to work with or explore, for
example the "ram fs".
:File system (fonts): defines the place where to obtain the font used by
the terminal. Select the "fonts fs" component we have started earlier.
:ROM (vimrc): defines the configuration for the vim text editor used
within the instance. Select "default vim configuration" to grant
read-only access to this information.
With those decisions taken, a fresh noux runtime can be started, which appears
in a window.
[image sculpt_ce_noux 60%]
When selecting the "noux-system" component in the runtime view, the
relationship to the other components of the system is presented. This provides
a convenient way to reveal the _trusted computing base_ of the selected
component. For example, since there is no connection from _noux-system_ to the
_nic_router_ we know that this component is isolated from the network. The
network-related components are outside the trusted computing base of the
noux instance.
[image sculpt_ce_noux_selected 50%]
Further exploration
-------------------
Of course, there are many more components to explore and to combine.
For inspiration, please follow the postings at
[https://genodians.org], for example:
:Use GNU/Linux inside a virtual machine on top of Sculpt:
There is a ready-to-use package for downloading Debian for the use inside
a virtual machine along with the ability to use VirtualBox guest
additions:
[https://genodians.org/jws/2019-03-01-download_debian-guest-additions]
For configuring and starting the virtual machine, you may find the
following guide useful:
[https://genodians.org/m-stein/2019-03-07-vm-with-sculpt-ce-preview]
:Disposable Firefox VMs:
Use a minimalistic Tinycore-Linux system to run Firefox in memory without
access to any persistent storage:
[https://genodians.org/alex-ab/2019-03-06-disposal-browser-vm]
Base system
###########
Unless customized, the Sculpt base system resides as a self-contained live
operating system on a USB stick, not installed on disk. This has two
advantages. First, it makes the update of the base system straight-forward
and completely risk-free. Simply install the new version on a second USB
stick. Should the new version cause any trouble, one can fall back to the
original one by swapping the USB sticks. Second, it alleviates the need to
install any boot-loader infrastructure on disk. In fact, one can use an
entire disk as one file system without creating a partition table.
_Note that Genode is not limited to booting from USB. It also supports_
_the use of partitions. But for this guide, we keep things as simple as_
_possible._
System overview
===============
; Drivers | Leitzentrale | Runtime
; subsystem | subsystem | subsystem
; ---------------+--------------------+---------------
; static part of the system
; ----------------------------------------------------
; microkernel / core
[image sculpt_overview]
System overview
The Sculpt system consists of four parts living on top of the microkernel
(Figure [sculpt_overview]).
Static system
-------------
The first - static - part of the system is baked into the boot image. It
contains components that must be shared by the upper - dynamic - parts and
defines the relationships between the upper parts via a static policy that
is fixed by the creator of the boot image.
; Drivers | Leitzentrale | Runtime
; --------------------------------------------------------
; : :
; Nitpicker Report : : ROM [global policy]
; GUI server : : : :
; v v v v
; Report Config
; FS FS
[image sculpt_static]
Detailed look at the static part of the system
Besides a low-complexity GUI multiplexer called Nitpicker, the static
system contains two in-memory file systems. The _config_ file system stores
configuration data whereas the _report_ file system stores information
reported by components. These file systems are invisible to regular
components. Components obtain their configuration data from a (read-only
memory) ROM service, and report their state to a (write-only) report
service.
At boot time, the config file system is pre-populated with information from
the boot image. It stays in memory. Hence, after rebooting the system, any
changes are gone.
Drivers subsystem
-----------------
The drivers subsystem provides all the basic services needed to realize an
interactive system scenario: a framebuffer service for the graphical
output, an input service to obtain user input, and a block service to
access a storage device. All other drivers like networking or audio drivers
are not covered by the drivers subsystem. They will enter the picture at a
later stage and will use the platform service and USB service to access
device resources.
; Framebuffer AHCI
; Driver Driver
; : \ / :
; ACPI --- Platform ------- USB Driver : Dynamic :
; discover driver -- PS/2 : : Manager : Init :
; : : : : : :
; : : : : : :
; : Input : : :
; : Filter : : :
; : : : : :
; : : : : :
; (platform) (input) (USB) (framebuffer) (block)
[image sculpt_drivers 80%]
Services provided by the drivers subsystem
As illustrated by Figure [sculpt_drivers], some drivers like the framebuffer
driver live in a dynamically managed subsystem that depends on runtime
discovery of the hardware by the so-called driver-manager component.
Whenever an Intel graphics device is present, the Intel framebuffer driver
is spawned. Otherwise, a generic VESA driver or a driver for a
boot-time-initialized framebuffer is used.
Several components of the drivers subsystem report their state. For example, when
the Intel framebuffer is used, it reports the list of connectors present.
Most importantly, the driver manager reports the available block devices.
As user input may enter the system in multiple ways - most prominently PS/2
and USB HID - the drivers subsystem contains a so-called input-filter
component that merges these event streams and applies transformations like
key remappings or mouse acceleration.
