* HW identification and configuration on Spectrum @ 2022-08-16 15:50 Ville Ilvonen 2022-08-17 7:52 ` Alyssa Ross 0 siblings, 1 reply; 7+ messages in thread From: Ville Ilvonen @ 2022-08-16 15:50 UTC (permalink / raw) To: discuss Hi, Now that we've been developing Spectrum ARM (aarch64) support with iMX8 boards, I'd like to get back to Spectrum HW configuration design. On x86 the generic image with kernel supporting most devices as modules can make sense. On ARM, the vendor specific BSP HW quirks are more common. As of now, the spectrum fork for aarch64 just adds another config after rpi configs and replaces the default config to use that to build. With small changes this could be handled like rpi configs. In addition, cloud-hypervisor accepts kernel only in EFI format for aarch64[1]. Anyway, this would allow us to build an aarch64 Spectrum installer - even make it with a more generic kernel. That takes us to ARM vendor/device specific HW quirks which would need to be handled anyway. I'll intentionally leave device specific kernel hardening and disabling kernel module loading for security reasons for now. As of now the vendor/device specifics are not supported unless one builds device specific Spectrum image with all configs build-time and skips installer altogether. The other option that I see. We discussed earlier nix-hardware and device specific modules. That would bring nixos configuration.nix and installation supporting scripts to Spectrum, though. Those could be called from the Spectrum installer but it would change the installer logic from writing an image to dynamically configuring the device during install based on user selections. Any thoughts which would be the preferred way? Maybe some other way? In the end, HW specifics are needed also on x86 as we saw with NUCs and different Lenovo laptops in the spring. I'm not convinced one image to rule them all is realistic or secure. Finally, this is by no means blocking the hardened iMX8 based Spectrum development but will keep that work in Spectrum fork until there's an agreed path to implement this. Integrating this sooner and making it more generic would make Spectrum more useful for a wider audience. Best regards, -Ville [1] https://github.com/tiiuae/spectrum/pull/3#issuecomment-1211834302 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: HW identification and configuration on Spectrum 2022-08-16 15:50 HW identification and configuration on Spectrum Ville Ilvonen @ 2022-08-17 7:52 ` Alyssa Ross 2022-08-17 13:25 ` Ville Ilvonen 0 siblings, 1 reply; 7+ messages in thread From: Alyssa Ross @ 2022-08-17 7:52 UTC (permalink / raw) To: Ville Ilvonen; +Cc: discuss [-- Attachment #1: Type: text/plain, Size: 6042 bytes --] On Tue, Aug 16, 2022 at 06:50:48PM +0300, Ville Ilvonen wrote: > Hi, > > Now that we've been developing Spectrum ARM (aarch64) support > with iMX8 boards, I'd like to get back to Spectrum HW configuration design. > > On x86 the generic image with kernel supporting most devices as modules can > make sense. On ARM, the vendor specific BSP HW quirks are more common. What impact will Google's Generic Kernel Image[1] efforts have on this? As I understand it, going forward Android devices won't be allowed to make arbitrary kernel changes, and will be restricted to adding extra modules. Which presumably means that SOCs aiming to be used for Android devices will have to work with the standard Android kernel, which is hopefully getting closer to mainline over time[2]. Regardless, I understand that there will always be some cases where a non-upstream kernel is a necessity (even if the Android situation gets better, there will always be a new MacBook that doesn't have upstream drivers yet!) so I am keen to figure out how to support that well in Spectrum. [1]: https://source.android.com/docs/core/architecture/kernel/generic-kernel-image [2]: https://lwn.net/Articles/830979/ > As of now, the spectrum fork for aarch64 just adds another config > after rpi configs > and replaces the default config to use that to build. With small > changes this could > be handled like rpi configs. In addition, cloud-hypervisor accepts > kernel only in > EFI format for aarch64[1]. Anyway, this would allow us to build an > aarch64 Spectrum installer > - even make it with a more generic kernel. That takes us to ARM > vendor/device specific HW > quirks which would need to be handled anyway. I'll intentionally leave > device specific > kernel hardening and disabling kernel module loading for security > reasons for now. > As of now the vendor/device specifics are not supported unless one builds device > specific Spectrum image with all configs build-time and skips > installer altogether. > > The other option that I see. We discussed earlier nix-hardware and > device specific modules. > That would bring nixos configuration.nix and installation supporting > scripts to Spectrum, > though. Those could