genode/repos/gems/recipes/pkg/sculpt/README
2021-10-14 13:22:18 +02:00

1706 lines
72 KiB
Plaintext

=============================
Sculpt Operating System 21.10
=============================
Norman Feske
Introduction
############
Sculpt is a component-based desktop operating system that puts the user in
the position of full control. It is empowered by the Genode OS Framework,
which provides a comprehensive set of building blocks, out of which custom
system scenarios can be created. The name Sculpt hints at the underlying
idea of crafting, molding, and tweaking the system interactively. Starting
from a fairly minimalistic and generic base system, this tour through the
Sculpt system will cover the following topics:
* A boot image that is a live system, rescue system, and bootstrap system all
in one,
* Connecting to a wired or wireless network,
* Installing and deploying software,
* Ways to tweak and introspect the system, and
* Managing and accessing storage devices.
Community
---------
The best place to learn more about using and tweaking Sculpt, to follow the
work of the developers, and to get hold of announcements of new software and
features is the federated Genodians blog:
:Genodians.org community blog:
[https://genodians.org]
Feedback and contact
--------------------
Your feedback is appreciated!
:Join the Genode mailing list for discussion:
[https://genode.org/community/mailing-lists]
:Get in touch with the developers at GitHub:
[https://github.com/genodelabs/genode]
:Contact Genode Labs for commercial inquiries:
[https://www.genode-labs.com]
A printable PDF version of this document is available at
[https://genode.org/documentation/sculpt-21-10.pdf].
Hardware requirements and preparations
######################################
Sculpt should be compatible with recent Intel-based PC hardware featuring
Intel graphics, E1000 networking, Intel wireless, and AHCI/NVMe.
It is tested best on laptops of the Lenovo X and T series (X220, X250, X260,
T430, T460, T470). For experimenting with Sculpt, we recommend getting a
refurbished version of one of these. You may also find the unofficial hardware
compatibility list [https://usr.sysret.de/jws/genode/hcl.html] helpful for
finding Genode-compatible hardware.
Sculpt has been tested with screen resolutions up to 2560 x 1440. Displays
with a higher resolution are not expected to work. The sweet spot is a full-HD
display.
Please revisit the BIOS settings of your machine in the following respects:
:VT-d enabled: Even though Sculpt is able to run without an IOMMU, we
advise to enable this option for the sandboxing of device drivers.
:VT-x enabled: Hardware-assisted virtualization is needed to run VirtualBox
on top of Sculpt.
:Execution prevention enabled: The standard Sculpt package is provided
for x86-64 and expects your platform to support data execution
prevention (abbreviated DEP or NX). If this feature is disabled your
PC will just reboot on startup.
:Boot from USB enabled: Sculpt is usually booted from a USB stick.
:UEFI boot enabled: Sculpt boots via UEFI by default. The boot image
is specially prepared such that it can be started via legacy boot on older
machines. However, booting it via legacy boot on a modern machine is
hit or miss.
:UEFI secure boot disabled: The Sculpt boot image is not cryptographically
signed.
:Optimize for performance when battery powered: If the latter is not set,
the hardware may behave erratically (e.g., non-working trackpoint when on
battery).
Getting a first impression
##########################
Sculpt is best explored by first booting the prebuilt disk image downloadable
from [https://genode.org/download/sculpt].
Right after system boot, Sculpt's system-management user interface
("Leitzentrale") appears.
The panel at the top of the screen contains two centered tabs for switching
between the "Components" view and a "Files" view (Figure [sculpt_20_08_panel]).
The components view displays a live graph of the software components and their
relationships. It also provides convenient access to the connected storage
devices. The "Log" button at the right side of the panel reveals diagnostic
messages, the "Network" button allows you to configure network connectivity,
and the "Settings" button on the left gives access to a few user-interface
tweaks (Figure [sculpt_20_08_panel]).
[image sculpt_20_08_panel 60%]
Consider the following steps as a warm-up with Sculpt OS.
Select the in-memory file system as *default storage location* by clicking
on the "ram fs" component in the graph and pressing the "Use" button
(Figure [sculpt_20_08_use_ram_fs]).
This way, software will be installed solely into memory without accessing any
real storage device.
[image sculpt_20_08_use_ram_fs 40%]
Enable *networking* in the "Network" dialog by selecting the "Wired" or
"Wifi" option. In the latter case, select an access point and enter the
corresponding passphrase (if needed). A successful network connection is
indicated by the IP address displayed at the bottom of the network dialog
(Figure [sculpt_20_08_network]).
[image sculpt_20_08_network 40%]
With a storage location selected and established network connectivity, it is
time to *install and start* additional components by clicking on the '+'
button of the components view. Select "Depot ..." from the menu
(Figure [sculpt_21_10_menu]).
[image sculpt_21_10_menu 40%]
The depot contains software packages, which can be obtained by different
independent software providers. The selection of software providers is
completely up to the user and can be defined in the "Selection ..." sub menu
(Figure [sculpt_21_10_select]).
[image sculpt_21_10_select 32%]
Select "genodelabs" to download the directory of software officially
provided by Genode Labs. Note that the other options are not necessarily
affiliated with Genode Labs. Think of each option as a different individual.
If you don't trust one particular software provider, you can still install and
use the provided software without risk as long as you don't explicitly grant
their components access to sensitive parts of your system. The judgement
of trust is entirely yours.
When now going back to the depot menu, a new menu item "genodelabs ..."
appears. It leads to a catalogue of software browsable via hierarchically
structured menus. As a starter, let's add a desktop background.
In the "GUI ..." sub menu, a click on the first item named "sticks blue
backdrop" reveals the option to install the package
(Figure [sculpt_20_08_install_backdrop]).
[image sculpt_20_08_install_backdrop 48%]
A click on the "Install" button triggers the download of the package and its
dependencies. Once the download is complete, the menu presents a configuration
dialog that allows you to define the interplay of the new component with the
system. In this particular case, you have to decide for a GUI service to be
used by the backdrop (Figure [sculpt_20_08_backdrop_routes]).
[image sculpt_20_08_backdrop_routes 40%]
The first option "system GUI server" would grant direct access to the system's
low-level GUI server, which is normally not used by applications but by
higher-level GUI servers like a window manager. The second option would give
the component the privilege to act as a lock screen. The third option would
connect the component to the special "desktop background" GUI session, which
appears as a layer behind all other applications. The fourth option "keyboard
focus" is preserved for a single component that controls the keyboard focus.
In our case, "desktop background" is the correct choice.
Once the configuration is complete, a new button for adding the component to
the system appears (Figure [sculpt_20_08_add_backdrop]).
[image sculpt_20_08_add_backdrop 40%]
After pressing the button, you should notice a slight visual change. *Press*
*F12* to toggle between the Leitzentrale and the desktop. Now, the backdrop
should become visible in full glory. In the component graph, the new component
appears connected to the "GUI". A click on the component reveals further
information along with the options to remove it from the system or to
restart it (Figure [sculpt_20_08_backdrop_selected]).
[image sculpt_20_08_backdrop_selected 40%]
As a next step, let us add a window system. In the '+' menu, you can find
a readily packaged window system at _genodelabs_ -> _GUI_ -> _themed wm_.
After installing the package, you are asked to take five decisions:
The _GUI (focus)_ should be assigned to "keyboard focus" to put the
window manager in charge of controlling the keyboard focus, which is part
of its job after all.
