genode/repos/gems/recipes/pkg/sculpt
2018-05-31 12:28:13 +02:00
..
archives sculpt: add NVMe support 2018-05-03 15:32:00 +02:00
hash depot: update recipe hashes 2018-05-03 15:32:01 +02:00
README sculpt: update list of ports in README 2018-05-31 12:28:13 +02:00


                      ==============================
                      Sculpt for Early Adopters (EA)
                      ==============================


                               Norman Feske



Introduction
############

Sculpt is a component-based desktop operating system that puts the user in
the position of full control. It is empowered by the Genode OS Framework,
which provides a comprehensive set of building blocks, out of which custom
system scenarios can be created. The name Sculpt hints at the underlying
idea of crafting, molding, and tweaking the system interactively. Starting
from a fairly minimalistic and generic base system, this tour through the
Sculpt system will cover the following topics:

* A boot image that is a live system, rescue system, and bootstrap system
  all in one,
* Ways to tweak and introspect the system,
* Formatting a SATA disk and storing files on the file system,
* Connecting to a wireless network and downloading content from the internet,
* Installation of additional software,
* Deployment of the installed software, and
* Running a guest operating system inside a virtual machine.


Feedback and contact
--------------------

Your feedback is appreciated!

:Join the Genode mailing list for discussion:

  [https://genode.org/community/mailing-lists]

:Get in touch with the developers at GitHub:

  [https://github.com/genodelabs/genode]

:Contact Genode Labs for commercial inquiries:

  [https://www.genode-labs.com]

A printable PDF version of this document is available at
[https://genode.org/documentation/sculpt-ea.pdf].


Prerequisites
#############

Sculpt for Early Adopters (EA) is the first of a series of revisions with a
successively increased ease of use, which is actually just a subtle way of
admitting that it is currently rather difficult to use.

Sculpt EA expects that you already know your way around Genode's source tree
and tool chain. Should this not be the case, please consider the "Getting
started" section of the Genode Foundations book that is available as a free
download at [https://genode.org].


Vim skills required
===================

Sculpt EA leverages (a subset of) GNU coreutils, bash, and Vim as the user
interface for sculpting the system. If you are not yet familiar with using
Vim, you may take Sculpt EA as a welcome chance to get your toes wet. To
enjoy the experience, you should be comfortable with the following
operations:

* Opening and navigating within a text file (moving the cursor,
  using '/' to search),
* Using the insert mode to make modifications,
* Reverting accidental modifications ('u' undo),
* Saving a modified file (':w'),
* Opening a file in a secondary buffer (':e'),
* Switching between buffers (':bn' for next, ':bp' for previous),
* Copy and paste ('v' start selection, 'V' start line selection,
  'y' remember selection, 'p' paste remembered selection),
* Exiting Vim (':x' save and exit, ':q!' discard changes).


Hardware requirements and preparations
======================================

Sculpt EA should be compatible with recent Intel-based PC hardware
featuring Intel graphics, E1000 networking, Intel wireless, and AHCI.

It is tested best on laptops of the Lenovo X and T series (X220, X250,
X260, T430, T460). For experimenting with Sculpt, we recommend getting a
refurbished version of one of these. You may also find the unofficial
hardware compatibility list [http://usr.sysret.de/jws/genode/hcl.html]
helpful for finding Genode-compatible hardware.

The machine is expected to have a single SATA disk drive attached to an
AHCI controller. NVMe is not supported. The content of the disk will be
wiped in the process of following this guide. Sculpt has been tested with
screen resolutions up to 2560 x 1440. Displays with a higher resolution
are not expected to work. The sweet spot is a full-HD display.

Please revisit the BIOS settings of your machine in the following respects:

:VT-d enabled: Even though Sculpt is able to run without an IOMMU, we
  advise to enable this option for the sandboxing of device drivers.

:VT-x enabled: Hardware-assisted virtualization is needed to run VirtualBox
  on top of Sculpt.

:Boot from USB enabled: Sculpt is booted from a USB stick.

:Legacy boot enabled (recommended): Needed to boot from USB in legacy BIOS
  mode, which is the default when building the Sculpt boot image.

:Optimize for performance when battery powered: If the latter is not set,
  the hardware may behave erratically (e.g., non-working trackpoint when on
  battery).


Building the boot image
#######################

The following steps assume that you have the Genode tool chain installed on a
GNU/Linux system. For reference, Ubuntu 16.04 is known to work well.

# Clone Genode's Git repository:

  ! git clone https://github.com/genodelabs/genode.git
  ! cd genode
  ! git checkout 18.02

# Download the support for the NOVA microkernel

  ! ./tool/depot/download genodelabs/bin/x86_64/base-nova/2018-02-26

  The content is downloaded to the _public/_ directory and extracted to
  the _depot/_ directory.