be called from the Spectrum installer but it would > change the installer > logic from writing an image to dynamically configuring the device > during install based on user > selections. I don't think the full NixOS module system, with rebuilds, etc. belongs in Spectrum. Being able to treat images as immutable makes it easier to provide various strong security guarantees. But not wanting to integrate the full module system doesn't prevent us taking advantage of nixos-hardware. It's possible to evaluate NixOS modules standalone in a Spectrum build, in fact we already do that to reuse NixOS's list of all redistributable firmware packages[3]. We could do a similar thing to extract the kernel that nixos-hardware configures for a particular device, something like this: inherit (nixos { configuration = [ <nixos-hardware/pine64/pinebook-pro/default.nix> ]; }.config.boot.kernelPackages) kernel; And naturally which device that's pulling from should be configurable — we'll want to have a config file somewhere, just not a full NixOS one. In the medium term, I'd like to decouple nixos-hardware's custom kernel packages from NixOS configurations. But that would require somebody finding the time to sit down and make the change, and also convince other nixos-hardware users that it's the way to go. I don't think it would be a problem though, especially if it meant nixos-hardware getting more active maintenance, which it's lacking at the moment because it's not too well advertised and so not enough people are using it. I am intrigued by the idea of the installer being able to generate images, though. Using Nix with a substituter configured on the installer image would mean that it could download a pre-built image if one exists for that platform, or fall back to generating one if not. (And if there was a pre-built image, it would even still be able to properly Secure Boot with a trusted key once we're in a position to do that.) So I'm definitely keen on exploring that idea, but it might be something to do a bit down the road since the work to generate board-specific Spectrum images wouldn't be contingent on it. [3]: https://spectrum-os.org/git/spectrum/tree/host/rootfs/default.nix?id=b01594b2c089ce2434dacddccf9a285af7334d24#n64 > Any thoughts which would be the preferred way? Maybe some other way? > In the end, HW specifics are needed also on x86 as we saw with NUCs > and different > Lenovo laptops in the spring. I'm not convinced one image to rule them > all is realistic or secure. The issues we saw with Lenovo laptops, etc. wouldn't have been solved by device specific images — those devices were broken because of bugs that hadn't affected any other systems I'd tried, but in the end the fixes were applicable everywhere. That itself isn't an indication that we need device-specific images, just more hardware testing. But as I said above, I'm open to having an officially blessed configuration mechanism to make it possible to build custom images. > Finally, this is by no means blocking the hardened iMX8 based Spectrum > development > but will keep that work in Spectrum fork until there's an agreed path > to implement this. > Integrating this sooner and making it more generic would make Spectrum > more useful > for a wider audience. Makes sense — although of course, if any of the work that's been done so far is not i.MX8-specific, but is instead just generic stuff to make Spectrum more ARM-friendly or cross-compilable, I'd be happy to look at those patches already since they'll be relevant regardless of how we do device-specific stuff. > Best regards, > > -Ville > > [1] https://github.com/tiiuae/spectrum/pull/3#issuecomment-1211834302 [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: HW identification and configuration on Spectrum 2022-08-17 7:52 ` Alyssa Ross @ 2022-08-17 13:25 ` Ville Ilvonen 2022-08-17 13:39 ` Alyssa Ross 0 siblings, 1 reply; 7+ messages in thread From: Ville Ilvonen @ 2022-08-17 13:25 UTC (permalink / raw) To: Alyssa Ross; +Cc: discuss On Wed, Aug 17, 2022 at 10:52 AM Alyssa Ross <hi@alyssa.is> wrote: > > On Tue, Aug 16, 2022 at 06:50:48PM +0300, Ville Ilvonen wrote: > > Hi, > > > > Now that we've been developing Spectrum ARM (aarch64) support > > with iMX8 boards, I'd like to get back to Spectrum HW configuration design. > > > > On x86 the generic image with kernel supporting most devices as modules can > > make sense. On ARM, the vendor specific BSP HW quirks are more common. > > What impact will Google's Generic Kernel Image[1] efforts have on this? > As I understand it, going forward Android devices won't be allowed to > make arbitrary kernel changes, and will be restricted to adding extra > modules. Which presumably means that SOCs aiming to be used for Android > devices will have to work with the standard Android kernel, which is > hopefully getting closer to mainline over time[2]. ARM goes beyond Google Android ecosystem - including automotive and increasingly servers and other personal devices than smartphones. GKI is definitely the right direction but I'm afraid Google can't pull the BSPs on other sectors in. Which takes us to your point below. Nothing to add there. > Regardless, I understand that there will always be some cases where a > non-upstream kernel is a necessity (even if the Android situation gets > better, there will always be a new MacBook that doesn't have upstream > drivers yet!) so I am keen to figure out how to support that well in > Spectrum. > > [1]: https://source.android.com/docs/core/architecture/kernel/generic-kernel-image > [2]: https://lwn.net/Articles/830979/ > > > As of now, the spectrum fork for aarch64 just adds another config > > after rpi configs > > and replaces the default config to use that to build. With small > > changes this could > > be handled like rpi configs. In addition, cloud-hypervisor accepts > > kernel only in > > EFI format for aarch64[1]. Anyway, this would allow us to build an > > aarch64 Spectrum installer > > - even make it with a more generic kernel. That takes us to ARM > > vendor/device specific HW > > quirks which would need to be handled anyway. I'll intentionally leave > > device specific > > kernel hardening and disabling kernel module loading for security > > reasons for now. > > As of now the vendor/device specifics are not supported unless one builds device > > specific Spectrum image with all configs build-time and skips > > installer altogether. > > > > The other option that I see. We discussed earlier nix-hardware and > > device specific modules. > > That would bring nixos configuration.nix and installation supporting > > scripts to Spectrum, > > though. Those could be called from the Spectrum installer but it would > > change the installer > > logic from writing an image to dynamically configuring the device > > during install based on user > > selections. > > I don't think the full NixOS module system, with rebuilds, etc. belongs > in Spectrum. Being able to treat images as immutable makes it easier to > provide various strong security guarantees. But not wanting to This was and still is one important design decision to build on Spectrum. Regardless, it makes development iterations on target HW more challenging than needed. Conceptually we've had discussions on separating concerns between "development system - writable, easily updatable" and "production system - immutable, updated as image". Latter could have more hardening, security policies etc. enabled which makes development more difficult by design. In practice, some developers have remounted the Spectrum file system as writable to make development iterations easier. In many cases, the development must be done on the target HW which brings us back to the need for the "development system" configuration. Update image iteration cycle is too slow. > integrate the full module system doesn't prevent us taking advantage of > nixos-hardware. It's possible to evaluate NixOS modules standalone in > a Spectrum build, in fact we already do that to reuse NixOS's list of > all redistributable firmware packages[3]. We could do a similar thing > to extract the kernel that nixos-hardware configures for a particular > device, something like this: > > inherit (nixos { > configuration = [ <nixos-hardware/pine64/pinebook-pro/default.nix> ]; > }.config.boot.kernelPackages) kernel; > > And naturally which device that's pulling from should be configurable — > we'll want to have a config file somewhere, just not a full NixOS one. This made me propose nix-hardware usage more and think if we could have what I called "development configuration". In essence, nix-hardware is NixOS channel and we could have a custom channel to support development as well (e.g. dev git repo(s)). > In the medium term, I'd like to decouple nixos-hardware's custom kernel > packages from NixOS configurations. But that would require somebody > finding the time to sit down and make the change, and also convince > other nixos-hardware users that it's the way to go. I don't think it > would be a problem though, especially if it meant nixos-hardware getting > more active maintenance, which it's lacking at the moment because it's > not too well advertised and so not enough people are using it. Ideally yes and I hope we could contribute to that effort. However, we need to focus on getting Spectrum running on aarch64 with imx8 for now. For that I'm reading that nixos-hardware approach is preferred. > I am intrigued by the idea of the installer being able to generate > images, though. Using Nix with a substituter configured on the > installer image would mean that it could download a pre-built image if > one exists for that platform, or fall back to generating one if not. > (And if there was a pre-built image, it would even still be able to > properly Secure Boot with a trusted key