The _GUI_ should be assigned to "system GUI server" as the basic mechanism
to be used for graphical output and user input for the windowed applications.
By assigning _Report (shape)_ to _pointer shape_, we allow the window
manager to report information about mouse-pointer shapes.
By assigning _Report (clipboard)_ to _global clipboard_, we grant the
window manager the right to change the content of the global clipboard.
Vice versa, by assigning _ROM (clipboard)_, we permit the window manager
to obtain clipboard content.
After adding the component, the "themed wm" will appear in the components view.
To give the window system a quick try, add the small demo you can find at
_genodelabs_ -> _Demos_ -> _nano3d_ and assign its _GUI_ to our "themed wm".
You will be greeted with the window as shown in Figure [sculpt_ce_nano3d].
[image sculpt_ce_nano3d 40%]
Next, let us add a *small Unix-like subsystem* called _system shell_ hosted in
a window. This subsystem will be presented in a terminal window. The font
used by the terminal is obtained from a font server. To create the font
server, install and add the package _genodelabs_ -> _GUI_ -> _fonts fs_, and
assign the _system font configuration_ to its _ROM (config)_. "ROM" means
read-only memory. So we grant the font server read-only access to the system's
default font configuration (which is generated automatically according to the
screen resolution).
For starting the actual system shell, select and install
_genodelabs_ -> _Tools_ -> _system shell_ from the menu. The configuration
dialog is a bit more elaborate this time.
:GUI: defines the GUI server that should host the terminal.
Select "themed wm".
:File system (config): defines which file system should be mounted at
_/config/_ inside the instance. There exist a number of options.
By selecting _writeable system configuration_, we grant control over
the whole system. It goes without saying that this should not be done
lightheartedly. However, since we trust the "system shell" package from
Genode Labs, let's do it.
:File system (report): defines the file system to be mounted at _/report/_
inside the instance. By selecting "read-only system reports", we allow
the instance to look at the state of various parts of the system.
:File system (target): defines a file system to be mounted at _/rw/_.
This can be any file system you'd like to work with or explore, for
example the "ram fs".
:File system (fonts): defines the place where to obtain the font used by
the terminal. Select the "fonts fs" component we have started earlier.
:ROM (vimrc): defines the configuration for the vim text editor used
within the instance. Select "default vim configuration" to grant
read-only access to this information.
:ROM (clipboard): defines the service to obtain clipboard content from.
Select "themed wm" (not "global clipboard").
:Report (clipboard): defines the service for reporting new clipboard content.
Select "themed wm". More information about the integration and use of the
clipboard can be found in
[https://genodians.org/nfeske/2019-07-03-copy-paste - a dedicated article].
:Region maps:
Select "custom virtual memory objects" to allow the subsystem to manage
its virtual memory layout by itself.
With those decisions taken, a fresh system shell can be started, which appears
in a window (Figure [sculpt_20_08_system_shell]).
[image sculpt_20_08_system_shell 60%]
When selecting the "system shell" component in the graph, the
relationship to the other components of the system is presented. This provides
a convenient way to reveal the _trusted computing base_ of the selected
component (Figure [sculpt_20_08_system_shell_selected]).
For example, since there is no connection from _system shell_ to the
_nic_router_, we know that this component is isolated from the network. The
network-related components are outside the trusted computing base of the
system shell.
[image sculpt_20_08_system_shell_selected 50%]
Further exploration
-------------------
Of course, there are many more components to explore and to combine.
For inspiration, please follow the postings at
[https://genodians.org], for example:
:Copy and paste mechanism:
Sculpt provides a built-in mechanism for exchanging data between
virtual machines, terminals, and Qt applications:
[https://genodians.org/nfeske/2019-07-03-copy-paste]
:Use GNU/Linux inside a virtual machine on top of Sculpt:
There is a ready-to-use package for downloading Debian for the use inside
a virtual machine along with the ability to use VirtualBox guest
additions:
[https://genodians.org/jws/2019-07-08-download_debian-guest-additions-reloaded]
For configuring and starting the virtual machine, you may find the
following guide useful:
[https://genodians.org/m-stein/2019-03-07-vm-with-sculpt-ce-preview]
You may even go a step further by re-using an existing Linux installation
inside VirtualBox on Sculpt:
[https://genodians.org/jschlatow/2021-04-23-start-existing-linux-from-sculpt]
:Disposable Firefox VMs:
Use a minimalistic Tinycore-Linux system to run Firefox in memory without
access to any persistent storage:
[https://genodians.org/alex-ab/2019-03-06-disposal-browser-vm]
:Advanced window management:
Let Sculpt remember window positions across reboots, swap out window
decorations on the fly, and have fun with manipulating the window layout
directly via a textual interface.
[https://genodians.org/nfeske/2020-03-27-window-management]
:Encrypted file store:
The file-vault package provides Sculpt users with an easy way to set
up and use an encrypted file store using Genode's custom CBE block
encrypter.
[https://genodians.org/m-stein/2021-05-17-introducing-the-file-vault]
Base system
###########
Unless customized, the Sculpt base system resides as a self-contained live
operating system on a USB stick, not installed on disk. This has two
advantages. First, it makes the update of the base system straight-forward
and completely risk-free. Simply install the new version on a second USB
stick. Should the new version cause any trouble, one can fall back to the
original one by swapping the USB sticks. Second, it alleviates the need to
install any boot-loader infrastructure on disk. In fact, one can use an
entire disk as one file system without creating a partition table.
_Note that Genode is not limited to booting from USB. It also supports_
_the use of partitions. But for this guide, we keep things as simple as_
_possible._
System overview
===============
; Drivers | Leitzentrale | Runtime
; subsystem | subsystem | subsystem
; ---------------+--------------------+---------------
; static part of the system
; ----------------------------------------------------
; microkernel / core
[image sculpt_overview]
System overview
The Sculpt system consists of four parts living on top of the microkernel
(Figure [sculpt_overview]).
Static system
-------------
The first - static - part of the system is baked into the boot image. It
contains components that must be shared by the upper - dynamic - parts and
defines the relationships between the upper parts via a static policy that
is fixed by the creator of the boot image (Figure [sculpt_static]).
; Drivers | Leitzentrale | Runtime
; --------------------------------------------------------
; : :
; Nitpicker Report : : ROM [global policy]
; GUI server : : : :
; v v v v
; Report Config
; FS FS
[image sculpt_static]
Detailed look at the static part of the system
Besides a low-complexity GUI multiplexer called Nitpicker, the static
system contains two in-memory file systems. The _config_ file system stores
configuration data whereas the _report_ file system stores information
reported by components. These file systems are invisible to regular
components. Components obtain their configuration data from a (read-only
memory) ROM service, and report their state to a (write-only) report
service.
At boot time, the config file system is pre-populated with information from
the boot image. It stays in memory. Hence, after rebooting the system, any
changes are gone.
Drivers subsystem
-----------------
The drivers subsystem provides all the basic services needed to realize an
interactive system scenario: a framebuffer driver for the graphical
output, input drivers to obtain user input, and a block service to
access a storage device. All other drivers like networking or audio drivers
are not covered by the drivers subsystem. They will enter the picture at a
later stage and will use the platform service and USB service to access
device resources.