# Download all ingredients for the Sculpt boot image

  ! ./tool/depot/download genodelabs/pkg/x86_64/sculpt/2018-02-27

# Create a build directory

  ! ./tool/create_builddir x86_64

# Configure the build directory by editing _build/x86_64/etc/build.conf_.
  Most importantly, enable the 'gems' source-code repository where the
  sculpt scenario resides. In addition the 'ports', 'dde_linux' and 'dde_ipxe'
  repository are needed as well.

# Create the sculpt boot image (defined by the run script at
  _repos/gems/run/sculpt.run_)

  ! make -C build/x86_64 run/sculpt KERNEL=nova

  The boot image is created at _build/x86_64/var/run/sculpt.iso_.

# Write the boot image to a USB stick:

  ! sudo dd if=build/x86_64/var/run/sculpt.iso of=/dev/sdx bs=1M conv=fsync

  Here, '/dev/sdx' refers to the device node of your USB stick. To determine
  it, you may inspect the output of 'dmesg' after plugging it in.


Base system
###########

Unless customized, the sculpt base system resides as a self-contained live
operating system on a USB stick, not installed on disk. This has two
advantages. First, it makes the update of the base system straight-forward
and completely risk-free. Simply install the new version on a second USB
stick. Should the new version cause any trouble, one can fall back to the
original one by swapping the USB sticks. Second, it alleviates the need to
install any boot-loader infrastructure on disk. In fact, we will not create
a partition table and use the entire disk as one file system.

_Note that Genode is not limited to booting from USB. It also supports_
_the use of partitions. But for this guide, we keep things as simple as_
_possible._


System overview
===============

;        Drivers    |    Leitzentrale    |    Runtime
;       subsystem   |     subsystem      |   subsystem
;    ---------------+--------------------+---------------
;                  static part of the system
;    ----------------------------------------------------
;                     microkernel / core

[image sculpt_overview]
  System overview

The sculpt system consists of four parts living on top of the microkernel
(Figure [sculpt_overview]).


Static system
-------------

The first - static - part of the system is baked-in the boot image. It
contains components that must be shared by the upper - dynamic - parts and
defines the relationships between the upper parts via a static policy that
is fixed by the creator of the boot image.

;         Drivers      |   Leitzentrale   |     Runtime
;    --------------------------------------------------------
;                            :     :
;       Nitpicker    Report  :     :  ROM    [global policy]
;      GUI server         :  :     :  :
;                         v  v     v  v
;                        Report   Config
;                          FS       FS

[image sculpt_static]
  Detailed look at the static part of the system

Besides a low-complexity GUI multiplexer called Nitpicker, the static
system contains two in-memory file systems. The _config_ file system stores
configuration data whereas the _report_ file system stores information
reported by components. These file systems are invisible to regular
components. Components obtain their configuration data from a (read-only
memory) ROM service, and report their state to a (write-only) report
service.

At boot time, the config file system is pre-populated with information from
the boot image. It stays in memory. Hence, after rebooting the system, any
changes are gone.


Drivers subsystem
-----------------

The drivers subsystem provides all the basic services needed to realize an
interactive system scenario: a framebuffer service for the graphical
output, an input service to obtain user input, and a block service to
access a storage device. All other drivers like networking or audio drivers
are not covered by the drivers subsystem. They will enter the picture at a
later stage and will use the platform service and USB service to access
device resources.

;                                        Framebuffer     AHCI
;                                          Driver       Driver
;                                             :  \     /  :
;   ACPI --- Platform ------- USB      Driver :  Dynamic  :
; discover    driver -- PS/2 :   :    Manager :    Init   :
;               :        :   :   :            :           :
;               :        :   :   :            :           :
;               :        Input   :            :           :
;               :       Filter   :            :           :
;               :          :     :            :           :
;               :          :     :            :           :
;          (platform)  (input) (USB)    (framebuffer)  (block)

[image sculpt_drivers 80%]
  Services provided by the drivers subsystem

As illustrated by Figure [sculpt_drivers], some drivers like the framebuffer
driver live in a dynamically managed subsystem that depends on runtime
discovery of the hardware by the so-called driver-manager component.
Whenever an Intel graphics device is present, the Intel framebuffer driver
is spawned. Otherwise, a generic VESA driver or a driver for a
boot-time-initialized framebuffer is used.

Several components of the drivers subsystem report their state. E.g., when
the Intel framebuffer is used, it reports the list of connectors present.
Most importantly, the driver manager reports the available block devices.

As user input may enter the system in multiple ways - most prominently PS/2
and USB HID - the drivers subsystem contains a so-called input-filter
component that merges these event streams and applies transformations like
key remappings or mouse acceleration.


Leitzentrale subsystem
----------------------

The Leitzentrale gives you - the user - full control over the config file
system and the report file system. You are free to inspect and
manipulate the system in any way you wish. The German term Leitzentrale
refers to a control center that requires a certain degree of sophistication
from the operator, which would be you. A typo at the wrong place may
render your system temporarily inaccessible, eventually requiring a reboot.
But don't be afraid. Since all manual changes performed in the Leitzentrale
occur in memory only, you are not at risk of permanently bricking your machine.