once we're in a position to do > that.) So I'm definitely keen on exploring that idea, but it might be > something to do a bit down the road since the work to generate > board-specific Spectrum images wouldn't be contingent on it. Agree, but I'd also move this down the road. > [3]: https://spectrum-os.org/git/spectrum/tree/host/rootfs/default.nix?id=b01594b2c089ce2434dacddccf9a285af7334d24#n64 > > > Any thoughts which would be the preferred way? Maybe some other way? > > In the end, HW specifics are needed also on x86 as we saw with NUCs > > and different > > Lenovo laptops in the spring. I'm not convinced one image to rule them > > all is realistic or secure. > > The issues we saw with Lenovo laptops, etc. wouldn't have been solved by > device specific images — those devices were broken because of bugs that > hadn't affected any other systems I'd tried, but in the end the fixes > were applicable everywhere. That itself isn't an indication that we need > device-specific images, just more hardware testing. Fair enough, there were those as well. But there were also device specific quirks. There always will be. HW makers sell HW with their constraints. There will be hacks. > But as I said above, I'm open to having an officially blessed > configuration mechanism to make it possible to build custom images. Sounds good. Would you also please share your thoughts on this "development configuration"? Like some nix tooling enabled for "development" and not included in the immutable "production" image. > > Finally, this is by no means blocking the hardened iMX8 based Spectrum > > development > > but will keep that work in Spectrum fork until there's an agreed path > > to implement this. > > Integrating this sooner and making it more generic would make Spectrum > > more useful > > for a wider audience. > > Makes sense — although of course, if any of the work that's been done so > far is not i.MX8-specific, but is instead just generic stuff to make > Spectrum more ARM-friendly or cross-compilable, I'd be happy to look at > those patches already since they'll be relevant regardless of how we do > device-specific stuff. Thanks, I think it's time to start looking for those with generic stuff in mind so that the board bring-up won't diverge too much from the Spectrum mainline. -Ville ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: HW identification and configuration on Spectrum 2022-08-17 13:25 ` Ville Ilvonen @ 2022-08-17 13:39 ` Alyssa Ross 2022-08-18 9:15 ` Ville Ilvonen 0 siblings, 1 reply; 7+ messages in thread From: Alyssa Ross @ 2022-08-17 13:39 UTC (permalink / raw) To: Ville Ilvonen; +Cc: discuss [-- Attachment #1: Type: text/plain, Size: 4967 bytes --] On Wed, Aug 17, 2022 at 04:25:20PM +0300, Ville Ilvonen wrote: > > > As of now, the spectrum fork for aarch64 just adds another config > > > after rpi configs > > > and replaces the default config to use that to build. With small > > > changes this could > > > be handled like rpi configs. In addition, cloud-hypervisor accepts > > > kernel only in > > > EFI format for aarch64[1]. Anyway, this would allow us to build an > > > aarch64 Spectrum installer > > > - even make it with a more generic kernel. That takes us to ARM > > > vendor/device specific HW > > > quirks which would need to be handled anyway. I'll intentionally leave > > > device specific > > > kernel hardening and disabling kernel module loading for security > > > reasons for now. > > > As of now the vendor/device specifics are not supported unless one builds device > > > specific Spectrum image with all configs build-time and skips > > > installer altogether. > > > > > > The other option that I see. We discussed earlier nix-hardware and > > > device specific modules. > > > That would bring nixos configuration.nix and installation supporting > > > scripts to Spectrum, > > > though. Those could be called from the Spectrum installer but it would > > > change the installer > > > logic from writing an image to dynamically configuring the device > > > during install based on user > > > selections. > > > > I don't think the full NixOS module system, with rebuilds, etc. belongs > > in Spectrum. Being able to treat images as immutable makes it easier to > > provide various strong security guarantees. But not wanting to > > This was and still is one important design decision to build on Spectrum. > Regardless, it makes development iterations on target HW more challenging > than needed. Conceptually we've had discussions on separating concerns > between "development system - writable, easily updatable" and > "production system - immutable, updated as image". Latter could have more > hardening, security policies etc. enabled which makes development more > difficult by design. In practice, some developers have remounted the > Spectrum file > system as writable to make development iterations easier. In many cases, > the development must