; Framebuffer AHCI
; Driver Driver
; : \ / :
; ACPI --- Platform ------- USB Driver : Dynamic :
; discover driver -- PS/2 : : Manager : Init :
; : : : : : :
; : : : : : :
; : Event : : :
; : Filter : : :
; : : : : :
; : : : : :
; (platform) (event) (USB) (framebuffer) (block)
[image sculpt_20_08_drivers 80%]
Services provided by the drivers subsystem
As illustrated by Figure [sculpt_20_08_drivers], some drivers like the
framebuffer driver live in a dynamically managed subsystem that depends on
runtime discovery of the hardware by the so-called driver-manager component.
Whenever an Intel graphics device is present, the Intel framebuffer driver
is spawned. Otherwise, a generic VESA driver or a driver for a
boot-time-initialized framebuffer is used.
Several components of the drivers subsystem report their state. For example,
when the Intel framebuffer is used, it reports the list of connectors present.
Most importantly, the driver manager reports the available block devices.
As user input may enter the system in multiple ways - most prominently PS/2
and USB HID - the drivers subsystem contains a so-called event-filter
component that merges these event streams and applies transformations like
key remappings or mouse acceleration.
Leitzentrale subsystem
----------------------
The Leitzentrale gives you - the user - full control over the config file
system and the report file system. You are free to inspect and
manipulate the system in any way you wish. The German term Leitzentrale
refers to a control center that requires a certain degree of sophistication
from the operator, which would be you. A typo at the wrong place may
render your system temporarily inaccessible, eventually requiring a reboot.
But don't be afraid. Since all manual changes performed in the Leitzentrale
occur in memory only, you are not at risk of permanently bricking your machine.
The Leitzentrale can be toggled at any time by pressing F12 and will be enabled
right after boot. It presents itself with a minimalistic GUI for accessing
the storage devices attached to your machine and for configuring your network
connectivity. Most importantly, however, it allows the user to access the
_config_ and _report_ file systems. Both file systems are readily accessible
under the "Files" tab of the panel. The file browser allows you to traverse
directory hierarchies, inspect individual files, and edit files.
Alternatively to the "Files" tab, Sculpt 21.10 features a command-line
interface. To spawn this command-line interface, click on the "ram fs"
component in the graph and select "Inspect". In the panel, a third tab named
"Inspect" appears, which hosts the command-line interface
(Figure [sculpt_20_08_inspect_tab]).
[image sculpt_20_08_inspect_tab 60%]
The inspect tab hosts a small Unix-like runtime as user interface. Don't let
the presence of a Unix shell mislead you. Sculpt is not a Unix system. It
merely uses Unix-like subsystems as convenient tools for managing and editing
files. Within the inspect tab, you can interact with both the report and
config file systems using familiar commands such as the bash shell, a subset
of coreutils, and Vim.
_Note that the interactive inspect view is not bullet-proof. Should you get_
_stuck, you may re-spawn it at any time by toggling the "Inspect" button._
Besides the interactive shell, the Leitzentrale employs a simple viewer of the
most recent diagnostic log messages. You can toggle the log display via the
panel's log button. Each line of the log is prefixed by the label of the
originating component. For detailed analysis, the complete log is also
available at _report/log_ and can be browsed with Vim in the inspect window.
Tweaking and inspecting the system
==================================
The Leitzentrale subsystem empowers you to interactively inspect and tweak
the running system either by using the file browser hosted in the "Files"
tab or by using the command-line interface and the Vim text editor provided by
the "Inspect" tab.
Interactive file browser
------------------------
The "Files" tab of the panel switches the main screen area to a simple file
browser that lists all file systems available, in particular the _config_
and _report_ file systems (Figure [sculpt_21_03_files_tab]).
By toggling one of the file-system buttons, the
respective directory hierarchy can be browsed. When hovering a file, an "Edit"
or "View" button appears, which can be used to open the file in a text area
that appears on the right side of the file browser. The editor supports the
usual notepad-like motions, operations, and shortcuts (control-c for copy,
control-v for paste, control-s for save).
[image sculpt_21_03_files_tab 80%]
_Note that the file browser as the most recent addition to Sculpt does not_
_yet support file operations like the copying, renaming, or removal of_
_files. Also the editing of files with long lines or the browsing of_
_directories with many entries is not appropriately covered yet. As a_
_fallback when encountering these limitations, the current version of Sculpt_
_still features the Unix-based inspect tab, which can be activated by_
_toggling the "Inspect" button inside the USB or storage nodes of the_
_component graph._
Vim skills recommended for using the inspect tab
------------------------------------------------
With the "Inspect" button toggled for at least one file system, the inspect
tab leverages (a subset of) GNU coreutils, bash, and Vim as the user interface
for sculpting the system. If you are not yet familiar with using Vim, you may
take Sculpt as a welcome chance to get your toes wet. To enjoy the experience,
you should be comfortable with the following operations:
* Opening and navigating within a text file (moving the cursor,
using '/' to search),
* Using the insert mode to make modifications,
* Reverting accidental modifications ('u' undo),
* Saving a modified file (':w'),
* Opening a file in a secondary buffer (':e'),
* Switching between buffers (':bn' for next, ':bp' for previous),
* Copy and paste ('v' start selection, 'V' start line selection,
'y' remember selection, 'p' paste remembered selection),
* Exiting Vim (':x' save and exit, ':q!' discard changes).
Adjusting the user-input handling
---------------------------------
By default, Sculpt uses the US-English keyboard layout but it offers a few
alternative keyboard layouts like French and German in the settings menu at
the upper left corner. A change of this setting is reflected in the
_config/managed/event_filter_ file, which is the configuration for the
event-filter component mentioned in Section [System overview]. For tweaking
the input processing beyond the keyboard-layout setting, copy this file to
_config/event_filter_.
! inspect:/> cp /config/managed/event_filter /config/event_filter
With the _config/event_filter_ file in place, you may notice that the
keyboard-layout menu has vanished. This is because now you have taken over
manual control. (BTW, you can get the menu back at any time by removing the
file).
As a Vim user, you most likely want to remap the useless capslock key to
escape, don't you? You can accomplish this by editing your
_/config/event_filter_ file.
! inspect:/> vim /config/event_filter
To remap the capslock key to escape, change the following line
! <key name="KEY_CAPSLOCK" to="KEY_CAPSLOCK"/>
to
! <key name="KEY_CAPSLOCK" to="KEY_ESC"/>
After saving the file, a Vim user's life suddenly becomes much more pleasant.
[image event_filter 80%]
Filter chain for user-input events
Take the time to review the remaining parts of the event-filter
configuration. The nested configuration nodes define a hierarchy of
filters that are applied in the order from the inside to outside
(Figure [event_filter]). There are filters for merging events ('<merge>'),
remapping buttons and keys ('<remap>'), supplementing symbolic character
information ('<chargen>'), pointer acceleration ('<accelerate>'), and
emulating a scroll wheel by moving the pointer while pressing the middle
mouse button ('<button-scroll>').
Display settings
----------------
If you are running the Intel graphics driver, you can inspect the connected
displays and their supported resolutions by taking a look at the report at
_/report/drivers/dynamic/intel_fb_drv/connectors_. This report is updated
whenever a display is connected or disconnected. You can use this
information to enable or disable a display in the driver's configuration,
which you can find at _/config/fb_drv_.