[image noux 45%]
  Noux runtime environment for executing Unix tools

The Leitzentrale can be toggled at any time by pressing F12 and will be enabled
right after boot. It uses a small Unix runtime called noux (Figure [noux])
as user interface. Don't let the presence of a Unix shell mislead you.
Sculpt is not a Unix system. It merely uses Unix subsystems in the form of
noux instances as convenient tools for managing and editing files.

[image sculpt_leitzentrale 62%]
  Leitzentrale subsystem

The Leitzentrale employs two noux instances (Figure [sculpt_leitzentrale]).
With the instance on the left, you can interact with both the report and
config file systems using familiar commands such as the bash shell, a
subset of coreutils, and Vim. The right side gives you a quick glance at the
current log messages. The log is also available at _report/log_ and can be
browsed with Vim.

_Noux is not bullet-proof. Should you get stuck, you may re-spawn it at_
_any time by pressing F11._


Tweaking and inspecting the system
==================================

The Leitzentrale subsystem empowers you to interactively inspect and tweak
the running system. Let's take a walk next.


Adjusting the user-input handling
---------------------------------

By default, Sculpt uses the US-English keyboard layout with a functioning
capslock key. You may possibly want to adjust the former and - as a Vim
user - most likely discharge the latter. As mentioned in Section
[Drivers subsystem], user input is processed by the input-filter component.
You can edit this component's configuration via

! genode:/> vim /config/input_filter.config

To change the keyboard layout to German, change "en_us.chargen" to
"de.chargen" and save the file. The change becomes effective immediately at
saving time.

_Note that the terminal does not display umlaut characters._
_Please stick to using plain ASCII characters._

To remap the capslock key to escape - a key often needed while using Vim -
uncomment the corresponding '<remap>' rule

! <key name="KEY_CAPSLOCK" to="KEY_ESC"/>

After saving the file, a Vim user's life suddenly becomes much more
pleasant.

[image input_filter 80%]
  Filter chain for user-input events

Take the time to review the remaining parts of the input-filter
configuration. The nested configuration nodes define a hierarchy of
filters that are applied in the order from the inside to outside
(Figure [input_filter]). There are filters for merging events ('<merge>'),
remapping buttons and keys ('<remap>'), supplementing symbolic character
information ('<chargen>'), pointer acceleration ('<accelerate>'), and
emulating a scroll wheel by moving the pointer while pressing the middle
mouse button ('<button-scroll>').


Display settings
----------------

If you are running the Intel graphics driver, you can inspect the connected
displays and their supported resolutions by taking a look at the report at
_/report/drivers/dynamic/intel_fb_drv/connectors_. This report is updated
whenever a display is connected or disconnected. You can use this
information to enable or disable a display in the driver's configuration,
which you can find at _/config/fb_drv.config_. Please don't forget to
correctly specify all attributes including the 'hz' attribute. Otherwise,
the driver will not consider the '<connector>' setting.

For a quick test, change the attribute 'height="768"' to 'force_height="768"'
(you may modify 'width' analogously). When saving the file, the screen
real-estate will forcibly be limited to the specified size. This is helpful
during presentations where the beamer has a lower resolution than the
laptop's internal display. By specifying the beamer's resolution, both the
laptop and the beamer show the same content.


Exploring the drivers and Leitzentrale subsystems
-------------------------------------------------

You can review the construction plan of the drivers subsystem by opening the
file _/config/drivers/config_ in Vim. In particular, it is interesting to
follow the '<route>' rules to see how the various components are connected.
But there is more. The configuration is live. It enables you to reconfigure
individual components on-the-fly. For example, search for the '<start>' node
of the PS/2 driver and add the attribute 'verbose_keyboard="yes"' to the
embedded '<config>' node. By saving the file, the changed configuration
becomes effective. Any key pressed or released on the PS/2 keyboard will
result in a log message on the right. You may revert this change (vim: 'u')
and save the original version of the file.

_Note that not all components are dynamically reconfigurable but many_
_modern ones - in particular the init component and most long-running_
_server components - are._

_It is possible to forcibly restart a component by adding a 'version'_
_attribute to the '<start>' node. Whenever the 'version' value is changed,_
_the component is re-spawned._

_The component-specific configuration options are documented in the README_
_files accompanying the respective components in the source tree._

Analogously to the drivers subsystem, you can find the construction plan
for the Leitzentrale subsystem at _/config/leitzentrale/config_. Try out
the following tweaks:

* Change the transparency of the two noux instances by modifying the
  'alpha' attributes of the 'control_fader' and 'log_fader' components.

* Change the position and size of the two noux instances by tweaking
  the coordinates ('xpos', 'ypos', 'width', 'height') of the
  'control_nit_fb' and 'log_nit_fb' components.

* Show a simple CPU-load display by uncommenting the '<start>' node of
  the 'cpu_load_display' component.

