12 conferences
17 talks
Years active: 2012 to 2023
Wikidata: Q102657205
Norman Feske is a long-time developer and coordinator of the Genode project. In 2008, he co-founded Genode Labs - a company with the mission to transform this OS technology from a once obscure research project to the next generation of operating systems.
12 known conferences
The PinePhone appeals to those of us who seek autonomy from dominant platform corporations. The talk introduces a new operating system for the PinePhone that is not based on Linux but on Genode. With such an unorthodox underpinning, we found ourselves inspired to reimagine the dual notion of the phone as a highly dependable and secure appliance, and as a host for general-purpose applications. The talk will give an overview of Genode, present technical tidbits, and of course demonstrate the OS.
It is hard to imagine our society without smartphones. With the convenience of those handy companions, however, comes the dependence on platform providers who curate, manage, and update the devices for us. This central role has become an incredible leverage for the platform vendors, like Google and Apple. Those of us who want to escape the reach of those powerful corporations find the prospect of openness and transparency of the PinePhone hard to resist.
Even though the PinePhone is primarily meant for the use with Linux, it deserves more than one operating system kernel! Driven by the vision of a truly trustworthy smartphone, we have built a custom operating system for the PinePhone. Its uncompromising architecture is a radical departure from existing Linux-based systems. It combines microkernel technology, capability-based security, sandboxed device drivers, and custom system-control-processor firmware with a new user interface that diverges from the beaten track in interesting ways.
The talk by Genode developer Norman Feske will present the outcome of the past two years of intensive development, touching topics ranging from energy management, over voice telephony and mobile-data connectivity, up to applications like the Morph web browser. It goes without saying that the talk wouldn't be complete without showing the new OS in action.
Driven by the vision of a truly trustworthy smartphone, I dedicated the past year to bringing the component-based Genode OS to the Pinephone. The talk presents my experience story, touching on the hardware, booting, the porting of the kernel, component-architecture concerns, and device drivers.
Smartphones have become a commodity almost everyone relies on. With the convenience, however, comes complexity that is impossible to comprehend and constantly changing. The opaqueness of hardware and software puts the user in a subordinate position, making their devices - and by extension many aspects of their life - dependent on the decisions of a few dominant corporations. Our personal devices are constantly changing under our fingertips. Steady updates are presumably needed to stay secure, similar to how medicine is needed to stay healthy. But are the incentives of the platform providers aligned with my interests?
I want my digital life healthy without a constant supply of medicine! To reinforce trust, both hardware and software must become transparent, traceable, and tractable. The Pinephone satisfies the urge for transparency of the hardware, thanks to publicly available schematics and documentation. However, the predominant software stacks - even though based on the open-source Linux kernel - are practically inscrutable because of their immense complexity. Genode's rigid component architecture promises to bring order and clarity - and thereby trustworthiness - to the software.
Over the course of the past year, I pursued the combination of Genode with the Pinephone, diving deep into the Pinephone schematics, the SoC, booting, Genode's kernel, and device drivers. In my talk, I present the experiences made, touch on the use of Linux drivers directly on Genode, and draft a plan forward. The talk will be garnished by a demonstration.
Panel discussion and an extended Q&A session on the state of microkernel-based operating systems in 2021 and related topics. The panelists (in order of acceptance):
The discussion will smoothly evolve into the traditional and less formal "microkernel dinner". Please bring your own food and beverages.
Resilience is often touted as the biggest advantage of component-based systems over monolithic architectures. The catchy part of the story often told is the containment of faults via sandboxing. However, the story has another inconvenient side that often remains untold. Components are interdependent. Whenever a central low-level component fails, dependent software stacks suffer under the outage. The talk presents Genode's recent breakthroughs to address this second part of the story, in particular making the system resilient against flaky device drivers.
Component-based operating systems promise the containment of software faults and vulnerabilities by separating functionality into sandboxed components. In practice however, a contained fault is still a fault. Whenever a fault happens in a central server component, clients have to suffer under the outage of the server.
