Following up from previous conversations with the committers, I am
appending a proposal for a new Xen Project sub-project aimed at embedded
and IoT. Let me know if you have questions or suggestions. Also,
sponsors are very welcome! :-)
FYI, I also have a presentation on ViryaOS at Xen Developer Summit, I am
looking forward to it!
To create and support open source Xen based tools that help users build
end-to-end secure embedded systems.
## The Problem
Xen enables highly secure, flexible architectures, suitable for widely
different embedded use-cases, from industrial to IoT and cloud. However,
putting a Xen based system together is still a complex endeavor. It is
even harder to configure it to be as secure as possible. In the Xen
ecosystem, we lack a unifying effort to help with the integration
challenges that anybody building Xen-based systems is facing. Setting up
a Xen based system takes too long and it is too hard for both users and
Today, many of us are spending time, effort and money to maintain their
own build systems and techniques for generating VM configurations,
resulting in significant duplication of efforts. These scripts and tools
could be more powerful if we worked on them together. It would cost
less to maintain them as a shared project, and eventually, they would be
more flexible and of better quality.
## The Solution
The solution is to unify our efforts behind a single open source
project, that will focus our collective development efforts on a shared
set of components.
The new project is ViryaOS, a multi-vendor open source collaborative
effort. ViryaOS will create a highly secure easy-to-use development
platform for Xen based systems aimed at IoT and embedded environments.
It will make it easier for engineers to develop secure Xen-based
platforms. In addition, ViryaOS will produce ready-to-use binary images
to help users and system integrators get started with Xen
on embedded systems.
ViryaOS will provide the space for us and others to collaborate. As a
unified group, it will be easier to approach hardware vendors and
partners to discuss support for ViryaOS.
Users will be able to build and deploy Xen-based disaggregated
architectures quickly and easily on x86 and ARM SoCs. ViryaOS will support
as many hardware platforms as possible, as many guest operating systems
as possible (including RTOSes and proprietary OSes), and highly
heterogeneous environments. ViryaOS will meet low power consumption
ViryaOS will be secure out of the box. Unlike traditional operating
system designs based on a monolithic kernel, ViryaOS takes a microkernel
approach. ViryaOS will come with driver and service domains. The
security and manageability of the platform are achieved through security
by compartmentalization and privilege separation to minimize the attack
surface of the "supervisor" component (the part of the system capable of
unconstrained access to the underlying hardware).
All workloads will be supported. Virtual machines, containers, baremetal
applications and unikernels will all be first-class "applications"
running on ViryaOS. ViryaOS will support running containers natively and
securely by transparently spawning Xen virtual machines for isolation.
## Build and Output
ViryaOS will come with the tools to build Xen, Dom0, multiple VMs (with
or without device assignement) and assemble the complete system. The
build will rely on containers to shorten the build time and to make it
easier to reuse any single component. The output will include the
* the Dom0 kernel (Linux)
* the Dom0 filesystem
* a disaggregated set of Service Domains, including their kernels,
disk images and configurations (Service Domains include drivers
domains and management VMs)
* any number of user-provided containers and VMs
The result will be a ready-to-use system image with all the pieces
already included. The image will be small, suitable for embedded systems
Users will be able to select different components and configurations at
build time, resulting in different outputs. Cross-compilation will be
ViryaOS will be able to use Yocto and/or existing distros such as Alpine
Linux to build some, or all, of its components. Anything could be used
as long as it can be built inside a container and the output follows a
As the key enabler for Service Domains, device assignment will be
supported on both ARM and x86 to the best of the capabilities of the
hardware. The image will contain all the necessary configurations
(device tree manipulations, Xen command line arguments, etc) to make
device assignment work out of the box.
Security is one of ViryaOS's key attributes. The hardware capabilities
can differ for different boards, with some having TPM support and other
TEE (trusted execution environment) support. When the hardware supports
it, ViryaOS will use secure/measured boot on Intel and ARM, using the
best technologies available in hardware (such as Intel TXT and ARM
## Hardware Support
ViryaOS will support as many hardware platforms as possible, x86 and ARM
(ARMv8). Given that TPM and VT-d are (almost) ubiquitous on Intel
platform, they can be requirements for ViryaOS. On the ARM side, many
SoCs don't have equivalent functionalities yet (SMMU and TEE). ViryaOS
will support running on them, although with limited functionalities.
### x86 Requirements
* Intel VT-x or AMD-V
* 1G RAM
* Intel VT-d or AMD-Vi
* Intel TPM
* 1 serial port for development
### ARM Requirements
#### Hard Requirements
* ARMv8 (Xen 64-bit)
* 1G RAM or better
* 1 network interface
#### Soft Requirements
* SMMU and a Xen driver, for device assignment (today only ARM
SMMUv1 and SMMUv2 are supported in Xen)
* TPM-like functionalities for secure key storage and secure boot
* 1 serial port for development
* Device Tree for firmware tables
## Open Source
ViryaOS is a multi-vendor collaborative open source project. ViryaOS
will consume other upstream projects, such as the Linux kernel, Xen
Project, Alpine Linux, and Yocto. For convenience, ViryaOS might use
private clones of these repositories, but ViryaOS will not diverge from
upstream in any meaningful way. Changes to ViryaOS's private clones of
upstream repositories will only be temporary, small-scoped and
inconsequential. ViryaOS will remain as close as possible to upstream
Xen and Linux.
For many ViryaOS use-cases safety certifications are critical. As an
open source project, ViryaOS will attempt at producing an easily
certifiable software stack.
A permissive license is the best fit for this project. Apache 2.0 is the
option of choice because of the clause covering patents.
Project Lead: Stefano Stabellini <sstabell...@kernel.org>
Xen-devel mailing list