For a quick test, change the attribute 'height="768"' to 'force_height="768"'
(you may modify 'width' analogously). When saving the file, the screen
real-estate will forcibly be limited to the specified size. This is helpful
during presentations where the projector has a lower resolution than the
laptop's internal display. By specifying the beamer's resolution, both the
laptop and the beamer show the same content.
Exploring the drivers and Leitzentrale subsystems
-------------------------------------------------
You can review the construction plan of the drivers subsystem by opening the
file _drivers_ at the config file system. In particular, it is interesting to
follow the '<route>' rules to see how the various components are connected.
But there is more. The configuration is live. It enables you to reconfigure
individual components on-the-fly. For example, search for the '<start>' node
of the PS/2 driver and add the attribute 'verbose_keyboard="yes"' to the
embedded '<config>' node. By saving the file, the changed configuration
becomes effective. Any key pressed or released on the PS/2 keyboard will
result in a log message on the right. You may revert this change (vim: 'u')
and save the original version of the file.
_Note that not all components are dynamically reconfigurable but many_
_modern ones - in particular the init component and most long-running_
_server components - are._
_It is possible to forcibly restart a component by adding a 'version'_
_attribute to the '<start>' node. Whenever the 'version' value is changed,_
_the component is re-spawned._
_The component-specific configuration options are documented in the README_
_files accompanying the respective components in the source tree._
Analogously to the drivers subsystem, you can find the construction plan
for the Leitzentrale subsystem at the file _leitzentrale_. Try out
the following tweaks:
* Change the transparency of the Leitzentrale by modifying the 'alpha'
attribute of the 'fader' component.
* Change the font size of the 'log_terminal' component from "10"
to "18".
You may also enjoy tinkering with the configuration of the Nitpicker GUI
server, which is located at the file _nitpicker_. For example, you
may change the background color or the labeling color of the "default"
domain.
System resources
================
Whenever adding a new component via the '+' menu, one has to define how to
connect the component with the rest of the system. It is important to know
what the presented options mean to take educated decisions.
[image sculpt_20_08_system_shell_routing 40%]
Each choice represents a connection to a system resource of a particular type.
Initially, the presented options are resources that are built-in into Sculpt's
base system. Once new components enter the picture, their services also appear
as options.
Resource type | Interface | Built-in options
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Audio input | 'Audio_in' |
----------------------------------------------------------------------------
Audio output | 'Audio_out' |
----------------------------------------------------------------------------
Block device | 'Block' | direct block-device access
----------------------------------------------------------------------------
Capture | 'Capture' | system GUI
----------------------------------------------------------------------------
| | management GUI
----------------------------------------------------------------------------
Device access | 'Platform' | wifi hardware
----------------------------------------------------------------------------
| | network hardware
----------------------------------------------------------------------------
| | audio hardware
----------------------------------------------------------------------------
| | ACPI
----------------------------------------------------------------------------
Direct memory-mapped I/O | 'IO_MEM' | raw hardware access
----------------------------------------------------------------------------
Direct port I/O | 'IO_PORT' | raw hardware access
----------------------------------------------------------------------------
Direct device interrupts | 'IRQ' | raw hardware access
----------------------------------------------------------------------------
Event | 'Event' | system input events
----------------------------------------------------------------------------
| | management GUI events
----------------------------------------------------------------------------
File system | 'File_system' | writeable system configuration
----------------------------------------------------------------------------
| | read-only system reports
----------------------------------------------------------------------------
| | used file system
----------------------------------------------------------------------------
GPU | 'Gpu' | hardware-accelerated graphics
----------------------------------------------------------------------------
GUI | 'Gui' | keyboard focus
----------------------------------------------------------------------------
| | desktop lock screen
----------------------------------------------------------------------------
| | desktop background
----------------------------------------------------------------------------
| | system GUI server
----------------------------------------------------------------------------
Hardware virtualization | 'VM' | virtualization hardware
----------------------------------------------------------------------------
Network | 'Nic' |
----------------------------------------------------------------------------
Protection domain | 'PD' | system PD service
----------------------------------------------------------------------------
Real-time clock | 'Rtc' |
----------------------------------------------------------------------------
Region maps | 'RM' | custom virtual memory objects
----------------------------------------------------------------------------
Report | 'Report' | system reports
----------------------------------------------------------------------------
| | pointer shape
----------------------------------------------------------------------------
| | global clipboard
----------------------------------------------------------------------------
ROM | 'ROM' | global capslock state
----------------------------------------------------------------------------
| | default vim configuration
----------------------------------------------------------------------------
| | system font configuration
----------------------------------------------------------------------------
| | platform information
----------------------------------------------------------------------------
| | system status
----------------------------------------------------------------------------
| | global clipboard
----------------------------------------------------------------------------
Terminal | 'Terminal' |
----------------------------------------------------------------------------
Tracing | 'TRACE' | system-global tracing
----------------------------------------------------------------------------
USB | 'Usb' | direct USB-device access
[table resources]
Overview of system resources
Table [resources] gives an overview of the different built-in
resources and their types. The names given in the interface column correspond
to the Genode session types as found in the routing rules of the deploy
configuration or launcher definitions (Section [Runtime management]).
Let's look into each type in more detail.
GUI
~~~
The GUI service interface is provided by the low-level system GUI server
(named Nitpicker) as well as the higher-level window manager. It entails both
the ability to perform graphical output and the reception of user input. Note
that the low-level GUI server keeps its client applications isolated by
default. One application cannot see the output of other applications nor can
it sniff user input globally. One can connect multiple applications -
trusted and untrusted alike - to the low-level GUI server without fear.
However, in typical scenarios, applications don't use the bare-bone system GUI
server directly but rather employ a window manager that sits in-between the
system GUI server and the applications, and equips the system with the
notion of windows.
The base system provides three different GUI options.
:keyboard focus: grants control over the keyboard focus. It should be
assigned to only one component, typically a window manager. However,
in principle, another component like the _system shell_ can be connected
to it and thereby becomes able to receive keyboard input.
:desktop lock screen: assigns the component the role of a lock screen. Once
the component is present at the GUI, it seizes the keyboard focus and is
able to cover the entire screen.
_Note that - with the current version of Sculpt - global keys as defined in_
_the nitpicker configuration are not affected by the lock screen, i.e.,_
_as is the case with the screen key assigned to the window manager._
:desktop background: allows a component to present its graphical output
in a dedicated layer behind all other applications. The desktop background
cannot receive keyboard focus. But it can respond to pointer events
(mouse clicks and motion).
:system GUI server: allows a component to perform graphical output and
handle pointer events, but no keyboard input. It is designated as a
base mechanism for the window manager, or for implementing GUI features
like global overlays or status displays.
By the way, the configuration of the low-level GUI server can be found at
_/config/nitpicker_ and can be modified on the fly.
ROM
~~~
ROM stands for read-only memory. A ROM service reveals information to
its clients but a client cannot change the information. Note that the
provided information does not need to be static. It can potentially
change over time. Whenever that happens, the ROM service informs its
clients about the availability of a new version. The base system provides
the following built-in ROM resources:
:global capslock state: the system-global state of the capslock key.
It can be handed out to components like virtual machines to keep the
capslock state of guest operation systems consistent with the host.
:default vim configuration: the configuration of the Vim text
editor as used in the Leitzentrale's inspect window and managed at
_/config/vimrc_. It allows you to customize one vim configuration at a
central place and use this configuration consistently across Sculpt's
inspect window and manually deployed components.