Leitzentrale subsystem
----------------------
The Leitzentrale gives you - the user - full control over the config file
system and the report file system. You are free to inspect and
manipulate the system in any way you wish. The German term Leitzentrale
refers to a control center that requires a certain degree of sophistication
from the operator, which would be you. A typo at the wrong place may
render your system temporarily inaccessible, eventually requiring a reboot.
But don't be afraid. Since all manual changes performed in the Leitzentrale
occur in memory only, you are not at risk of permanently bricking your machine.
The Leitzentrale can be toggled at any time by pressing F12 and will be enabled
right after boot. It presents itself with a minimalistic GUI for accessing
the storage devices attached to your machine and for configuring your network
connectivity. Most importantly, however, it allows the user to spawn an
interactive shell for manual _config_ and _report_ file systems access. To
spawn this command-line interface, click on the "ram" item from the menu and
select "Inspect". While inspecting file systems, the inspect window replaces
the runtime view.
The inspect window hosts a small Unix-like runtime called noux as user
interface. Don't let the presence of a Unix shell mislead you.
Sculpt is not a Unix system. It merely uses Unix subsystems in the form of
noux instances as convenient tools for managing and editing files.
Within the inspect window, you can interact with both the report and
config file systems using familiar commands such as the bash shell, a
subset of coreutils, and Vim.
Besides the interactive shell, the Leitzentrale employs a noux instance that
gives you a quick glance at the most recent log messages. The log is also
available at _report/log_ and can be browsed with Vim in the inspect window.
_Noux is not bullet-proof. Should you get stuck, you may re-spawn it at_
_any time by toggling the "Inspect" button._
Tweaking and inspecting the system
==================================
The Leitzentrale subsystem empowers you to interactively inspect and tweak
the running system using a command-line interface and the Vim text editor.
Vim skills recommended
----------------------
Sculpt CE leverages (a subset of) GNU coreutils, bash, and Vim as the user
interface for sculpting the system. If you are not yet familiar with using
Vim, you may take Sculpt CE as a welcome chance to get your toes wet. To
enjoy the experience, you should be comfortable with the following
operations:
* Opening and navigating within a text file (moving the cursor,
using '/' to search),
* Using the insert mode to make modifications,
* Reverting accidental modifications ('u' undo),
* Saving a modified file (':w'),
* Opening a file in a secondary buffer (':e'),
* Switching between buffers (':bn' for next, ':bp' for previous),
* Copy and paste ('v' start selection, 'V' start line selection,
'y' remember selection, 'p' paste remembered selection),
* Exiting Vim (':x' save and exit, ':q!' discard changes).
Adjusting the user-input handling
---------------------------------
By default, Sculpt uses the US-English keyboard layout with a functioning
capslock key. You may possibly want to adjust the former and - as a Vim
user - most likely discharge the latter. As mentioned in Section
[Drivers subsystem], user input is processed by the input-filter component.
You can edit this component's configuration via
! inspect:/> vim /config/input_filter
To change the keyboard layout to German, change "en_us.chargen" to
"de.chargen" and save the file. The change becomes effective immediately at
saving time.
To remap the capslock key to escape - a key often needed while using Vim -
uncomment the corresponding '<remap>' rule
! <key name="KEY_CAPSLOCK" to="KEY_ESC"/>
After saving the file, a Vim user's life suddenly becomes much more
pleasant.
[image input_filter 80%]
Filter chain for user-input events
Take the time to review the remaining parts of the input-filter
configuration. The nested configuration nodes define a hierarchy of
filters that are applied in the order from the inside to outside
(Figure [input_filter]). There are filters for merging events ('<merge>'),
remapping buttons and keys ('<remap>'), supplementing symbolic character
information ('<chargen>'), pointer acceleration ('<accelerate>'), and
emulating a scroll wheel by moving the pointer while pressing the middle
mouse button ('<button-scroll>').
Display settings
----------------
If you are running the Intel graphics driver, you can inspect the connected
displays and their supported resolutions by taking a look at the report at
_/report/drivers/dynamic/intel_fb_drv/connectors_. This report is updated
whenever a display is connected or disconnected. You can use this
information to enable or disable a display in the driver's configuration,
which you can find at _/config/fb_drv_.
For a quick test, change the attribute 'height="768"' to 'force_height="768"'
(you may modify 'width' analogously). When saving the file, the screen
real-estate will forcibly be limited to the specified size. This is helpful
during presentations where the projector has a lower resolution than the
laptop's internal display. By specifying the beamer's resolution, both the
laptop and the beamer show the same content.
Exploring the drivers and Leitzentrale subsystems
-------------------------------------------------
You can review the construction plan of the drivers subsystem by opening the
file _/config/drivers_ in Vim. In particular, it is interesting to
follow the '<route>' rules to see how the various components are connected.