* Change the font size of the 'control_terminal' component from "16"
  to "12".

You may also enjoy tinkering with the configuration of the nitpicker GUI
server, which is located at _/config/nitpicker.config_. For example, you
may change the background color or the labeling color of the "default"
domain.


Storage, networking
###################

[image sculpt_runtime_highlighted]

So far, we have not lost any word about the third subsystem called
"runtime" that lives besides the drivers and Leitzentrale subsystems.
The runtime subsystem has no predefined purpose but can be filled with
life as you wish. In the following, we successively reshape the content of
the runtime subsystem to perform a form of system installation.

Analogously to the drivers subsystem, the live configuration of the runtime
subsystem is located at _/config/runtime/config_. Initially, it is almost
empty.


Preparing the disk
==================

It goes without saying that we want to persistently store data, programs,
and configuration information on our machine. So we need to access a block
device. Let us see if the drivers subsystem has successfully detected the
SATA disk of your machine:

! genode:/> cat /report/drivers/block_devices

The report should contain one '<device>'. The 'label' attribute denotes the
physical name, under which the drivers subsystem will hand out a block
session for this device (e.g., 'ahci-1'). If there is only one device, the
'<block_devices>' report features a 'default' attribute, which should
correspond to the label of the '<device>'. Regardless of its label, this
block device is handed out as block session under the label 'default'. This
relieves the runtime subsystem from dealing with the physical label of the
device. If more than one devices are present, there is no default device.
For this guide, we assume that a 'default' block device is present.

[image sculpt_block_runtime]
  Runtime for accessing a block device

To format the default block device, there exists a template runtime
configuration at _/config/runtime/block.config_. Take a moment to review it
(Figure [sculpt_block_runtime]). The interesting part is a noux instance
that has a block session mounted at '/dev/block' and a few tar archives
containing bash, coreutils, Vim, and e2fsprogs mounted at '/'. Here we
have a special-tailored Unix enviroment with the sole purpose of formatting
the disk. To bring this runtime to life, simply overwrite the live
configuration with the template:

! genode:/> cp /config/runtime/block.config /config/runtime/config

After issuing this copy operation, the new noux instance becomes visible in
the background of the Leitzentrale. Hide the Leitzentrale by pressing F12
to interact with noux. You need to click on noux to set the input focus.
Within noux, you can issue the following command to format your default
block device with an ext2 file system. Note that this command wipes the
original content from your block device:

! block:/> mkfs.ext2 /dev/block

After a few seconds, your disk should be ready to use. The block runtime is
also useful to check the consistency of your file system:

! block:/> fsck.ext2 -pv /dev/block


File-system access
==================

[image sculpt_fs_runtime 68%]
  Runtime for accessing a file system

With the default block device formatted, we can in principle store data as
files and directories. All we need is a file-system component that
translates the notion of files and directories to block-device accesses.
To fill this gap, we use a NetBSD rump kernel. More specifically, we mount
a rump kernel as a plugin into a dedicated VFS server component
(Figure [sculpt_fs_runtime].

As we will need the same construct in several runtime configurations, it
is convenient to wrap it inside a dedicated init instance, which can be
instantiated as a child within the runtime configuration. The configuration
for this sub init is located at _/config/subinit/default_fs.config_. It
nicely hides the technicalities of how the default file system is accessed
and is the natural hook for using more advanced disk layouts (as indicated
by the commented-out parts).

Following the same line of thoughts, there also is a building block for an
often used noux configuration at _/config/subinit/default_noux.config_.
This noux instance has both the on-disk file system and the in-memory
config file system mounted.

The runtime-configuration template _/config/runtime/fs.config_ combines
both building blocks. Activate it via the Leitzentrale:

! genode:> cp /config/runtime/fs.config /config/runtime/config

The previous (block) noux instance is replaced by a new one, which allows
you to interact with the on-disk file system mounted at _/rw/_. At this
point, you can copy data back and forth between the in-memory config file
system and the on-disk file system.


Making customizations permanent
===============================

Using the _/config/runtime/fs.config_ runtime template, you can easily
backup your customizations of the config file system to disk. By
convention, we create a directory _/rw/config/_ on the default file system:

! noux:> mkdir /rw/config

[image sculpt_save 60%]
  Saving customizations

We can now selectively copy modified configurations from the config file
system to this location, e.g.:

! noux:> cp /config/input_filter.config /rw/config/


Restoring customizations after boot
===================================

After rebooting the system, the saved customizations won't take any
immediate effect because the boot image does not touch the default file
system. However, there is a convenient template for a runtime configuration
that copies configuration data from the default file system to the in-
memory config file system.

As you may have guessed: _/config/runtime/load.config_ utilizes a
dedicated noux instance for this job. This noux instance starts the bash
shell with the '--login' argument, which prompts bash to execute the
commands provided by the '.bash_profile' file. These commands perform the
actual copy operations.

