mirror of
https://github.com/genodelabs/genode.git
synced 2025-01-03 20:44:11 +00:00
1127 lines
51 KiB
Plaintext
1127 lines
51 KiB
Plaintext
|
|
|
|
===============================================
|
|
Release notes for the Genode OS Framework 16.08
|
|
===============================================
|
|
|
|
Genode Labs
|
|
|
|
|
|
|
|
The formal verification of software has become an intriguing direction to
|
|
overcome the current state of omnipresent bug-ridden software. The seL4 kernel
|
|
is a landmark in this field of research. It is a formally verified
|
|
high-performance microkernel that is designed to scale towards dynamic yet
|
|
highly secure systems. However, until now, seL4 was not accompanied with a
|
|
scalable user land. The seL4 user-land development is primarily concerned with
|
|
static use cases and the hosting of virtual machines. With Genode 16.08, we
|
|
finally unleash the potential of seL4 to scale to highly dynamic and flexible
|
|
systems by making the entirety of Genode components available on this kernel.
|
|
Section [Interactive and dynamic workloads on top of the seL4 kernel] explains
|
|
this line of work in detail.
|
|
|
|
Speaking of formal verification, the developers of the Muen separation kernel
|
|
share the principle convictions with the seL4 community, but focus on static
|
|
partitioned systems and apply a different tool set (Ada/SPARK). With Genode
|
|
16.08, users of the Muen separation kernel become able to leverage Genode to
|
|
run VirtualBox 4 on top of Muen.
|
|
Section [VirtualBox 4 on top of the Muen separation kernel] tells the story
|
|
behind this line of work. As we consider VirtualBox a key feature of
|
|
Genode, we continuously improve it. In particular, we are happy to make a
|
|
first version of VirtualBox 5 available on top of the NOVA kernel (Section
|
|
[Experimental version of VirtualBox 5 for NOVA]).
|
|
|
|
Another focus of the current release is the framework's network
|
|
infrastructure. Section [Virtual networking and support for TOR] introduces a
|
|
new network-routing component along with the ability to use the TOR network.
|
|
Section [Network-transparent ROM sessions to a remote Genode system] presents
|
|
the transparent use of Genode's ROM services over the network.
|
|
|
|
Further highlights of the current release are new tools for statistical
|
|
profiling (Section [Statistical profiling]), profound support for Xilinx Zynq
|
|
boards (Section [Execution on bare Zynq hardware (base-hw)]), and new
|
|
components to support the use of Genode as general-purpose OS (Section
|
|
[Utility servers for base services]).
|
|
|
|
|
|
Interactive and dynamic workloads on top of the seL4 kernel
|
|
###########################################################
|
|
|
|
[https://sel4.systems - seL4] is a modern microkernel that undergoes formal
|
|
verification and promises to be a firm foundation for trustworthy systems.
|
|
Genode - as operating system framework - on top of a microkernel pursues goals
|
|
of the same direction. Even though seL4 is designed to accommodate dynamic
|
|
systems in principle (in contrast to static separation kernels), so far the
|
|
seL4 community focused on static workloads on top of their kernel. Most
|
|
current seL4-related projects employ the
|
|
[https://wiki.sel4.systems/CAmkES - CAmkES] framework, which allows the
|
|
creation of static component-based systems. The combination of seL4 with
|
|
Genode would unleash the full potential of seL4 by enabling seL4-based systems
|
|
to scale to dynamic application domains. With far more than a hundred
|
|
ready-to-use components, Genode provides a rich library of building blocks,
|
|
starting from native device drivers, resource multiplexers, over protocol
|
|
stacks, application frameworks (e.g., Qt), to applications (e.g., web browser
|
|
Arora).
|
|
|
|
With the potential synergies of both projects in mind, we already added basic
|
|
Genode/seL4 platform support in the past releases. The existing experimental
|
|
support was sufficient to showcase the principal feasibility of this
|
|
combination - admittedly mainly to technical enthusiasts. With the current
|
|
release, we ramp up the platform support of Genode/seL4 to a degree that most
|
|
interactive and dynamic workloads of Genode can be executed on seL4 out of the
|
|
box.
|
|
|
|
We updated the seL4 kernel to version 3.2.0 and enabled all available
|
|
time-tested x86 Genode drivers for this kernel. The main working items have
|
|
been the implementation of interrupts, I/O port access, memory-mapped I/O
|
|
access, the support for asynchronous notifications, and the lifetime
|
|
management (freeing) of resources in Genode's core component.
|
|
|
|
We tested many of our existing system scenarios on Qemu and on native x86
|
|
hardware and are happy to report that the following drivers are fully
|
|
functional for Genode/seL4: the PIT timer, PS/2, USB stack, AHCI driver, ACPI
|
|
driver, VESA driver, audio driver, Intel wireless stack, and Intel graphics
|
|
driver. All automated test scenarios are now routinely executed nightly on
|
|
QEMU and on native hardware as done by Genode Labs for all supported kernels.
|
|
|
|
[image sel4_screenshot]
|
|
Screenshot of various Genode components running directly on seL4. The Noux
|
|
environment on the bottom left allows the use of GNU software such as bash,
|
|
coreutils, and vim as one subsystem. Each of noux, the Qt5 application on
|
|
the right, and the front-most 3D demo application are independent subsystems
|
|
that cannot interfere with each other unless explicitly permitted by the
|
|
system policy. Under the hood, the scenario is supported by several device
|
|
drivers (e.g., USB, PS/2, VESA) whereby each driver is executed in a
|
|
dedicated protection domain.
|
|
|
|
Minor adjustments and patches to the seL4 kernel were necessary, which we are
|
|
currently contributing back to the seL4 community. The changes concern device
|
|
memory required by ACPI, VESA, and Intel graphics; the IRQ IOAPIC handling,
|
|
and the system-call bindings. As Genode facilitates the use of shared
|
|
libraries, the system-call bindings had to be adjusted to be usable from
|
|
position-independent code. A minor seL4 extension to determine the I/O ports
|
|
for the serial cards via the BIOS data area has already reached the upstream
|
|
seL4 repository.
|
|
|
|
|
|
Limitations
|
|
-----------
|
|
|
|
Still, some working areas for Genode/seL4 remain open for the future, namely:
|
|
|
|
* Message signaled interrupt (MSI) support
|
|
* Support of platforms other than 32-bit x86
|
|
* Multi-processor support
|
|
* Complete Genode capability integrity support (currently, there exist a few
|
|
corner cases where Genode cannot determine the integrity of a capability
|
|
supplied as an RPC argument)
|
|
* All-encompassing capability lifetime management (currently, not all
|
|
kernel capability selectors are freed)
|
|
* Thread priorities
|
|
* IOMMU support
|
|
* Virtual machine monitor support
|
|
* Limit of physical memory: The usable physical memory must be
|
|
below a kernel constant named PADDR_TOP (0x1fc00000, ~508 MB).