:system font configuration: is the default font configuration managed
by Sculpt according to the current screen resolution. It is of course
customizable by the user. By using this configuration, components can
foster a consistent user experience regarding the display of text.
:platform information: provides details about the underlying kernel and
hardware. Some drivers and virtual machine monitors need this information to
take platform intrinsics like the concrete flavor of virtualization hardware
into account. Normal applications should never need this information.
:system status: reflects the system-global power state. It is used by the
optional ACPICA driver to respond to requests for a system reset or
power-down.
:global clipboard: provides the current content of the global clipboard.
The content can be accessed by a component only when the user interacts
with the component. This prevents overly nosey components from snooping the
clipboard content.
Report
~~~~~~
Report services play the counterpart of ROM services. They allow clients
to report information in a fire-and-forget fashion, but not to retrieve
information. As explained in Section [System overview], the base system
includes a report service that aggregates incoming reports into the in-memory
report file system. The incoming reports are organized according to their
origin (their session labels). By granting a component access to the _system_
_reports_, the component can contribute to this knowledge base. However,
keep in mind that Sculpt's built-in report file system is limited in size.
A misbehaving component may put the system in jeopardy by producing overly
sized reports.
:pointer shape: Reports labeled with 'shape' play a special role.
They are routed to the mouse pointer and thereby enable graphical
applications to suggest context-specific pointer shapes. The
application-provided shape is shown whenever the corresponding application
is hovered.
:global clipboard: enables components to write new content to the
system-global clipboard. This operation, however, is restricted to the
single component that the user currently interacts with. This prevents
rogue components from spamming the global clipboard.
File system
~~~~~~~~~~~
A file-system service offers the storage and retrieval of data organized in
a hierarchical directory structure. Access to a file system can be restricted
to be read only. The distinction between read-only and read-writable does
not exist per file but for the entire file-system resource.
Of course, many use cases call for finer-grained access control. This is
where intermediate _chroot_ file-system components come into play. Such
a component reduces the view on an existing file system to a specific
sub directory, which then appears as a new file system to the application.
For examples, please review the launchers at _/config/launcher/_ such as the
_shared_fs_.
The Sculpt base system has two built-in file systems.
:writeable system configuration: corresponds to the config file system
described in Section [System overview]. The ability to access this file
system equals to total control over the system. Hence, never assign
this file system to components that you don't fully trust.
:read-only system reports: allows the client to inspect the global state of
the system. The reports found in this file system are organized in a
directory structure that corresponds to the system structure. For example,
all reports generated by the runtime sub system reside within the _runtime/_
directory. Note that this global state may contain sensible information.
For this reason, the system reports should not be handed out to components
that are suspected of information leakage.
The two built-in file systems reside in memory. In order to access persistent
storage, additional file-system services can be started as regular components
within the runtime subsystem. Those components, in turn, need to be connected
to the corresponding block devices.
:used file system: is the file system selected for the use of Sculpt.
In principle, the specific file system such as "usb-1-10.3.fs" can be
selected directly. But when moving configurations from one device to
another, the generic "used file system" option avoids tying the component to
a particular physical file-system name. The resulting configuration works
regardless of where it is deployed.
Block device
~~~~~~~~~~~~
A block-device resource allows for the block-level storage and retrieval
of data whereas a block-device can be read-only or read-writable. The base
system's built-in block service hands out the devices listed at
_/report/drivers/block_devices_ according to the label of the client's session.
The label must correspond to the name of the block device. Typically, the
built-in block service is used via manually created launchers by using a route
like this:
! <route>
! <service name="Block"> <parent label="ahci-1"/> </service>
! </route>
Device access
~~~~~~~~~~~~~
With Sculpt, device drivers can be installed and used like any regular
component. In contrast to plain applications, however, device drivers need
to access the corresponding device hardware. This access is guarded by the
so-called platform driver hosted in the _drivers_ subsystem. The platform
driver has two purposes.
First, it uses the IOMMU to isolate devices from each other and to restrict
the reach of each device to the memory explicitly assigned to the device
(DMA buffers).
Second, it arbitrates the access of device-driver components to devices.
Regarding the latter, the platform driver differentiates four categories
of drivers, namely wifi, network, audio, and ACPI. When assigning one
of those resources to a driver component, the driver will see a virtual
PCI bus with only the devices that fall in the chosen category.
Note that USB, AHCI, NVMe, and PS/2 are handled differently as those
devices are driven by Sculpt's _drivers_ subsystem.
USB
~~~
By connecting a component to USB, the component becomes able to access
individual USB devices. The device is selected by the component by specifying
a session label that corresponds to a name of a device listed at
_/report/drivers/usb_devices_. The most prominent use case for the USB
resource is the direct assignment of USB devices to virtual machines
as described in Section
[Updating the USB boot device from within VirtualBox].
Real-time clock
~~~~~~~~~~~~~~~
The real-time clock enables a component to know what time it is. The service is
optionally provided by a package called system clock.
GPU
~~~
Access to the GPU (graphics processing unit) service allows a component to
utilize hardware-accelerated graphics on machines that feature a GPU supported
by Sculpt. Supported are Intel GPUs of generation 8 (Broadwell) or newer.
_Note that GPU support is a very recent feature and has thereby not_
_received intensive testing yet. Please regard it as experimental and_
_use it with caution._
Region maps
~~~~~~~~~~~
The region-map service of the base system gives components a flexible way to
manage their virtual address spaces manually. This mechanism is used by a few
advanced components only, most specifically virtual machine monitors. Access
to the region-map service is not security critical. But as it is rarely
needed, it is not granted by default to limit the potential (attack) surface
of the base system as far as possible by default.
Direct memory-mapped I/O, port I/O, and device interrupts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
These low-level services are provided by Genode's core component. They
should never be needed by any regular component. Even device drivers
don't use those services directly but rather rely on the higher-level
device-access service described in Section [Device access].
However, a few special use cases demand for such low-level access. In
particular the use of ACPI functionality.
As a rule of thumb, never grant access of those resources to any component
except you know exactly what you are doing and you completely trust the
provider of the component.
Tracing
~~~~~~~
The low-level tracing interface allows a component to observe and to
manipulate all activities in the system. It should only be granted to
components that are fully trusted.
Hardware virtualization
~~~~~~~~~~~~~~~~~~~~~~~
The hardware-virtualization service allows virtual machine monitors to
leverage virtualization technology (Intel VT).
Protection domain
~~~~~~~~~~~~~~~~~
By default, each component implicitly relies on the protection-domain (PD)
mechanism provided by the operating-system kernel. However, Sculpt OS allows
for the optional interception of a component's interplay with this low-level
mechanism through another component. This is useful for dynamic CPU-load
balancing, debugging, or statistical profiling.
The option to select a protection-domain service is only displayed in the
presence of at least one component that provides a PD service. Note that
a PD service is able to exercise full control over each component that uses
the service.
Network
~~~~~~~
Network services provide an interface for sending and receiving network
packets. Sculpt's Leitzentrale conveniently manages drivers for wireless (wifi
drv) and wired (nic drv) networking as well as the user-level network routing
component (nic router). So you usually see the NIC router as an option. The
NIC router multiplexes the network access among multiple network applications.
By default, it acts as a virtual NAT router, handing out a distinct IP address
to each client.
