mirror of
https://github.com/genodelabs/genode.git
synced 2025-01-05 05:24:13 +00:00
741 lines
39 KiB
Plaintext
741 lines
39 KiB
Plaintext
|
|
|
|
===============================================
|
|
Release notes for the Genode OS Framework 24.05
|
|
===============================================
|
|
|
|
Genode Labs
|
|
|
|
|
|
|
|
The main driver behind Genode 24.05 was the
|
|
[https://genode.org/news/sculpt-os-release-24.04 - recent release] of Sculpt
|
|
OS 24.04 ([https://genodians.org/nfeske/2024-04-26-sculpt-os - What's new?]).
|
|
Among the many usability advances of Sculpt OS is the flexible assignment
|
|
of USB devices to components and virtual machines.
|
|
Section [Fine-grained and dynamic assignment of USB devices/interfaces]
|
|
introduces the underpinnings that made our new quality of life possible.
|
|
Another user-facing feature with a surprisingly deep technical reach is
|
|
suspend/resume. Section [Suspend/resume infrastructure] details the changes of
|
|
the framework on that account. The new ability of seamlessly using the GNU
|
|
debugger on top of Sculpt OS is a game changer for developers
|
|
(Section [On-target debugging using the GNU debugger (GDB)]).
|
|
Further user-visible and user-audible topics are the support for
|
|
high-resolution displays and the wrapped-up transition to our new audio stack
|
|
(Section [Transition to the new audio interfaces introduced in 24.02]).
|
|
|
|
Besides the many usability-motivated topics of our
|
|
[https://genode.org/about/road-map - road map], however, we celebrate
|
|
the break-through of running Sculpt OS directly on our custom microkernel
|
|
alternatively to using a 3rd-party kernel.
|
|
Section [First version of Sculpt OS based on Genode's custom kernel]
|
|
details the background story, the showstoppers we had to overcome, and the
|
|
prospects of this achievement.
|
|
|
|
: <div class="visualClear"><!-- --></div>
|
|
: <p>
|
|
: <div style="clear: both; float: left; margin-right:20px;">
|
|
: <a class="internal-link" href="https://genode.org/documentation/genode-foundations-24-05.pdf">
|
|
: <img class="image-inline" src="https://genode.org/documentation/genode-foundations-title.png">
|
|
: </a>
|
|
: </div>
|
|
: </p>
|
|
|
|
The "Genode Foundations" book covers Genode's architecture, developer work
|
|
flows, and reference material. In tandem with the current release, the
|
|
document received its annual update, which includes not only adjustments
|
|
to the most recent version but also new material about accessing GPIO pins,
|
|
audio, debugging, and prominent APIs like the list model.
|
|
|
|
Further topics of the current release reach from timing and network-throughput
|
|
optimizations, over the profound rework of storage encryption, to updated
|
|
3rd-party software such as Mesa, libSDL2, and Curl.
|
|
|
|
: <div class="visualClear"><!-- --></div> <p></p>
|
|
|
|
|
|
First version of Sculpt OS based on Genode's custom kernel
|
|
##########################################################
|
|
|
|
The ability to use a wide variety of kernels is certainly a distinctive
|
|
feature of Genode. Since the very first version, the framework accommodated
|
|
both a microkernel and the Linux kernel.
|
|
Over the years, we embraced most members of the L4 family of kernels
|
|
([https://genode.org/documentation/release-notes/9.05#Supporting_the_OKL4_kernel_as_new_base_platform - OKL4],
|
|
[https://genode.org/documentation/release-notes/9.02#Genode_on_L4ka__Pistachio - Pistachio],
|
|
[https://genode.org/news/genode-os-framework-release-8.08 - Fiasco],
|
|
[https://genode.org/documentation/release-notes/10.02#Codezero_kernel_as_new_base_platform - Codezero]),
|
|
all object-capability microkernels we could get our hands on
|
|
([https://genode.org/documentation/release-notes/10.02#NOVA_hypervisor_as_new_base_platform - NOVA],
|
|
[https://genode.org/documentation/release-notes/11.02#Support_for_Fiasco.OC - Fiasco.OC],
|
|
[https://genode.org/documentation/release-notes/15.05#Proof-of-concept_support_for_the_seL4_kernel - seL4]),
|
|
and even combined the framework with a static isolation kernel
|
|
([https://genode.org/documentation/release-notes/15.08#Genode_on_top_of_the_Muen_Separation_Kernel - Muen]).
|
|
|
|
Confronting the framework with largely different kernel mechanisms has
|
|
undoubtedly strengthened Genode's software design, but also gave us a great
|
|
depth of insights into the landscape of kernel designs and the implications of
|
|
the respective design choices. It did not take us long to question some of
|
|
these choices, and we started experimenting with custom kernel designs on our
|
|
own. This work made its first appearance in version
|
|
[https://genode.org/documentation/release-notes/11.02#Approaching_platform_support_for_Xilinx_MicroBlaze - 11.02]
|
|
targeting Xilinx Microblaze softcore CPUs.