|
|
Additionally, some allocators for memory and capabilities in Genode/seL4 are
|
|
statically dimensioned, which may not suit x86 machines with a lot of
|
|
memory.
|
|
* Support for page-table attributes (currently, the seL4 version of Genode
|
|
cannot benefit from write-combined access to the framebuffer, which
|
|
yields rather poor graphics performance)
|
|
|
|
|
|
Try Genode/seL4 at home
|
|
-----------------------
|
|
|
|
For those who like to give the scenario depicted above a try, we have prepared
|
|
a ready-to-use ISO image:
|
|
|
|
:Download the ISO image of the Genode/seL4 example scenario:
|
|
|
|
[https://genode.org/files/release-16.08/sel4.iso]
|
|
|
|
# Download the sel4.iso file
|
|
|
|
# Copy the ISO image to the USB stick,
|
|
e.g., on Linux with the following command:
|
|
|
|
! sudo dd if=sel4.iso of=/dev/sdx bs=10M
|
|
|
|
_(where /dev/sdx must be replaced with the device node of your USB stick)_
|
|
|
|
# Change the BIOS setting to boot from USB and reboot
|
|
|
|
We tested the scenario on Lenovo Thinkpads such as x201, x250, or T430. Note
|
|
that the scenario uses the VESA driver (as opposed to the native Intel
|
|
graphics driver), which may not work on all machines.
|
|
|
|
Due to the missing support for write-combined framebuffer access, the graphics
|
|
performance is not optimal. To get an idea about the performance of Genode
|
|
with this feature in place, you may give the same scenario on NOVA a spin:
|
|
|
|
:Download the ISO image of the Genode/NOVA example scenario:
|
|
|
|
[https://genode.org/files/release-16.08/nova.iso]
|
|
|
|
Alternatively to using real hardware, you may boot either ISO image in a
|
|
virtual machine such as VirtualBox. You can find a working VM configuration
|
|
here (the IOAPIC must be enabled):
|
|
|
|
:Download a VM configuration for seL4 on VirtualBox:
|
|
|
|
[https://genode.org/files/release-16.08/sel4.ova]
|
|
|
|
# Import the OVA file as VirtualBox appliance
|
|
|
|
# Edit the configuration to select the ISO image as boot medium
|
|
|
|
|
|
Virtual networking and support for TOR
|
|
######################################
|
|
|
|
For sharing one network interface among multiple applications, Genode comes
|
|
with a component called NIC bridge, which multiplexes several IP addresses
|
|
over one network device. However, in limited environments where a device is
|
|
restricted to a particular IP address, or where the IP address space is
|
|
exhausted, the NIC-bridge component is not the tool of choice. To share one IP
|
|
address between different network components that use their individual TCP/IP
|
|
stack, functionality was missing. The idea of a component for virtual Network
|
|
Address Translation (NAT) between multiple NIC sessions came up and has been
|
|
repeatedly discussed in the past. We eventually started to work on an
|
|
implementation of this idea. During the development, we continued the
|
|
brain-storming, looked at the problem from different perspectives and use
|
|
cases, and iteratively refined the design. We ultimately realized that the
|
|
concept would have potential beyond common NAT. The implementation and
|
|
configuration of the NAT component seemed to be easy to combine with features
|
|
of managed switches and layer-3 routers such as:
|
|
|
|
* Routing without NAT
|
|
* Client-bound routing rules
|
|
* Translation between virtual LANs
|
|
* Port forwarding
|
|
|
|
This is why at some point, we renamed the component to NIC router and treated
|
|
the initial NAT functionality merely as a flavour of the new feature set. One
|
|
use case that influenced the development of the NIC router in particular was
|
|
the integration of TOR into Genode scenarios.
|
|
|
|
[image nic_router_tor]
|
|
|
|
The TOR component is a NIC-session client that comprises its own TCP/IP stack,
|
|
and listens to SOCK5 proxy connections of clients. It uses the same TCP/IP
|
|
stack to establish connections to the TOR network. To protect applications
|
|
that shall access the internet through TOR only, it is crucial that they can
|
|
communicate to the TOR component itself, but to no other network component.
|
|
Here the NIC router comes into play. Its configuration allows TCP connections
|
|
from a web client to port 9050 of the TOR component only. The TOR component
|
|
itself does not have a route to the web client but can respond to SOCK5
|
|
connection requests from it. The "uplink" - meaning the NIC session - to the
|
|
NIC driver and the outer network shall not send anything to either the web
|
|
client or the TOR component, except for responses to TCP requests of the TOR
|
|
component to the TOR network. The following NIC-router configuration depicts
|
|
how to achieve this routing setup:
|
|
|
|
! <config>
|
|
! <policy label="uplink" src="10.1.1.2"/>
|
|
! <policy label="tor" src="10.1.2.1" nat="yes" nat-tcp-ports="100">
|
|
! <ip dst="0.0.0.0/0" label="uplink" via="10.1.1.1"/>
|
|
! </policy>
|
|
! <policy label="web-client" src="10.1.3.1" nat="yes" nat-tcp-ports="100">
|
|
! <ip dst="10.1.3.1/32">
|
|
! <tcp dst="9050" label="tor" to="10.1.2.2"/>
|
|
! </ip>
|
|
! </policy>
|
|
! </config>
|
|
|
|
The configuration states that all connected components use disjoint IP
|
|
subnets. The NIC router acts as a NAT gateway between them, and - dependent on
|
|
its role - uses the IP addresses 10.1.1.2, 10.1.2.1, or 10.1.3.1 as its
|
|
gateway address. Moreover, it states that the web client can open up to
|
|
hundred TCP connections concurrently to the TOR component restricted to port
|
|
9050, and the TOR component in turn can open up to hundred TCP connections to
|
|
the outer network regardless of the target IP address or port number. For a
|
|
detailed explanation of all configuration items, you may refer to the README
|
|
of the NIC router at _repos/os/src/server/nic_router/README_.
|
|
|
|
Having the TOR port and the new NIC router available in Genode's components
|
|
kit, we are now able to move single network applications, or even whole
|
|
virtual machines into the TOR network. In contrast to existing approaches, the
|
|
crucial code base needed to anonymize the network traffic, namely the TOR
|
|
proxy component, depends on a much less complex code base. As it directly runs
|
|
on top of Genode and does not depend on a virtualization environment, or a
|
|
legacy monolithic kernel OS, we can reduce its TCB by orders of magnitude. The
|
|
above-mentioned example scenario, whose run-script can be found in the
|
|
Genode-world repository under _run/eigentor.run_ comprises approximately 460K
|
|
compiled lines of code when running on top of the NOVA kernel. Thereby the
|
|
lion's share of the quantity is introduced by the TOR software itself, and its
|
|
library dependencies like OpenSSL. If we do not consider the TOR component
|
|
itself, the trusted computing base sums up to 60K lines-of-code in our
|
|
example. Compare this to for instance 1500K compiled lines of Linux kernel
|
|
code when using an Ubuntu 14.04 distribution kernel alone, not to mention init
|
|
process, Glibc, etc..