Terminal, audio input, and audio output
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Terminal services allow for the input and output of streams of text. Examples
are a graphical terminal, or a UART driver. The base system has no built-in
terminal service.
As the names suggest, audio input and output enable components to record
and play audio. The base system does not provide such services. Instead,
audio infrastructure like drivers and a mixer can be installed as regular
components.
Capture and event
~~~~~~~~~~~~~~~~~
The capture and event interfaces serve as counter parts of the GUI interface.
Whereas the GUI interface allows a client to put pixels on screen and receive
input events, the capture and event interfaces allow a client to capture the
screen and inject user-input events into the system. Normally, these
interfaces are used by graphics and input-device drivers. However, they
are also useful for remote-desktop scenarios, virtual keyboards, or for
taking screen shots.
Note that those interfaces are _security critical_. When handing out a
capture interface to a component, the component becomes able to observe the
screen content of all applications present at the GUI server. Vice versa, by
handing out an event interface to a component, the component becomes able to
inject user-input events to the GUI server, acting on behalf of the user. The
built-in choices allow a component to be connected to either the system-global
GUI server, or specifically to the management GUI.
CPU-resource assignment
~~~~~~~~~~~~~~~~~~~~~~~
[image sculpt_21_03_affinity 40%]
You may already have noticed the additional item "Resource assignment ..."
in the component-configuration dialog (Figure [sculpt_21_03_affinity]).
It leads to a sub menu for restricting the CPU usage of the new component. The
configuration dialog shows a matrix of CPU cores where the x-axis denotes the
physical cores and the y-axis the hyperthreads. By default, all available CPU
cores are selected. You can toggle the nodes by clicking on them. The dialog
ensures that the selection is always a rectangular area. So one click may
affect nodes other than only the clicked one.
Below the CPU-affinity matrix, the dialog allows for the selection of the
component's scheduling priority. Note that here the notion of priority refers
to hard static priorities as opposed to nice levels. That is, a high-priority
activity prevents all lower-level priorities from executing. Consequently, the
assignment of a high priority comes at the risk of starving lower-priority
components. The dialog presents four options:
:Driver:
The highest priority should be preserved to latency-critical device drivers
such as audio drivers. This option is also a sensible choice for trusted
components that must stay somewhat responsive under any condition. For
example, the components of the leitzentrale GUI operate on this priority to
preserve the user's control over the system even in the event of a rampaging
high-priority device driver.
:Multimedia:
The second-highest priority is recommended for latency-sensitive
applications such as audio and video players as well as their dependencies.
For example, it is the appropriate priority for window-management
components.
:Default:
The default priority is suitable for all regular applications as well as
storage and networking components.
:Background:
The lowest priority is designated for non-interactive best-effort workloads
such as long-running computations. By assigning the background priority to
such components, they won't impede the user's perception of the
responsiveness of the system.
Runtime management
==================
[image sculpt_runtime_highlighted]
In contrast to the drivers subsystem and the Leitzentrale, which have a
predefined purpose, the runtime subsystem is shaped by the user. The
components present in the runtime subsystem are displayed by the components view.
Some of them are managed by the Leitzentrale. For example, while inspecting a
file system, the corresponding "inspect" component appear automatically. Other
components correspond to subsystems deployed from installed packages, in
particular the ones created via the "+" menu.
The current configuration of the runtime subsystem is available at the
_config_ file system at _managed/runtime_. It is not recommended to modify
this file manually. However, in some situations, it is useful to take manual
control over the runtime configuration. This is possible by copying the file
to the root of the config file system.
Note that this will inhibit the management functionality of the Leitzentrale.
You can yield back the control to the Leitzentrale by removing the _runtime_
file from the root of the config file system.
As a prerequisite for deploying user-selected components, a default storage
location must be defined by selecting the "Use" button of a file system
in the menu. For the start, it is best to select the "ram" file system as
storage location. Once you are comfortable with Sculpt, you may make the
installation and customizations permanent by using a real storage device
instead.
The selection of a "used" file system has two immediate effects. First, any
files present at _config/<VERSION>/_ at the selected file system are copied to
the config file system. As the RAM file system is empty, no files are copied.
Second, the so-called _depot/_ is initialized at the selected file system. The
depot is the designated place for the installation of software packages. By
default, the depot is initialized such that the Sculpt system accepts software
from Genode Labs as well as from a few members of the Genode community. You
may inspect the content of _/ram/depot_ using the inspect window.
With a file system and an Internet connection selected, additional software
can be installed and run. The most convenient way is the interactive use of
the '+' menu to browse the catalogues of packages provided by software
providers and to configure new component instances.
Additionally, the deployment can be controlled by the _deploy_ file of the
_config_ file system and the so-called launchers located at the _launcher/_
sub directory.
The _deploy_ file contains a '<start>' node for each running component.
Such a <start> node specifies the package, the assigned resources,
and the rules of how the component is connected with other components.
Alternatively, a <start> node may refer to a launcher that encapsulates
this policy as a separate file at the _launcher/_ directory.
By default, the launcher corresponds to the 'name' attribute of the start node.
It is possible to explicitly refer to a differently named launcher by
specifying a 'launcher' attribute. This way, one launcher can be instantiated
multiple times.
The files within the _launcher/_ directory are monitored by Sculpt and
therefore can be edited on the fly. This is especially useful for editing
'<config>' nodes of already running components.
A '<config>' node within a launcher - when present - overrides the one
provided by the package. In turn, a '<config>' node within a node of the
deploy config overrides any other '<config>' node. Both the launcher and a
'<start>' node may contain a '<route>' node. The routing rules defined in the
'<start>' node have precedence over the ones defined by the launcher. This
way, the routing of a launcher can be parameterized at the deploy
configuration.
Each time the _deploy_ file or a launcher file is written, the change
takes immediate effect. In particular, the Sculpt manager will automatically
kick off the download of the referenced packages and its dependencies and
thereby populates the depot. Once the download has completed, the packages are
started.
Interplay of the deploy configuration and interactive changes
-------------------------------------------------------------
The content of the _deploy_ file is taken as the starting point for the
interactive use via the '+' menu. All interactive changes to the deployment
are reflected in the _managed/deploy_ file.
Note that any modification of _deploy_ resets _managed/deploy_ to the state
defined in the _deploy_ file.
Launchers appear at the top level of the '+' menu. So they are a convenient
mechanism to quickly add often-used components with specific policies to the
system.
Storage device access and preparation
=====================================
Whereas the RAM file system is practical for quick tests, it goes without
saying that we want to persistently store data, programs, and configuration
information on a storage device. Sculpt supports SATA disks, NVMe devices,
and USB-storage devices. The storage and USB nodes of the components view list
all devices detected by the drivers subsystem. A click on a device reveals
possible operations or - if a partition table is present - more details about
the device structure.
Depending on the operation selected by the user, the Sculpt manager will
automatically spawn helper components in the runtime to perform the selected
operation.
For example, by selecting the "Format device" operation, the Sculpt manager
will create a tiny Unix-like subsystem with the selected block device mounted at
'/dev/block' and e2fsprogs mounted at '/'. This Unix-like subsystem runs
'mkfs.ext2' as init process. Likewise, an existing EXT2 file system
can be checked by activating the "Check" button, which triggers the execution
of 'fsck.ext2' for the selected file system.
