doc: Lenovo X1 and compartmentalization

Co-authored-by: Nikita Bazulin <[email protected]>

Signed-off-by: Ivan Nikolaenko <[email protected]>

docs/src/SUMMARY.md

@@ -24,9 +24,12 @@
   - [Development](ref_impl/development.md)
     - [Build and Run](ref_impl/build_and_run.md)
     - [Cross-Compilation](ref_impl/cross_compilation.md)
-  - [Ghaf-Based Project](ref_impl/ghaf-based-project.md)
+    - [Creating Application VM](ref_impl/creating_appvm.md)
+  - [Ghaf as Library](ref_impl/ghaf-based-project.md)
+    - [Example Project](ref_impl/example_project.md)
     - [Modules Options](ref_impl/modules_options.md)
 - [Technologies](technologies/technologies.md)
+    - [Compartmentalization](technologies/compartment.md)
     - [Passthrough](technologies/passthrough.md)
         - [Binding Device to VFIO Driver](technologies/vfio.md)
         - [NVIDIA Jetson AGX Orin: UART Passthrough](technologies/nvidia_agx_pt_uart.md)

docs/src/features/features.md

@@ -19,6 +19,7 @@ Ghaf demo desktop and applications are illustrated in the screen capture below:
 
 - `Orin`—NVIDIA Jetson AGX Orin as the main reference device.
 - `x86`—generic x86_64; tested on Intel NUC (Next Unit of Computing) or laptop.
+- `Lenovo X1`—Lenovo X1 Carbon Gen11 laptop. 
 - `aarch64`—generic AArch64; tested on an ARM server, laptop (e.g. Apple M's), or NVIDIA Jetson AGX Orin.
 - `All variants`—supported devices from [Architectural Variants](https://tiiuae.github.io/ghaf/architecture/variants.html).
 
@@ -32,6 +33,7 @@ The following tables show the status of Ghaf Platform features:
 | `aarch64` reference image | ✅ | `Orin`  | Based on [Jetson Linux](https://developer.nvidia.com/embedded/jetson-linux), [OE4T](https://github.com/OE4T) and [jetpack-nixos](https://github.com/anduril/jetpack-nixos). |
 | `aarch64` reference image | ✅ | `imx8qm`  | Based on NXP BSP, implemented as [nixos-hardware module](https://github.com/NixOS/nixos-hardware/tree/master/nxp)|
 | `x86` generic image | ✅ | `x86` | Generic x86 computer, based on generic [NixOS](https://nixos.org/). NOTE: requires device specific configuration.|
+| `Lenovo X1` reference image | ✅ | `Lenovo X1` | x86_64 laptop computer, supports basic compartmentalized environment |
 | Native build      | ✅         | `aarch64, x86`   | Remote `aarc64` nixos builders recommended |
 | Cross-compilation | 🚧 | `aarch64, riscv64`  | Depends on NixOS `nixpkgs 23.05` support for cross-compilation |
 | CI builds         | ✅ | `All`  | [Only `main`-branch, not for all PRs](https://vedenemo.dev/). |
@@ -47,6 +49,7 @@ The following tables show the status of Ghaf Platform features:
 | root filesystem flashing | ✅   | `x86, imx8qm`  | `dd` image to bootable media - [see](https://tiiuae.github.io/ghaf/ref_impl/build_and_run.html#running-ghaf-image-for-x86-computer) |
 | Debug: SSH        | ✅      | `Orin`, `x86` | Host access only in `-debug`-target, see [authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix) |
 | Debug: Serial     | ✅      | `all` | Host access only in `-debug`-target - e.g. `screen /dev/ttyACM0 115200` |
+| Compartmentalized environment     | 🚧      | `Lenovo X1` | NetVM, GUI VM (with GPU passthrough) plus some Application VMs |
 