Device drivers are especially problematic because they tend to be fragile while being a hard dependency for critical software stacks running on top. Even though a bug in the driver cannot subvert the information security of the dependent components, it cuts the lifelines of those components.
This fundamental problem calls for an architectural solution. We found the key in the reversal of the dependency relationships for several classes of device drivers. During this line of work, we re-stacked Genode's low-level GUI stack and turned network device drivers into disposable components. Thanks to these changes, drivers for framebuffer, input, network, and wireless devices can now be started, killed, updated, and restarted at any time without disrupting applications.
The talk provides a holistic view of Genode's recent architectural changes, gives insights into the thought process, outlines the methodology applied for turning big parts of the system upside down, presents limitations, and gives an outlook to the future of Genode and Sculpt OS.
Sculpt OS is a novel general-purpose operating system designed from the ground up and implemented using the building blocks of the Genode OS framework. It started with the vision of a truly trustworthy OS that combines a completely new system structure with microkernels, capability-based security, sandboxed device drivers, and virtual machines. The talk is a live demonstration of the current incarnation of Sculpt.
The Genode OS framework is an operating-system technology created from scratch. Over the past decade, it steadily evolved from a fairly obscure research prototype to a practical day-to-day operating system.
Being a component-based system designed after the principle of least privilege from the very beginning, it breaks with many concepts that we take for granted in traditional operating systems, e.g., the central role of files. Instead, Genode introduces a novel way of composing system scenarios out of building blocks where the building blocks are able to cooperate without ultimately trusting each other. Those building blocks include not only applications but also all classical OS functionalities including kernels, device drivers, file systems, and protocol stacks.
In 2018 - after more than 10 years of developing Genode in a shadowy corner of the open-source community - the project created Sculpt OS, which is a Genode-based general-purpose OS for commodity PC hardware. Since it is not derived from any existing OS, Sculpt re-approaches established concepts like the installation, configuration, and spawning of programs from a new angle. This is reflected by its custom user interface.
Besides presenting the motivation and the fundamental ideas behind Genode, the talk will introduce and demonstrate the current state of Sculpt OS, draw connections to related open-source projects, and give a glimpse on the project's future plans.
Due to a cancellation, the Microkernel devroom will offer a lightning talk session in the field of Microkernels, Unikernels, and component based systems on Sunday from 15:25-15:55. Feel free to offer proposals.
Current proposals:
15:25 - 15:45 Norman Feske - Genode's Sculpt OS - A general purpose microkernel based OS in daily use
15:45 - 16:00 Jakub Jermar - What is new in HelenOS
Please note this session replaces Jiří Svoboda's talk "Evolution of file system and disk management in HelenOS" due to illness. We wish him a speedy recovery.
The talk demonstrates the Genode-based operating system as routinely used by the Genode developers. The starting point is a generic and fairly minimalistic base system, which is then live shaped into different forms using a plain text editor. Along the way, many features of Genode come into play, eventually forming a usable system.
Over the past decade, the Genode OS Framework has evolved from a research prototype to a practical operating-system foundation. This is evidenced by the Genode developers who use the system day to day. Being a component-based system designed after the principle of least privilege from the very beginning, it breaks with many concepts that we take for granted in traditional operating systems, e.g., the central role of files. Instead, Genode introduces a novel way of composing system scenarios out of building blocks where the building blocks are able to cooperate without ultimately trusting each other.
The composition of Genode systems used to be defined at system-integration time before booting the system. However, Genode also allows completely dynamic compositions where the system's behavior and structure can be changed at runtime. This ability is the basis for the use of Genode as a general-purpose OS. The talk introduces Sculpt, which is the designated blue-print for interactive and fully dynamic Genode systems.
Genode recently gained the ability to execute the same binary executables on kernels as different as seL4, NOVA, or Linux. Such kernel-independent executables are created via a regular tool chain and executed natively on the machine. The talk explains how it works, presents the challenges that had to be overcome, and gives an outlook of how Genode will leverage this ability in the future. The talk will be presented on a laptop running a Genode system and will be accompanied with live demonstrations.