|
|
|
|
Especially in combination with virtualization this scenario might become an
|
|
interesting technological base for approaches like TAILS or Whonix.
|
|
|
|
|
|
VirtualBox on top of the Muen and NOVA kernels
|
|
##############################################
|
|
|
|
The ability to run VirtualBox on top of a microkernel has become a key feature
|
|
of Genode. For this reason, the current release pushes the VirtualBox support
|
|
forward in two interesting ways. First, VirtualBox has become available on top
|
|
of the Muen separation kernel. This undertaking is described in Section
|
|
[VirtualBox 4 on top of the Muen separation kernel]. Second, we explored the
|
|
use of VirtualBox 5 on top of the NOVA kernel - to a great success! This
|
|
endeavour is covered in Section [Experimental version of VirtualBox 5 for NOVA].
|
|
|
|
|
|
VirtualBox 4 on top of the Muen separation kernel
|
|
=================================================
|
|
|
|
_This section was written by Adrian-Ken Rueegsegger and Reto Buerki who_
|
|
_conducted the described line of work independent from Genode Labs._
|
|
|
|
Overview
|
|
--------
|
|
|
|
As briefly mentioned in the Genode
|
|
[https://genode.org/documentation/release-notes/16.05 - 16.05 release notes],
|
|
we have been working on VirtualBox support for 'hw_x68_64_muen'. The
|
|
implementation has finally reached a stage where all necessary features have
|
|
been realized and it has been integrated into Genode's mainline. This means
|
|
that you can now run strongly isolated Windows VMs on the Muen separation
|
|
kernel offering a user experience that is on par with VirtualBox on NOVA.
|
|
|
|
When we started our work on Genode, our initial plan was to leverage its
|
|
VirtualBox support as a means to run Windows on Muen. As a first step we ported
|
|
the base-hw kernel - back then ARM-only - to the 64-bit Intel architecture. The
|
|
resulting 'hw_x86_64' platform was included in the
|
|
[https://genode.org/documentation/release-notes/15.05#Principal_support_for_the_64-bit_x86_architecture - 15.05 release].
|
|
|
|
Building on top of 'hw_x86_64', we then implemented support for running the
|
|
base-hw kernel as guest on the Muen separation kernel. As the porting work
|
|
progressed quite quickly, this line of work became part of Genode
|
|
[https://genode.org/documentation/release-notes/15.08#Genode_on_top_of_the_Muen_Separation_Kernel - 15.08].
|
|
|
|
Having laid the groundwork, we could then tackle the task we initially set out
|
|
to do: bringing VirtualBox to Muen.
|
|
|
|
|
|
Architecture
|
|
------------
|
|
|
|
[image muen_virtualbox_architecture]
|
|
|
|
On Muen, Genode runs as a guest in VMX non-root mode without special
|
|
privileges. VirtualBox is executed as a user-level component, which makes the
|
|
architecture special in the sense that the virtual-machine monitor (VMM)
|
|
itself is running inside a strongly isolated VM.
|
|
|
|
The guest VM managed by VirtualBox is a separate Muen subject with statically
|
|
assigned resources. Access to the guest VM memory is enabled by mapping it
|
|
into the VMM's address space at a certain offset specified in the Muen system
|
|
policy. Similarly, the guest subject state is mapped at a predefined address
|
|
so VirtualBox can manipulate e.g., register values etc. After the initial
|
|
setup, hardware-accelerated execution of the guest VM is started by triggering
|
|
a handover event defined in the Muen system policy. The guest VM is then
|
|
executed in place of the Genode subject.
|
|
|
|
Control is handed back to VirtualBox when a trap occurs during the execution
|
|
of the guest VM, e.g., the guest accesses resources of a device that is
|
|
emulated by a VirtualBox device model. Furthermore a handover back to the VMM
|
|
can be forced by using the Muen timed event mechanism. This prevents CPU
|
|
monopolization by the guest VM and ensures that VirtualBox gets its required
|
|
share of execution time.
|
|
|
|
Even though the VirtualBox support on Muen draws largely from the existing
|
|
NOVA implementation, there are some key differences. One aspect, as mentioned
|
|
above, is that VirtualBox and its managed VM are never executed
|
|
simultaneously. From the perspective of the base-hw kernel, switching to and
|
|
from the guest VM is similar to the normal/secure world switch of
|
|
[https://genode.org/documentation/articles/trustzone - ARM TrustZone]. This
|
|
enabled us to reuse the existing base-hw VM session interface.
|
|
|
|
Whereas on NOVA, guest VM memory is donated by the VirtualBox component, the
|
|
guest has its own distinct physical memory specified in the Muen system
|
|
policy. Thus the guest-VM resources, including memory, are all static and
|
|
VirtualBox does not need to map and unmap resources at runtime.
|
|
|
|
Since guests on Muen run in hardware-accelerated mode as much as possible,
|
|
VirtualBox does not need to emulate entire classes of instructions. One
|
|
important example is that the guest VM directly uses the hardware FPU and the
|
|
VMM does not emulate floating point instructions. Therefore, it does not need
|
|
to have access to the FPU state. This greatly reduces the implementation
|
|
complexity and avoids potential issues due to the loading of an invalid FPU
|
|
state.
|
|
|
|
As mentioned above, the most intriguing peculiarity is that on
|
|
'hw_x86_64_muen', VirtualBox itself is running in VMX non-root mode and thus
|
|
as a guest VM. This means that the VMM is executed like any other Muen subject
|
|
without special privileges, retaining the strong isolation properties offered
|
|
by the Muen SK. Despite this architectural difference, there is no noticeable
|
|
performance hit due to the extensive use of hardware accelerated
|
|
virtualization.
|
|
|
|
|
|
Implementation
|
|
--------------
|
|
|
|
The necessary extensions to the 'hw_x86_64_muen' kernel primarily consist of
|
|
the implementation of the VM session interface. A VM session is a special
|
|
base-hw kernel thread that represents the execution state of the guest VM. It
|
|
is scheduled when the guest VM is ready to continue execution.
|
|
|
|
The 'Vm::proceed' function implements the switch to the mode-transition
|
|
assembly code declared at the '_vt_vm_entry' label. The entry enables
|
|
interrupts and initiates a handover to the guest VM by invoking the event
|
|
specified in the Muen system policy. On return from the guest VM, the VM
|
|
thread is paused and the VM session client (VirtualBox) is signaled. Once
|
|
VirtualBox has performed all necessary actions, the guest VM is resumed via
|
|
invocation of the VM session 'run' function.
|
|
|
|
Another adjustment to the kernel is the use of Muen timed events for guest VM
|
|
preemption. The timer driver writes the tick count of the next kernel timer to
|
|
the guest timed events page. This causes the guest VM to be preempted at the
|
|
requested tick count and ensures that the guest VM cannot monopolize the CPU
|
|
if no traps occur.