A particularly interesting option is presented at the last partition of the
Sculpt USB stick. Initially - right after copying Sculpt's tiny disk image to
the USB stick - the partition is only a few MiB in size. However, using the
"Expand" operation, the partition can be extended to the full size of the USB
stick, which makes enough room to use the USB stick as Sculpt file system.
This clears the way for sculpting a custom live system stored entirely on
the USB stick.
All file systems supported by Sculpt present an "Inspect" button. By toggling
this button, the selected file system becomes accessible in the "Inspect"
tab. Note that more than one file system can be inspected at a time.
Each file system will appear as a directory at the root of the inspect
directory tree, named after the corresponding device and partition number.
This way, the inspect window becomes a convenient tool for copying files
between file systems. Under the hood, the Sculpt manager spawns a file-system
component for each inspected file system, which translates the notion of files
and directories to block-device accesses.
Making customizations permanent
===============================
It is possible to make any customization of the _config_ file system
permanent by copying the modified files to a directory named
_config/<VERSION>_ on a persistent file system where _<VERSION>_ corresponds
to the Sculpt version number as found in the _/VERSION_ file.
Each time this file system is selected for "Use", those files will be
automatically copied to the in-memory config file system.
The most important customization is the system composition, usually created
via the '+' menu. To make it permanent, copy the current state of
_/config/managed/deploy_ to _/<DISK>/config/<VERSION>/deploy_ where _<DISK>_
corresponds to your Sculpt partition. This deploy configuration will take
effect whenever the Sculpt partition is selected for "Use".
To streamline the boot procedure into a customized Sculpt system even more,
it is possible to mark one file system as default. At boot time - when the
Sculpt manager discovers the attached storage devices - it automatically
selects a file system for use according to the following order of preference:
# Partition named "GENODE*" on a USB device in a GPT (GUID Partition Table),
# Partition named "GENODE*" on a SATA or NVMe storage device in a GPT,
# An entire SATA or NVMe device used as a single EXT2 file system (as devised
by Sculpt EA).
The storage dialog hosts a convenient "Default" button that allows one
to toggle a partition label between "GENODE" and "GENODE*". For example,
the last partition of the Sculpt USB stick can be marked as default or
non-default using this button.
Advanced usage
##############
Manual configuration
====================
Thanks to the Sculpt-manager component of the Leitzentrale, many typical
work flows and configuration tweaks are largely automated. For example,
* The management of storage devices,
* The creation of file-system components for used or inspected file systems,
* The selection and configuration of network access,
* Font size selection depending on the screen resolution,
* Keyboard-layout selection, or
* Triggering the download of missing depot content on demand.
This convenience comes at the price of built-in policy, which may stand in
the way of sophisticated scenarios. For this reason, almost all policies
of the Sculpt manager can be overridden by manually managed configuration
files.
The Sculpt manager interacts with the rest of the system solely by
monitoring reports aggregated in the report file system, and writing
configuration files into the config file system. All files generated
by the Sculpt manager are located at the _managed/_ sub directory of the
config file system. By manually creating a same-named file at the root of the
config file system, one can supply a custom managed configuration to the
Sculpt manager. A useful practice is taking a snapshot of the generated
configuration as a starting point for the custom version. For example, by
copying the NIC router configuration while it is connected to a network:
! cp /config/managed/nic_router /config
Now, the copy at _/config/nic_router_ can be edited. Note that changes
usually take immediate effect.
Examples of manual customization are:
* Adding custom NIC router policies such as port-forwarding rules,
* Installing depot content manually by managing _/config/installation_
by hand. This includes the ability to download the source code for
any package.
* Disarming the automated update mechanism by using a _/config/installation_
file with no '<archive>' entries.
* Fixing the current state of the runtime subsystem by copying
_/config/managed/runtime_ to _/config/runtime_. This allows one to
manually tweak and inspect the runtime in any way, e.g., to enable
additional reporting when troubleshooting.
* Manually defining the default font sizes by creating a custom _config/fonts_
configuration.
* Managing Wifi credentials manually by supplying a custom _config/wifi_ file.
To revert any manual customization, delete the corresponding file. In this
case, the Sculpt manager will take over again. Note that all manual
customizations can be made permanent by following the steps explained in
Section [Making customizations permanent].
Building the boot image
=======================
The following steps assume that you have the Genode tool chain installed on a
GNU/Linux system. For reference, Ubuntu 18.04 is known to work well. If you
don't know your way around Genode's source tree yet, please consider the
"Getting started" section of the Genode Foundations book that is available as
a free download at [https://genode.org].
# Clone Genode's Git repository:
! git clone https://github.com/genodelabs/genode.git
! cd genode
! git checkout -b sculpt-21.10 sculpt-21.10
# Download the support for the NOVA microkernel
! ./tool/depot/download genodelabs/bin/x86_64/base-nova/2021-10-14
The content is downloaded to the _public/_ directory and extracted to
the _depot/_ directory.
# Download all ingredients for the Sculpt boot image
! ./tool/depot/download genodelabs/pkg/x86_64/sculpt-pc/2021-10-14
# Create a build directory
! ./tool/create_builddir x86_64
# Configure the build directory by editing _build/x86_64/etc/build.conf_.
Most importantly, enable the 'gems' source-code repository where the Sculpt
scenario resides. In addition, the 'libports', 'ports', 'dde_linux' and
'dde_ipxe' repository are needed as well. Second, change the default
configuration of the 'QEMU_RUN_OPT' variable to 'image/disk' instead of
'image/iso'. This way, the build process will produce a valid disk image
with a GPT partition table instead of a legacy ISO image.
# Prepare GRUB 2, which is needed for booting from the disk image
! ./tool/ports/prepare_port grub2
# Create the Sculpt boot image (defined by the run script at
_repos/gems/run/sculpt.run_)
! make -C build/x86_64 run/sculpt KERNEL=nova BOARD=pc
The boot image is created at _build/x86_64/var/run/sculpt.img_.
# Write the boot image to a USB stick:
! sudo dd if=build/x86_64/var/run/sculpt.img of=/dev/sdx bs=1M conv=fsync
Here, '/dev/sdx' refers to the device node of your USB stick. To determine
it, you may inspect the output of 'dmesg' after plugging it in.
Reproducing the system from source
==================================
Section [Building the boot image] presents the creation of the boot image
from pre-built packages. You may want to build those packages from source,
in particular for customizing the system.
Before building the packages, various ports of 3rd-party software need to
be prepared. The following command prepares all of them at once:
! <GENODE-DIR>/tool/ports/prepare_port \
! acpica ada-runtime bash cbe coreutils curl \
! dde_bsd dde_ipxe dde_linux dde_rump e2fsprogs-lib \
! expat freetype gnupg grub2 jitterentropy jpeg \
! libarchive libc libdrm libgcrypt libiconv libpng \
! libsparkcrypto libssh libusb libuvc libyuv mesa \
! ncurses nova openssl qemu-usb qoost qt5 stb \
! stdcxx ttf-bitstream-vera vim virtualbox5 \
! virtualbox6 x86emu xz zlib
To be able to compile components that are dependent on the QT5-library, the
corresponding toolchain needs to be installed in addition to the base Genode
toolchain. You can build and install it by using the following commands:
! <GENODE-DIR>/tool/tool_chain_qt5 build
! <GENODE-DIR>/tool/tool_chain_qt5 install
The ingredients of the boot image are subsumed by the 'pkg/sculpt-pc' package.