|
|
Without haste, we steadily evolved this kernel as a research endeavour, mainly targeting ARM CPUs
|
|
([https://genode.org/documentation/release-notes/14.05#Multi-processor_support - SMP],
|
|
[https://genode.org/documentation/articles/trustzone - TrustZone],
|
|
[https://genode.org/documentation/release-notes/15.02#Virtualization_on_ARM - virtualization],
|
|
[https://genode.org/documentation/release-notes/19.08#64-bit_ARM_and_NXP_i.MX8 - 64 bit]),
|
|
and later also addressing the
|
|
[https://genode.org/documentation/release-notes/15.05#Feature_completion_of_our_custom_kernel__base-hw_ - x86]
|
|
architecture.
|
|
|
|
When we
|
|
[https://genode.org/documentation/release-notes/18.02#Sculpt_for_Early_Adopters - started]
|
|
creating Sculpt OS as a Genode-based operating system for commodity PCs, we
|
|
picked NOVA as kernel of choice. NOVA's unique combination of microkernel and
|
|
virtualization mechanisms served us extremely well. It is truly a technical
|
|
marvel! But like any other 3rd-party kernel, it imposes certain complexities
|
|
and points of friction onto the user land. In contrast to 3rd-party kernels
|
|
like NOVA or seL4, which are self-sufficient programs, our custom kernel is
|
|
melted with Genode's core component. This alleviates redundant data structures
|
|
between kernel and user space and makes Genode's resource management directly
|
|
applicable to kernel objects. In other words, it fits like a glove. Hence,
|
|
looking ahead, we foresee a much simpler and ever more coherent trusted
|
|
computing base of Sculpt OS.
|
|
|
|
In order to realize this vision, we had to tackle a couple of long-time
|
|
showstoppers. First of all, we needed to move IOMMU support out of the kernel
|
|
into the user-level platform driver to render it kernel-agnostic. We completed
|
|
a major part of this transition with
|
|
[https://genode.org/documentation/release-notes/23.11#Kernel-agnostic_DMA_protection - release 23.11].
|
|
|
|
Second, virtualization of commodity operating systems is a common use case for
|
|
Sculpt installations, ours at Genode Labs included. Therefore, adding support
|
|
for Intel's Virtual-Machine Extensions (VMX) was another important missing
|
|
piece of the puzzle. Under the hood, we refactored and generalized the
|
|
kernel's x86 hypervisor support to allow for the selection of the available
|
|
virtualization technology at runtime and consolidated code for page-table
|
|
handling. Even though we still have some way to go before the kernel is ready
|
|
to replace the time-tested NOVA hypervisor as the default kernel for Sculpt
|
|
OS, this release is a milestone in that direction.
|
|
|
|
The Sculpt OS variant using our custom kernel is now available as a
|
|
ready-to-use system image at [https://depot.genode.org/jschlatow/image]
|
|
for Intel systems up to 8th generation core processors (Whiskey Lake).
|
|
Note, when using Sculpt's integrated update mechanisms, you must already run
|
|
at least Sculpt 24.04. The system image includes a launcher for running a
|
|
Tiny-Core-Linux VM with a Firefox browser in VirtualBox. The launcher requires
|
|
a window manager that is best deployed by switching to the corresponding
|
|
preset. You also need to enable the _system clock_ and _mixer_ options.
|
|
|
|
Note that there are still a few areas of improvement for this Sculpt variant:
|
|
The IOMMU support currently omits IRQ remapping, which is important to shield
|
|
the system from rogue devices sending arbitrary interrupts. Moreover, we plan
|
|
to improve the kernel scheduling for interactive and time-critical workloads.
|
|
|
|
|
|
Fine-grained and dynamic assignment of USB devices/interfaces
|
|
#############################################################
|
|
|
|
USB support has a long history within the Genode framework and for almost one
|
|
decade its client session API has remained stable. Back in
|
|
[https://genode.org/documentation/release-notes/15.02#USB_session_interface - 2015],
|
|
we split the USB host-controller driver parts from other USB client device
|
|
drivers. Since then, a USB client component could request exactly one USB
|
|
device per session from the USB server resp. USB host-controller driver.
|
|
Moreover, a client had to drive the device in its entirety.
|
|
|
|
This former approach led to some limitations and intricateness. First, USB
|
|
drivers capable of driving more than one device of the same class needed to
|
|
know each device to request in advance. This information was not delivered by
|
|
the USB session but by means of configuration. The out-of-band information
|
|
path complicated the management of USB devices in complex systems like Sculpt
|
|
OS, e.g., when passing arbitrary USB devices to a guest OS running inside a
|
|
virtual machine.
|
|
|
|
The second drawback was related to USB devices with multiple interfaces of
|
|
different interface classes, most prominently, USB headsets with extra buttons
|
|
for volume control. Such devices typically have several USB interfaces for
|
|
audio playback and recording, and at least one interface for HID input events.
|
|
Whereas the development of one driver for each interface class is certainly an
|
|
attainable goal, creating driver mixtures for each potential combination of
|
|
interfaces is unrealistic. Ultimately, we strive to freely operate different
|
|
interfaces of a single device by dedicated drivers.