|
|
|
|
On the VirtualBox side, we implemented the hwaccl layer for Muen. The main
|
|
task of this layer is keeping the guest VM machine state between VirtualBox
|
|
and the hardware accelerated execution on Muen in sync.
|
|
|
|
Depending on the guest VM exit reason, the hwaccl code decides whether to use
|
|
instruction emulation or to resume the guest VM in hardware accelerated mode.
|
|
If a trap occurred that cannot be handled by the virtualization hardware,
|
|
execution is handed to VirtualBox's recompiler that then emulates the next
|
|
instruction.
|
|
|
|
Furthermore, this code also takes care of guest VM interrupts. Pending
|
|
interrupts are injected via the Muen subject pending interrupts mechanism.
|
|
IRQs are transferred from the VirtualBox trap manager state to the pending
|
|
interrupts region. If an IRQ remains pending upon returning from the guest VM,
|
|
it is copied back to the trap manager state and cleared in the subject
|
|
interrupts region.
|
|
|
|
|
|
Taking VirtualBox on Muen for a spin
|
|
------------------------------------
|
|
|
|
Follow the [https://genode.org/documentation/platforms/muen - tutorial section]
|
|
to prepare your system for Muen.
|
|
|
|
As a next step, create a VirtualBox VM with a 32-bit guest OS of your choice
|
|
and install the guest additions
|
|
[http://download.virtualbox.org/virtualbox/4.3.36/VBoxGuestAdditions_4.3.36.iso].
|
|
In this tutorial, we chose Windows 7.
|
|
|
|
Note: use guest additions close to the VirtualBox version of Genode. We have
|
|
successfully tested versions 4.3.16 and 4.3.36.
|
|
|
|
Name the virtual disk image 'win7.vdi' and create an (empty) overlay VDI as
|
|
follows:
|
|
|
|
! vboxmanage createhd --filename overlay_win7.vdi --size $size --format vdi
|
|
|
|
The VDI size (in MiB) must match the capacity of the 'win7.vdi':
|
|
|
|
! vboxmanage showhdinfo win7.vdi
|
|
|
|
* Setup a hard disk with 4 partitions
|
|
* Format the fourth partition with an ext2 file system
|
|
* Copy 'win7.vdi' to the root directory of the ext2 partition
|
|
* Copy 'overlay_win7.vdi' to the _ram/_ directory of the ext2 partition
|
|
|
|
The directory structure of partition 4 should look as follows:
|
|
|
|
! /win7.vdi
|
|
! /ram/overlay_win7.vdi
|
|
|
|
Adjust the VDI UUIDs to match the ones of the Genode
|
|
[https://github.com/genodelabs/genode/blob/master/repos/ports/run/vm_win7.vbox#L12 - repo/ports/run/vm_win7.vbox]
|
|
file:
|
|
|
|
! vboxmanage internalcommands sethduuid win7.vdi 8e55fcfc-4c09-4173-9066-341968be4864
|
|
! vboxmanage internalcommands sethduuid ram/overlay_win7.vdi 4c5ed34f-f6cf-48e8-808d-2c06f0d11464
|
|
|
|
Prepare the necessary ports as follows:
|
|
|
|
! tool/ports/prepare_port dde_bsd dde_ipxe dde_rump dde_linux virtualbox libc stdcxx libiconv x86emu qemu-usb muen
|
|
|
|
Create and enter the Muen build directory:
|
|
|
|
! tool/create_builddir hw_x86_64_muen
|
|
! cd build/hw_x86_64_muen
|
|
! sed -i 's/#REPOSITORIES +=/REPOSITORIES +=/g' etc/build.conf
|
|
! echo 'MAKE += -j5' >> etc/build.conf
|
|
|
|
Build the 'vbox_auto_win7' scenario:
|
|
|
|
! make run/vbox_auto_win7
|
|
|
|
This produces a multiboot system image, which can be found at
|
|
_var/run/vbox_auto_win7/image.bin_.
|
|
|
|
|
|
Limitations
|
|
-----------
|
|
|
|
The current implementation of the 'hw_x86_64_muen' VirtualBox support has the
|
|
following limitations:
|
|
|
|
* No 64-bit Windows guest support
|
|
* No multicore guest support
|
|
|
|
Apart from these restrictions, the implementation of VirtualBox on Muen offers
|
|
the same functionality and comparable performance as VirtualBox on NOVA.
|
|
|
|
|
|
Conclusion
|
|
----------
|
|
|
|
While implementing VirtualBox support for 'hw_x86_64_muen', we encountered
|
|
several issues which required some effort to resolve. The visible effects
|
|
ranged from VirtualBox's guru meditation, over guest kernel panics, to stalled
|
|
guests and erratic guest behavior (e.g., guest execution slow-down after some
|
|
time). To make things worse, these errors were not deterministically
|
|
reproducible and instrumenting the code could change the observable error.
|
|
|
|
One particular source of problems was the correct injection of guest
|
|
interrupts. The first approach was to define a Muen event for each guest
|
|
interrupt within the policy. When VirtualBox had a pending guest interrupt,
|
|
the corresponding event was triggered to mark it for injection upon guest VM
|
|
resumption. This approach revealed several problems.
|
|
|
|
One such issue was that interrupts could get lost due to a mismatch between
|
|
effective guest VM and VirtualBox machine state, e.g., the guest VM had
|
|
interrupts disabled and execution was handed back to the recompiler before the
|
|
pending interrupt could be injected.
|
|
|
|
Scalability raised another issue, since all possible guest interrupts needed
|
|
to be specified in advance in the Muen system policy. The problem was further
|
|
compounded as guest interrupts vary depending on the operating system.
|
|
|
|
We resolved the issue by enabling monitor subjects (VirtualBox) to access the
|
|
Muen pending interrupts data structure of the associated guest VM. This simple
|
|
enhancement of Muen allows VirtualBox to directly mark guest interrupts
|
|
pending without having to trigger a Muen event or having to extend the Muen
|
|
kernel. Furthermore, keeping the pending interrupt state of the guest VM and
|
|
the VirtualBox machine state in sync has become trivial and thus no interrupts
|
|
are lost.
|
|
|
|
[image hw_x86_64_muen-virtualbox-win7-bsod]
|
|
|
|
Another cause for grief was that, by default, VirtualBox scenarios on Genode
|
|
are configured to use multiple CPUs. This could lead to guest state corruption
|
|
since multiple emulation threads (EMT) were operating on the same subject
|
|
state. Once we had discovered the underlying cause for this problem, we
|
|
remedied the issue by clamping the guest processor count to one.
|
|
|
|
Looking back at the adventurous journey beginning with the base-hw x86_64 port
|
|
and culminating in the VirtualBox support for Muen, we are quite happy on how
|
|
we were able to achieve the goal we initially set out to accomplish. We would
|
|
like to thank the always helpful guys at Genode Labs for their support and the
|
|
rewarding collaboration!