Genode is a component-based operating system developed from the ground up to counter most security issues that plague us today, like spyware, viruses, and zero-day exploits. It combines microkernel technology, capability-based security, and virtualization with a unique component architecture. Developed over the course of 8 years, the project has finally evolved to a state where its developers use it as their desktop OS. The talk will give an introduction into Genode and demonstrate its unique takes on desktop computing.
In the free-software community, there is very little competition that challenges the predominant POSIX-based operating systems like Linux and FreeBSD. It's a universal truth that the creation of a new general-purpose operating system from scratch is infeasible due to the enormous amount of work needed to develop device drivers, libraries, and applications. Since most users seem to be content with the current POSIX-based state of the art, good arguments would be needed to justify such an effort.
Security and privacy are such arguments. In times when threats like identity theft, the leakage of personal information, business espionage, spyware, and even targeted attacks become prevalent, the current generation of commodity OSes remain inherently vulnerable to zero-day exploits and privilege escalation, and leave the end user largely unprotected.
Genode is a new operating-system architecture that promises to prevent most classes of security problems by design. Genode-based systems are created out of surprisingly simple primitives: Each program runs in a dedicated sandbox and gets granted only those rights and resources that are needed for its actual task. Programs can create and manage sub-sandboxes out of their own resources, thereby forming hierarchies where policies can be enforced at each level. Thanks to this rigid regime, the attack surface of security-critical functions can be reduced by orders of magnitude compared to contemporary operating systems.
After 8 years of development, the project has reached a state where a small group of enthusiasts use it as their primary OS. This was made possible by the virtue of embedding a wealth of open-source projects as components into the new system. For the use as desktop OS, Genode integrates Qt5, VirtualBox, Intel KMS, the GNU utilities, the Linux USB stack, the Intel wireless stack, Rump kernels, and a number of custom components into a completely new system composition.
The talk will first introduce the basic concepts behind Genode, contrasting its architecture to current-generation OSes. The second part of the talk will demonstrate how Genode approaches desktop computing and how it is used as day-to-day OS on the speaker's laptop.
The seL4 microkernel is the world's first OS kernel that is formally verified to contain no bugs. After several years of development as a proprietary technology, the kernel was eventually released as open source in summer 2014. This prompted me to explore the use of seL4 as base platform for the Genode OS framework. The talk will introduce seL4, explain the interplay of Genode with the kernel, and present the current state of development.
The Genode OS framework is a tool kit for building component-based operating systems. It combines microkernel technology, capability-based security, and virtualization with a unique component architecture that allows it to scale from static embedded systems to highly dynamic general-purpose workloads.
Since its inception in 2008, Genode was designated as user land for the L4 family of microkernels. In that spirit, it supports most members of the family including L4ka::Pistachio, L4/Fiasco, OKL4, NOVA, and Fiasco.OC. Each of those kernels has different pros and cons. Genode enables software developers to target all of them at once, and allows system integrators to pick the kernel that fits best.
The seL4 kernel is the latest and supposedly greatest member of the L4 family. What sets it apart from all the others is the premise, under which it was designed and developed: The formal verification of the kernel's correctness while achieving high performance. Similarly to NOVA and Fiasco.OC, it employs capability-based security as the fundamental mechanism for guarding the access to kernel objects. But in contrast to the existing kernels, it also attacks the fundamental problem of managing kernel memory from the user land - a problem that used to be conveniently ignored by all prior L4 kernels.
After several years of development behind the closed doors of NICTA, seL4 was finally set free under the GPL license in 2014. From Genode's perspective, this sounded almost too good to be true: An open-source microkernel that is formally verified to be correct, well documented, backed by an enthusiastic community, and equipped with all the basic functionality required by Genode!
