The just-released version 17.02 of the Genode OS framework comes with greatly enhanced virtual file-system capabilities, eases the creation of dynamic system compositions, and adds a new facility for processing user input. Furthermore, the components have become binary-compatible across kernel boundaries by default such that entire system scenarios can be moved from one kernel to another without recompiling the components.
Genode’s virtual file-system (VFS) infrastructure has a twisted history. Originally created as a necessity for enabling command-line-based GNU programs to run within Genode’s custom Unix runtime, the VFS was later extracted as a separate library. This library eventually became an optional and later intrinsic part of Genode’s C runtime. It also happened to become the basis of a file-system-server component. If this sounds a bit confusing, it probably is. But the resulting design takes the notion of virtual file systems to a new level.
First, instead of providing a system-wide VFS like Unix does, in Genode each component can have its own VFS. Technically, it is a library that turns a number of Genode sessions into a file-system representation according to the component’s configuration. Via those sessions, the component is able to access services provided by other components such as file systems, terminals, or block devices. Furthermore, several built-in file systems are provided locally from within the component. Since the VFS is local to each component, the view of the component’s world can be shaped by its parent in arbitrary ways.
By default, each component runs in isolation. Whenever two components are meant to share a certain part of their VFS with one another, both mount a file-system session of the same server into their local VFS. This sharing is a deliberate decision by the components’ common parent and thereby subject to the parent’s security policy. One particularly interesting file-system server is the so-called VFS server. It uses an arbitrarily configured VFS internally and exports its content as a file-system service, which can then be mounted in other components. This way, the VFS server can be used to emulate a “global” VFS, or to multiplex access to any file-system types supported by the VFS.
Speaking of supported file-system types, this is where the VFS becomes literally infinitely flexible. The VFS features a plugin interface that incorporates file-system types provided in the form of shared libraries. If the VFS configuration refers to a file-system type not known by the VFS, a corresponding plugin is loaded. For example, there exists a plugin for generating random numbers based on the jitter of CPU execution time. The file system, when mounted, hosts only a single read-only file that produces random numbers. But VFS plugins can become much more creative. Via the rump-kernel VFS plugin, one can incorporate the file systems of the NetBSD kernel into any VFS-using component. Genode 17.02 furthermore comes with a Plan-9-inspired VFS plugin that makes the Linux TCP/IP stack available as a file system. The C runtime then translates BSD-socket API calls to file-system operations on the socket file system, which, in turn, are handled by the Linux TCP/IP stack. The fascinating part is that this all happens within a single component. Such a component is in fact quite similar to a unikernel.
If two applications ought to share the same TCP/IP stack, the VFS server comes in handy. The Linux TCP/IP stack is then mounted once in the VFS server, which, in turn, provides file-system sessions to the applications. Each application then accesses the TCP/IP stack indirectly through those file-system sessions. In this scenario, the VFS server suddenly becomes a network multiplexer.
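As an added illustration (not taken from the release documentation or from Genode's own run scripts), the following init configuration fragment sketches the shared-TCP/IP-stack scenario described above. The component names `socket_fs` and `app_a` and the RAM quanta are constructed, and the element and attribute names are an assumption based on Genode's init, libc, and VFS-server configuration conventions, which may differ in detail between releases.

```xml
<!-- Added example: fragment of an init configuration, not a complete scenario.
     The NIC driver and the ROM modules of the VFS plugins are omitted. -->

<!-- VFS server: mounts the Linux TCP/IP stack once and exports it
     as a file-system service -->
<start name="socket_fs">
  <binary name="vfs"/>
  <resource name="RAM" quantum="32M"/>
  <provides> <service name="File_system"/> </provides>
  <config>
    <vfs> <lxip dhcp="yes"/> </vfs>
    <!-- only sessions labelled by these two clients are accepted;
         a request without a matching policy is denied -->
    <policy label_prefix="app_a" root="/" writeable="yes"/>
    <policy label_prefix="app_b" root="/" writeable="yes"/>
  </config>
  <route> <any-service> <parent/> <any-child/> </any-service> </route>
</start>

<!-- Client: its private VFS holds a log file, one entropy file, and the
     shared socket file system; nothing else is visible to it.
     A second client "app_b" would be configured the same way. -->
<start name="app_a">
  <resource name="RAM" quantum="8M"/>
  <config>
    <!-- the C runtime maps BSD-socket calls to files below /socket -->
    <libc stdout="/dev/log" socket="/socket"/>
    <vfs>
      <dir name="dev"> <log/> <jitterentropy name="random"/> </dir>
      <dir name="socket"> <fs/> </dir>
    </vfs>
  </config>
  <route>
    <!-- the parent decides which server backs the <fs/> mount -->
    <service name="File_system"> <child name="socket_fs"/> </service>
    <any-service> <parent/> </any-service>
  </route>
</start>
```

The sharing is visible in two places only, the `<policy>` nodes of the server and the `<route>` of each client, both of which are written by the common parent.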
The VFS is not the only topic of the current release. Another highlight is the introduction of an application binary interface that makes all components binary compatible across kernel boundaries by default. Combined with the new kernel-independent build directories, it has become possible to move complete system scenarios between kernels as different as L4, NOVA, seL4, or Linux in a matter of seconds. Further improvements of Genode 17.02 are the addition of a generic input-event processor, new SD-card drivers, the update to version 0.8 of the Muen separation kernel, and a new mechanism for managing dynamic subsystems. All the improvements are described in detail in the release documentation.
I think the most significant aspect of the Genode 17.2 release isn’t any of the new features or the other improvements to the code-base.
With version 17.2 Genode is changing their licensing. They are moving from GPLv2 to AGPLv3 (plus a linking-exception).
http://genode.org/news/open-source-license-update
This has to be one of the most interesting projects going on in OS these days.
I sure wish I had time to really investigate this project because I think it has the potential to pay high dividends in the area of security.
I am surprised that more sites don’t keep an eye on this project.
I could not agree more! And, once again, they have made impressive progress in a short time.
As I see it, the ABI and framework-independent build process are probably the most important change, and the VFS and dynamic reconfiguration features will really help with more complex scenarios. In general, the most impressive thing to me is the way they keep the design clean, even while adding new features, and this release continues that trend.
After the previous release, I took a little time to read the “Foundations” e-book and play around with it a little bit. At some point, I hope to tinker a little more, then write up a few observations from the hobbyist developer’s perspective.