|
|
|
|
|
|
Experimental version of VirtualBox 5 for NOVA
|
|
=============================================
|
|
|
|
We experimented with upgrading our VirtualBox 4 port to the newer VirtualBox 5
|
|
version in order to keep up with the current developments at Oracle.
|
|
Additionally, we used this experimental work as an opportunity to explore the
|
|
reduction of the number of Genode-specific modifications of VirtualBox. We
|
|
found that we could indeed use most of the original PGM source code (Page
|
|
Manager and Monitor), which we originally replaced by a custom Genode
|
|
implementation. This is a great relief for further maintenance. One major
|
|
benefit using the original code is that it enabled us to use the IEM component
|
|
of VirtualBox - an instruction emulator - as virtualization back end for the
|
|
handling of I/O operations. The IEM has far less overhead than the
|
|
traditionally used QEMU-based REM (Recompiled Execution Monitor).
|
|
|
|
The current state is sufficient to execute 32-bit Windows 7 VMs on 64-bit
|
|
Genode/NOVA. Since the port is still incomplete and largely untested for other
|
|
VMs, and to avoid trouble with the newly added VirtualBox 4 Genode/Muen
|
|
support, we decided to make this port available as separate VMM besides the
|
|
VirtualBox 4 VMM and the Seoul VMM on Genode/NOVA.
|
|
|
|
To test-drive VirtualBox 5 on NOVA, please refer to the run script at
|
|
_ports/run/vbox_auto_win7_vbox5.run_.
|
|
|
|
|
|
Functional enhancements
|
|
=======================
|
|
|
|
Virtual AHCI controller
|
|
-----------------------
|
|
|
|
By adding the device model for the AHCI controller to our version of
|
|
VirtualBox, virtual machines become able to use virtual SATA disks. This way,
|
|
we can benefit from the more efficient virtualization of AHCI compared to IDE
|
|
and - at the same time - Genode's version of VirtualBox becomes more
|
|
interoperable with existing VirtualBox configurations.
|
|
|
|
|
|
Configuration option to enable the virtual XHCI controller
|
|
----------------------------------------------------------
|
|
|
|
The virtual XHCI controller, which is used for passing-through host USB
|
|
devices to a VM, is now disabled by default and can be enabled with the new
|
|
|
|
! <config xhci="yes">
|
|
|
|
configuration option.
|
|
|
|
|
|
Configuration option to enforce the use of the IOAPIC
|
|
-----------------------------------------------------
|
|
|
|
The virtual PCI model delivers IRQs to the PIC by default and to the IOAPIC
|
|
only if the guest operating system selected the IOAPIC via ACPI method calls.
|
|
When running a guest operating system which uses the IOAPIC, but does not call
|
|
these ACPI methods (for example Genode on NOVA), the new configuration option
|
|
|
|
! <config force_ioapic="yes">
|
|
|
|
enforces the delivery of PCI IRQs to the IOAPIC.
|
|
|
|
|
|
Base framework
|
|
##############
|
|
|
|
Cultivation of the new text-output API
|
|
======================================
|
|
|
|
The
|
|
[https://genode.org/documentation/release-notes/16.05#The_great_API_renovation - previous release]
|
|
overhauled the framework's API in several areas to ease the development of
|
|
components that are robust, secure, and easy to assess. One of the changes was
|
|
abolishing the use of format strings in favour of a much simpler and more
|
|
flexible text-output facility based on C++11 variadic templates.
|
|
|
|
During the past release cycle, we adapted almost all Genode components to the
|
|
new text-output API. In the process (we reworked over 700 source files), we
|
|
refined the API in three ways.
|
|
|
|
First, we supplemented the log output functions provided by _base/log.h_ with
|
|
the new 'Genode::raw' function that prints output directly via a low-level
|
|
kernel mechanism, if available. Since the implementation of this function does
|
|
not rely on any Genode functionality but invokes the underlying kernel
|
|
directly, it is ideal for instrumenting low-level framework code. Since it
|
|
offers the same flexibility as the other output functions with respect to the
|
|
printable types, it supersedes any formerly used kernel-specific debugging
|
|
utilities.
|
|
|
|
Second, we added overloads of the 'print' function for the basic types
|
|
'signed', 'unsigned', 'bool', 'float', and 'double'. Individual characters can
|
|
be printed using a new 'Char' helper type.
|
|
|
|
Third, we supplemented types that are often used by components with 'print'
|
|
methods. Thereby, objects of such types can be directly passed to an output
|
|
function to produce a useful textual representation. The covered types include
|
|
'Capability' (which reveals the kernel-specific representation), 'String',
|
|
'Framebuffer::Mode', and 'Mac_address'.
|
|
|
|
While adjusting the log messages, we repeatedly stumbled over the problem that
|
|
printing 'char *' arguments is ambiguous. It is unclear whether to print the
|
|
argument as pointer or null-terminated string. To overcome this problem, we
|
|
introduced a new type 'Cstring' that allows the caller to express that the
|
|
argument should be handled as null-terminated string. As a nice side effect,
|
|
with this type in place, the optional 'len' argument of the 'String' class
|
|
could be removed. Instead of supplying a pair of ('char const *', 'size_t'),
|
|
the constructor accepts a 'Cstring'. This, in turn, clears the way to let the
|
|
'String' constructor use the new output mechanism to assemble a string from
|
|
multiple arguments (and thereby getting rid of 'snprintf' within Genode in the
|
|
near future).
|
|
|
|
To enforce the explicit resolution of the 'char *' ambiguity at compile time,
|
|
the 'char *' overload of the 'print' function is marked as deleted.
|
|
|
|
*Note* that the rework prompted us to clean up the framework's base headers at
|
|
a few places that may interfere with components using those headers. I.e., we
|
|
removed unused includes from _root/component.h_, specifically _base/heap.h_
|
|
and _ram_session/ram_session.h_. Hence, components that relied on the implicit
|
|
inclusion of those headers have to manually include those headers now.
|
|
|
|
|
|
Revised utilities for the handling of session labels
|
|
====================================================
|
|
|
|
We changed the construction argument of the 'Session_label' to make it more
|
|
flexible to use. Originally, the class took an entire session-argument string
|
|
as argument and extracted the label portion. The new version takes the
|
|
verbatim label as argument. The extraction of the label from an argument
|
|
string must be manually done via function 'label_from_args' now. This way, the
|
|
label operations become self-descriptive in the code. At the same time, this
|
|
change will ease our plan to eventually abandon the ancient session-argument
|
|
syntax in the future.
|
|
|
|
Note that this *API change* affects the semantics of existing code but
|
|
unfortunately does not trigger a compile error for components that rely on the
|
|
original meaning! Of course, we updated all mainline Genode components, but
|
|
custom components outside the Genode source tree should be revisited with
|
|
respect to the use of the 'Session_label' utility.