 ## Target architecture
 
@@ -55,11 +58,12 @@ The following tables show the status of Ghaf Platform features:
 | `minimal host`    | 🚧   | [`all`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [Minimal Host](https://tiiuae.github.io/ghaf/architecture/adr/minimal-host.html) and [PR #140](https://github.com/tiiuae/ghaf/pull/140). |
 | `netvm`           |  ✅ | `Orin`  | See [netvm](https://tiiuae.github.io/ghaf/architecture/adr/netvm.html). Passthrough with Wifi works but requires SSID/password configuration |
 | `idsvm`           |  ✅ | `Orin`  | [Defensive security VM placeholder PR open](https://github.com/tiiuae/ghaf/pull/146) |
-| `guivm` | 🚧 | `All`| Currently Wayland stack and apps on host for demos. Graphics are host-only for now. [PCI GPU passthrough and guivm PR open](https://github.com/tiiuae/ghaf/pull/118)|
+| `guivm` | 🚧 | `All`, `Lenovo-X1`| Implemented for Lenovo X1 reference device, other devices have Wayland compositor running on the host.|
+| `appvm` | 🚧 | `All`, `Lenovo-X1`| Implemented for Lenovo X1 reference device: chromium, GALA and zathura VMs. Requires `guivm` in place |
 | `adminvm`           | ✅ | `All`  | Not started |
 | Inter VM comms - IP-based  | 🚧 | `All` |`-debug`-targets have network bridges to access VMs from host |
 | Inter VM comms - shared memory  |  🚧 | `All` |  |
-| Inter VM Wayland  |  🚧 | `All` | Being ported from previous work |
+| Inter VM Wayland  |  🚧 | `All` | Currently it is `waypipe` over SSH, for test and demo purpose only |
 | SW update | 🚧 | `All` | A/B update tooling being evaluated |
 | USB passthrough   | 🚧 | `Orin`  | No reference implementation integrated yet |
 | PCI passthrough   | ✅ | `All`  | Used for reference in `netvm` on `Orin` |
@@ -70,10 +74,10 @@ The following tables show the status of Ghaf Platform features:
 
 | Feature           | Status      | Reference Device | Details                             |
 |-------------------|-------------|------------------|----------------------------------------------|
-| Wayland-compositor | 🚧 | `Orin`, `x86` | On host |
-| Chromium | 🚧 | `Orin`, `x86` | On host |
+| Wayland-compositor | 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` |
+| Chromium | 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` |
 | Element | 🚧 | `Orin`, `x86` | On host |
-| Cloud Android (CVD) client app (GALA )| 🚧 | `Orin`, `x86` | On host |
+| Cloud Android (CVD) client app (GALA )| 🚧 | `Orin`, `x86` | Implemented for `Lenovo-X1` |
 | Virtualization control | 🚧 | [`All`](https://tiiuae.github.io/ghaf/architecture/variants.html) | See [vmd design](https://github.com/tiiuae/vmd/blob/main/doc/design.md). |
 
 ## Next steps

docs/src/ref_impl/build_and_run.md

@@ -30,6 +30,7 @@ Then you can use one of the following instructions for the supported targets:
 |---                      |---               | ---              |
 | Virtual Machine | x86_64           | [Running Ghaf Image for x86 VM (ghaf-host)](./build_and_run.md#running-ghaf-image-for-x86-vm-ghaf-host)     |
 | Generic x86 Сomputer | x86_64           | [Running Ghaf Image for x86 Computer](./build_and_run.md#running-ghaf-image-for-x86-computer) |
+| Lenovo X1 Carbon Gen 11 | x86_64           | [Running Ghaf Image for Lenovo X1](./build_and_run.md#running-ghaf-image-for-lenovo-x1) |
 | NVIDIA Jetson AGX Orin  | AArch64          | [Ghaf Image for NVIDIA Jetson Orin AGX](./build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx)     |
 | NXP i.MX 8QM-MEK        | AArch64          | [Building Ghaf Image for NXP i.MX 8QM-MEK](./build_and_run.md#building-ghaf-image-for-nxp-imx-8qm-mek)     |
 | MICROCHIP icicle-kit    | RISCV64          | [Building Ghaf Image for Microchip Icicle Kit](./build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) |
@@ -64,6 +65,23 @@ Do the following:
 
 ---
 
+## Running Ghaf Image for Lenovo X1
+
+Lenovo X1 is the reference x86_64 device for the Ghaf project.
+
+Do the following:
+1. To build the target image, run the command:
+    ```
+    nix build github:tiiuae/ghaf#lenovo-x1-carbon-gen11-debug
+    ```
+2. After the build is completed, prepare a USB boot media with the target image you built:
+    ```
+    dd if=./result/nixos.img of=/dev/<YOUR_USB_DRIVE> bs=32M
+    ```
+3. Boot the computer from the USB media.
+
+---
+
 ## Ghaf Image for NVIDIA Jetson Orin AGX
 