|
|
|
|
These limitations accompanied us for quite some time, and a design to overcome
|
|
them matured at the back of our minds. With the current release, the USB
|
|
session eventually received its long-anticipated redesign.
|
|
|
|
The new USB session API provides a _devices_ ROM to its client. Within this
|
|
ROM a client can retrieve all relevant information about existing devices it
|
|
is allowed to access. You can think of it as a virtual private USB bus for
|
|
this client. When a new device gets connected that matches the client's policy
|
|
of the USB host controller driver, the ROM gets updated appropriately. If a
|
|
device gets removed physically, it'll vanish from the _devices_ ROM, which
|
|
may, for example, look as follows.
|
|
|
|
! <devices>
|
|
! <device name="usb-1-10" class="0x0" product="USB Optical Mouse"
|
|
! vendor_id="0x1bcf" product_id="0x5" speed="low" acquired="true">
|
|
! <config active="true" value="0x1">
|
|
! <interface active="true" number="0x0" alt_setting="0x0"
|
|
! class="0x3" subclass="0x1" protocol="0x2">
|
|
! <endpoint address="0x81" attributes="0x3"
|
|
! max_packet_size="0x7"/>
|
|
! </interface>
|
|
! </config>
|
|
! </device>
|
|
! </devices>
|
|
|
|
As can be seen in the example, the human-readable XML representation of the
|
|
USB devices already contains most information that normally resides in the
|
|
full-length device descriptor of the USB standard. That means a driver can
|
|
parse relevant information about available configurations, interfaces, and
|
|
endpoints - including their types and identifiers - without the need to
|
|
communicate with the device in the first place.
|
|
|
|
Besides the _devices_ ROM, the new USB-session API consists of an acquire
|
|
function and a function to release a formerly acquired device. The acquisition
|
|
of a device returns a capability to a new device RPC API. This distinct API
|
|
includes a function to obtain a packet-stream buffer to exchange USB control
|
|
requests with the USB host-controller driver. The host-controller driver
|
|
sanity-checks the control requests, and potentially forwards them to the
|
|
device. Thereby, a client can change the configuration of the device, enable
|
|
an alternate interface, or request additional descriptors regarding
|
|
device-class specific aspects.
|
|
|
|
Moreover, the device RPC API provides functions to acquire or release an
|
|
interface of the device. When acquiring an interface, a capability to the
|
|
interface RPC API gets returned. This third new RPC API provides a
|
|
packet-stream buffer to the client, which allows for the exchange of
|
|
interrupt, bulk, or isochronous transfers with the host-controller driver.
|
|
The host-controller driver checks these transfer requests for plausibility,
|
|
and forwards them directly to the device and vice versa.
|
|
|
|
The whole internals of the different RPC API layers, however, are not imposed
|
|
on the developer. Instead, convenient helper utilities are provided within
|
|
_repos/os/include/usb_session/device.h_. Those helper classes simplify the
|
|
acquisition of USB devices and interfaces. Moreover, they support the notion
|
|
of USB Request Blocks (Urbs) on the level of device (control) and interface
|
|
(irq, bulk, isochronous). For an example component that makes use of these
|
|
utilities, please refer to the USB block driver.
|
|
|
|
All components that directly use the USB session have been adapted to the new
|
|
API. This includes the Linux USB driver ports for host controllers, HID, USB
|
|
Ethernet cards, the libusb library port, our XHCI model within VirtualBox, and
|
|
the black-hole component.
|
|
|
|
Practical considerations
|
|
------------------------
|
|
|
|
For users of the framework or Sculpt OS, the most notable change is that all
|
|
USB clients use their own _devices_ ROM to react to device appearance and
|
|
disappearance. No global information is required anymore. That means the
|
|
addition of a new policy rule in the USB host-controller's configuration is
|
|
sufficient to, e.g., let a device appear in a Linux guest. If the rule already
|
|
exists, even the pure physical connect will result in the appearance of the
|
|
device.
|
|
|
|
Because one USB session can now control an arbitrary number of devices, the
|
|
syntax of the policy rules for a USB host controller driver changed a bit:
|
|
|
|
! <config>
|
|
! <policy label="usb_net">
|
|
! <device vendor_id="0x0424" product_id="0xec00"/>
|
|
! </policy>
|
|
! <policy label="usb_hid">
|
|
! <device class="0x3"/>
|
|
! </policy>
|
|
! <policy label="vm">
|
|
! <device name="usb-2-2"/>
|
|
! <device name="usb-2-4"/>
|
|
! </policy>
|
|
! </config>
|
|
|
|
As you might notice, there is no differentiation in the policy rules on the
|
|
interface-level yet. In short, each device is still handled by only one
|
|
driver. As a prerequisite to assign drivers to individual interfaces, drivers
|
|
first have to become resilient against denied device-acquisition attempts.
|
|
This is not the case for most ported drivers or virtualized guest OSes. Hence,
|
|
even though the USB session API is now prepared for driving interfaces of one
|
|
USB device by dedicated drivers, we decided against activating this feature on
|
|
the policy level at the current time. Nonetheless, once a set of interface
|
|
drivers gets in place, we can enable the added flexibility without touching
|
|
the USB session API again.