be done on the target HW which brings us back to the need > for the "development system" configuration. Update image iteration > cycle is too slow. Yeah, I agree something like this would be good. Especially when testing on hardware as you say. I would like to think more about exactly how this should work. Do you think that, if you it were possible to develop Spectrum on Spectrum, it would be acceptable to have to reboot into a new configuration if the host system was changed? (Assume that the process of actually building the new system is fast — the reboot would be the main overhead.) > > integrate the full module system doesn't prevent us taking advantage of > > nixos-hardware. It's possible to evaluate NixOS modules standalone in > > a Spectrum build, in fact we already do that to reuse NixOS's list of > > all redistributable firmware packages[3]. We could do a similar thing > > to extract the kernel that nixos-hardware configures for a particular > > device, something like this: > > > > inherit (nixos { > > configuration = [ <nixos-hardware/pine64/pinebook-pro/default.nix> ]; > > }.config.boot.kernelPackages) kernel; > > > > And naturally which device that's pulling from should be configurable — > > we'll want to have a config file somewhere, just not a full NixOS one. > > This made me propose nix-hardware usage more and think if we could have > what I called "development configuration". In essence, nix-hardware is > NixOS channel and we could have a custom channel to support development > as well (e.g. dev git repo(s)). You mean set it to your own, custom version of nixos-hardware that included WIP support for the board you were working on? Yeah, that wouldn't be a problem at all. > > In the medium term, I'd like to decouple nixos-hardware's custom kernel > > packages from NixOS configurations. But that would require somebody > > finding the time to sit down and make the change, and also convince > > other nixos-hardware users that it's the way to go. I don't think it > > would be a problem though, especially if it meant nixos-hardware getting > > more active maintenance, which it's lacking at the moment because it's > > not too well advertised and so not enough people are using it. > > Ideally yes and I hope we could contribute to that effort. However, we need > to focus on getting Spectrum running on aarch64 with imx8 for now. For that > I'm reading that nixos-hardware approach is preferred. Yeah, it's definitely the way to go. And if we can make nixos-hardware better in future, that would just be further progress on top of integrating nixos-hardware as described above. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: HW identification and configuration on Spectrum 2022-08-17 13:39 ` Alyssa Ross @ 2022-08-18 9:15 ` Ville Ilvonen 2022-08-18 10:17 ` Development on the Spectrum host Alyssa Ross 0 siblings, 1 reply; 7+ messages in thread From: Ville Ilvonen @ 2022-08-18 9:15 UTC (permalink / raw) To: Alyssa Ross; +Cc: discuss On Wed, Aug 17, 2022 at 4:39 PM Alyssa Ross <hi@alyssa.is> wrote: > Yeah, I agree something like this would be good. Especially when > testing on hardware as you say. I would like to think more about > exactly how this should work. Do you think that, if you it were > possible to develop Spectrum on Spectrum, it would be acceptable to have > to reboot into a new configuration if the host system was changed? > (Assume that the process of actually building the new system is fast — > the reboot would be the main overhead.) Option to develop on the target system is something people (not vocal here) already expect. I think booting into a new configuration is MCU style development process and not a fast enough iteration cycle on Linux user space in all scenarios. Even in kernel driver development, one may want to unload/load module during development but even disable module loading as a security hardening mechanism in deployment/production configuration. Another example is security policies development (SELinux) - you want to iterate and test them in user space during development but you want to deploy them immutable. Then again, kernel or device tree changes will require rebooting. Point is - rebooting for everything is not development friendly enough mechanism alone. > You mean set it to your own, custom version of nixos-hardware that > included WIP support for the board you were working on? Yeah, that Yeah, like an own git repo as source for nix-channel to pick the nix-hardware module. Ideally, some of that could be easily contributed to nix-hardware upstream - currently it seems to accept different quality support for different HW so that should not be an issue. > wouldn't be a problem at all. Sounds good. > > > In the medium term, I'd like to decouple nixos-hardware's custom kernel > > > packages from NixOS configurations. But that would require somebody > > > finding the time to sit down and make the