But there is more. The configuration is live. It enables you to reconfigure
individual components on-the-fly. For example, search for the '<start>' node
of the PS/2 driver and add the attribute 'verbose_keyboard="yes"' to the
embedded '<config>' node. By saving the file, the changed configuration
becomes effective. Any key pressed or released on the PS/2 keyboard will
result in a log message on the right. You may revert this change (vim: 'u')
and save the original version of the file.
_Note that not all components are dynamically reconfigurable but many_
_modern ones - in particular the init component and most long-running_
_server components - are._
_It is possible to forcibly restart a component by adding a 'version'_
_attribute to the '<start>' node. Whenever the 'version' value is changed,_
_the component is re-spawned._
_The component-specific configuration options are documented in the README_
_files accompanying the respective components in the source tree._
Analogously to the drivers subsystem, you can find the construction plan
for the Leitzentrale subsystem at _/config/leitzentrale_. Try out
the following tweaks:
* Change the transparency of the Leitzentrale by modifying the 'alpha'
attribute of the 'fader' component.
* Change the font size of the 'log_terminal' component from "10"
to "18".
You may also enjoy tinkering with the configuration of the Nitpicker GUI
server, which is located at _/config/nitpicker_. For example, you
may change the background color or the labeling color of the "default"
domain.
System resources
================
Whenever adding a new component via the '+' menu, one has to define how to
connect the component with the rest of the system. It is important to know
what the presented options mean to take educated decisions.
[image sculpt_ce_noux_routing 40%]
Each choice represents a connection to a system resource of a particular type.
Initially, the presented options are resources that are built-in into Sculpt's
base system. Once new components enter the picture, their services also appear
as options.
Resource type | Interface | Built-in options
----------------------------------------------------------------------------
----------------------------------------------------------------------------
GUI | 'Nitpicker' | keyboard focus
----------------------------------------------------------------------------
| | desktop background
----------------------------------------------------------------------------
| | system GUI server
----------------------------------------------------------------------------
ROM | 'ROM' | global capslock state
----------------------------------------------------------------------------
| | default vim configuration
----------------------------------------------------------------------------
| | system font configuration
----------------------------------------------------------------------------
| | platform information
----------------------------------------------------------------------------
| | system status
----------------------------------------------------------------------------
Report | 'Report' | system reports
----------------------------------------------------------------------------
File system | 'File_system' | writeable system configuration
----------------------------------------------------------------------------
| | read-only system reports
----------------------------------------------------------------------------
Real-time clock | 'Rtc' | system clock
----------------------------------------------------------------------------
Block device | 'Block' | direct block-device access
----------------------------------------------------------------------------
USB | 'Usb' | direct USB-device access
----------------------------------------------------------------------------
Device access | 'Platform' | wifi hardware
----------------------------------------------------------------------------
| | network hardware
----------------------------------------------------------------------------
| | audio hardware
----------------------------------------------------------------------------
| | ACPI
----------------------------------------------------------------------------
Region maps | 'RM' | custom virtual memory objects
----------------------------------------------------------------------------
Direct memory-mapped I/O | 'IO_MEM' | raw hardware access
----------------------------------------------------------------------------
Direct port I/O | 'IO_PORT' | raw hardware access
----------------------------------------------------------------------------
Direct device interrupts | 'IRQ' | raw hardware access
----------------------------------------------------------------------------
Tracing | 'TRACE' | system-global tracing
----------------------------------------------------------------------------
Hardware virtualization | 'VM' | virtualization hardware
----------------------------------------------------------------------------
Network | 'Nic' |
----------------------------------------------------------------------------
Terminal | 'Terminal' |
----------------------------------------------------------------------------
Audio input | 'Audio_in' |
----------------------------------------------------------------------------
Audio output | 'Audio_out' |
[table resources]
Overview of system resources
Table [resources] gives an overview of the different built-in
resources and their types. The names given in the interface column correspond
to the Genode session types as found in the routing rules of the deploy
configuration or launcher definitions (Section [Runtime management]).
Let's look into each type in more detail.
GUI
~~~
The GUI service interface is provided by the low-level system GUI server
(named Nitpicker) as well as the higher-level window manager. It entails both
the ability to perform graphical output and the reception of user input. Note
that the low-level GUI server keeps its client applications isolated by
default. One application cannot see the output of other applications nor can
it sniff user input globally. One can connect multiple applications -
trusted and untrusted alike - to the low-level GUI server without fear.
However, in typical scenarios, applications don't use the bare-bone system GUI
server directly but rather employ a window manager that sits in-between the
system GUI server and the applications, and equips the system with the
notion of windows.
The base system provides three different GUI options.
:keyboard focus: grants control over the keyboard focus. It should be
assigned to only one component, typically a window manager. However,
in principle, another component like _noux-system_ can be connected
to it and thereby becomes able to receive keyboard input.
:desktop background: allows a component to present its graphical output
in a dedicated layer behind all other applications. The desktop background
cannot receive keyboard focus. But it can respond to pointer events
(mouse clicks and motion).