[image sculpt_load 50%]
  Restoring customizations

In the daily routine of using Sculpt, issuing the following command in the
Leitzentrale right after system boot does the trick:

! genode:/> cp /config/runtime/load.config /config/runtime/config

To give this a try, you may reboot your machine by editing _/config/system_.
Set the attribute 'state' to the value "reset" and save the file.


Connecting to a wireless network
================================

The drivers subsystem does not contain any support for networking. However,
the boot image provides all the building blocks needed to establish network
connectivity at the level of the runtime subsystem. Those building blocks
are drivers for wired and wireless network devices, a component for routing
network traffic, a TCP/IP stack, and an application for downloading
content.

Following the pattern used for the default file system where the technical
details are nicely wrapped in the _default-fs_ building block, there exists
the sub-init configuration _/config/subinit/default_nic.config_. By
default, it contains the wireless driver, which is a port of the Intel
wireless stack from the Linux kernel and the accompanying WPA supplicant.

[image sculpt_wifi_runtime]
  Hosting a wireless driver within the runtime subsystem

When started, the driver requests a session to the platform driver of the
drivers subsystem. Through this session, the driver becomes able to
interact with the networking device. All other devices remain hidden from
the driver. The driver continuously scans for wireless access points at a
fixed interval and reports the results in the form of a _wlan_accesspoints_
report. Furthermore, it requests the ROM module _wlan.config_, which
contains the authentication information needed to connect to a selected
access point (Figure [sculpt_wifi_runtime]). To give the driver a spin,
you may use the _/config/runtime/download.config_ runtime template:

! genode:/> cp /config/runtime/download.config /config/runtime/config

Depending on the platform, the driver may spill the log with a lot of
frightening messages. Don't let them intimidate you. Better look for the
interesting information:

! genode:/> vim /report/runtime/nic/nic/wlan_accesspoints

You should see a list of access points including their SSIDs and signal
qualities. To establish a connection to one of the access points, open
the file _/config/wlan.config_ (vim: ':e /config/wlan.config'). By opening
the _wlan.config_ file in a separate buffer, you may conveniently copy the
SSID from the _wlan_accesspoints_ report. Don't forget to specify your WPA2
password as 'psk' (pre-shared key) attribute value. After writing the file,
the driver should become active as indicated by an influx of new log
messages. To check for the connection state, take a look at the
corresponding report:

! genode:/> cat /report/runtime/nic/nic/wlan_state

If everything went well, it should tell you 'state="connected"'.

Alternatively to using the wireless driver, you may use a wired networking
driver. A snippet for a corresponding start node is provided in the
_default_nic.config_ file. Comment out the wireless driver and uncomment
the wired driver.

_Note that the successive starting, killing, and restarting of the drivers_
_does not work reliably on all platforms. Sometimes the device ends up_
_in an inconsistent state, unable to establish a network connection._
_If this happens, you'll have to reboot your machine to properly reset the_
_device._

_By default, the 11N mode of the wireless driver is disabled because the_
_wireless hardware of a few modern platforms behave unreliably otherwise._
_You may try to set the 'use_11n' attribute in the default_nic.config_
_to "yes" to improve the networking throughput._


Downloading files
=================

With both network connectivity and persistent storage, it is time to
download content from the internet. If you followed the steps above, the
_download_ runtime _/config/runtime/download.config_ should already be
in place.

;   default    default                             default
;    Noux  --->  FS  <--- chroot <--- fetchurl ---> NIC
;      :          :                                  :
;      :          :                                  :
;      v          v                                  v
;  Nitpicker    Block                             Platform
;                                               (PCI device)

[image sculpt_download_runtime]
  Runtime for downloading content from the network

Figure [sculpt_download_runtime] illustrates the scenario that builds upon
the _default_noux_, _default_fs_, and _default_nic_ building blocks. The
fetchurl component should raise our concern. It has access to the file
system and is at the same time exposed to the network. A remote attacker
may exploit it as a gateway to our persistent storage. What makes matters
worse is the enormous complexity of the component, which includes protocol
implementations for TCP/IP and HTTPS (via libcurl). Vulnerabilities should
be expected. For this reason, the scenario shields the real file system
from fetchurl by using a *chroot* component, which presents the local
download directory as the file system to fetchurl. In the worst case - if
fetchurl falls completely into the hands of an attacker - the reach of the
attack is limited to the download directory.

In the _/config/runtime/download.config_ template that we installed in the
runtime subsystem, fetchurl is commented out. Take a minute to study the
configuration of the chroot and fetchurl components. These components are
readily configured to download the ISO image of the Debian installer to the
location _/vm/debian/installer.iso_. We will use this ISO image in the
subsequent steps.

Let's start downloading the file by uncommenting the fetchurl start node in
the runtime configuration _/config/runtime/config_ directly and saving the
file. The download of the circa 300 MiB may take a while. You may inspect
the progress by using the accompanied noux instance.