|
|
|
|
|
|
Low-level OS infrastructure
|
|
###########################
|
|
|
|
Network-transparent ROM sessions to a remote Genode system
|
|
==========================================================
|
|
|
|
For building Genode-based distributed systems, a communication mechanism that
|
|
interconnects multiple Genode devices is required. As a first step, we added
|
|
proxy components to the world repository that transparently forward ROM
|
|
sessions to a remote Genode system. As "ROM" represents one of the most common
|
|
session interfaces, the proxy components already enable the distribution of
|
|
many existing Genode applications.
|
|
|
|
[image remote_rom]
|
|
|
|
The basic usage scenario comprises two hosts (A and B) that are connected to
|
|
the same network and are both running a NIC driver. One of the hosts (A) is
|
|
running the application that shall communicate with the ROM service running on
|
|
the other host (B). In order to establish this communication transparently,
|
|
init is configured such that the application component connects to the ROM
|
|
client proxy, which acts as a proxy ROM service. On host B, init is configured
|
|
such that the ROM service proxy connects to the actual ROM service. Both proxy
|
|
components connect to the corresponding NIC driver and use a minimalistic
|
|
IP-based protocol to transport the data and signals of the ROM session.
|
|
Furthermore, the proxy components must be configured with static IP addresses
|
|
and the module name of the ROM session. Optionally, the ROMs can be populated
|
|
with default content.
|
|
|
|
For testing purposes you can use the _ROM logger_ as an application and the
|
|
_dynamic-ROM_ component as a ROM service.
|
|
|
|
!<start name="rom_logger">
|
|
! <resource name="RAM" quantum="4M"/>
|
|
! <config rom="remote"/>
|
|
! <route>
|
|
! <service name="ROM"> <child name="remote_rom_client"/> </service>
|
|
! <any-service> <parent/> </any-service>
|
|
! </route>
|
|
!</start>
|
|
!
|
|
!<start name="remote_rom_client">
|
|
! <resource name="RAM" quantum="8M"/>
|
|
! <provides><service name="ROM"/></provides>
|
|
! <config>
|
|
! <remote_rom name="remote" src="192.168.42.11" dst="192.168.42.10">
|
|
! <default> <foobar/> </default>
|
|
! </remote_rom>
|
|
! </config>
|
|
!</start>
|
|
!
|
|
!<start name="dynamic_rom">
|
|
! <resource name="RAM" quantum="4M"/>
|
|
! <provides><service name="ROM"/></provides>
|
|
! <config verbose="yes">
|
|
! <rom name="remote">
|
|
! <sleep milliseconds="1000"/>
|
|
! <inline description="disable">
|
|
! <test enabled="no"/>
|
|
! </inline>
|
|
! <sleep milliseconds="5000"/>
|
|
! <inline description="enable">
|
|
! <test enabled="yes"/>
|
|
! </inline>
|
|
! <sleep milliseconds="10000"/>
|
|
! <inline description="finished"/>
|
|
! </rom>
|
|
! </config>
|
|
!</start>
|
|
!
|
|
!<start name="remote_rom_server">
|
|
! <resource name="RAM" quantum="8M"/>
|
|
! <route>
|
|
! <service name="ROM"> <child name="dynamic_rom"/> </service>
|
|
! <any-service> <any-child/> <parent/> </any-service>
|
|
! </route>
|
|
! <config>
|
|
! <remote_rom name="remote" src="192.168.42.10" dst="192.168.42.11">
|
|
! <default> <foobar/> </default>
|
|
! </remote_rom>
|
|
! </config>
|
|
!</start>
|
|
|
|
Note that the implementation is not inherently tied to the NIC session or the
|
|
IP-based protocol but is actually intended to be modular and extensible e.g.,
|
|
to use arbitrary inter-system communication and existing protocols. In order
|
|
to achieve this, the implementation is split into a ROM-specific part and a
|
|
back-end part. The back end is implemented as a library and used by both the
|
|
client and server proxies. In summary, the client proxy implements the
|
|
'Rom_receiver_base' and registers an instance at the back end, whereas the
|
|
server proxy implements the 'Rom_forwarder_base' and registers it at the back
|
|
end. You can find the base classes at _include/remote_rom/_.
|
|
|
|
Thanks to Johannes Schlatow for this implementation.
|
|
|
|
|
|
Statistical profiling
|
|
=====================
|
|
|
|
The new CPU-sampler component implements a CPU service that samples the
|
|
instruction pointer of configured threads on a regular basis for the purpose
|
|
of statistical profiling. The following image illustrates the integration of
|
|
this component in an interactive scenario:
|
|
|
|
[image cpu_sampler]
|
|
|
|
The CPU sampler provides the CPU service to the subsystem under test. Even if
|
|
this subsystem consists only of a single component, it must be started by a
|
|
sub-init process to have its CPU session routed correctly. The CPU sampler
|
|
then collects the instruction pointer samples and writes these to an
|
|
individually labelled LOG session per sampled thread. The FS-LOG component
|
|
receives the sample data over the LOG session and writes it into separate
|
|
files in a RAM file system, which can be read from an interactive Noux shell.
|
|
|
|
This scenario, as well as a simpler scenario - without FS LOG, the RAM file
|
|
system, and Noux - can be built from a run script in the _gems_ repository.
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
The CPU-sampler component has the following configuration options:
|
|
|
|
! <config sample_interval_ms="100" sample_duration_s="1">
|
|
! <policy label="init -> test-cpu_sampler -> ep"/>
|
|
! </config>
|
|
|
|
The 'sample_interval_ms' attribute configures the sample rate in milliseconds.
|
|
The 'sample_duration_s' attribute configures the overall duration of the
|
|
sampling activity in seconds. The policy label denotes the threads to be
|
|
sampled.
|
|
|
|
|
|
Evaluation
|
|
----------
|
|
|
|
At the moment, some basic tools for the evaluation of the sampled addresses are
|
|
available at
|
|
|
|
[https://github.com/cproc/genode_stuff/tree/cpu_sampler-16.08]
|
|
|
|
These scripts should be understood as a proof-of-concept. Due to a Perl
|
|
dependency, they do not yet work with noux.
|
|
|
|
* Filtering the sampled addresses from the Genode log output
|
|
|
|
! filter_sampled_addresses_from_log <file containing the Genode log output>
|
|
|
|
This script extracts the sampled addresses from a file containing the Genode
|
|
log output and saves them in the file 'sampled_addresses.txt'. It is not
|
|
needed when the addresses have already been written into a separate file by
|
|
the 'fs_log' component. The match string (label) in the script might need to
|
|
be adapted for the specific scenario.
|
|
|
|
* Filtering the shared library load addresses from the Genode log output
|
|
|
|
! filter_ldso_addresses_from_log <file containing the Genode log output>
|
|
|
|
This script extracts the shared library load addresses from a file
|
|
containing the Genode log output and saves them in the file
|
|
'ldso_addresses.txt'. To have these addresses appear in the Genode log
|
|
output, the sampled component should be configured with the
|
|
'ld_verbose="yes"' XML attribute if it uses shared libraries. If multiple
|
|
components in a scenario are configured with this attribute, the script
|
|
needs to be adapted to match a specific label.