change, and also convince > > > other nixos-hardware users that it's the way to go. I don't think it > > > would be a problem though, especially if it meant nixos-hardware getting > > > more active maintenance, which it's lacking at the moment because it's > > > not too well advertised and so not enough people are using it. > > > > Ideally yes and I hope we could contribute to that effort. However, we need > > to focus on getting Spectrum running on aarch64 with imx8 for now. For that > > I'm reading that nixos-hardware approach is preferred. > > Yeah, it's definitely the way to go. And if we can make nixos-hardware > better in future, that would just be further progress on top of > integrating nixos-hardware as described above. Right. Even iMX8 dev board generic support might be interesting for other projects. I've seen iMX8M EVK being used at least with Zircon on Fuchsia. Best, -Ville ^ permalink raw reply [flat|nested] 7+ messages in thread
* Development on the Spectrum host 2022-08-18 9:15 ` Ville Ilvonen @ 2022-08-18 10:17 ` Alyssa Ross 2022-08-19 6:26 ` Ville Ilvonen 0 siblings, 1 reply; 7+ messages in thread From: Alyssa Ross @ 2022-08-18 10:17 UTC (permalink / raw) To: Ville Ilvonen; +Cc: discuss [-- Attachment #1: Type: text/plain, Size: 3650 bytes --] On Thu, Aug 18, 2022 at 12:15:28PM +0300, Ville Ilvonen wrote: > On Wed, Aug 17, 2022 at 4:39 PM Alyssa Ross <hi@alyssa.is> wrote: > > > Yeah, I agree something like this would be good. Especially when > > testing on hardware as you say. I would like to think more about > > exactly how this should work. Do you think that, if you it were > > possible to develop Spectrum on Spectrum, it would be acceptable to have > > to reboot into a new configuration if the host system was changed? > > (Assume that the process of actually building the new system is fast — > > the reboot would be the main overhead.) > > Option to develop on the target system is something people (not vocal > here) already expect. I think booting into a new configuration is MCU > style development process and not a fast enough iteration cycle on > Linux user space in all scenarios. Even in kernel driver development, > one may want to unload/load module during development but even disable > module loading as a security hardening mechanism in > deployment/production configuration. Another example is security > policies development (SELinux) - you want to iterate and test them in > user space during development but you want to deploy them immutable. > Then again, kernel or device tree changes will require rebooting. Okay. Obviously we can support booting with the filesystem mounted read-write and no dm-verity. But the problem with that is that then changes have to be manually copied back to the source tree. We could try to add some conveniences for that (e.g. a facility to diff the modified root filesystem with the orginal version). It still means making changes to the compiled system, rather than working on the source, but for the kind of changes you're talking about, maybe doing it that way and then integrating the changes into the Spectrum source at the end wouldn't be too bad? Ideally it would be nice to have something like nixos-rebuild switch, that can build a new system and then switch into it. But the problem is, you have to figure out how to *automatically* take the runtime state of the system (the processes and services that are running), and somehow carry that over into the new system, where anything could have changed. So I'm not sure how we'd do that. NixOS's implementation of this is massive, tightly coupled to both NixOS and systemd, and still it's not very difficult to get it into a weird state where you need to reboot anyway to get an accurate idea of what the change does (or, if you don't realise you need to do that, you just think the change hasn't worked). If a kernel module has changed, do you try to unload and reload it? That's pretty complicated to implement, because you have to unbind the devices from it, unload the module, then rebind them, and even then the module might have had important state that's been lost. If the developer is working on that kernel module it's probably okay, but what if they're working on something else and just pulled a bunch of changes that happened to include a kernel module change? Same with if e.g. the Weston service changes, except in that case we have no way to restore the previous state. So either we choose not to automatically restart Weston, in which case we're not really running the new system, but a weird hybrid that may have bugs not present in either the old or new system, or we do restart Weston, and risk an unsuspecting user losing their whole windowing session. If there's a way we could make this work well, I'm open to it, but it's not at all obvious to me what that would look like. [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 833 