:system GUI server: allows a component to perform graphical output and
handle pointer events, but no keyboard input. It is designated as a
base mechanism for the window manager, or for implementing GUI features
like global overlays or status displays.
By the way, the configuration of the low-level GUI server can be found at
_/config/nitpicker_ and can be modified on the fly.
ROM
~~~
ROM stands for read-only memory. A ROM service reveals information to
its clients but a client cannot change the information. Note that the
provided information does not need to be static. It can potentially
change over time. Whenever that happens, the ROM service informs its
clients about the availability of a new version. The base system provides
the following built-in ROM resources:
:global capslock state: the system-global state of the capslock key.
It can be handed out to components like virtual machines to keep the
capslock state of guest operation systems consistent with the host.
:default vim configuration: the configuration of the Vim text
editor as used in the Leitzentrale's inspect window and managed at
_/config/vimrc_. It allows you to customize one vim configuration at a
central place and use this configuration consistently across Sculpt's
inspect window and manually deployed components.
:system font configuration: is the default font configuration managed
by Sculpt according to the current screen resolution. It is of course
customizable by the user. By using this configuration, components can
foster a consistent user experience regarding the display of text.
:platform information: provides details about the underlying kernel and
hardware. Some drivers and virtual machine monitors need this information to
take platform intrinsics like the concrete flavor of virtualization hardware
into account. Normal applications should never need this information.
:system status: reflects the system-global power state. It is used by the
optional ACPICA driver to respond to requests for a system reset or
power-down.
Report
~~~~~~
Report services play the counterpart of ROM services. They allow clients
to report information in a fire-and-forget fashion, but not to retrieve
information. As explained in Section [System overview], the base system
includes a report service that aggregates incoming reports into the in-memory
report file system. The incoming reports are organized according to their
origin (their session labels). By granting a component access to the _system_
_reports_, the component can contribute to this knowledge base. However,
keep in mind that Sculpt's built-in report file system is limited in size.
A misbehaving component may put the system in jeopardy by producing overly
sized reports.
Reports labeled with 'shape' play a special role. They are routed to the mouse
pointer and thereby enable graphical applications to suggest context-specific
pointer shapes. The application-provided shape is shown whenever the
corresponding application is hovered.
File system
~~~~~~~~~~~
A file-system service offers the storage and retrieval of data organized in
a hierarchical directory structure. Access to a file system can be restricted
to be read only. The distinction between read-only and read-writable does
not exist per file but for the entire file-system resource.
Of course, many use cases call for finer-grained access control. This is
where intermediate _chroot_ file-system components come into play. Such
a component reduces the view on an existing file system to a specific
sub directory, which then appears as a new file system to the application.
For examples, please review the launchers at _/config/launcher/_ such as the
_shared_fs_.
The Sculpt base system has two built-in file systems.
:writeable system configuration: corresponds to the config file system
described in Section [System overview]. The ability to access this file
system equals to total control over the system. Hence, never assign
this file system to components that you don't fully trust.
:read-only system reports: allows the client to inspect the global state of
the system. The reports found in this file system are organized in a
directory structure that corresponds to the system structure. For example,
all reports generated by the runtime sub system reside within the _runtime/_
directory. Note that this global state may contain sensible information.
For this reason, the system reports should not be handed out to components
that are suspected of information leakage.
The two built-in file systems reside in memory. In order to access persistent
storage, additional file-system services can be started as regular components
within the runtime subsystem. Those components, in turn, need to be connected to
the corresponding block devices.
Block device
~~~~~~~~~~~~
A block-device resource allows for the block-level storage and retrieval
of data whereas a block-device can be read-only or read-writable. The base
system's built-in block service hands out the devices listed at
_/report/drivers/block_devices_ according to the label of the client's session.
The label must correspond to the name of the block device. Typically, the
built-in block service is used via manually created launchers by using a route
like this:
! <route>
! <service name="Block"> <parent label="ahci-1"/> </service>
! </route>
Device access
~~~~~~~~~~~~~
With Sculpt, device drivers can be installed and used like any regular
component. In contrast to plain applications, however, device drivers need
to access the corresponding device hardware. This access is guarded by the
so-called platform driver hosted in the _drivers_ subsystem. The platform
driver has two purposes.
First, it uses the IOMMU to isolate devices from each other and to restrict
the reach of each device to the memory explicitly assigned to the device
(DMA buffers).
Second, it arbitrates the access of device-driver components to devices.
Regarding the latter, the platform driver differentiates four categories
of drivers, namely wifi, network, audio, and ACPI. When assigning one
of those resources to a driver component, the driver will see a virtual
PCI bus with only the devices that fall in the chosen category.
Note that USB, AHCI, NVMe, and PS/2 are handled differently as those
devices are driven by Sculpt's _drivers_ subsystem.
USB
~~~
By connecting a component to USB, the component becomes able to access
individual USB devices. The device is selected by the component by specifying
a session label that corresponds to a name of a device listed at
_/report/drivers/usb_devices_. The most prominent use case for the USB
resource is the direct assignment of USB devices to virtual machines
as described in Section
[Updating the USB boot device from within VirtualBox].
