Genode is a

free and open-source software Free and open-source software (FOSS) is a term used to refer to groups of software consisting of both free software and open-source software where anyone is freely licensed to use, copy, study, and change the software in any way, and the source ...

operating system (OS) framework consisting of a microkernel abstraction layer and a set of user space components. The framework is notable as one of the few open-source operating systems not derived from a proprietary OS, such as Unix. The characteristic design philosophy is that a small trusted computing base is of primary concern in a security-oriented OS. Genode can be used as a basis for a

desktop computer A desktop computer (often abbreviated desktop) is a personal computer designed for regular use at a single location on or near a desk due to its size and power requirements. The most common configuration has a case that houses the power supply ...

or tablet OS or as a virtual machine monitor for guest operating systems. The framework has been used as a trusted component of secure virtualization systems for both x86 and ARM. The small codebase of Genode makes it a flexible alternative to more complex Unix-derived operating systems. For this reason the framework has been used as a base system for research in such fields as virtualization,

inter-process communication In computer science, inter-process communication or interprocess communication (IPC) refers specifically to the mechanisms an operating system provides to allow the processes to manage shared data. Typically, applications can use IPC, categori ...

IP stack The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...

isolation, monitoring, and

software development Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components. Software development invol ...

History

Genode was first conceived as the Bastei OS Architecture research report at the Technical University of Dresden ( TU Dresden). The focus of the report was to determine the practicality of a component-based OS using capability-based security. This report was motivated in part by research into L4 microhypervisors conducted during the same time. Following the success of an early prototype, the authors of the report founded the company Genode Labs to develop Bastei as the Genode OS Framework.

Releases

The project is developed publicly as an open source project released under the terms of the GNU Affero General Public License with a commercial entity offering alternative licensing. Releases are scheduled at three-month intervals to make changes to the system application binary interface (ABI),

application programming interface An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...

(API), and issue documentation. The OS framework is available in source code form and following the 18.02 release a general purpose derivative named Sculpt is provided with on-target binary deployment.

Architectural features

Genode builds on the general philosophy of microkernels: the smaller and simpler the code, the easier it is to verify for trustworthiness and correctness. Genode extends this philosophy to user space by composing complex applications from small components. Each component exists in a strict hierarchy of parent-child relationships. Any component acting as a parent may apply resource and

(IPC) access policies to its children. This hierarchical system layout yields intuitive partitioning and privilege deescalation as specialized subsystems are nested within more general subsystems, mitigating the confused deputy problem endemic to centralized or

superuser In computing, the superuser is a special user account used for system administration. Depending on the operating system (OS), the actual name of this account might be root, administrator, admin or supervisor. In some cases, the actual name of t ...

system policy. The framework is designed to be hosted by microkernels, however the features of any given microkernel fall mostly within a common set, and monolithic kernels implement a superset of those features. Abstracting these features allows Genode to act as user space for a variety of L4 microkernels, and Linux.

Criticism

C++

Genode is often criticized for the choice of its implementation language, C++ (a few other operating systems implemented in C++ include

BeOS BeOS is an operating system for personal computers first developed by Be Inc. in 1990. It was first written to run on BeBox hardware. BeOS was positioned as a multimedia platform that could be used by a substantial population of desktop users a ...

, Fuchsia,

Ghost A ghost is the soul or spirit of a dead person or animal that is believed to be able to appear to the living. In ghostlore, descriptions of ghosts vary widely from an invisible presence to translucent or barely visible wispy shapes, to rea ...

, Haiku, IncludeOS,

OSv OSV may be: * OSV-96, a Russian anti-materiel rifle * Object–subject–verb word order * Offshore vessel * Old Sturbridge Village * Open-source voting * ''Our Sunday Visitor Our Sunday Visitor (OSV) is a Catholic publishing company in Hunti ...

, Palm OS,

ReactOS ReactOS is a free and open-source operating system for amd64/i686 personal computers intended to be binary-compatible with computer programs and device drivers made for Windows Server 2003 and later versions of Windows. ReactOS has been noted a ...

Syllable A syllable is a unit of organization for a sequence of speech sounds typically made up of a syllable nucleus (most often a vowel) with optional initial and final margins (typically, consonants). Syllables are often considered the phonological "bu ...

, and

Symbian Symbian is a discontinued mobile operating system A mobile operating system is an operating system for mobile phones, tablets, smartwatches, smartglasses, or other non-laptop personal mobile computing devices. While computers such as typic ...

). This critique usually asserts that C++ is a poor choice for implementing system libraries and APIs because of the inherent complexity of C++ and the difficulty in analyzing code for correct behavior. While Genode does make use of multiple inheritance and templates in its system library, the use of the C++ Standard Library is not allowed and language features that rely on implicit global state, such as thread-local storage and the global allocator, have been removed from the language runtime. Comprehensive static analysis of C++ is not possible. However, the Genode project publishes unit tests for empirical analysis.

XML

Genode components consume and publish state using structured data serialized in XML, in contrast to the plain text model of Unix derivatives. The Genode framework makes use of XML in effectively all of its components because XML is easily parsed and generated programmatically while still being possible to understand and edit manually.

Local namespacing

Genode lacks any practical global namespace; there is no global

file system In computing, file system or filesystem (often abbreviated to fs) is a method and data structure that the operating system uses to control how data is stored and retrieved. Without a file system, data placed in a storage medium would be one larg ...

or registry of

processes A process is a series or set of activities that interact to produce a result; it may occur once-only or be recurrent or periodic. Things called a process include: Business and management *Business process, activities that produce a specific se ...

or IPC endpoints. This is in contrast to systems such as Unix which feature a ubiquitous file system and allow a superuser context to arbitrarily manage any process within the system. Explicitly declaring the permissions and routing of components may be perceived as labor-intensive relative to Unix. However, compartmentalizing administration allows subsystems to be managed by mutually untrusted system administrators on the same machine without resorting to virtualizing, a common isolation method.

Sculpt

The Genode project publishes a desktop operating system named ''Sculpt'' that targets contemporary consumer

laptop A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. Laptops typically have a clam shell form factor with the screen mounted on the inside of the upper li ...

s. Sculpt is a small base system with automatic device detection and configuration, some GUI control interfaces, and frontends to the Genode package manager. The system does not feature a full desktop environment, but requires users to deploy virtual machines hosting traditional OSes for a fully featured desktop. Sculpt is distinguished from the Genode operating system framework in that it relies heavily on dynamic reconfiguration using privileged control components in contrast to specialized systems with static policies.

References

External links

; Official websites * ; Research projects
KV-Cache: A Scalable High-Performance Web-Object Cache for Manycore

TrApps: Secure Compartments in the Evil Cloud

Development of an Embedded Platform for Secure CPS Services

Secure-OS project of IIT Madras

Kernel isolation of a Capability-based security Operating System

Mobile Device Security with ARM TrustZone
{{Operating systems ARM operating systems Capability systems Free software operating systems Free software programmed in C++ Microkernel-based operating systems Operating system security X86 operating systems X86-64 operating systems