
Genode OS: A tool kit for highly secure special-purpose operating systems - doener
https://genode.org/about/index
======
mewmew
I've been following the Genode project for quite some time, and first got the
chance to meet the Genode team when they presented their work at FOSDEM in
2012. I've since been amazed, both at the pace of development they've kept up
while keeping to their principles of a small trusted code base that is kept
clean by refactoring when common concepts are outlined.

My friend Daniel and I were invited to join their Hack n' Hike event a few
years back, and it was just the loveliest! We hiked together during the days,
sharing a barbecue around the camp fire in the evenings and hacking together
at night. The people on the Genode team are among the friendliest I've come
across in the open source community.

I wish you all the best of futures, both with the Genode project and in life
in general.

Cheerful regards, Robin

__Edit:__ the slides from FOSDEM 2012 introducing Genode (in the state of the
project back then): [https://genode-labs.com/publications/nfeske-genode-fosdem-2012-02.pdf](https://genode-labs.com/publications/nfeske-genode-fosdem-2012-02.pdf)

------
im_down_w_otp
The fine people on the Genode project did yeoman's work for constructing
something sufficiently complex atop seL4. Without their exploring, mailing-
list cajoling, implementation, and write-ups our seL4 work would be
significantly more painful, and it's already unpleasantly painful as-is.

~~~
mey
sel4.systems appears to be down currently

~~~
doener
Now it's up again: [http://sel4.systems/](http://sel4.systems/)

------
akavel
It's worth noting they now have a downloadable USB image, which is notably
dogfed (dogfooded? dogfeeded?) by the Genode developers:

[https://genode.org/download/sculpt](https://genode.org/download/sculpt)

And some eye candy:

[https://genode.org/about/screenshots](https://genode.org/about/screenshots)

~~~
lsofzz
> It's worth to note they now have a downloadable USB image, which is notably
> dogfed (dogfooded? dogfeeded?) by the Genode developers:
> [https://genode.org/download/sculpt](https://genode.org/download/sculpt)

I fetched their `sculpt-vc.img` and created a qcow2 out of it to directly boot in
qemu.

$ qemu-img convert -f raw -O qcow2 sculpt-vc.img
/var/lib/libvirt/images/sculpt-vc.qcow2

The resulting image is not bootable. It fails on boot showing the _Genode_ logo
and goes into a reboot cycle.

$ file sc*

sculpt-vc.img: DOS/MBR boot sector, extended partition table (last)

sculpt-vc.qcow2: QEMU QCOW2 Image (v3), 24375296 bytes

~~~
chelmuth
Genode uses PCI MMCONFIG, so you have to use 'qemu -machine q35' not 'pc'.

~~~
lsofzz
Nice. This got me going

$ qemu-system-x86_64 -name guest=humbug,debug-threads=on -drive
file=/var/lib/libvirt/images/sculpt-vc.qcow2 -machine q35 ....
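The conversion and launch steps from this sub-thread, collected into one script. This is an added example and not code from the thread or the Genode project; the image paths, the guest name, the memory size and the use of KVM are assumptions. The point it makes executable is the one chelmuth raised: the launch refuses to proceed unless the command line selects the q35 machine type, since Sculpt relies on PCI MMCONFIG that the default `pc` machine does not provide.

```shell
#!/bin/sh
# Added example (not from the thread): convert the raw Sculpt image to qcow2 and
# boot it under QEMU with the q35 machine type instead of the default pc.
# Paths, guest name and memory size are assumptions; adjust them to your setup.

IMG_RAW="${IMG_RAW:-sculpt-vc.img}"
IMG_QCOW="${IMG_QCOW:-/var/lib/libvirt/images/sculpt-vc.qcow2}"

# Build the QEMU command line for a given qcow2 image. Returned as a string so it
# can be inspected (and checked) before anything is executed.
sculpt_qemu_cmd() {
    printf '%s' "qemu-system-x86_64 -name guest=sculpt -machine q35 -m 2048 -enable-kvm -drive file=$1,format=qcow2"
}

# Convert raw -> qcow2, skipping the conversion if the target already exists.
convert_sculpt_image() {
    [ -e "$2" ] && return 0
    qemu-img convert -f raw -O qcow2 "$1" "$2"
}

# Guard against the failure mode seen above: a command line without
# '-machine q35' boots into the Genode logo and then reboots in a loop.
check_machine_q35() {
    case "$1" in
        *"-machine q35"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Only perform the real conversion and launch when explicitly requested, so the
# file can be sourced or checked without starting a VM.
if [ "${RUN_SCULPT:-0}" = 1 ]; then
    convert_sculpt_image "$IMG_RAW" "$IMG_QCOW"
    cmd=$(sculpt_qemu_cmd "$IMG_QCOW")
    check_machine_q35 "$cmd" || { echo "refusing to launch: machine type is not q35" >&2; exit 1; }
    exec $cmd
fi
```

Run it with `RUN_SCULPT=1 IMG_RAW=./sculpt-vc.img sh sculpt-qemu.sh` after downloading the image; without `RUN_SCULPT=1` it defines the functions and exits without touching QEMU.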

------
nickpsecurity
They implement a Nizza-like architecture to let you choose how much risk you
want for each part of your stack:

[https://os.inf.tu-dresden.de/papers_ps/nizza.pdf](https://os.inf.tu-dresden.de/papers_ps/nizza.pdf)

It's also designed to allow separation kernels to be used in foundation.
There's been quite a few of them:

[https://arxiv.org/pdf/1701.01535](https://arxiv.org/pdf/1701.01535)

~~~
posix_me_less
Do you think it is feasible, for a power user who can set up and debug Linux
installations, to set up and use GenodeOS or seL4 as of today as a main
workstation with X applications on the level of Xfce, Firefox? (days, or
months, or not at all?)

~~~
nickpsecurity
I haven't used the recent version. Try it out. Tell us how well it works or
doesn't. Preferably on hardware you know is supported.

------
AnaniasAnanas
An obligatory mention when we talk about secure operating systems is the seL4
microkernel ([https://github.com/seL4/seL4](https://github.com/seL4/seL4))
where they have formally verified every line of code using the proof assistant
Isabelle/HOL.

~~~
martin1975
Always made me curious why Google didn't decide to use seL4 as a base for
Fuchsia and instead went with Zircon...

~~~
casual_slacker
There might be license issues between AGPLv3 of GenodeOS and the Apache 2.0 or
GPLv2 that Android components use.

~~~
renox
? I know that this is a GenodeOS topic, but the GP wondered about _seL4_ which
has some parts in GPLv2 and others BSD (2-clause).

IMHO the reason that few use seL4 is that it isn't ready: AFAIK seL4 isn't
able to efficiently use multiple cores with power savings, which is mandatory
for usage in phones (and phones can use complex CPUs with big and little
cores).

------
Timothycquinn
I was wondering what the fit with Qubes OS was. Found this entry on Genode
challenges page:

"Genode as virtualization layer for Qubes OS - ...This exploration project
pursues the goal of replacing Xen by Genode as virtualization layer for
Qubes."

~~~
DyslexicAtheist
_> I was wondering what the fit with Qubes OS was._

Rootkovska has been (imvho rightfully) criticized in the past for selling
isolation but dismissing the attack surface in Xen. I think Genode can help
here:

[https://twitter.com/rootkovska/status/949297922998489088](https://twitter.com/rootkovska/status/949297922998489088)

Though I believe thegrugq / ioerror have a point when they say that hardware
compartmentalization is superior to layers of SW virtualization:

[https://twitter.com/thegrugq/status/515085244198703105](https://twitter.com/thegrugq/status/515085244198703105)

The threat model is relevant though: In that aspect QubesOS has some problems
finding an audience. I personally like it (I'm an active user) ... but mostly
because I have a fetish for privacy+security and I like to play with new
stuff. However if you push a journalist or activist or anyone facing real risk
to learn QubesOS (the learning curve is huge for the general user), it makes
more sense to just invest in HW based compartmentalization instead. HW
compartmentalization can be taught more easily and there is less of a chance
of shooting yourself in the foot. It's not a tech that anybody whose life is
under threat should be using. The first rule here is not to use tech in the first
place, and for cases where the risk is marginal use HW based isolation ...
then there is nothing for a long time followed by things like QubesOS, Signal
etc. These things are just good enough to hide an affair but it's reckless
selling them as a serious solution to tech-illiterate folk who have something to
lose.

~~~
heavenlyhash
I think the linked Rootkovska tweet (or more specifically, her own
thread/replies to it) actually gracefully acknowledges that Xen is not
magically free of attack surfaces.

She's also written some fairly long-form articles about Xen security and the
(sometimes significant) room for improvement, including, for example, this
Black Hat talk (from 2008!) about breaking Xen:
[https://invisiblethingslab.com/resources/bh08/part3.pdf](https://invisiblethingslab.com/resources/bh08/part3.pdf)

I don't disagree with the rest of your comment :) I just have the impression
that any discussion about Qubes+Xen is less "dismissal" and more that
supporting a variety of hypervisors is "a small matter of programming" (where
"small" is used to mean "absolutely not small").

------
lsofzz
I want to run this on qemu/kvm Linux. How?

