diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md index 9bc2d3bf0..91c29e2e0 100644 --- a/docs/src/SUMMARY.md +++ b/docs/src/SUMMARY.md @@ -31,7 +31,7 @@ - [Cross-Compilation](ref_impl/cross_compilation.md) - [Creating Application VM](ref_impl/creating_appvm.md) - [labwc Desktop Environment](ref_impl/labwc.md) - - [idsvm Further Development](ref_impl/idsvm-development.md) + - [IDS VM Further Development](ref_impl/idsvm-development.md) - [systemd Service Hardening](ref_impl/systemd-service-config.md) - [Ghaf as Library: Templates](ref_impl/ghaf-based-project.md) - [Example Project](ref_impl/example_project.md) @@ -58,6 +58,7 @@ - [Public Key Infrastructure](scs/pki.md) - [Security Fix Automation](scs/ghaf-security-fix-automation.md) - [Release Notes](release_notes/release_notes.md) + - [Release ghaf-24.06](release_notes/ghaf-24.06.md) - [Release ghaf-24.03](release_notes/ghaf-24.03.md) - [Release ghaf-23.12](release_notes/ghaf-23.12.md) - [Release ghaf-23.09](release_notes/ghaf-23.09.md) diff --git a/docs/src/architecture/adr/idsvm.md b/docs/src/architecture/adr/idsvm.md index 769b7978f..754acd9ae 100644 --- a/docs/src/architecture/adr/idsvm.md +++ b/docs/src/architecture/adr/idsvm.md @@ -34,4 +34,4 @@ Routing and analyzing the network traffic in a separate VM will reduce network p ## References -[IDS VM Further Development](/docs/src/ref_impl/idsvm-development.md) +[IDS VM Further Development](../../ref_impl/idsvm-development.md) diff --git a/docs/src/ref_impl/creating_appvm.md b/docs/src/ref_impl/creating_appvm.md index 61e975219..d77dd5599 100644 --- a/docs/src/ref_impl/creating_appvm.md +++ b/docs/src/ref_impl/creating_appvm.md 
@@ -7,7 +7,7 @@ Application VM (App VM) is a VM that improves trust in system components by isolating applications from the host OS and other applications. Virtualization with hardware-backed mechanisms provides better resource protection than traditional OS. This lets users use applications of different trust levels within the same system without compromising system security. While the VMs have overhead, it is acceptable as a result of improved security and usability that makes the application seem like it is running inside an ordinary OS. -As a result, both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own AppVM. +As a result, both highly trusted applications and untrusted applications can be hosted in the same secure system when the concerns are separated in their own App VM. To create an App VM: 1. Add the VM description. diff --git a/docs/src/ref_impl/idsvm-development.md b/docs/src/ref_impl/idsvm-development.md index 786818d0c..605df602e 100644 --- a/docs/src/ref_impl/idsvm-development.md +++ b/docs/src/ref_impl/idsvm-development.md @@ -8,7 +8,7 @@ ## Implementation -The [IDS VM](/docs/src/architecture/adr/idsvm.md) is implemented as a regular Micro VM with static IP. +The [IDS VM](../architecture/adr/idsvm.md) is implemented as a regular Micro VM with static IP. The [mitmproxy](https://mitmproxy.org/) is included in the demonstrative interactive proxy to enable analysis of TLS-protected data on the fly. Also, [Snort](https://snort.org/) network intrusion detection and prevention system package is included but no dedicated UI nor proper utilization is provided. diff --git a/docs/src/ref_impl/installer.md b/docs/src/ref_impl/installer.md index 1ddb233b6..35a1790de 100644 --- a/docs/src/ref_impl/installer.md +++ b/docs/src/ref_impl/installer.md 
@@ -5,22 +5,22 @@ # Installer + ## Configuring and Building Installer for Ghaf You can obtain the installation image for your Ghaf configuration. -In addition to the live USB image that Ghaf provides it is also possible -to install Ghaf. This can either be achieved by downloading the desired image -or by building it as described below. +In addition to the live USB image that Ghaf provides it is also possible to install Ghaf. This can either be achieved by downloading the desired image or by building it as described below. -Currently only x86_64-linux systems are supported by the standalone installer. So to build e.g. the debug image +Currently, only x86_64-linux systems are supported by the standalone installer. So to build e.g. the debug image for the Lenovo x1 follow the following steps ```sh nix build .#lenovo-x1-carbon-gen11-debug-installer ``` -## Flashing the installer + +## Flashing Installer Once built you must transfer it to the desired installation media. It requires at least a 4GB SSD, at the time of writing. @@ -28,9 +28,10 @@ Once built you must transfer it to the desired installation media. It requires a sudo dd if=./result/iso/ghaf--x86_64-linux.iso of=/dev/ bs=32M status=progress; sync ``` -## Installing the image -**Warning this is a destructive operation and will overwrite your system** +## Installing Image + +> **WARNING**: This operation is destructive and will overwrite your system. Insert the SSD into the laptop, boot, and select the option to install. @@ -48,4 +49,4 @@ Once entered, remembering to include `/dev`, press ENTER to complete the process ```nix sudo reboot ``` -And remember to remove the installer drive +Mind remove the installer drive. diff --git a/docs/src/release_notes/ghaf-23.06.md b/docs/src/release_notes/ghaf-23.06.md index fb6b3f8a7..9cb916870 100644 --- a/docs/src/release_notes/ghaf-23.06.md +++ b/docs/src/release_notes/ghaf-23.06.md 
@@ -27,7 +27,7 @@ The following target hardware is supported by this release: * the development status: . * SLSA v1.0 level provenance file included. * Ghaf version information (query). -* NixOS is updated to 23.05: [NixOS 23.05 released!](https://discourse.nixos.org/t/nixos-23-05-released/28649) +* NixOS is updated to NixOS 23.05: [NixOS 23.05 released!](https://discourse.nixos.org/t/nixos-23-05-released/28649) ## Bug Fixes diff --git a/docs/src/release_notes/ghaf-24.03.md b/docs/src/release_notes/ghaf-24.03.md index 6438ac613..fb597a3fc 100644 --- a/docs/src/release_notes/ghaf-24.03.md +++ b/docs/src/release_notes/ghaf-24.03.md @@ -6,9 +6,9 @@ # Release ghaf-24.03 -## Release Branch +## Release Tag - + ## Supported Hardware 
@@ -58,9 +58,9 @@ Fixed bugs that were in the ghaf-23.12 release: | Cannot log in to the Element chat with a Google account | In Progress | Workaround for x86: create a user specifically for Element. | | Windows launcher application does not work on AGX | In Progress | Workaround: launch a Windows VM from the command line. | | Time synchronization between host and VMs does not work in all scenarios | In Progress | Under investigation. | -| Closing and re-opening a deck lid of a X1 laptop with running Ghaf causes instability | In Progress | Workaround: keep a deck lid of a laptop open while working with Ghaf. | +| Closing and reopening a deck lid of a Lenovo ThinkPad X1 laptop with Ghaf running causes instability | In Progress | Workaround: keep a deck lid of a laptop open while working with Ghaf. | | Applications do not open from icons when netvm is restarted | In Progress | Workaround: restart AppVMs. | -| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to netvm and run the command `nmcli dev wifi connect SSID password PASSWORD hidden yes`. | +| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to a netvm and run the command: `nmcli dev wifi connect SSID password PASSWORD hidden yes`. | ## Environment Requirements 
@@ -79,7 +79,7 @@ Download the required image and use the following instructions: | ghaf-24.03_Generic_x86.tar.xz | [Running Ghaf Image for x86 Computer](../ref_impl/build_and_run.md#running-ghaf-image-for-x86-computer) | | ghaf-24.03_Lenovo_X1_Carbon_Gen11.tar.xz | [Running Ghaf Image for Lenovo X1](../ref_impl/build_and_run.md#running-ghaf-image-for-lenovo-x1) | | ghaf-24.03_Nvidia_Orin_AGX_cross-compiled-no-demoapps.tar.xz[^note], ghaf-24.03_Nvidia_Orin_AGX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_AGX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | -| ghaf-24.03_Nvidia_Orin_NX_cross-compiled-no-demoapps[^note].tar.xz, ghaf-24.03_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | +| ghaf-24.03_Nvidia_Orin_NX_cross-compiled-no-demoapps[^note1].tar.xz, ghaf-24.03_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.03_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | | ghaf-24.03_PolarFire_RISC-V.tar.xz | [Building Ghaf Image for Microchip Icicle Kit](../ref_impl/build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | -[^note] no-demoapps images do not include Chromium, Zathura, and GALA applications. \ No newline at end of file +[^note1] no-demoapps images do not include Chromium, Zathura, and GALA applications. \ No newline at end of file diff --git a/docs/src/release_notes/ghaf-24.06.md b/docs/src/release_notes/ghaf-24.06.md new file mode 100644 index 000000000..059c839cf --- /dev/null +++ b/docs/src/release_notes/ghaf-24.06.md 
@@ -0,0 +1,93 @@ + + +# Release ghaf-24.06 + + +## Release Tag + + + + +## Supported Hardware + +The following target hardware is supported by this release: + +* NVIDIA Jetson AGX Orin +* NVIDIA Jetson Orin NX +* Generic x86 (PC) +* Polarfire Icicle Kit +* Lenovo ThinkPad X1 Carbon Gen 11 +* Lenovo ThinkPad X1 Carbon Gen 10 +* NXP i.MX 8M Plus + + +## What is New in ghaf-24.06 + +* Added support for NXP i.MX 8M Plus. +* NixOS is updated to [NixOS 24.05](https://nixos.org/blog/announcements/2024/nixos-2405/) further to nixos-unstable. +* labwc is used as a default compositor on all platforms. Weston is no longer supported. +* Static networking with external DNS server support only. Internal DHCP and DNS are removed. + * This affects all new guest VM networking. + * Windows VM must be configured with static IP and DNS. +* Lenovo X1 Carbon Gen 10/11: + * Image compression uses the [Zstandard (zstd)](https://github.com/facebook/zstd) algorithm. + * Initial vTPM implementation for Application VMs is added. + * Audio VM with [PipeWire](https://gitlab.freedesktop.org/pipewire/pipewire) backend and [PulseAudio](https://www.freedesktop.org/wiki/Software/PulseAudio/) TCP remote communications layer. + * Multimedia function key passthrough. + * Initial implementation of [IDS VM](../architecture/adr/idsvm.md) as a defensive network mechanism. + * Support for [Element](https://element.io/) chat application. + * GPS location sharing through the Element application. + * [AppFlowy](https://github.com/AppFlowy-IO/AppFlowy) uses the [Flutter](https://github.com/flutter) application framework. +* NVIDIA Jetson Orin NX: + * UARTI passthrough. + * The Jetpack baseline software updates and fixes. +* Further refactoring and modularization of Ghaf Framework. +* Development, testing, and performance tooling improvements. + + +## Bug Fixes + +Fixed bugs that were in the ghaf-24.03 release: + +* Icons do not launch applications when a netvm is restarted. 
+* Closing and reopening a deck lid of a Lenovo ThinkPad X1 laptop with Ghaf running causes instability. + + +## Known Issues and Limitations + +| Issue | Status | Comments | +|-----------------|-------------|--------------------------------------| +| Cannot log in to the Element chat with a Google account | In Progress | Workaround for x86: create a user specifically for Element. | +| Windows launcher application does not work on AGX | In Progress | Workaround: launch a Windows VM from the command line. | +| Time synchronization between host and VMs does not work in all scenarios | In Progress | Under investigation. | +| Applications do not open from icons when netvm is restarted | In Progress | Workaround: restart AppVMs. | +| Cannot connect to a hidden Wi-Fi network from GUI | In Progress | Workaround: connect with SSH to a netvm and run the command: `nmcli dev wifi connect SSID password PASSWORD hidden yes`. | +| NVIDIA Jetson AGX Orin and NVIDIA Jetson Orin NX: cannot make voice calls using the Element application | In Progress | Under investigation. | +| The Element application cannot find a camera | In Progress | Under investigation. | + + +## Environment Requirements + +There are no specific requirements for the environment with this release. + + +## Installation Instructions + +Released images are available at [vedenemo.dev/files/releases/ghaf_24.06/](https://vedenemo.dev/files/releases/ghaf_24.06/). 
+ +Download the required image and use the following instructions: + +| Release Image | Build and Run | +|-------------------------|--------------------| +| ghaf-24.06_Generic_x86.tar.xz | [Running Ghaf Image for x86 Computer](../ref_impl/build_and_run.md#running-ghaf-image-for-x86-computer) | +| ghaf-24.06_Lenovo_X1_Carbon_Gen11.tar.xz | [Running Ghaf Image for Lenovo X1](../ref_impl/build_and_run.md#running-ghaf-image-for-lenovo-x1) | +| ghaf-24.06_Nvidia_Orin_AGX_cross-compiled.tar.xz, ghaf-24.06_Nvidia_Orin_AGX_native-build.tar.xz, ghaf-24.06_Nvidia_Orin_NX_cross-compiled.tar.xz, ghaf-24.06_Nvidia_Orin_NX_native-build.tar.xz | [Ghaf Image for NVIDIA Jetson Orin AGX](../ref_impl/build_and_run.md#ghaf-image-for-nvidia-jetson-orin-agx) | +| ghaf-24.06_PolarFire_RISC-V.tar.xz | [Building Ghaf Image for Microchip Icicle Kit](../ref_impl/build_and_run.md#building-ghaf-image-for-microchip-icicle-kit) | + + + diff --git a/docs/src/release_notes/release_notes.md b/docs/src/release_notes/release_notes.md index bd273a255..0d400d658 100644 --- a/docs/src/release_notes/release_notes.md +++ b/docs/src/release_notes/release_notes.md @@ -12,6 +12,7 @@ Release numbering scheme: *ghaf-yy.mm*. ## In This Chapter +- [Release ghaf-24.06](../release_notes/ghaf-24.06.md) - [Release ghaf-24.03](../release_notes/ghaf-24.03.md) - [Release ghaf-23.12](../release_notes/ghaf-23.12.md) - [Release ghaf-23.09](../release_notes/ghaf-23.09.md)
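Review bot: in the first installer.md hunk, `So to build e.g. the debug image for the Lenovo x1 follow the following steps` is followed by a single command, not a list of steps, and writes `x1` where the rest of the docs use `X1`; suggest `To build, for example, the debug installer image for the Lenovo X1, run:` directly above the `nix build .#lenovo-x1-carbon-gen11-debug-installer` fence. The line above it (`In addition to the live USB image that Ghaf provides it is also possible to install Ghaf.`) also needs a comma after `provides` now that it has been joined into one line.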
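Review bot: the replacement line `+Mind remove the installer drive.` in the last installer.md hunk is ungrammatical; suggest `Remember to remove the installer drive before rebooting.` While in this hunk, the fence around `sudo reboot` is tagged ```` ```nix ```` although it is a shell command, which will highlight it wrongly in mdBook; tag it ```` ```sh ```` like the `nix build` and `dd` fences earlier in the file.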
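Review bot: `NixOS is updated to NixOS 23.05: [NixOS 23.05 released!](...)` in the ghaf-23.06.md hunk now repeats "NixOS" three times in one bullet; the original `NixOS is updated to 23.05:` read better. If the intent is consistency with the 24.06 notes, match their form instead: `NixOS is updated to [NixOS 23.05](https://discourse.nixos.org/t/nixos-23-05-released/28649).`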
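Review bot: the reworded hidden Wi-Fi workaround in the ghaf-24.03.md known-issues hunk still tells the user to type `nmcli dev wifi connect SSID password PASSWORD hidden yes`, which leaves the Wi-Fi password in the netvm shell history and in the process list while it runs. Since the line is being edited anyway, suggest `nmcli --ask dev wifi connect SSID hidden yes`, which prompts for the password instead. Also, `connect with SSH to a netvm` reads oddly because there is a single netvm; `to the netvm` (or the original `to netvm`) is clearer.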
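Review bot: renaming the footnote to `[^note1]` in the last ghaf-24.03.md hunk leaves a dangling reference, because the unchanged AGX row above it still reads `ghaf-24.03_Nvidia_Orin_AGX_cross-compiled-no-demoapps.tar.xz[^note]`; rename that reference too or keep `[^note]` everywhere. Two related problems in the same lines: the definition `[^note1] no-demoapps images do not include ...` lacks the colon after the label that Markdown footnotes require (`[^note1]: no-demoapps images ...`), so it renders as plain text rather than a footnote, and the NX row places the marker inside the filename (`...no-demoapps[^note1].tar.xz`) while the AGX row places it after `.tar.xz`; put it after the filename in both rows.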
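Review bot: the new ghaf-24.06.md contradicts itself. `## Bug Fixes` lists `Icons do not launch applications when a netvm is restarted.` as fixed, yet the `## Known Issues and Limitations` table still carries `Applications do not open from icons when netvm is restarted | In Progress | Workaround: restart AppVMs.`; keep only one of the two. The `## Installation Instructions` table also does not match `## Supported Hardware`: Lenovo ThinkPad X1 Carbon Gen 10 and NXP i.MX 8M Plus are listed as supported, but no `ghaf-24.06_...` image row exists for either, so either add the rows or state that those targets are built from source only. Minor wording: `NixOS is updated to [NixOS 24.05](...) further to nixos-unstable.` is unclear; say which channel the release actually tracks, for example `NixOS is updated to [NixOS 24.05](...) and then to nixos-unstable.` if that is what is meant. Finally, since `Initial vTPM implementation for Application VMs is added.` and the static-networking change (`Internal DHCP and DNS are removed.`) are the security-relevant items of this release, a link to their documentation, as is done for `[IDS VM](../architecture/adr/idsvm.md)`, would help readers who need to configure them.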