 Before you begin:

docs/src/ref_impl/creating_appvm.md

@@ -0,0 +1,73 @@
+<!--
+    Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+    SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# Creating an Application VM
+
+## What is AppVM?
+
+AppVM is a virtual machine that is used to improve trust in system components by isolating the applications from both host OS and other applications. This way user can use applications of different trust levels within the same system and without compromising system security. This is because virtualization with hardware backed mechanisms provides better resource protection than traditional OS. While the VMs have overhead, it's acceptable via improved security and usability that makes the application seem like it is running inside an ordinary OS.
+
+As a result - both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own AppVMs.
+
+## How to add a new AppVM
+
+### 1. AppVM description
+
+Add the VM description in the target configuration.
+[lenovo-x1.nix](../../../targets/lenovo-x1.nix) already has AppVMs inside for Chromium, Gala, and Zathura applications.
+
+#### Example of the current AppVMs
+
+```
+vms = with pkgs; [
+  {
+    name = "chromium";
+    packages = [chromium];
+    ipAddress = "192.168.101.5/24";
+    macAddress = "02:00:00:03:03:05";
+    ramMb = 3072;
+    cores = 4;
+  }
+  {
+    name = "gala";
+    packages = [(pkgs.callPackage ../user-apps/gala {})];
+    ipAddress = "192.168.101.6/24";
+    macAddress = "02:00:00:03:03:06";
+    ramMb = 1536;
+    cores = 2;
+  }
+  {
+    name = "zathura";
+    packages = [zathura];
+    ipAddress = "192.168.101.7/24";
+    macAddress = "02:00:00:03:03:07";
+    ramMb = 512;
+    cores = 1;
+  }
+];
+```
+
+Each VM has the following properties:
+
+
+| **Property** | **Type**                  | **Unique** | **Description**                                                                                               | **Example**         |
+| -------------- | --------------------------- | ------------ | --------------------------------------------------------------------------------------------------------------- | --------------------- |
+| name         | str                       | yes        | This name is prefixed with `vm-` and will be shown in microvm list. The prefixed name - e.g. `vm-chromium` will be also the VM hostname                                     | “chromium”        |
+| packages     | list of types.package     | no         | Packages to include in a VM. It’s possible to make it empty or add several packages                          | [chromium top]    |
+| ipAddress    | str                       | yes        | This IP will be used to access a VM from the host. Should has the same subnetwork, as other VMs: Net, GUI VMs | "192.168.101.5/24"  |
+| macAddress   | str                       | yes        | Needed for network configuration                                                                              | "02:00:00:03:03:05" |
+| ramMb        | int, [1, …, host memory] | no         | Memory in MB                                                                                                  | 3072                |
+| cores        | int,  [1, …, host cores] | no         | Virtual CPU cores                                                                                             | 4                   |
+
+
+### 2. Add an app launcher in GUI VM
+
+To add an app launcher, add an element in the [guivm.nix](../../../modules/virtualization/microvm/guivm.nix) file to the **graphics.weston.launchers** list.
+A launcher element has 2 properties:
+
+1. **path** – path to the executable you want to run, like a graphical application.
+2. **icon** – path to an icon to show.
+
+You may want to check the example launchers [here](../../../modules/virtualization/microvm/guivm.nix)

docs/src/ref_impl/development.md

@@ -9,7 +9,7 @@ Ghaf Framework is free software, currently under active development.
 
 Scope of target support is updated with development progress.
 
-Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in the[authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix#L4-L5) module.
+Once you are up and running, you can participate in the collaborative development process by building a development build with additional options. For example, with the development username and password that are defined in the [authentication.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/authentication.nix#L4-L5) module.
 
 If you set up development SSH keys in the [ssh.nix](https://github.com/tiiuae/ghaf/blob/main/modules/development/ssh.nix#L4) module, you can use `nixos-rebuild switch` to quickly deploy your configuration changes to the development board over the network using SSH:
 