! noux:/> ls -l /rw/vm/debian/


Extending the system
####################

The base system discussed so far is just an intermediate step towards a real
operating system. It contains only the components necessary to reach the
second stage where software is hosted on the file system. In contrast to
the base system, which is meant to stay constant over a long time or even
used as firmware instead of a BIOS, the second stage is designed to be
expandable in arbitrary ways. The software of the second stage comes in the
form of packages facilitating a custom package-management concept that is
inspired by Git as well as the Nix package manager.

:Non-destructive:
  Installing or updating software has no effect on the already installed
  software. You can always roll back your system to a previous state.
  There are no install script that could mutate the system globally.

:Multiple versions can peacefully co-exist:
  Updating one package does not force you to update other, unrelated,
  packages.

:Simplicity:
  There is no domain-specific language and no database. All meta data is
  in plain sight.

:Decentralized software provisioning:
  There can be any number of software providers. The potential reach of
  each software provider is limited to one directory each. One can even
  install software from an untrusted party without any fear.

:Accountability:
  Software cannot enter the system without a proper OpenPGP signature that
  attests its authenticity and integrity.

:Low-complexity trusted computing base:
  The installation mechanism sandboxes all components that are potentially
  exposed to an attacker, e.g., the code that decompresses and extracts
  archives, or any network-facing code.


Installing software
===================

To install software, we need the following prerequisites:

* Storage location for downloads,
* Storage location for installed software,
* Download URL, and
* Public key of software producer.

By convention, software is downloaded to the _/public_ directory of the
default file system whereas installed software will reside in the _/depot_
directory. The latter also hosts the information about download URLs and
public keys. To prepare the depot, we can use a _default_noux_ instance
as featured in the _fs_ or _download_ runtime templates.

* Create the download location

  ! noux:/> mkdir /rw/public

* Initialize the depot for hosting the installed software. The example
  provided at _/config/examples/depot/_ is equipped with the public key
  and the download URL for packages originating from Genode Labs.

  ! noux:/> cp -r /config/examples/depot /rw/

[image sculpt_update_runtime]
  Runtime for installing / updating software

With these preparations in place, the _/config/runtime/update.config_
runtime template can be used to install software (Figure
[sculpt_update_runtime]). Following the pattern used by the download
runtime, the access to the file system is mediated via chroot components.
The software to install is defined by _/config/installation_, which
contains a list of archives. By default, it contains a meta package called
"sculpt-installation", which contains all components needed to host a
virtual machine on top of Sculpt. To trigger the installation:

! genode:/> cp /config/runtime/update.config /config/runtime/config

;      What's missing? <-----------------------.
;             |                                |
;             | archive list                   | content
;             v                                |
;      Get download info                    Extract
;             |                                ^
;             | URL, pubkey                    | good/bad
;             v                                |
;           Fetch -------------------------> Verify
;                    archives, signatures

[image depot_download 60%]
  System installation as an iterative procedure

The update runtime contains a so-called depot-download subsystem that
orchestrates the dependency tracking, downloading, verification, and
extraction of depot content. Internally, the depot-download subsystem is
composed of several components that are dynamically spawned and disposed as
needed. As illustrated by Figure [depot_download], the installation is an
iterative process, which will eventually finish with the log message
"Installation complete".


Deploying installed software
============================

Once the local depot is populated with installed software, we need to steer
Sculpt to use the new installed components instead of the ones found on the
base image. This is accomplished with the _/config/runtime/deploy.config_
runtime template as illustrated in Figure [sculpt_deploy_runtime].

[image sculpt_deploy_runtime]
  Runtime for deploying installed software

The deploy runtime spawns a dynamically configured init as a subsystem.
Like any init instance, it obtains the binaries for the hosted components
as ROM modules from a ROM service. But unlike the instances we encountered
so far, which obtained ROM modules from the ROM service of the base system,
this init instance is directed to a FS-ROM component that fetches
ROM-module content from the depot.

The last missing piece of the puzzle is a component that configures the
dynamic init instance while supplementing the information of where to look
inside the depot for the required ROM modules. This is the role of the
depot-deploy component. It takes a high-level description of the
to-be-deployed system scenario in the form of the _/config/deploy/config_
ROM module, queries the depot for the details and ingredients of the
scenario, and generates the configuration for the dynamic init instance.
Like init, the depot-deploy component is able to dynamically respond to
updates of the _/config/deploy/config_ ROM. This enables you to dynamically
shape the deployed scenario. The configuration looks similar to init's
configuration but at higher level of abstraction. In particular, start
nodes refer to so-called runtime packages, which are provided by the depot
and nicely wrap all the low-level details into easy-to-use building blocks.