The default set of software installed by the update runtime is defined by
the 'pkg/sculpt-installation' package. You can find the depot recipes for
these packages at _repos/gems/recipes/pkg/_.
The _repos/gems/run/sculpt.run_ script can be executed to build a boot image.
By default, the boot image refers to 'genodelabs/pkg/sculpt-pc' and to
'genodelabs/pkg/sculpt-installation' for the runtime-installed software. You
may want to install your version of these packages instead by changing the
package provider from 'genodelabs' to '<YOU>' by adding the line
! RUN_OPT += --depot-user <YOU>
to your _<build-dir>/etc/build.conf_.
To build the packages for the boot image:
! <GENODE-DIR>/tool/depot/create \
! UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
! <YOU>/pkg/x86_64/sculpt-pc \
! <YOU>/bin/x86_64/base-nova
The 'FORCE=1' argument ensures that source archives are re-created and
checked for the consistency with their versions. If the source code of any
of the archives changed, the 'UPDATE_VERSIONS=1' argument automatically
updates its version. Please don't forget to commit the updated 'hash'
files. The empty 'REBUILD=' argument limits the creation of binary packages
to those that do not yet exist in binary form. If not specified, the
command would recompile all packages each time. You may further add '-j<N>'
to parallelize the build process where '<N>' is the level of parallelism.
Alternatively to managing the depot manually, you may choose to let the build
system manage the versioning and updating of the depot content automatically
by enabling the following line in your _build.conf_ file. This slows down
the build time a bit but ensures that the depot content is consistent with
your source tree at all times.
! RUN_OPT += --depot-auto-update
Building the 'sculpt-installation' package works analogously to the 'sculpt-pc'
package.
! <GENODE-DIR>/tool/depot/create \
! UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
! <YOU>/pkg/x86_64/sculpt-installation
To make the 'sculpt-installation' available for download from within the
boot image, you must publish it. This involves the archiving, signing,
and uploading of the content. The former two steps are covered by the
_tool/depot/publish_ tool, which expects one to specify a concrete version.
The current version of the 'sculpt-installation' can be obtained via
! cat <GENODE-DIR>/repos/gems/recipes/pkg/sculpt-installation/hash
The first part is the version. The second part is the content hash of the
version. For more information about working with the depot tool, refer to
[https://genode.org/documentation/developer-resources/package_management].
The launchers integrated in the boot image are defined at
_gems/run/sculpt/launcher/_. Each file contains a node with a mandatory pkg
attribute. If the attribute value contains one or more '/' characters, it is
assumed to be a complete pkg path of the form '<USER>/pkg/<NAME>/<VERSION>'.
Otherwise it is assumed to be just the pkg name and is replaced by the current
version of the current depot user's pkg at system-integration time.
Updating the USB boot device from within VirtualBox
===================================================
The _/config/deploy_ example is prepared to assign USB storage
devices directly to a running virtual machine. You may inspect the report
_/report/drivers/usb_active_config_ to get a list of attached USB devices.
Use Vim to copy the '<policy>' node of the selected device into the
'<inline>' section within the _/config/launcher/usb_devices_rom_ file, and
adjust the line as follows:
* Replace the node type '<policy>' by '<device>', and
* Rename the attribute 'label_suffix' to 'label'.
The updated 'usb_devices' ROM prompts VirtualBox to open a USB session at
the drivers subsystem. Hence, when saving the modified
_/config/launcher/usb_devices_rom_ file, the guest OS should detect a new USB
device (check the output of 'dmesg'). You may now write a new version of the
Sculpt ISO image to the device by following the steps described in Section
[Building the boot image].
Credits
#######
Sculpt is an example system scenario of the Genode project, which is an
operating-system technology designed and developed from scratch.
:Genode OS Framework:
[https://genode.org]
That said, Genode is not developed in a vacuum. It rather stands on the
shoulders of giants and greatly benefits from the free-software/open-source
community. The following projects play a particularly important role for
the Sculpt scenario.
:NOVA microhypervisor:
Sculpt's kernel is a derivate of NOVA, maintained by Genode Labs.
NOVA was originally created by Udo Steinberg [https://hypervisor.org].
:Linux kernel:
[https://kernel.org]
Sculpt reuses several Linux subsystems as individual components, in
particular the USB stack, the Intel wireless stack, the Intel graphics
driver, and the TCP/IP stack.
:NetBSD's rump kernel:
[https://wiki.netbsd.org/rumpkernel/]
The file-system support is based on NetBSD kernel code, which became
reusable on Genode thanks to the rump kernel project.
:FreeBSD:
[https://www.freebsd.org/]
The C runtime that is used by most 3rd-part software is based on FreeBSD's
libc.
Device drivers
--------------
:WPA supplicant:
[https://w1.fi/wpa_supplicant/]
_(used by the wireless driver)_
:iPXE:
[https://ipxe.org]
_(basis of the wired network driver)_
:xf86emu:
[https://xorg.freedesktop.org/]
_(used by the VESA driver)_
:OpenBSD:
[https://www.openbsd.org]
_(basis for the audio driver)_
:libusb:
[https://libusb.info]
_(used by the webcam driver)_
:libuvc:
[https://ken.tossell.net/libuvc/doc/]
_(used by the webcam driver)_
Programs and libraries used within the Unix-like subsystems
-----------------------------------------------------------
:Vim:
[https://www.vim.org]
:ncurses:
[https://www.gnu.org/software/ncurses/ncurses.html]
:GNU coreutils:
[https://www.gnu.org/software/coreutils/coreutils.html]
:GNU bash:
[https://www.gnu.org/software/bash/]
:E2fsprogs:
[http://e2fsprogs.sourceforge.net/]
Libraries used for the package-management infrastructure
--------------------------------------------------------
:curl:
[https://curl.haxx.se]
_(basis of the fetchurl tool)_
:libssh:
[https://www.libssh.org]
:OpenSSL:
[https://www.openssl.org]
:XZ Utils:
[https://tukaani.org/xz/]
_(support for tar.xz archives)_
:libarchive:
[https://www.libarchive.org]
_(basis of the extract tool)_
:zlib:
[https://www.zlib.net]
:GnuPG:
[https://www.gnupg.org]
_(basis of the verify tool)_
:Jitterentropy RNG:
[https://chronox.de/jent.html]
Applications
------------
:VirtualBox:
[https://www.virtualbox.org]
_(used for hosting virtual machines)_
Libraries used for the graphical user interface
-----------------------------------------------
:libpng:
[http://www.libpng.org/pub/png/libpng.html]
_(used for decoding PNG images)_
:stb:
[https://github.com/nothings/stb]
_(used for rasterizing TrueType fonts)_
:Mesa 3D:
[https://mesa3d.org]
_(used for hardware-accelerated 3D graphics)_
Crucial tools used during development
-------------------------------------
:GNU/Linux: (various distributions)
:Git:
[https://git-scm.com]
:GNU compiler collection:
[https://gcc.gnu.org]
:GNU binutils:
[https://www.gnu.org/software/binutils/]
:GNU make:
[https://www.gnu.org/software/make/]
:Tcl:
[https://www.tcl.tk]
:Expect:
[https://core.tcl-lang.org/expect/index]
:Qemu:
[https://www.qemu.org]
:GitHub issues:
[https://github.com]