Real-time clock
~~~~~~~~~~~~~~~
The real-time clock enables a component to know what time it is.
Region maps
~~~~~~~~~~~
The region-map service of the base system gives components a flexible way to
manage their virtual address spaces manually. This mechanism is used by a few
advanced components only, most specifically virtual machine monitors. Access
to the region-map service is not security critical. But as it is rarely
needed, it is not granted be default to limit the potential (attack) surface
of the base system as far as possible by default.
Direct memory-mapped I/O, port I/O, and device interrupts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These low-level services are provided by Genode's core component. They
should never be needed by any regular component. Even device drivers
don't use those services directly but rather rely on the higher-level
device-access service described in Section [Device access].
However, a few special use cases demand for such low-level access. In
particular the use of ACPI functionality.
As a rule of thumb, never grant access of those resources to any component
except you know exactly what you are doing and you completely trust the
provider of the component.
Tracing
~~~~~~~
The low-level tracing interface allows a component to observe and to
manipulate all activities in the system. It should only be granted to
components that are fully trusted.
Hardware virtualization
~~~~~~~~~~~~~~~~~~~~~~~
The hardware-virtualization service allows virtual machine monitors to
leverage virtualization technology (Intel VT).
Network
~~~~~~~
Network services provide an interface for sending and receiving network
packets. Note that the base system does not provide such a service. However,
Sculpt's Leitzentrale conveniently manages drivers for wireless (wifi drv) and
wired (nic drv) networking as well as the user-level network routing component
(nic router). So you usually see those options. The drivers should not be
used directly while the NIC router is running because they only accept
one client at a time. However, the NIC router multiplexes the network access
and multiple network applications can be connected to the NIC router to
reach the network.
Terminal, audio input, and audio output
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Terminal services allow for the input and output of streams of text. Examples
are a graphical terminal, or an UART driver. The base system has no built-in
terminal service.
As the names suggest, audio input and output enable components to record
and play audio. The base system does not provide such services. Instead,
audio infrastructure like drivers and a mixer can be installed as regular
components.
Runtime management
==================
[image sculpt_runtime_highlighted]
In contrast to the drivers subsystem and the Leitzentrale, which have a
predefined purpose, the runtime subsystem is shaped by the user. The
components present in the runtime subsystem are displayed by the runtime view.
Some of them are managed by the Leitzentrale. For example, while inspecting a
file system, the corresponding "inspect", "inspect_terminal", and
"inspect_noux" components appear automatically. Other components correspond to
subsystems deployed from installed packages, in particular the ones created
via the runtime view's "+" menu.
The current configuration of the runtime subsystem is available at
_/config/managed/runtime_. It is not recommended to modify this file manually.
However, in some situations, it is useful to take manual control over
the runtime configuration. This is possible by copying the file to
_config/runtime_. Note that this will inhibit the management functionality
of the Leitzentrale. You can yield back the control to the Leitzentrale by
removing the _/config/runtime_ file.
As a prerequisite for deploying user-selected components, a default storage
location must be defined by selecting the "Use" button of a file system
in the menu. For the start, it is best to select the "ram" file system as
storage location. Once you are comfortable with Sculpt, you may make the
installation and customizations permanent by using a real storage device
instead.
The selection of a "used" file system has two immediate effects. First, any
files present at _config/<VERSION>/_ at the selected file system are copied to
the config file system. As the RAM file system is empty, no files are copied.
Second, the so-called _depot/_ is initialized at the selected file system. The
depot is the designated place for the installation of software packages. By
default, the depot is initialized such that the Sculpt system accepts software
from Genode Labs as well as from a few members of the Genode community. You
may inspect the content of _/ram/depot_ using the inspect window.
With a file system and an Internet connection selected, additional software
can be installed and run. The most convenient way is the interactive use of
the '+' menu to browse the catalogues of packages provided by software
providers and to configure new component instances.
Additionally, the deployment can be controlled
by the _/config/deploy_ file and the so-called launchers located at
_/config/launcher/_.
The _deploy_ file contains a '<start>' node for each running component.
Such a <start> node specifies the package, the assigned resources,
and the rules of how the component is connected with other components.
Alternatively, a <start> node may refer to a launcher that encapsulates
this policy as a separate file at _/config/launcher/_.
By default, the launcher corresponds to the 'name' attribute of the start node.
It is possible to explicitly refer to a differently named launcher by
specifying a 'launcher' attribute. This way, one launcher can be instantiated
multiple times.
The files at _/config/launcher/_ are monitored by Sculpt and therefore can be
edited on the fly. This is especially useful for editing '<config>' nodes
of already running components.
A '<config>' node within a launcher - when present - overrides the one
provided by the package. In turn, a '<config>' node within a node of the
deploy config overrides any other '<config>' node. Both the launcher and a
'<start>' node may contain a '<route>' node. The routing rules defined in the
'<start>' node have precedence over the ones defined by the launcher. This
way, the routing of a launcher can be parameterized at the deploy
configuration.
