Online / 6 & 7 February 2021


Pluggable device drivers for Genode

Resilience is often touted as the biggest advantage of component-based systems over monolithic architectures. The catchy part of the story often told is the containment of faults via sandboxing. However, the story has another inconvenient side that often remains untold. Components are interdependent. Whenever a central low-level component fails, dependent software stacks suffer under the outage. The talk presents Genode's recent breakthroughs to address this second part of the story, in particular making the system resilient against flaky device drivers.

Component-based operating systems promise the containment of software faults and vulnerabilities by separating functionality into sandboxed components. In practice however, a contained fault is still a fault. Whenever a fault happens in a central server component, clients have to suffer under the outage of the server.

Device drivers are especially problematic because they tend to be fragile while being a hard dependency for the critical software stacks running on top of them. Even though a bug in the driver cannot subvert the information security of the dependent components, it cuts the lifelines of those components.

This fundamental problem calls for an architectural solution. We found the key in the reversal of the dependency relationships for several classes of device drivers: instead of a central server depending on the driver, the driver becomes a client of the server. During this line of work, we re-stacked Genode's low-level GUI stack and turned network device drivers into disposable components. Thanks to these changes, drivers for framebuffer, input, network, and wireless devices can now be started, killed, updated, and restarted at any time without disrupting applications.
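To make the dependency reversal concrete, here is a small Python model added for this page. It is not Genode code and not taken from the talk; it uses the session names Gui and Capture as assumed labels and simulates a GUI server, a framebuffer driver, and an application in both arrangements. In the classic stacking the GUI server composes straight into a buffer owned by the driver, so a driver crash breaks the application's session. In the reversed stacking the server owns the composed buffer and the driver merely captures it, so the driver can die and a fresh instance catches up with the current screen contents.

```python
"""Toy model of driver dependency reversal (added illustration, not Genode code).

classic:  app --Gui--> GUI server --Framebuffer--> driver   (server depends on driver)
reversed: app --Gui--> GUI server <--Capture--  driver      (driver depends on server)

Session names follow Genode's terminology; the classes are an assumed simplification.
"""
from __future__ import annotations


class SessionClosed(Exception):
    """Raised when a client uses a session whose server side is gone."""


# --- classic stacking: the GUI server is a client of the driver -------------

class ClassicDriver:
    def __init__(self, width: int, height: int) -> None:
        self.fb = bytearray(width * height)   # driver owns the pixel buffer
        self.alive = True

    def write(self, offset: int, data: bytes) -> None:
        if not self.alive:
            raise SessionClosed("framebuffer session gone")
        self.fb[offset:offset + len(data)] = data

    def crash(self) -> None:
        self.alive = False
        self.fb = bytearray()                 # contents vanish with the driver


class ClassicGuiServer:
    """Composes directly into the driver's buffer and keeps no copy of its own."""
    def __init__(self, driver: ClassicDriver) -> None:
        self.driver = driver

    def draw(self, offset: int, data: bytes) -> None:
        self.driver.write(offset, data)       # the driver outage propagates to the app


# --- reversed stacking: the driver is a client of the GUI server ------------

class GuiServer:
    """Owns the composed buffer and hands read-only capture views to drivers."""
    def __init__(self, width: int, height: int) -> None:
        self.fb = bytearray(width * height)
        self.capture_clients: set[int] = set()
        self.generation = 0                   # incremented on every draw

    def draw(self, offset: int, data: bytes) -> None:
        self.fb[offset:offset + len(data)] = data
        self.generation += 1

    def open_capture(self, client_id: int) -> None:
        self.capture_clients.add(client_id)

    def close_capture(self, client_id: int) -> None:
        self.capture_clients.discard(client_id)

    def capture(self, client_id: int) -> tuple[int, bytes]:
        if client_id not in self.capture_clients:
            raise SessionClosed("no capture session")
        return self.generation, bytes(self.fb)


class CaptureDriver:
    """Disposable framebuffer driver: pulls pixels from the server into the (simulated) hardware."""
    _next_id = 0

    def __init__(self, server: GuiServer) -> None:
        self.server = server
        CaptureDriver._next_id += 1
        self.id = CaptureDriver._next_id
        self.screen = b""
        self.server.open_capture(self.id)

    def refresh(self) -> int:
        gen, pixels = self.server.capture(self.id)
        self.screen = pixels
        return gen

    def crash(self) -> None:
        # A parent would free the child's sessions on exit; modelled explicitly here.
        self.server.close_capture(self.id)
        self.screen = b""


def classic_scenario() -> str:
    drv = ClassicDriver(4, 2)
    gui = ClassicGuiServer(drv)
    gui.draw(0, b"\x01\x02")
    drv.crash()
    try:
        gui.draw(2, b"\x03")
        return "app unaffected"
    except SessionClosed:
        return "app outage"


def reversed_scenario() -> tuple[str, bytes]:
    gui = GuiServer(4, 2)
    drv = CaptureDriver(gui)
    gui.draw(0, b"\x01\x02")
    drv.refresh()
    drv.crash()
    gui.draw(2, b"\x03")                      # the app keeps drawing while no driver is present
    restarted = CaptureDriver(gui)            # a fresh driver instance attaches
    restarted.refresh()                       # and catches up with the current screen
    return "app unaffected", restarted.screen


if __name__ == "__main__":
    print("classic :", classic_scenario())
    print("reversed:", reversed_scenario())
```

The point the model makes is about session lifetimes, not pixels: in the reversed arrangement the application's Gui session never references the driver, so nothing the driver does can invalidate it, and the state a restarted driver needs lives in the server rather than in the dead component.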

The talk provides a holistic view of Genode's recent architectural changes, gives insights into the thought process, outlines the methodology applied for turning large parts of the system upside down, presents limitations, and gives an outlook on the future of Genode and Sculpt OS.


Norman Feske