|
|
|
|
Sculpt OS
|
|
---------
|
|
|
|
The outcome of this line of work is already present in
|
|
[https://genodians.org/nfeske/2024-04-26-sculpt-os - Sculpt OS 24.04], which makes the
|
|
[https://genode.org/documentation/articles/sculpt-24-04#Assignment_of_USB_devices_to_components - assignment of USB devices]
|
|
to components intuitive and secure.
|
|
|
|
|
|
On-target debugging using the GNU debugger (GDB)
|
|
################################################
|
|
|
|
The renovation of our debugging monitor in
|
|
[https://genode.org/documentation/release-notes/23.08#Multi-component_debug_monitor - Genode 23.08]
|
|
was driven by the vision of easy on-target debugging on Sculpt OS. Just
|
|
imagine, any runtime component from applications over device drivers to VMMs,
|
|
like VirtualBox, could be started with debugging optionally enabled. The key
|
|
to make this vision come true is the debug monitor at the heart of the Sculpt
|
|
runtime. All other missing ingredients for viable on-target debugging - above
|
|
all a GDB front end - are introduced with this release.
|
|
|
|
The _debug monitor_ component got introduced in version
|
|
[https://genode.org/documentation/release-notes/23.08#Multi-component_debug_monitor - 23.08].
|
|
It is a drop-in replacement for the init component with the added ability to
|
|
control the execution and memory content of selected child components using
|
|
the GDB remote serial protocol. On Sculpt, the debug monitor now acts as the
|
|
runtime init component. The user decides which components are made available
|
|
to debugger control with a check mark in the launcher menu before the
|
|
component is started. If the component is selected for debugging, the monitor
|
|
configuration part for this component is added to the Sculpt runtime
|
|
configuration.
|
|
|
|
The [https://www.sourceware.org/gdb/ - GDB] component is the user-facing part
|
|
of the debugging experience. It presents a command line interface in a
|
|
graphical terminal window and communicates with the debug monitor in the
|
|
background. The user can enter GDB commands for inspecting and modifying the
|
|
state of monitored components.
|
|
|
|
In order to debug a component in a meaningful way, GDB usually needs to
|
|
evaluate the executable files of the component and profits hugely from
|
|
additional debug information like symbol names and source-code location
|
|
information generated by the compiler. As this information can take up a lot
|
|
of space, we decided to store it in separate debug info files shipped in
|
|
dedicated _dbg_ depot packages since version
|
|
[https://genode.org/documentation/release-notes/23.11#Debug_information_for_depot_binaries - 23.11].
|
|
Two small support components help to make this information available to GDB at
|
|
runtime:
|
|
|
|
The _dbg_download_ component can be started by the user by checking the
|
|
_download debug info_ option in the Sculpt launcher menu. It evaluates the
|
|
Sculpt runtime configuration in the background and downloads any missing _dbg_
|
|
archive content of monitored components into the depot.
|
|
|
|
The _gdb_support_ component is started automatically together with GDB. It
|
|
evaluates the Sculpt runtime configuration in the background and dynamically
|
|
creates directories with symbolic links to the depot binaries and debug info
|
|
files of monitored components in a RAM file system shared with GDB, and
|
|
thereby allows GDB to access these files in a convenient way.
|
|
|
|
[image on_target_gdb]
|
|
|
|
With this setup in place, the user can debug multiple components at once
|
|
and control the execution of threads on an individual basis thanks to GDB's
|
|
_non-stop_ mode.
|
|
Learn how to integrate and use GDB on Sculpt with our article and screencast
|
|
video on [https://genodians.org/chelmuth/2024-05-17-on-target-debugging - Genodians.org].
|
|
|
|
One noteworthy challenge discovered while testing on Sculpt was that GDB
|
|
apparently was not prepared for the case that there are no initial inferiors
|
|
and that the first inferior could appear spontaneously on the remote side
|
|
instead of being actively started by GDB. We had to make some adaptations to
|
|
the GDB source code to support this situation and some more adaptations might
|
|
be necessary in the future, for example to update the output of the
|
|
_info inferiors_ command when the first inferior appears.
|
|
|
|
|
|
Base framework and OS-level infrastructure
|
|
##########################################
|
|
|
|
Transition to the new audio interfaces introduced in 24.02
|
|
==========================================================
|
|
|
|
In Genode's
|
|
[https://genode.org/documentation/release-notes/24.02#Revised_audio_infrastructure - February release],
|
|
we introduced new audio 'Record' and 'Play' sessions intended to supersede the
|
|
old 'Audio_in' and 'Audio_out' interfaces. In the time following up to the
|
|
current release, we worked on integrating the new sessions into the existing
|
|
components. In fact, they are already exercised in the most recent
|
|
[https://genode.org/news/sculpt-os-release-24.04 - Sculpt release].