It goes without saying that - as a Genode developer - I was thrilled to bring both projects together. After conducting a series of experiments exercising the kernel interface, I started adapting Genode to seL4 as a personal side project. Even though the seL4 kernel and the Genode user land should intuitively fit perfectly together on paper, the devil lies in the details. In the talk, I'd like to share those details, the challenges that had to be overcome, and the solutions I came up with. It provides insights into both the seL4 kernel interface and Genode's underpinnings, and gives a glimpse of the future direction.
Modern graphical user interfaces must be both extremely versatile and beautiful to be appealing for users. Current GUIs try to fulfil those requirements at the cost of extremely high complexity, which puts the privacy and security of the user at risk. The talk will introduce a new component-based GUI architecture that puts security in the front seat while aiming at highly customizable user experiences.
GUIs face the challenge to appeal to users with vastly different tastes. Visually, each user seems to have different preferences, which current-generation GUIs try to address with theming engines. But also conceptually, different groups of users prefer different concepts. For example, a window manager might support floating windows, tiled windows, tabbed windows, and virtual desktops. In order to be appealing to a large user base, it has to support as many of those concepts as possible. As another example, modern widget tool kits such as Qt5 try to accommodate all kinds of applications with a huge library of features. The richness of features, however, comes at a price, which is the overwhelming complexity of current-generation GUI systems. Large parts of the GUI are shared among graphical applications including both privacy-sensitive as well as potentially malicious programs. In the presence of malware, the complexity becomes a large attack surface. But how can this be avoided?
The talk will introduce a new architecture that applies microkernel construction principles to split the GUI into an arrangement of components such that the highly complex elements are stuffed away in sand boxes where they cannot do any harm. The security-critical parts are encapsulated into tiny components that do not even rely on a C runtime. Their ultra-low complexity and rigid interfaces mitigate the chance for attacks. At the same time, the architecture provides large degrees of freedom with respect to the virtual presentation and the window-layout management.
The key components and their relationship will be explained and demonstrated live during the talk.
NOVA is both a microkernel and a hypervisor. With only 10,000 lines of code, it is able to host virtual machines and applications securely side by side. In contrast to mature virtualization solutions like VirtualBox, however, the range of supported virtual machines used to be limited to a few fine-tuned guest OSes. The talk explains and demonstrates how VirtualBox became able to run on top of Genode/NOVA, and presents the benefits of combining NOVA with VirtualBox.
Commodity open-source virtualization solutions like Qemu/KVM and VirtualBox have received tremendous work and hand-crafted heuristics to enable a wide range of unmodified guest operating systems to run flawlessly inside virtual machines. On the other hand, those commodity virtualization solutions rely on a highly complex trusted computing base. Speaking of VirtualBox, the user has to ultimately trust the VirtualBox application in addition to the host OS kernel because VirtualBox exercises all-encompassing control over the host system. This high complexity comes with a high likelihood for bugs and thereby represents a large attack surface that puts the security and privacy of the user at risk.
With the NOVA virtualization architecture, there exists an alternative approach where the complex parts of the virtualization platform are executed in the form of unprivileged components on top of a low-complexity hybrid microkernel/hypervisor. The hypervisor solely provides mechanisms to segregate platform resources, to enable secure inter-component communication, and to reflect virtualization events to user-level virtual-machine monitors. This way, the effective isolation between virtual machines as well as components that run beside virtual machines depends on a trusted computing base of less than one percent compared to commodity virtualization solutions. On the downside, the beauty of the architecture has not gained much attention because NOVA's existing user-level virtual machine monitor lacked the feature set and out-of-the box experience of mature virtualization products.
The talk will present how the feature-rich VirtualBox virtual machine monitor was brought to the NOVA microhypervisor using the Genode OS framework as user-level infrastructure. It will start with an overview of the VirtualBox architecture on the traditional platforms, followed by a brief introduction into the world of NOVA and Genode. The main part of the talk will explain the methodology of the transplantation work and the challenges that had to be overcome. Finally, it will outline the benefits and possible future directions of combining both technologies.