For example, the "pkg/noux-system" package as featured in
_/config/deploy/config_ is a noux subsystem similar to the _default_noux_
subinit. When activating the depot runtime template, the noux instance
appears. This time, however, the noux subsystem is created out of the
installed depot content:

! genode:/> cp /config/runtime/deploy.config /config/runtime/config


Hosting a guest operating system
################################

The default scenario found at _/config/deploy/config_ contains all the
pieces needed to host a virtual machine on top of Sculpt. A virtual machine
is a convenient stop-gap solution for running programs that are not yet
available natively on Genode. It ultimately enables us to use Sculpt as
day-to-day OS today.

By convention, we host the content of each virtual machine in a dedicated
directory _/vm/<guest-os>/_ at the default file system. In Section
[Downloading files], we already downloaded the ISO image with the installer
for the Debian operating system. To run it within a virtual machine, we
additionally need a virtual disk image _(machine.vdi)_ where to install the
guest OS to, and a VirtualBox configuration file _(machine.vbox)_. You may
take the files provided at _/config/examples/vm/debian/_ as starting point,
using the noux-system instance that is already running after activating the
deploy runtime.

! noux:/> cp /config/examples/vm/debian/* /rw/vm/debian/

Please review and adjust the _machine.vbox_ file as needed, in particular
you may reconsider the amount of RAM by changing the 'RAMSize' attribute.
To start the virtual machine, uncomment the following commented-out parts
of _/config/deploy/config_:

# One of the two NIC drivers (either wifi or ipxe_nic_drv),
# The NIC router, which sits in-between the NIC driver and the virtual
  machine, and plays the role of a virtual NAT router, and
# The start nodes of "vm_fs", "shared_fs", "usb_devices_rom", and "vm".

After saving the file, VirtualBox should appear, starting the Debian
installer.

After the installation is finished and the guest system was rebooted, it is
time to install the guest additions of VirtualBox. To do that, the apt(1)
configuration has to be adjusted. Edit the file

! # vi /etc/apt/sources.list

and add the line

! deb http://ftp.debian.org/debian stretch-backports main contrib non-free

Afterwards update the package cache

! # apt update

and upgrade the packages

! # apt upgrade

and install the Linux kernel headers

! # apt install linux-headers-amd64

Just to be sure that the guest additions will use the newest kernel, reboot
the guest system. Next, install all needed packages for the guest
additions:

! # apt install virtualbox-guest-dkms virtualbox-guest-x11

Having the Linux-header package is mandatory as the needed modules will not
be built without it. After the packages are installed and the modules have
been built, certain features like the dynamic mode-setting and shared
folders can be used.

The example _machine.vbox_ file already provides a configured shared folder
called 'shared'. By executing

! # mount -t vboxsf shared /mnt/

it can be mounted and accessed via '/mnt'.


Advanced usage
##############

Reproducing the system from source
==================================

Section [Building the boot image] presents the creation of the boot image
from pre-built packages. You may want to build those packages from source,
in particular for customizing the system.

Before building the packages, various ports of 3rd-party software need to
be prepared. The following command prepares all of them at once:

! <genode-dir>/tool/ports/prepare_port \
!      bash coreutils curl dde_ipxe dde_linux \
!      dde_rump e2fsprogs gnupg grub2 jitterentropy \
!      libarchive libc libgcrypt libiconv libssh \
!      lwip_legacy ncurses nova openssl qemu-usb \
!      stdcxx vim virtualbox5 x86emu xz zlib libpng \
!      ttf-bitstream-vera stb

The ingredients of the boot image are subsumed by the 'pkg/sculpt' package.
The default set of software installed by the update runtime is defined by
the 'pkg/sculpt-installation' package. You can find the depot recipes for
these packages at _repos/gems/recipes/pkg/_.

The _repos/gems/run/sculpt.run_ script can be executed to build a boot image.
By default, the boot image refers to 'genodelabs/pkg/sculpt' and to
'genodelabs/pkg/sculpt-installation' for the runtime-installed software. You
may want to install your version of these packages instead by changing the
package provider from 'genodelabs' to '<you>' by adding the line

! RUN_OPT += --depot-user <you>

to your _<build-dir>/etc/build.conf_.

To build the packages for the boot image:

! <genode-dir>/tool/depot/create \
!      UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
!      <you>/pkg/x86_64/sculpt \
!      <you>/bin/x86_64/base-nova

The 'FORCE=1' argument ensures that source archives are re-created and
checked for the consistency with their versions. If the source code of any
of the archives changed, the 'UPDATE_VERSIONS=1' argument automatically
updates its version. Please don't forget to commit the updated 'hash'
files. The empty 'REBUILD=' argument limits the creation of binary packages
to those that do not yet exist in binary form. If not specified, the
command would recompile all packages each time. You may further add '-j<N>'
to parallelize the build process where '<N>' is the level of parallelism.

Building the 'sculpt-installation' package works analogously to the 'sculpt'
package.