|
|
|
|
As most prominently used by ported software, the VFS OSS plugin plays a vital
|
|
role in interfacing with Genode's native audio stack. The already existing
|
|
VFS plugin got renamed to _legacy_oss_ while the new one takes its place and
|
|
is usable as a drop-in replacement. Existing users have to adapt the session
|
|
routes accordingly or change their VFS configuration to make use of the
|
|
legacy plugin, if the use of the new sessions is not yet desirable.
|
|
|
|
In contrast to the old plugin, it is possible to configure the fragment size a
|
|
client is allowed to use via its configuration and thereby enforce its latency
|
|
requirements. The fragment size ranges from 2048 to 8192 bytes, which equals a
|
|
period length of around 11.6 to 46.4 ms when using a sample rate of 44.1 kHz.
|
|
The plugin leverages the ability of the _report_play_mixer_ to convert sample
|
|
rates. However, to constrain the resource requirements of the plugin, it is
|
|
limited from 8 kHz to 48 kHz, which covers a reasonable range. Please consult
|
|
the _repos/gems/src/lib/vfs/oss/README_ file for more information.
|
|
|
|
The _black_hole_ component gained additional support for providing the play
|
|
and record sessions so that it is able to perform its role when using the new
|
|
sessions. We also removed the custom audio subsystem from our SDL1.2 port in
|
|
favor of using its own OSS back end, which brings it in line with our SDL2
|
|
port.
|
|
|
|
As there are no critical components left that exclusively use the old sessions
|
|
directly, the way is paved to remove them. However, we keep the legacy audio
|
|
sessions intact to give users time to migrate their components and become
|
|
comfortable with the new interfaces.
|
|
|
|
|
|
Improved timing stability
|
|
=========================
|
|
|
|
Our recent work on real-time audio processing moved the timing characteristics
|
|
of the framework into focus. Low latency cannot be attained in the presence of
|
|
high jitter. But in a component-based system carrying general-purpose
|
|
workloads, jitter can be induced for many reasons including kernel scheduling,
|
|
spontaneous high-priority events, or the interference between clients of
|
|
shared services. The timer driver in particular is such a shared service.
|
|
While analyzing the timer's behaviour under stress, we indeed observed
|
|
unwelcome interference between timer clients. E.g., the stability of a
|
|
waveform generated at a period of 5 milliseconds would be effected by
|
|
otherwise unrelated spontaneous USB-HID events. Those observations motivated
|
|
the following improvements:
|
|
|
|
First, we simplified the timer implementation to make it dead-simple to
|
|
understand and straight-forward to trace its behavior. The timer no longer
|
|
relies on TSC-interpolated measurements but only on ground-truth values
|
|
obtained from the timing device (or from the underlying kernel). Second, to
|
|
improve accuracy at the client side, the timer no longer limits the time
|
|
resolution when the current time is queried. The deliberate limiting of the
|
|
time resolution is applied only to the triggering of timeouts in order to cap
|
|
the timer's CPU load induced by its clients. Third, to limit the rate of
|
|
inter-component communication, the timer batches the wake-up of clients that
|
|
have timeouts closely clustered together. Combined, those measures reduced the
|
|
cross-client interferences between timer clients comfortably below the level
|
|
relevant for our synthetic test setup using audio periods of 5 ms. Note that
|
|
such small periods are not generally usable in practice because real-world
|
|
audio applications are subjected to additional sources of jitter.
|
|
|
|
The improvements are in effect for the timers used on NOVA, the base-hw
|
|
kernel, and the PIT-based timer as used on seL4, OKL4, and Pistachio. Linux,
|
|
Fiasco.OC, and L4/Fiasco are not covered yet.
|
|
|
|
|
|
Device drivers
|
|
##############
|
|
|
|
Linux-device-driver environment (DDE)
|
|
=====================================
|
|
|
|
Porting Linux drivers to Genode is a multi-staged process with the
|
|
configuration of a minimal yet functional platform-specific Linux kernel as
|
|
an essential step. The device support in this kernel is the baseline and
|
|
reference for the final Genode driver. To simplify the testing of minimal
|
|
kernel images, we introduced new run scripts for i.MX boards and PCs. Now, a
|
|
plain execution of 'make run/pc_linux' or 'make run/imx_linux' runs Linux on
|
|
the test target as known from Genode scenarios. In case of i.MX, a FIT image
|
|
is generated, whereas we provide an i.PXE-bootable image for PCs. The run
|
|
scripts integrate busybox into an initial RAM disk and, for i.MX, amend this
|
|
image with _memtool_, a tool by Pengutronix to inspect all kind of memory
|
|
under Linux (via _/dev/mem_).
|
|
|
|
Furthermore, we address some deficiencies in DDE Linux with this release.
|
|
We improved support for fine-grained, sub-millisecond timing by enabling
|
|
high-resolution timers and attended to a long-standing pc_nic_drv link reset
|
|
bug that manifested in some situations on some platforms only. For driver
|
|
developers, we added the 'lx_emul_trace_msg()' function for the generation
|
|
of low-overhead trace entries that can be used to debug timing-sensitive or
|
|
high-traffic scenarios.