Each time the _/config/deploy_ file or a launcher file is written, the change
takes immediate effect. In particular, the Sculpt manager will automatically
kick off the download of the referenced packages and its dependencies and
thereby populates the depot. Once the download has completed, the packages are
started.
Interplay of the deploy configuration and interactive changes
-------------------------------------------------------------
The content of _/config/deploy_ is taken as the starting point for the
interactive use via the '+' menu. All interactive changes to the deployment
are reflected in the _/config/managed/deploy_ file.
Note that any modification of _/config/deploy_ resets _/config/managed/deploy_
to the state defined in _/config/deploy_.
Launchers appear at the top level of the '+' menu. So they are a convenient
mechanism to quickly add often-used components with specific policies to the
system.
Storage device access and preparation
=====================================
Whereas the RAM file system is practical for quick tests, it goes without
saying that we want to persistently store data, programs, and configuration
information on a storage device. Sculpt supports SATA disks, NVMe devices,
and USB-storage devices. The storage dialog lists all devices detected by
the drivers subsystem. A click on a device reveals possible operations or -
if a partition table is present - more details about the device structure.
Depending on the operation selected by the user, the Sculpt manager will
automatically spawn helper components in the runtime to perform the selected
operation.
For example, by selecting the "Format device" operation, the Sculpt manager
will create a noux instance with the selected block device mounted at
'/dev/block' and e2fsprogs mounted at '/'. The noux instance runs
'mkfs.ext2' as init process. Likewise, an existing EXT2 file system
can be checked by activating the "Check" button, which triggers the execution
of 'fsck.ext2' for the selected file system.
A particularly interesting option is presented at the last partition of the
Sculpt USB stick. Initially - right after copying Sculpt's tiny disk image to
the USB stick - the partition is only a few MiB in size. However, using the
"Expand" operation, the partition can be extended to the full size of the USB
stick, which makes enough room to use the USB stick as Sculpt file system.
This clears the way for sculpting a custom live system stored entirely on
the USB stick.
All file systems supported by Sculpt present an "Inspect" button. By toggling
this button, the selected file system becomes accessible in the inspect
window. Note that more than one file system can be inspected at a time.
Each file system will appear as a directory at the root of the inspect
directory tree, named after the corresponding device and partition number.
This way, the inspect window becomes a convenient tool for copying files
between file systems. Under the hood, the Sculpt manager spawns a file-system
component for each inspected file system, which translates the notion of files
and directories to block-device accesses.
Making customizations permanent
===============================
It is possible to make any customization of the config file system
permanent by copying the modified files to a directory named
_config/<VERSION>_ on a persistent file system where _<VERSION>_ corresponds
to the Sculpt version number as found in the _/VERSION_ file.
Each time this file system is selected for "Use", those files will be
automatically copied to the in-memory config file system.
The most important customization is the system composition, usually created
via the '+' menu. To make it permanent, copy the current state of
_/config/managed/deploy_ to _/<DISK>/config/<VERSION>/deploy_ where _<DISK>_
corresponds to your Sculpt partition. This deploy configuration will take
effect whenever the Sculpt partition is selected for "Use".
To streamline the boot procedure into a customized Sculpt system even more,
it is possible to mark one file system as default. At boot time - when the
Sculpt manager discovers the attached storage devices - it automatically
selects a file system for use according to the following order of preference:
# Partition labeled as "GENODE*" on a USB device,
# Partition labeled as "GENODE*" on a SATA or NVMe storage device,
# An entire SATA or NVMe device used as a single EXT2 file system (as devised
by Sculpt EA).
The storage dialog hosts a convenient "Default" button that allows one
to toggle a partition label between "GENODE" and "GENODE*". For example,
the last partition of the Sculpt USB stick can be marked as default or
non-default using this button.
Advanced usage
##############
Manual configuration
====================
Thanks to the Sculpt-manager component of the Leitzentrale, many typical
work flows and configuration tweaks are largely automated. For example,
* The management of storage devices,
* The creation of file-system components for used or inspected file systems,
* The selection and configuration of network access,
* Font size selection depending on the screen resolution,
* Triggering the download of missing depot content on demand.
This convenience comes at the price of built-in policy, which may stand in
the way of sophisticated scenarios. For this reason, almost all policies
of the Sculpt manager can be overridden by manually managed configuration
files.
The Sculpt manager interacts with the rest of the system solely by
monitoring reports aggregated in the report file system, and writing
configuration files into the config file system. All files generated
by the Sculpt manager are located at _/config/managed/_. By manually creating a
same-named file at _/config/_, one can supply a custom managed configuration
to the Sculpt manager. A useful practice is taking a snapshot of the
generated configuration as a starting point for the custom version. For
example, by copying the NIC router configuration while it is connected to
a network:
! cp /config/managed/nic_router /config
Now, the copy at _/config/nic_router_ can be edited. Note that changes
usually take immediate effect.
