Genode is a free and open-source operating system framework consisting of a microkernel abstraction layer and a collection of userspace components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS.
The desktop system Sculpt based on Genode
|Working state||Stable release|
|Source model||Open source|
|Latest release||19.11 / August 29, 2019|
|Marketing target||Desktop, embedded|
|Platforms||ARM, RISC-V, x86, x86-64|
Genode can be used as a basis for a desktop or tablet OS or as a virtual machine monitor for guest operating systems. The framework has been used as trusted component of secure virtualization systems for both x86 and ARM.
The small codebase of Genode makes it a flexible alternative to more complex Unix-derived operating systems. For this reason the framework has been used as a base system for research in such fields as virtualization, inter-process communication, IP stack isolation, monitoring, and software development.
Genode was first conceived as the Bastei OS Architecture research report at the Technical University of Dresden. The focus of the report was to determine the practicality of a component-based OS using capability-based security. This report was motivated in part by research into L4 microhypervisors conducted during the same period. Following the success of an early prototype, the authors of the report founded the company Genode Labs to develop Bastei as the Genode OS Framework.
The project is developed publicly as an open source project released under the terms of the GNU Affero General Public License with a commercial entity offering alternative licensing. Releases are scheduled at three-month intervals to make changes to the OS ABI and APIs and issue documentation. The OS framework is available in source code form and following the 18.02 release a general purpose derivative called Sculpt is provided with on-target binary deployment.
Genode builds on the general philosophy of microkernels – the smaller and simpler the code, the easier it is to verify for trustworthiness and correctness. Genode extends this philosophy to userspace by composing complex applications from small components. Each component exists in a strict hierarchy of parent-child relationships. Any component acting as a parent may apply resource and inter-process communication (IPC) access policies to its children. This hierarchical system layout yields intuitive partitioning and privilege deescalation as specialized subsystems are nested within more general subsystems, mitigating the confused deputy problem endemic to centralized or superuser system policy.
The framework is designed to be hosted by microkernels, however the features of any given microkernel fall mostly within a common set, and monolithic kernels implement a superset of those features. Abstracting these features allows Genode to act as userland for variety of L4 microkernels as well as Linux.
Genode is often criticized for the choice of its implementation language, C++ (a few other operating systems implemented in C++ include BeOS, Fuchsia, Ghost, Haiku, IncludeOS, OSv, Palm OS, ReactOS, Syllable, and all the major browser engines). This critique usually asserts that C++ is a poor choice for implementing system libraries and APIs because of the inherent complexity of C++ and the difficulty in analyzing code for correct behavior. While Genode does make use of multiple inheritance and templates in its system library, the use of the C++ Standard Library is not allowed and language features that rely on implicit global state, such as thread-local storage and the global allocator, have been removed from the language runtime. Comprehensive static analysis of C++ is not possible. However, the Genode project publishes unit tests for empirical analysis.
Genode components consume and publish state using structured data serialized in XML, in contrast to the plain text model of UNIX derivatives. The Genode framework makes use of XML in effectively all of its components because XML is easily parsed and generated programmatically while still being possible to understand and edit manually.
Genode is without any practical global namespaces; there is no global file-system or registries of processes or IPC endpoints. This is in contrast to systems such as UNIX which feature a ubiquitous file-system and allow a superuser context to arbitrarily manage any process within the system. Explicitly declaring the permissions and routing of components may be perceived as labor intensive relative to UNIX. However, compartmentalization of administration allows subsystems to be managed by mutually untrusted administrators on the same machine without resorting to virtualization, a common isolation method.
The Genode project publishes a desktop operating system called "Sculpt" that targets contemporary consumer laptops. Sculpt is a small base system with automatic device detection and configuration, some GUI control interfaces, and frontends to the Genode package manager. The system does not feature a full desktop environment, but requires users to deploy virtual machines hosting traditional OSes for a fully featured desktop. Sculpt is distinguished from the Genode operating system framework in that it relies heavily on dynamic reconfiguration using privileged control components in opposition to specialized systems with static policies.
- HelenOS, a desktop microkernel based operating system.
- QNX, a proprietary Unix-like operating system hosted by a microkernel.
- Qubes OS, a desktop operating system that provides security through virtualization.
- Subgraph (operating system), a Linux distribution that provides security through sandboxing.
- Capability-based security
- Secure by default
- "Genode OS Framework latest release".
- "Genode OS adds RISC-V support".
- Larabel, Michael. "Genode Is Developing A GPU Multiplexer For Intel Graphics Hardware". Phoronix.
- "Introduction of the Genode OS Framework". archive.fosdem.org/2012.
- "L4 Based Operating Systems". L4hq.org.
- Larabel, Michael. "Redox OS, MINIX, Hurd & Genode Had Their Time At FOSDEM Too". Phoronix.
- Baader, Hans-Joachim. "Genode 2018.2 mit Sculpt OS". pro-linux.de.
- Larabel, Michael. "Sculpt Aims To Be A General-Purpose OS Built Atop Genode".
- Tarasikov, Alexander (2013-05-11). "Porting Genode to commercial hardware". allsoftwaresucks.blogspot.com.
- "Muen - An x86/64 Separation Kernel for High Assurance".
- Williams, John. "Inspecting data from the safety of your trusted execution environment" (PDF).
- "Embassies: Radically Refactoring the Web" (PDF). USENIX.
- Martin Wegner, Sönke Holthusen (2014-12-11). "Contract Specification and language". ccc-project.org.
- Hamad, Mohammad (2016-01-06). "The Secure Communication Module of CCC". ccc-project.org.
- Hamad, Mohammad. "A communication framework for distributed access control in microkernel-based systems" (PDF).
- B.PRUTHIVIRAJ, G.S.MADHUSUTHUN, S.VIJAYASARATHY, K.CHAKRAPANI. "A MICROKERNEL BASED SECURE OPERATING SYSTEM USING GENODE FRAMEWORK" (PDF). jatit.org.CS1 maint: multiple names: authors list (link)
- Hähne, Ludwig. "Empirical Comparison of SCons and GNU Make" (PDF).
- Millo-Sánchez, Reinier & Paz Rodríguez, Waldo & Fajardo-Moya, Alexis. "Genode OS Framework, un framework para el desarrollo de sistemas embebidos". ResearchGate.CS1 maint: multiple names: authors list (link)
- "TU Dresden technical report TUD-FI06-07" (PDF).
- "NOVA Microhypervisor".
- "L4 Based Operating Systems". L4hq.org.
- "SeL4 Community Projects". sel4.systems.
- "Genode's Conscious C++ dialect". genodians.org. Retrieved 2019-11-29.
- "Release notes 18.02".
|Wikimedia Commons has media related to Genode.|
- Official webpages
- Research projects
- KV-Cache: A Scalable High-Performance Web-Object Cache for Manycore
- TrApps: Secure Compartments in the Evil Cloud
- Development of an Embedded Platform for Secure CPS Services
- Secure-OS project of IIT Madras
- Kernel isolation of a Capability-based security Operating System
- Mobile Device Security with ARM TrustZone