|
|
|
|
|
|
Intel framebuffer and GPU driver
|
|
================================
|
|
|
|
An essential prerequisite for providing a GUI as Sculpt OS does, is having a
|
|
driver for the graphics controller. In Genode, this task is split between the
|
|
framebuffer driver and the GPU driver. Exposing these to a growing range of
|
|
devices led to a few robustness and compatibility improvements for the Intel
|
|
framebuffer/GPU drivers.
|
|
|
|
In the context of the latest Sculpt release, we made the accounting of maximum
|
|
framebuffer memory configurable. Previously, this was derived from the
|
|
component's RAM quota, which implicitly limited the maximum display
|
|
resolution. The separate configuration explicitly sets the maximum framebuffer
|
|
memory by default to 64 MiB, which suffices for resolutions of at least
|
|
3840x2160. The actual memory used by the component depends on the configured
|
|
display resolution. If the RAM quota is depleted, the component will issue a
|
|
resource request. The configuration follows the scheme established for the GPU
|
|
driver with
|
|
[https://genode.org/documentation/release-notes/24.02#Dynamic_aperture_handling_for_high_resolution_framebuffers - release 24.02].
|
|
|
|
In this release, we also incorporated a vendor check in the Intel framebuffer
|
|
driver in order to ensure that it only operates Intel devices. Our central
|
|
platform driver typically hands out all VGA-class devices to the driver,
|
|
including GPUs of other vendors. This caused issues on platforms with an
|
|
additional Nvidia GPU for multiple users. Thanks to Alice Domage for this
|
|
contribution.
|
|
|
|
Furthermore, we fixed a few issues that popped up when test-driving Sculpt OS
|
|
on the ZimaBlade. By doing this, we added support for Intel HD Graphics 500 to
|
|
the Intel framebuffer/GPU drivers. This GPU can be found in various Intel
|
|
Processors in the Pentium/Celeron N-series.
|
|
|
|
|
|
Suspend/resume infrastructure
|
|
=============================
|
|
|
|
As planned in our [https://genode.org/about/road-map - road map], we
|
|
integrated the current state of x86 suspend/resume as a feature into Sculpt
|
|
OS. The sculpt manager got enhanced to drive the system state and manage the
|
|
life cycle of driver components during suspend-resume cycles.
|
|
The new
|
|
[https://genode.org/documentation/articles/sculpt-24-04#System_power_control - power options]
|
|
can be found in the _System_ menu once the ACPI support option is activated.
|
|
|
|
[image sculpt_24_04_system_power]
|
|
|
|
Non-stateful drivers are removed from the runtime before suspending and are
|
|
restarted during resume, e.g., network drivers. Stateful drivers like NVME,
|
|
AHCI, and GPU drivers participate cooperatively in the system states by
|
|
stopping their processing and reporting their fulfillment. Currently, the USB
|
|
host driver needs to be restarted forcefully on resume. To avoid data loss,
|
|
the power suspend feature is not offered while a USB block device is in use.
|
|
|
|
Additionally, during Sculpt integration, several drivers got enhanced. The
|
|
acpica application now reflects the completion of the last action, which the
|
|
sculpt manager monitors and incorporates into the system state machine. The PC
|
|
platform driver saves and restores the IOMMU configurations before and after
|
|
suspend. Additionally, the platform driver gained the ability to trigger the
|
|
final suspend RPC to Genode's core. Furthermore, the Intel display driver now
|
|
participates in the system state changes by switching off all connectors
|
|
before suspend in order to reduce graphical noise on displays during the
|
|
transition.
|
|
|
|
|
|
Mesa updated to version 24.0.1
|
|
==============================
|
|
|
|
With the goal to add support for more recent Intel GPUs (Alder Lake+), we took
|
|
the first step by updating our three-year-old Mesa 21 to version 24. Because
|
|
Mesa is under heavy development, the effort to do so was more elaborate than
|
|
anticipated. For the current release, we enabled all the previously supported
|
|
GPUs, which are Intel Gen8 (Broadwell), Gen9 (Skylake up to Whiskey Lake),
|
|
Gen12 (Tiger Lake) using the Iris Gallium driver, Vivante as found in i.MX8
|
|
SoCs, and Mali on the PinePhone. There are still many improvements to be
|
|
explored, like buffer life-time management, using Mesa's native build system
|
|
(Meson) for simplifying future updates, testing Alder Lake, replacing softpipe
|
|
with llvm for software rendering, and adding Vulkan support, to name a few.
|
|
We are looking forward to tackle these topics in future Genode releases.
|
|
|
|
|
|
Removed obsolete loader component and session interface
|
|
=======================================================
|
|
|
|
The loader was originally introduced in version
|
|
[https://genode.org/documentation/release-notes/10.11#Qt4 - 10.11] as part of an
|
|
early [https://genode.org/news/genode-live-demonstration-2010-11 - live CD].
|
|
It later served the purpose of dynamically starting and stopping preconfigured
|
|
subsystems. As of today, the latter use case has long been covered by the
|
|
dynamically reconfigurable init component. The only substantial client of the
|
|
loader remained to be the qpluginwidget in combination with the Arora web
|
|
browser. But as the blending of plugins with websites never moved beyond a
|
|
fancy tech demo and Arora was replaced by Falkon, the current release removes
|
|
the now obsolete loader infrastructure.