docs/src/ref_impl/example_project.md

@@ -0,0 +1,36 @@
+<!--
+    Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+    SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# Example Project
+
+The compartmentalization could be applied to many specific x86_64 computers and laptops with some customization applied to the Ghaf. The best way of the Ghaf customization is using Ghaf templates.
+
+1. Create a template project as described in [Ghaf as Library](../ref_impl/ghaf-based-project.md) section
+2. Adjust your system configuration with accordance to your HW specification. Determine all VIDs and PIDs of the devices that are passed to the VMs
+
+3. Add GUIVM configuration, NetworkVM configuration and optionally some AppVMs
+4. Set up weston panel shortcuts.
+Refer to the existing [project example for Lenovo T14 and Lenovo X1 laptops](https://github.com/unbel13ver/ghaf-lib)
+
+Creating the structure that includes all necessary data for the device passthrough:
+```
+# File 'my-hardware/lenovo-t14.nix':
+# Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Generic x86_64 computer -target
+{
+  deviceName = "lenovo-t14";
+  networkPciAddr = "0000:00:14.3";
+  networkPciVid = "8086";
+  networkPciPid = "02f0";
+  gpuPciAddr = "0000:00:02.0";
+  gpuPciVid = "8086";
+  gpuPciPid = "9b41";
+  usbInputVid = "046d";
+  usbInputPid = "c52b";
+}
+```
+The fields of that structure are self-explanatory. Use `lspci -nnk` command to get this data from any Linux OS running on the device.

docs/src/ref_impl/ghaf-based-project.md

@@ -3,7 +3,7 @@
     SPDX-License-Identifier: CC-BY-SA-4.0
 -->
 
-# Ghaf-Based Project
+# Ghaf as Library: Templates
 
 Ghaf is a framework for creating virtualized edge devices, it is therefore expected that projects wishing to use Ghaf should import it to create a derived work for the specific use case.
 
@@ -23,7 +23,7 @@ The Ghaf Platform repository provides declarative modules and reference implemen
 External repositories help make various HW options, system image generators, and reference board-support packages available.
 
 
-## Creating Ghaf-Based Project
+## Using Ghaf Templates
 
 1. Check the available target templates:
 
@@ -63,15 +63,15 @@ External repositories help make various HW options, system image generators, and
     ```
 
 
-## Updating Ghaf-Based Project
+## Updating Ghaf Revision
 
 To update your project, run `nix flake update`. This check the inputs for updates and based on availability of the updates, generate an updated `flake.lock` which locks the specific versions to support the reproducible builds without side effects.
 
 In practice, nix flake will not allow floating inputs but all the inputs and declared packages must be mapped to specific hashes to get exact revisions of your inputs. This mechanism also supports the supply-chain security - if someone changes the upstream project e.g. by over-writing a part of the input so that the hash changes, you will notice. (Believe it or not, this happens even with large HW vendors). 
 
 After update, review and testing - commit the updated `flake.lock` to your version history to share reproducible builds within your project.
 
-## Customizing Ghaf-Based Project
+## Customizing Ghaf Modules
 
 To use the Ghaf declarative module system, check what you need in your system and choose the [modules options](./modules_options.md) you need. For example, import the ghaf `graphics`-module and declare that you won't need the reference Wayland-compositor Weston and the demo applications:
 

docs/src/scenarios/showcases.md

@@ -9,5 +9,5 @@ The Ghaf Platform can be used in various different environments, configurations,
 
 ## In This Chapter
 
-- [Running Windows VM on Ghaf](scenarios/run_win_vm.md)
-- [Running Cuttlefish on Ghaf](scenarios/run_cuttlefish.md)
+- [Running Windows VM on Ghaf](./run_win_vm.md)
+- [Running Cuttlefish on Ghaf](./run_cuttlefish.md)

docs/src/technologies/compartment.md

@@ -0,0 +1,13 @@
+<!--
+    Copyright 2022-2023 TII (SSRC) and the Ghaf contributors
+    SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# Compartmentalization
+Compartmentalization is the technique of separating parts of a system to decrease attack surface and prevent malfunctions from cascading in the system. In Ghaf architecture, there is a separate Virtual Machine (VM) for every vital function of the system.
+
+Current implementation supports Graphic User Interface (GUI) VM, Networking VM and a couple of Application VMs, such as Chromium web-browser and Zathura pdf reader.
+
+The GUI VM owns computer's GPU and performs desktop environment and application windows rendering. Wayland protocol for applications in this case is proxified by `waypipe` over SSH. This approach is used temporarly before moving to more sophisticated solutions.
+
+VM compartmentalization requires all necessary devices passthrough in place. More specifically, you need to know PCI VID and PID of a device and also it's number on the PCI bus. In case of USB device passthrough, it is enough to know device's VID and PID. See [Ghaf as Library](../ref_impl/ghaf-based-project.md) and [Creating Application VM](../ref_impl/creating_appvm.md) sections to know more about the actual implementation.