|
|
|
|
* Generating statistics
|
|
|
|
! generate_statistics <ELF image> <file with sampled addresses> [<file with ldso addresses>]
|
|
|
|
This script generates the files 'statistics_by_function.txt' and
|
|
'statistics_by_address.txt'.
|
|
|
|
The first argument is the name of the ELF image of the sampled component.
|
|
The second argument is the name of a file containing the sampled addresses.
|
|
The third argument is the name of a file containing the shared library load
|
|
addresses. It is required only if the sampled component uses shared
|
|
libraries.
|
|
|
|
The 'statistics_by_function.txt' file lists the names of the sampled
|
|
functions, sorted by the highest sample count. Each line encompasses all
|
|
sampled addresses that belong to the particular function.
|
|
|
|
The 'statistics_by_address.txt' file is more detailed than the
|
|
'statistics_by_function.txt' file. It lists the sampled addresses, sorted by
|
|
the highest sample count, together with the name and file location of the
|
|
function the particular address belongs to.
|
|
|
|
The 'generate_statistics' script uses the 'backtrace' script to determine the
|
|
function names and file locations. The best location to use the scripts is the
|
|
'build/.../bin' directory, where all the shared libraries can be found.
|
|
|
|
|
|
Init configuration changes
|
|
==========================
|
|
|
|
We refined the label-based server-side policy-selection mechanism introduced in
|
|
[http://genode.org/documentation/release-notes/15.11#Label-dependent_session_routing - version 15.11]
|
|
to limit the damage of spelling mistakes in manually crafted configurations.
|
|
I.e., consider the following policy of a file-system server with a misspelled
|
|
'label_prefix' attribute:
|
|
|
|
! <policy prefix_label="trusted_client" root="/" writeable="yes"/>
|
|
|
|
Because the file-system server does not find any of the 'label',
|
|
'label_prefix', or 'label_suffix' attributes, it would conclude that this
|
|
policy is a default policy, which is certainly against the intention of the
|
|
policy writer. We now enforce the presence of at least one of those
|
|
attributes. An all-matching policy can be explicitly expressed by the new
|
|
'<default-policy>' node, which is intuitively clearer than an empty '<policy>'
|
|
node. When editing a configuration by hand, one would need to take a
|
|
deliberate effort to specify such a policy. A spelling mistake would not yield
|
|
an overly permissive policy.
|
|
|
|
|
|
Configurable mapping of ACPI events to input events
|
|
===================================================
|
|
|
|
With the previous release, we added support for the detection of dynamic ACPI
|
|
status changes like some Fn * keys, Lid close/open, and battery status
|
|
information. Unfortunately, not all state changes are reported the same way on
|
|
different notebooks, e.g., Fn * keys may get reported as ordinary PS/2 input
|
|
events, or are reported via the embedded controller. Lid close/open changes
|
|
may be reported by a ACPI Lid event or by the embedded controller.
|
|
|
|
To be able to handle those different event sources uniformly in Genode
|
|
applications, we added a component that transforms ACPI events to Genode
|
|
input-session events. The component is located at
|
|
_repos/libports/server/acpi_input_ and can be configured as shown below:
|
|
|
|
! <start name="acpi_input">
|
|
! <resource name="RAM" quantum="1M"/>
|
|
! <provides><service name="Input"/></provides>
|
|
! <config>
|
|
! <!-- example mapping - adapt to your target notebook !!! -->
|
|
! <!-- as="PRESS_RELEASE" is default if nothing specified -->
|
|
! <map acpi="ec" value="25" to_key="KEY_VENDOR"/>
|
|
! <map acpi="ec" value="20" to_key="KEY_BRIGHTNESSUP"/>
|
|
! <map acpi="ec" value="21" to_key="KEY_BRIGHTNESSDOWN"/>
|
|
! <map acpi="fixed" value="0" to_key="KEY_POWER" as="PRESS_RELEASE"/>
|
|
! <map acpi="lid" value="CLOSED" to_key="KEY_SLEEP" as="PRESS"/>
|
|
! <map acpi="lid" value="OPEN" to_key="KEY_SLEEP" as="RELEASE"/>
|
|
! <map acpi="ac" value="ONLINE" to_key="KEY_WAKEUP"/>
|
|
! <map acpi="ac" value="OFFLINE" to_key="KEY_SLEEP"/>
|
|
! <map acpi="battery" value="0" to_key="KEY_BATTERY"/>
|
|
! ...
|
|
|
|
The ACPI event source can be the embedded controller (ec), a fixed ACPI event
|
|
(fixed), the notebook lid (lid), an ACPI battery (battery), or the ACPI
|
|
alternating current (ac) status. The value of the event source can be
|
|
mapped to a Genode input session key as either a single press or release
|
|
input event or as both.
|
|
|
|
|
|
Utility servers for base services
|
|
=================================
|
|
|
|
Four new servers were added to the world repository. These so-called "shim
|
|
servers" do not provide services by themselves but are imposed between clients
|
|
and true servers to provide some additional feature.
|
|
|
|
The _ROM-fallback_ server was created for scenarios where a system is expected
|
|
to be populated with new components in a dynamic and intuitive way. ROM
|
|
requests that arrive at the _ROM-fallback_ server are forwarded through a list
|
|
of possible routes and the first successfully opened session is returned. An
|
|
example use would be to fetch objects remotely that are not present initially
|
|
using a networked ROM server, or in the future to override objects provided by
|
|
a package manager with local versions.
|
|
|
|
:ROM fallback at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/server/rom_fallback]
|
|
|
|
When using the framework as a primary operating system, there is a need to
|
|
view log information both in real-time and retrospectively without the aid of
|
|
an external host. The new _LOG-tee_ server can be used to duplicate and
|
|
reroute log streams at arbitrary points in the component tree. As an example,
|
|
this allows information to be simultaneously directed on-screen and to local
|
|
storage.
|
|
|
|
:LOG-tee at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/server/log_tee]
|
|
|
|
Users occasionally need to remap keys and buttons. While traditional operating
|
|
systems provide such facilities with very broad granularity, the _input-remap_
|
|
server allows arbitrary key-code remapping between any dedicated input server
|
|
and client.
|
|
|
|
:Input remapper at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/server/input_remap]
|
|
|
|
When emulating gaming hardware, there is often a need to resize original
|
|
display hardware to modern outputs. This is typically implemented in emulation
|
|
software or at worst the entire native display resolution is downgraded to
|
|
match an original output. The _framebuffer-upscale_ server performs scaling of
|
|
small client framebuffers to larger framebuffers servers, isolating this task
|
|
to a general and reusable component.
|
|
|
|
:Framebuffer upscaler at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/server/fb_upscale]
|
|
|
|
Thanks to Emery Hemingway for contributing the components described!