The presentation will be held using a Genode/NOVA system, which will also be used for a live demonstration.
Most provisions against the steadily growing threats imposed by malware, viruses, and directed attacks are fighting symptoms rather than addressing the root of the problem, which lies in the operating system. Genode is an open-source OS technology that promises to give an answer to those threats. By organizing the system as nested sandboxes and consequently applying the principle of least privilege, it protects the privacy of the user and renders most classes of malware ineffective. The talk will be presented on a Genode-based system, which allows the demonstration of the concepts live during the talk.
The effects of malware and client-side attacks seem to have become a prevalent part of our inter-connected world and increasingly affect individuals, businesses, and governmental institutions alike. The topic has even managed to capture the attention of main-stream media, prompting vocal calls for counter-measures. Governments invest large sums in forming cyber-defense departments. Computer users are urged to invest money in anti-virus software and install a steady stream of security updates. However, those actions are just reactive, fighting symptoms, and merely relieve the problem rather than solving it. For example, none of those measures is effective against zero-day exploits.
The root of the problem is not the "dumb user", or "outdated anti-virus software", or "cyber terrorists" but the antiquated way of how today's operating systems are structured, how they implement security, and the chaotic way of how software components are allowed to interact with each other.
Genode is an operating-system architecture that promises to prevent most classes of security problems by design. Genode-based systems are created out of surprisingly simple primitives: Each program runs in a dedicated sandbox and gets granted only those rights and resources that are needed for its actual task. Programs can create and manage sub-sandboxes out of their own resources, thereby forming hierarchies where policies can be enforced at each level. Furthermore, programs are able to communicate and trade their resources, but only in a well-defined manner. Thanks to this rigid regime, the attack surface of security-critical functions can be reduced by orders of magnitude compared to contemporary operating systems.
This sounds pretty academic but there exists an Open-Source implementation in the form of the Genode OS Framework showing that those ideas translate to a general-purpose OS. In line with Unix philosophy, this framework is a collection of small building blocks, out of which complex systems can be composed. But unlike Unix, those building blocks include not only applications but all classical OS functionalities including kernels, device drivers, file systems, and protocol stacks.
During the talk, we will see several of those compositions demonstrated, hinting at the vast flexibility the architecture provides. At present, this makes Genode a rich playground for OS enthusiasts. The ultimate goal, however, is a fully-fledged operating system that protects the user's privacy and data, and relieves us from worrying about malware, virus infections, and directed attacks. The talk will show how Genode renders various classes of malware pointless and how the Genode developers envision their migration path from current-generation OSes to Genode.
The Genode OS project started in 2006 as a tool kit for building microkernel-based special-purpose operating systems. Over the course of the past years, it has grown to a state where it becomes feasible to be used as a general-purpose OS for daily computing needs. This talk will present the many challenges that we faced on our way during the past year.
The topics range from making microkernels such as NOVA fit for highly dynamic workloads, over the creation of low-level OS infrastructure and the porting of existing software stacks, to the question of how the user interacts with a system that largely deviates from the classical path of Unix-like OSes. In the line of the presentations of the past years, the talk will be garnished with various demonstrations.
The podium will consist of representatives of all the OS projects participating in the devroom. This is thought as an interactive event. The audience will have the opportunity to ask questions, which will be answered by all representatives.
The Genode OS Framework is a tool kit for composing special-purpose OSes out of a growing number of ready-to-use components such as device drivers, protocol stacks, runtimes, and in particular microkernels. One year ago, we declared our goal to bring the framework to a level where its developers can use it as day-to-day OS. The talk will briefly introduce the fundamental ideas behind Genode's architecture followed by the presentation of the corner-stone for pursuing our goal to run GNU on Genode, namely the Noux runtime environment. Growing up is not easy. Hence, the second part of the presentation will be an experience report on the challenges we encountered at various levels of the software stack and the ways of how we overcame them.