! <genode-dir>/tool/depot/create \
!      UPDATE_VERSIONS=1 FORCE=1 REBUILD= \
!      <you>/pkg/x86_64/sculpt-installation

To make the 'sculpt-installation' available for download from within the
boot image, you must publish it. This involves the archiving, signing,
and uploading of the content. The former two steps are covered by the
_tool/depot/publish_ tool, which expects one to specify a concrete version.
The current version of the 'sculpt-installation' can be obtained via

! cat <genode-dir>/repos/gems/recipes/pkg/sculpt-installation/hash

The first part is the version. The second part is the content hash of the
version. For more information about working with the depot tool, refer to
[http://genode.org/documentation/developer-resources/package_management].


UEFI boot
=========

By default, the steps given in Section [Building the boot image] produce a
legacy-boot ISO image, which requires a BIOS. To create an UEFI image
instead, modify your '<build-dir>/etc/build.conf' by replacing 'image/iso'
by 'image/uefi'. When executing the _sculpt.run_ script now, an UEFI image
is created at _build/x86_64/var/run/sculpt.img_. It is a disk image
containing an UEFI partition with all the content needed. It can be
directly written to a USB stick.


Updating the USB boot device from within VirtualBox
===================================================

The _/config/deploy/config_ scenario is prepared to assign USB storage
devices directly to a running virtual machine. You may inspect the report
_/report/drivers/usb_active_config_ to get a list of attached USB devices.
Use Vim to copy the '<policy>' node of the selected device into the
'<inline>' section of the 'usb_devices_rom' start node within your
_/config/deploy/config_, and adjust the line as follows:

* Replace the node type '<policy>' by '<device>', and
* Rename the attribute 'label_suffix' to 'label'.

The updated 'usb_devices' ROM prompts VirtualBox to open a USB session at
the drivers subsystem. Hence, when saving the modified
_/config/deploy/config_ file, the guest OS should detect a new USB device
(check the output of 'dmesg'). You may now write a new version of the
Sculpt ISO image to the device by following the steps described in Section
[Building the boot image].


Credits
#######

Sculpt is an example system scenario of the Genode project, which is an
operating-system technology designed and developed from scratch.

:Genode OS Framework:
  [https://genode.org]

That said, Genode is not developed in a vacuum. It rather stands on the
shoulders of giants and greatly benefits from the free-software/open-source
community. The following projects play a particularly important role for
the Sculpt scenario.

:NOVA microhypervisor:

  Sculpt's kernel is a derivate of NOVA, maintained by Genode Labs.
  NOVA was originally created by Udo Steinberg [http://hypervisor.org].

:Linux kernel:
  [https://kernel.org]

  Sculpt reuses several Linux subsystems as individual components, in
  particular the USB stack, the Intel wireless stack, the Intel graphics
  driver, and the TCP/IP stack.

:NetBSD's rump kernel:
  [https://wiki.netbsd.org/rumpkernel/]

  The file-system support is based on NetBSD kernel code, which became
  reusable on Genode thanks to the rump kernel project.

:FreeBSD:
  [https://www.freebsd.org/]

  The C runtime that is used by most 3rd-part software is based on FreeBSD's
  libc.


Device drivers
--------------

:WPA supplicant:
  [https://w1.fi/wpa_supplicant/]
  _(used by the wireless driver)_

:iPXE:
  [http://ipxe.org]
  _(basis of the wired network driver)_

:xf86emu:
  [http://xorg.freedesktop.org/]
  _(used by the VESA driver)_


Programs and libraries used within the noux runtime
---------------------------------------------------

:Vim:
  [http://www.vim.org]

:ncurses:
  [https://www.gnu.org/software/ncurses/ncurses.html]

:GNU coreutils:
  [https://www.gnu.org/software/coreutils/coreutils.html]

:GNU bash:
  [https://www.gnu.org/software/bash/]

:E2fsprogs:
  [http://e2fsprogs.sourceforge.net/]


Libraries used for the package-management infrastructure
--------------------------------------------------------

:curl:
  [https://curl.haxx.se]
  _(basis of the fetchurl tool)_

:libssh:
  [https://www.libssh.org]

:OpenSSL:
  [https://www.openssl.org]

:XZ Utils:
  [https://tukaani.org/xz/]
  _(support for tar.xz archives)_

:libarchive:
  [https://www.libarchive.org]
  _(basis of the extract tool)_

:zlib:
  [https://www.zlib.net]

:GnuPG:
  [https://www.gnupg.org]
  _(basis of the verify tool)_


Applications
------------

:VirtualBox:
  [https://www.virtualbox.org]
  _(used for hosting virtual machines)_


Crucial tools used during development
-------------------------------------

:GNU/Linux: (various distributions)

:Git:
  [https://git-scm.com]

:GNU compiler collection:
  [https://gcc.gnu.org]

:GNU binutils:
  [https://www.gnu.org/software/binutils/]

:GNU make:
  [https://www.gnu.org/software/make/]

:Tcl:
  [https://www.tcl.tk]

:Expect:
  [http://expect.sourceforge.net]

:Qemu:
  [https://www.qemu.org]

:GitHub issues:
  [https://github.com]