|
|
|
|
|
|
Libraries and applications
|
|
##########################
|
|
|
|
Ported 3rd-party software
|
|
=========================
|
|
|
|
The current release introduces _diffutils_ and _less_ to the Genode's runtime
|
|
environment for Unix software (called Noux).
|
|
|
|
Furthermore, the libraries _libxml2_ and _mbed TLS_ were added to the
|
|
[https://github.com/genodelabs/genode-world - Genode-world] repository. Thanks
|
|
to Menno Valkema for the initial port of mbed TLS!
|
|
|
|
|
|
File-downloading component based on libcurl
|
|
===========================================
|
|
|
|
A native front end to the curl library was crafted, _fetchurl_. This utility
|
|
is intended as a source or package management primitive.
|
|
|
|
:Fetchurl at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/app/fetchurl]
|
|
|
|
As a warning, fetchurl sidesteps the verification of transport layer security
|
|
and is expected to be used where content can be verified out-of-band.
|
|
|
|
|
|
Minimalistic audio player component based on libav
|
|
==================================================
|
|
|
|
This component is a simple front-end to libav. It will play all tracks from
|
|
a given playlist and can report the currently played track as well as its
|
|
progress.
|
|
|
|
:Audio player at the Genode-World repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/app/audio_player]
|
|
|
|
For more information on how to use and configure the audio player, please
|
|
have a look at its README file at _repos/world/src/app/audio_player/_.
|
|
|
|
|
|
RISC-V front-end server
|
|
=======================
|
|
|
|
In version
|
|
[http://genode.org/documentation/release-notes/16.02#New_support_for_the_RISC-V_CPU_architecture - 16.02],
|
|
Genode gained support for the RISC-V CPU architecture. Genode can be executed
|
|
on either a simulator or a synthesized FPGA softcore, e.g., on Xilinx Zynq
|
|
FPGAs. On the latter platform, the RISC-V core is a secondary CPU that
|
|
accompanies an ARM core built-in in the FPGA. The ARM core usually runs a
|
|
Linux-based system. The Linux-based system interacts with the RISC-V system
|
|
via a so-called front-end server, which allows the management of the RISC-V
|
|
core and the retrieval of log output.
|
|
|
|
Thanks to the added Zynq support described in Section
|
|
[Execution on bare Zynq hardware (base-hw)], it is possible to run Genode
|
|
on the ARM core of Zynq FPGAs as well. So a single Zynq FPGA can effectively
|
|
host two Genode systems at the same time: one running on a RISC-V softcore CPU
|
|
and one running on ARM. A ported version of the RISC-V front-end server
|
|
enables the ARM-based Genode system to interact with the RISC-V-based Genode
|
|
system. This scenario is described in detail in the README file of the port:
|
|
|
|
:RISC-V front-end server at the Genode-world repository:
|
|
|
|
[https://github.com/genodelabs/genode-world/tree/master/src/app/fesrv]
|
|
|
|
Thanks to Menno Valkema of [https://nlcsl.com/ - NLCSL] for contributing this
|
|
line of work!
|
|
|
|
|
|
Platforms
|
|
#########
|
|
|
|
Binary compatibility across all supported kernels
|
|
=================================================
|
|
|
|
Since its inception, Genode provides a uniform component API that abstracts
|
|
from the underlying kernel. This way, a component developed once for one
|
|
kernel can be easily re-targeted to other kernels by mere re-compilation. With
|
|
version 16.08, we go even a step further: Dynamically linked executables and
|
|
libraries have become kernel-agnostic. A single binary is able to run on
|
|
various kernels with no recompilation required.
|
|
|
|
To make this possible, two steps were needed:
|
|
|
|
* The Genode ABI - the binary interface provided by Genode's dynamic
|
|
linker - had to become void of any kernel specifics. The kernel-specific
|
|
code is now completely encapsulated within the dynamic linker and Genode's
|
|
core component.
|
|
|
|
* The Genode API - the header files as included by components during their
|
|
compilation - must not reveal any types or interfaces of a specific kernel.
|
|
The representation of all Genode types had to be generalized. By default,
|
|
any peculiarities of the underlying kernel remain invisible to components
|
|
now.
|
|
|
|
This effort required us to form a holistic view of the kernel interfaces of
|
|
all 8 kernels supported by Genode, which made the topic very challenging and
|
|
exciting. The biggest stumbling blocks were the parts of the API that were
|
|
traditionally mapped directly to kernel-specific data types, in particular the
|
|
representation of capabilities. The generalized capability type is based on
|
|
the version originally developed for base-sel4. All traditional L4 kernels and
|
|
Linux use the same implementation of the capability-lifetime management. On
|
|
base-hw, NOVA, Fiasco.OC, and seL4, custom implementations (based on their
|
|
original mechanisms) are used, with the potential to unify them further in the
|
|
future.
|
|
|
|
At the current stage, all dynamically linked programs (such as any program
|
|
that uses the C library) are no longer tied to a specific kernel but can be
|
|
directly executed on any kernel supported by Genode. E.g., a Qt5 application -
|
|
once built for Genode - can be run directly on Linux and seL4 with no
|
|
recompilation needed. This paves the ground for the efficient implementation
|
|
of binary packages in the near future.
|
|
|
|
It is still possible to create kernel-specific components that leverage
|
|
certain kernel features that are not accessible through Genode's API. For
|
|
example, our version of VirtualBox facilitates the direct use of the kernel.
|
|
Or Genode's set of pseudo device drivers for Linux interact directly with the
|
|
Linux kernel. But those components are rare exceptions.
|
|
|
|
|
|
Execution on bare Zynq hardware (base-hw)
|
|
=========================================
|
|
|
|
Support for Xilinx Zynq-based hardware has been added to the world repository
|
|
by the means of additional drivers and spec files. Due to the fact that there
|
|
is a rather large number of Zynq-based hardware available, adding these as
|
|
separate build targets to the main repository was not practical. Instead, we
|
|
went for the approach of adding SPECS for the different boards. Another
|
|
benefit of this is that these can be specified in a separate repository.
|
|
|
|
When creating a 'hw_zynq' build directory, 'zynq_qemu' is added to the SPECS
|
|
by default. You can replace this with one of the following in order to run the
|
|
image on an actual zynq-based board:
|
|
|
|
* zynq_parallella
|
|
* zynq_zedboard
|
|
* zynq_zc706
|
|
* zynq_zc702
|
|
|
|
Note that changing the SPECS might require a 'make clean'.
|
|
|
|
Furthermore, we added driver components for the SD card, GPIO, I2C and Video
|
|
DMA to the world repository.
|
|
|
|
Thanks to Timo Wischer, Mark Albers, and Johannes Schlatow!
|
|
|
|
|
|
Removal of stale features
|
|
#########################
|
|
|
|
We removed the *TAR file-system* server because it is superseded by the VFS
|
|
server with its built-in support for mounting TAR archives.
|
|
|