Examples of manual customization are:
* Adding custom NIC router policies such as port-forwarding rules,
* Installing depot content manually by managing _/config/installation_
by hand. This includes the ability to download the source code for
any package.
* Disarming the automated update mechanism by using a _/config/installation_
file with no '<archive>' entries.
* Fixing the current state of the runtime subsystem by copying
_/config/managed/runtime_ to _/config/runtime_. This allows one to
manually tweak and inspect the runtime in any way, e.g., to enable
additional reporting when troubleshooting.
* Manually defining the default font sizes by creating a custom _config/fonts_
configuration.
* Managing Wifi credentials manually by supplying a custom _config/wifi_ file.
To revert any manual customization, delete the corresponding file. In this
case, the Sculpt manager will take over again. Note that all manual
customizations can be made permanent by following the steps explained in
Section [Making customizations permanent].
Building the boot image
=======================
The following steps assume that you have the Genode tool chain installed on a
GNU/Linux system. For reference, Ubuntu 16.04 is known to work well. If you
don't know your way around Genode's source tree yet, please consider the
"Getting started" section of the Genode Foundations book that is available as
a free download at [https://genode.org].
# Clone Genode's Git repository:
! git clone https://github.com/genodelabs/genode.git
! cd genode
! git checkout -b sculpt_ce sculpt_ce
# Download the support for the NOVA microkernel
! ./tool/depot/download genodelabs/bin/x86_64/base-nova/2019-03-17
The content is downloaded to the _public/_ directory and extracted to
the _depot/_ directory.
# Download all ingredients for the Sculpt boot image
! ./tool/depot/download genodelabs/pkg/x86_64/sculpt/2019-03-19
# Create a build directory
! ./tool/create_builddir x86_64
# Configure the build directory by editing _build/x86_64/etc/build.conf_.
Most importantly, enable the 'gems' source-code repository where the
Sculpt scenario resides. In addition, the 'ports', 'dde_linux' and 'dde_ipxe'
repository are needed as well. Second, change the default configuration
of the 'QEMU_RUN_OPT' variable to 'image/disk' instead of 'image/iso'.
This way, the build process will produce a valid disk image with a GPT
partition table instead of a legacy ISO image.
# Create the Sculpt boot image (defined by the run script at
_repos/gems/run/sculpt.run_)
! make -C build/x86_64 run/sculpt KERNEL=nova
The boot image is created at _build/x86_64/var/run/sculpt.img_.
# Write the boot image to a USB stick:
! sudo dd if=build/x86_64/var/run/sculpt.img of=/dev/sdx bs=1M conv=fsync
Here, '/dev/sdx' refers to the device node of your USB stick. To determine
it, you may inspect the output of 'dmesg' after plugging it in.
Reproducing the system from source
==================================
Section [Building the boot image] presents the creation of the boot image
from pre-built packages. You may want to build those packages from source,
in particular for customizing the system.
Before building the packages, various ports of 3rd-party software need to
be prepared. The following command prepares all of them at once:
! <GENODE-DIR>/tool/ports/prepare_port \
! bash coreutils curl dde_ipxe dde_linux \
! dde_rump e2fsprogs gnupg grub2 jitterentropy \
! libarchive libc libgcrypt libiconv libssh \
! lwip_legacy ncurses nova openssl qemu-usb \
! stdcxx vim virtualbox5 x86emu xz zlib libpng \
! ttf-bitstream-vera stb
The ingredients of the boot image are subsumed by the 'pkg/sculpt' package.
The default set of software installed by the update runtime is defined by
the 'pkg/sculpt-installation' package. You can find the depot recipes for
these packages at _repos/gems/recipes/pkg/_.
The _repos/gems/run/sculpt.run_ script can be executed to build a boot image.
By default, the boot image refers to 'genodelabs/pkg/sculpt' and to
'genodelabs/pkg/sculpt-installation' for the runtime-installed software. You
may want to install your version of these packages instead by changing the
package provider from 'genodelabs' to '<YOU>' by adding the line
! RUN_OPT += --depot-user <YOU>
to your _<build-dir>/etc/build.conf_.
To build the packages for the boot image:
! <GENODE-DIR>/tool/depot/create \
! UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
! <YOU>/pkg/x86_64/sculpt \
! <YOU>/bin/x86_64/base-nova
The 'FORCE=1' argument ensures that source archives are re-created and
checked for the consistency with their versions. If the source code of any
of the archives changed, the 'UPDATE_VERSIONS=1' argument automatically
updates its version. Please don't forget to commit the updated 'hash'
files. The empty 'REBUILD=' argument limits the creation of binary packages
to those that do not yet exist in binary form. If not specified, the
command would recompile all packages each time. You may further add '-j<N>'
to parallelize the build process where '<N>' is the level of parallelism.
Building the 'sculpt-installation' package works analogously to the 'sculpt'
package.