|
|
|
|
|
|
Libraries and applications
|
|
##########################
|
|
|
|
Consolidation of Tresor block encryptor and File Vault
|
|
======================================================
|
|
|
|
Genode [https://genode.org/documentation/release-notes/23.05#Revision_of_Genode_s_custom_block-encryption_infrastructure - 23.05]
|
|
marked a big update of the core logic for block-data security and management
|
|
behind the file vault. It replaced the former Ada/SPARK-based implementation
|
|
called CBE with a C++-based, modernized library that we named _Tresor_. As a
|
|
side effect of this endeavor, we improved testing and fixed many issues of the
|
|
former approach. However, the tresor library also inherited some unwelcome
|
|
traits from its predecessor. The CBE approach was shaped in many ways by the
|
|
semantic restrictions imposed by SPARK and the tresor library had retained
|
|
some of these at the expense of code redundancy. In addition, we had adopted a
|
|
rather peculiar approach to execution flow that led to unforeseen
|
|
implementation complexity down the road. In order to improve this situation,
|
|
the current release comes with a comprehensive re-design of the tresor
|
|
library, relieving it from legacy burdens, significantly shrinking the code
|
|
base, and making it much easier to understand.
|
|
|
|
Once warmed up with the topic, we stepped one level up in the block-encryption
|
|
stack and continued reworking the tresor VFS plugin because it also suffered
|
|
from over-complexity and redundancy. After finishing that, we noticed that the
|
|
next higher layer - the File Vault - could also be improved in two ways:
|
|
First, the file vault used to combine two unrelated tasks in one component:
|
|
The logic for modeling typical user work-flows on the tresor VFS and the
|
|
operation of a graphical user interface. We found that these are better
|
|
assigned to separate components that work together via a narrow and
|
|
well-defined interface. Second, the file vault used to operate directly on
|
|
the low-level interface of the menu view component in order to drive its GUI
|
|
instead of using the newer and far easier dialog API for this purpose.
|
|
|
|
[image file_vault_gui]
|
|
|
|
For the component that deals with the logic, we stayed with the name
|
|
_file vault_ whereas the new front-end is the _file vault gui_.
|
|
|
|
Putting all these changes together, the whole ecosystem around the tresor block
|
|
encryption and the file vault becomes far more manageable and its code base
|
|
has been cut in half while providing the same feature set as before:
|
|
|
|
component | 23.05 | 24.05 | difference
|
|
-----------------------------------------------------------
|
|
-----------------------------------------------------------
|
|
lib/tresor | 14374 | 5212 | -63%
|
|
-----------------------------------------------------------
|
|
lib/vfs/tresor | 2728 | 1823 | -33%
|
|
-----------------------------------------------------------
|
|
lib/vfs/tresor_crypto | 1162 | 1213 |
|
|
-----------------------------------------------------------
|
|
lib/vfs/tresor_trust_anchor | 1800 | 1992 |
|
|
-----------------------------------------------------------
|
|
app/tresor_init | 159 | 93 |
|
|
-----------------------------------------------------------
|
|
app/tresor_init_trust_anchor | 166 | 163 |
|
|
-----------------------------------------------------------
|
|
app/file_vault | 5429 | 1256 | -76%
|
|
-----------------------------------------------------------
|
|
app/file_vault_gui | - | 617 |
|
|
-----------------------------------------------------------
|
|
-----------------------------------------------------------
|
|
total | 25818 | 12369 | -52%
|
|
|
|
But the update is not only about cleaning up. We also consolidated the stack
|
|
by, for instance, fixing and re-enabling asynchronous rekeying, implementing
|
|
robust handling of corner-case configurations, patching several performance
|
|
limitations, and further improving the test suite.
|
|
|
|
Last but not least, the file vault received two handy usability enhancements.
|
|
First, the new file-vault GUI is fully controllable via keyboard.
|
|
The hotkeys are documented in _repos/gems/src/app/file_vault_gui/README_.
|
|
Second, as an implication of separating GUI from logic, the text-based
|
|
interface of the file vault became the canonical way to steer that component.
|
|
In order to achieve that, the interface had to be extended to the full feature
|
|
set, which has the welcome side effect of easing the combination of the file
|
|
vault with alternative front ends. For instance, the file vault could now
|
|
become an integrated part of the administrative user interface of Sculpt OS.
|
|
The new interface is mostly backwards compatible (only the non-functional
|
|
version attribute disappeared) and documented in
|
|
_repos/gems/src/app/file_vault/README_.
|
|
|
|
Despite the extensive overhaul, file vault version 24.05 remains compatible
|
|
with old containers created via the 23.05 version and we also kept the
|
|
structure and appearance of the new graphical front end close to that of the
|
|
old version in order to make the transition as smooth as possible.