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: Development on the Spectrum host 2022-08-18 10:17 ` Development on the Spectrum host Alyssa Ross @ 2022-08-19 6:26 ` Ville Ilvonen 0 siblings, 0 replies; 7+ messages in thread From: Ville Ilvonen @ 2022-08-19 6:26 UTC (permalink / raw) To: Alyssa Ross; +Cc: discuss On 18.8.2022 13.17, Alyssa Ross wrote: > Okay. Obviously we can support booting with the filesystem mounted > read-write and no dm-verity. But the problem with that is that then > changes have to be manually copied back to the source tree. We could One way to handle this is so that people git clone to the target and build small incremental changes there. > try to add some conveniences for that (e.g. a facility to diff the > modified root filesystem with the orginal version). It still means > making changes to the compiled system, rather than working on the > source, but for the kind of changes you're talking about, maybe doing > it that way and then integrating the changes into the Spectrum source > at the end wouldn't be too bad? When installation of development tools to the target is limited, remotely mounting filesystem (e.g. sshfs) from the development host works. > Ideally it would be nice to have something like nixos-rebuild switch, > that can build a new system and then switch into it. But the problem > is, you have to figure out how to *automatically* take the runtime state > of the system (the processes and services that are running), and somehow > carry that over into the new system, where anything could have changed. > So I'm not sure how we'd do that. NixOS's implementation of this is > massive, tightly coupled to both NixOS and systemd, and still it's not > very difficult to get it into a weird state where you need to reboot > anyway to get an accurate idea of what the change does (or, if you > don't realise you need to do that, you just think the change hasn't > worked). If a kernel module has changed, do you try to unload an > reload it? That's pretty complicated to implement, because you have to > unbind the devices from it, unload the module, then rebind them, and > even then the module might have had important state that's been lost. Good examples but there's no one answer to these scenarios. Depends really much on the case and developer preferences. Often services restarting is enough, sometimes system reboot is required. Also, people doing kernel development are usually fairly seasoned and consider which makes sense to themselves. E.g. kernel modules run reset for the hardware in init() and scripts/tests can be used to handle unbind-unload-rebind in driver development. Managing state persistence over resets or SW updates is an eternity problem. It's an interesting problem - I studied dynamic software updates and state migration is one key challenge there. DSU has not taken traction, though. It's tough to update both code and the runtime state. We have legacy and culture of restarts. In critical systems it's designed and handled with hardware, even system redundancy - not at single component level. > If the developer is working on that kernel module it's probably okay, > but what if they're working on something else and just pulled a bunch of > changes that happened to include a kernel module change? Same with if > e.g. the Weston service changes, except in that case we have no way to > restore the previous state. So either we choose not to automatically > restart Weston, in which case we're not really running the new system, > but a weird hybrid that may have bugs not present in either the old or > new system, or we do restart Weston, and risk an unsuspecting user > losing their whole windowing session. True. In these scenarios I've learned not to try to cover every possible scenario on behalf of other people. Developers are smart and they understand and learn constraints of system changes. > If there's a way we could make this work well, I'm open to it, but it's > not at all obvious to me what that would look like. Given above, I try to keep this at high level design. Two configurations: a. development - enables development, testing and debugging with caveats b. user - immutable, hardened, strong security promises Now we have b. which makes a. by design impossible *on target*, making development iterations slow. The question is if we want to generally enable a. and then say - "there it is for anyone who needs it". Best, -Ville ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-08-19 6:26 UTC | newest] Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2022-08-16 15:50 HW identification and configuration on Spectrum Ville Ilvonen 2022-08-17 7:52 ` Alyssa Ross 2022-08-17 13:25 ` Ville Ilvonen 2022-08-17 13:39 ` Alyssa Ross 2022-08-18 9:15 ` Ville Ilvonen 2022-08-18 10:17 ` Development on the Spectrum host Alyssa Ross 2022-08-19 6:26 ` Ville Ilvonen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).