! <GENODE-DIR>/tool/depot/create \
! UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
! <YOU>/pkg/x86_64/sculpt-installation
To make the 'sculpt-installation' available for download from within the
boot image, you must publish it. This involves the archiving, signing,
and uploading of the content. The former two steps are covered by the
_tool/depot/publish_ tool, which expects one to specify a concrete version.
The current version of the 'sculpt-installation' can be obtained via
! cat <GENODE-DIR>/repos/gems/recipes/pkg/sculpt-installation/hash
The first part is the version. The second part is the content hash of the
version. For more information about working with the depot tool, refer to
[https://genode.org/documentation/developer-resources/package_management].
The launchers integrated in the boot image are defined at
_gems/run/sculpt/launcher/_. Each file contains a node with a mandatory pkg
attribute. If the attribute value contains one or more '/' characters, it is
assumed to be a complete pkg path of the form '<USER>/pkg/<NAME>/<VERSION>'.
Otherwise it is assumed to be just the pkg name and is replaced by the current
version of the current depot user's pkg at system-integration time.
Updating the USB boot device from within VirtualBox
===================================================
The _/config/deploy_ example is prepared to assign USB storage
devices directly to a running virtual machine. You may inspect the report
_/report/drivers/usb_active_config_ to get a list of attached USB devices.
Use Vim to copy the '<policy>' node of the selected device into the
'<inline>' section within the _/config/launcher/usb_devices_rom_ file, and
adjust the line as follows:
* Replace the node type '<policy>' by '<device>', and
* Rename the attribute 'label_suffix' to 'label'.
The updated 'usb_devices' ROM prompts VirtualBox to open a USB session at
the drivers subsystem. Hence, when saving the modified
_/config/launcher/usb_devices_rom_ file, the guest OS should detect a new USB
device (check the output of 'dmesg'). You may now write a new version of the
Sculpt ISO image to the device by following the steps described in Section
[Building the boot image].
Credits
#######
Sculpt is an example system scenario of the Genode project, which is an
operating-system technology designed and developed from scratch.
:Genode OS Framework:
[https://genode.org]
That said, Genode is not developed in a vacuum. It rather stands on the
shoulders of giants and greatly benefits from the free-software/open-source
community. The following projects play a particularly important role for
the Sculpt scenario.
:NOVA microhypervisor:
Sculpt's kernel is a derivate of NOVA, maintained by Genode Labs.
NOVA was originally created by Udo Steinberg [http://hypervisor.org].
:Linux kernel:
[https://kernel.org]
Sculpt reuses several Linux subsystems as individual components, in
particular the USB stack, the Intel wireless stack, the Intel graphics
driver, and the TCP/IP stack.
:NetBSD's rump kernel:
[https://wiki.netbsd.org/rumpkernel/]
The file-system support is based on NetBSD kernel code, which became
reusable on Genode thanks to the rump kernel project.
:FreeBSD:
[https://www.freebsd.org/]
The C runtime that is used by most 3rd-part software is based on FreeBSD's
libc.
Device drivers
--------------
:WPA supplicant:
[https://w1.fi/wpa_supplicant/]
_(used by the wireless driver)_
:iPXE:
[http://ipxe.org]
_(basis of the wired network driver)_
:xf86emu:
[http://xorg.freedesktop.org/]
_(used by the VESA driver)_
Programs and libraries used within the noux runtime
---------------------------------------------------
:Vim:
[http://www.vim.org]
:ncurses:
[https://www.gnu.org/software/ncurses/ncurses.html]
:GNU coreutils:
[https://www.gnu.org/software/coreutils/coreutils.html]
:GNU bash:
[https://www.gnu.org/software/bash/]
:E2fsprogs:
[http://e2fsprogs.sourceforge.net/]
Libraries used for the package-management infrastructure
--------------------------------------------------------
:curl:
[https://curl.haxx.se]
_(basis of the fetchurl tool)_
:libssh:
[https://www.libssh.org]
:OpenSSL:
[https://www.openssl.org]
:XZ Utils:
[https://tukaani.org/xz/]
_(support for tar.xz archives)_
:libarchive:
[https://www.libarchive.org]
_(basis of the extract tool)_
:zlib:
[https://www.zlib.net]
:GnuPG:
[https://www.gnupg.org]
_(basis of the verify tool)_
Applications
------------
:VirtualBox:
[https://www.virtualbox.org]
_(used for hosting virtual machines)_
Crucial tools used during development
-------------------------------------
:GNU/Linux: (various distributions)
:Git:
[https://git-scm.com]
:GNU compiler collection:
[https://gcc.gnu.org]
:GNU binutils:
[https://www.gnu.org/software/binutils/]
:GNU make:
[https://www.gnu.org/software/make/]
:Tcl:
[https://www.tcl.tk]
:Expect:
[http://expect.sourceforge.net]
:Qemu:
[https://www.qemu.org]
:GitHub issues:
[https://github.com]