|
|
|
|
|
|
VirtualBox network-throughput improvements
|
|
==========================================
|
|
|
|
The Uplink and NIC session interfaces provide means to batch several network
|
|
packets before informing the other side to process the packets. The batching
|
|
is crucial to achieve good network throughput and also to keep the CPU
|
|
overhead per packet at a moderate level. Up to now, our ports of VirtualBox
|
|
did not leverage this feature, which became noticeable on systems under high
|
|
CPU load. By adding the batching of network packets to our VirtualBox ports,
|
|
we were able to reduce the CPU load and achieve stable throughput
|
|
measurements, which otherwise fluctuate more depending on other factors like
|
|
scheduling.
|
|
|
|
|
|
Seoul virtual machine monitor
|
|
=============================
|
|
|
|
Since the
|
|
[https://genode.org/documentation/release-notes/24.02#Seoul_VMM - previous]
|
|
release, the VMM received several improvements.
|
|
|
|
Notably, the former global motherboard lock got replaced by fine-grained
|
|
locking within each device model where appropriate. Thanks to the better CPU
|
|
utilization, long-running work, for example compilation, now finishes earlier.
|
|
The network binding got reworked and now reflects network link-state changes
|
|
from the Genode interface into the guest VMs. The legacy audio-session binding
|
|
got replaced by Genode's new Play interface.
|
|
|
|
The so far unused ACPI model of the Seoul sources got enabled and adjusted
|
|
to support so-called fixed ACPI events, e.g., power-button press event. On
|
|
GUI window close, the event is now triggered and forwarded to the guest VM.
|
|
Depending on the configuration of the guest, the VM may power down
|
|
automatically, similar as done by our port of VirtualBox.
|
|
|
|
Finally, a USB XHCI model powered by our qemu-usb library has been added to
|
|
Seoul, which got developed during our recent
|
|
[https://github.com/genodelabs/genode/issues/4989 - Hack'n'Hike] event.
|
|
With this new model, USB devices can be passed through to the guest. It has
|
|
been successfully tested with several USB storage, keyboard, and audio
|
|
devices.
|
|
|
|
|
|
SDL2 improvements
|
|
=================
|
|
|
|
We enhanced our SDL2 port by enabling more subsystems, improving its window
|
|
handling, and adding support for its text-input API.
|
|
|
|
This release adds preliminary support window resizing. It works well for some
|
|
of the currently available ports but still has issues with others (especially
|
|
those using an OpenGL context) as it depends to some degree on the component
|
|
itself using the SDL2 library. As an additional feature, we added support for
|
|
setting the initial window geometry via the '<initial>' node, e.g.:
|
|
|
|
! <initial width="800" height="600"/>
|
|
|
|
This allows for restricting the initial window size because otherwise the
|
|
actual screen size will be used and that might be too large depending on the
|
|
attached display.
|
|
|
|
Support for using SDL2's text-input API has been enabled. Once the application
|
|
enables text input, any key press that has a valid Unicode codepoint is sent
|
|
as text input.
|
|
|
|
|
|
Curl updated to version 8.7.1
|
|
=============================
|
|
|
|
We updated our cURL port to version 8.7.1 to support the use of
|
|
elliptic-curve algorithms for TLS (CURLOPT_SSL_EC_CURVES).
|
|
|
|
In setups where no service is employed to provide entropy, it might be
|
|
necessary to increase the amount of statically configured entropy. Doubling
|
|
the content of the '<inline>' VFS plugin as used in static configurations
|
|
seems satisfactory. Furthermore, DNS resolving needs a configured '<pipe>'
|
|
plugin to work properly. For an exemplary configuration, please look at the
|
|
_repos/libports/run/fetchurl.inc_ run-script snippet.
|
|
|
|
The 'fetchurl' component also gained a 'verbose' configuration option to
|
|
enable verbose operations as a convenience feature to ease debugging.
|
|
|
|
|
|
Platforms
|
|
#########
|
|
|
|
NOVA microhypervisor
|
|
====================
|
|
|
|
Some of the command-line options changed. The 'iommu' option is now split up
|
|
into 'iommu_amd' and 'iommu_intel', so that they may be enabled/disabled
|
|
separately. The 'novga' option turned into 'vga' since it is unused nowadays.
|
|
The tagged TLB feature for virtual machines is now enabled by default.
|
|
|
|
The kernel now supports the 'mwait' instruction besides the 'hlt' instruction,
|
|
which can be used to give hints to the CPU to enter deeper sleep states.
|
|
The feature is off by default and can be utilized via the 'Pd::system_control'
|
|
interface.
|
|
|
|
|
|
Build system and tools
|
|
######################
|
|
|
|
Goa SDK
|
|
=======
|
|
|
|
Aligned with the Sculpt release, the Goa tool has been updated with the
|
|
corresponding depot archive versions for Sculpt 24.04. This also involved
|
|
adding support for the new audio play and record sessions.
|
|
|
|
The _Goa testbed_ package and preset have been updated accordingly so that
|
|
an out-of-the-box Sculpt 24.04 lends itself as a
|
|
[https://genode.org/documentation/release-notes/24.02#Sculpt_OS_as_remote_test_target_for_the_Goa_SDK - remote test target for Goa].
|