 Good afternoon everyone. Hope you're having a great time at the I.O. We are here to talk to you about Linux for Chromebooks Also known as crostini We'll start by introducing ourselves. My name is Sudha. I'm a designer on crostini for Chromebooks Hi, I'm Dylan. I'm the Chrome OS virtualization lead And I'm Tom product manager for Linux on Chromebooks Now it's the end of day two at I.O And you've probably already been to a bunch of different sessions that have talked about all the new frameworks that you need to be using Or the platforms that you need to be building for and everyone's right you absolutely should be but we're not really here to talk about that Instead what we want to talk about is you as developers and how you can get more peace of mind by using Linux on Chromebooks We give you that peace of mind by balancing simplicity and security On that note, let's do a quick user study How many of you are developers in the audience? Wow, that's full room as expected keep your hands raised How many of you use your computers for anything else other than development like? Doing your taxes checking email again 100% of you Okay, one last question. How many of you are worried about security? Good, that's pretty. I mean you all should be so I'm glad to see many hands up anyway So I don't know about you, but when I start a new project I I get stuck a lot, right? I hit a lot of walls and I hit a lot of barriers I'm go to look for a problem go to look for a solution and I turn to Google and luckily Google's almost always got a great answer for me Unluckily sometimes the answer looks like this and I know I shouldn't run this script from evil site comm pipe it to sudo, but you know that deadlines coming up and This maybe the site looks kind of legit. So in this case, I'll make an exception and I'll do this and That happens again and again and eventually I end up with a system that I don't trust as much as I should Because I don't really know what code I've run on it anymore. I don't have time to read all these scripts My solution to this has been to carry two laptops One for my developer world and one for my everything else world that I want to be secure in But recently I switched to using one laptop and Tom's going to talk about how I do that So our goal with Chrome OS has been to give you a simple and secure experience from the start But if you tried it previously you might have seen that it wasn't quite ready for developers in order to be simple and secure We couldn't run all of the tools that developers need to get their job done But that all changed at I owe last year when we announced that we were going to start supporting Linux on Chromebooks Linux on Chromebooks lets you run all of your favorite editors ID ease and tools and It's now supported on over 50% of Chromebooks Including great devices with 8th generation Intel CPUs like the Lenovo yoga book c6 30 and the Acer Chromebooks been 13 If you haven't seen it, we're going to run through a few examples First off, how do you get it? It's really easy. It's just a couple clicks now in the background This is downloading a virtual machine setting up containers configuring it all Dylan's going to go more into that in a few minutes But for you as a developer, it's just a couple clicks to get started and this adds a terminal to your launcher Now if you open that terminal, you'll see that you have a pretty standard Debian environment And we've already loaded in a bunch of the tools that developer developers expect like get and vim And if you need anything else, you have the app package manager and you can install whatever packages you need And if you want to instead install files or install programs via dot-deb files, you can do that too This gives you access to thousands of world-class developer tools Now once you've installed any graphical apps You'll find that they all show up in your launcher just like the rest of your Chrome OS apps And if you open them They show up in your window manager again just like the rest of your Chrome OS apps This is the simple experience that people have come to expect from Chrome OS and we didn't want to change that with Linux But importantly, this is also secure You don't have to worry about malware accessing your files snooping on your traffic or infecting your peripherals I'd ask you to trust us on that, but this is way too important for you to take on trust alone So over the course of this talk Dylan and Suda are going to walk you through the principles behind the architecture and design of crossini We're then going to dissect some common developer flows to show you how these principles apply and Finally, we're going to share some tips and tricks for advanced usage for the power users out there So now I'm going to hand it over to Dylan to talk about the architecture Job Okay, so Chrome OS has always had a layered approach to security and Our big layer has always been the browser and the renderer and running all untrusted code in a nice isolated renderer And that keeps the attack surface of your core system to an absolute minimum They're not allowed to make a lot of system calls. They can't poke at random bits of your kernel and That worked really well for web pages web apps However for developer tools, I need to install a lot of different programs. They need a lot of different privileges They can do anything any app on Linux can do and that wasn't acceptable for us on the core of Chrome OS So we need that a layer. So we added a virtualization layer And that lives in the main Chrome OS layer and that spins up a VM and And now this VM has a much more limited interface While still exposing a full Linux kernel to the programs that run inside the VM The only way the VM can talk to Chrome OS proper is Through a small API that that cross VM program on the left up there Exposes to the guest. This was pretty good. Now. We've got a lot greatly reduced attack surface We were pretty happy with this we wanted to go a little further So we made sure that the guest VM was Also signed by Google and somewhat trusted this lets us trust some of the actions the guest VM takes and It's also read only so users can only break things so much in that no matter what you do You're gonna be able to boot a VM However with all that security solved We're back in a situation where you don't have enough flexibility Your apps can't do anything. It's a read-only thing You can't install anything in it. So we had another layer and for this we stole used LXD from canonical That team's been very helpful in getting this spun up with us. It's a pretty standard container runtime It's built for running system containers and in our case. We started a system container Of Debian and exposed to that to the user So that cross VM layer I was talking about that's kind of the most important part Of the security story here It's the last line of defense before something gets into Chrome OS so we went We focused on this for a long time and made sure we got that as secure as possible We wrote it in a memory safe programming language. We chose rust this eliminates buffer overflows and integer overflows a lot of common bugs related to memory safety that are exploited by attackers We were pretty happy with that But we again added another layer of security here in that we broke up the Virtualization program into pillars and made sure that each pillar that interfaces with the guest only has access to small parts of your host Chrome OS system So your host Chrome OS system you've got your bank's web page open You've got your online tax filing thing open. You've got all kinds of person identifiable Information everywhere. We really wanted to protect that but we needed to give the guest access to things like a random number a Display a USB device so each of those got their own jail and they can only see the thing they need So our random number generator can generate random numbers. It can't access any files It's in an empty file system from its perspective. It doesn't have any network access The display driver it can access the display again It can't touch the network. It can't go grab your files and upload them Even if somebody gets into it and tries to make it do things we didn't intend it to This is all a little complicated But we've added a great amount of system UI to make this easy for you to use So when you're just doing your job as a developer, you don't have to worry about these pretty pictures I've drawn for you and so they'll show you what we did. Thank you Dylan Security is absolutely top of mind for us while crafting the Linux experience on Chromebooks. We came up with three high-level design goals The first goal was to keep your experience intuitive Everyone here in this room has been using computers for a long time And you've just established your workflows and habits So basically what we wanted to do is to match to those expectations We wanted to provide an experience That's natural to you We want developers everywhere to be using Chromebooks and feel right at home doing it The second goal was to make your experience native We could have taken the easy path by giving you a full Linux desktop in a VM, but that wasn't good enough Our goal was to bring the Linux apps you depend on for development Into your native Chrome OS experience The third goal was to make your experience simple, and I think this is very important there's a lot of complexity that's going on under the hood and We want to leave it there Our guiding principle is that complexity shouldn't interfere with the user experience There's a couple of things we are trying to balance here the security concerns that come with Installing Linux apps on Chromebooks and the simplicity that comes with sticking to design patterns established by Chrome OS and Our mission was to find that sweet spot All right, so now we're going to talk about three common developer flows and see how they work with crusting The first of these is accessing files as developers We have to do this all the time our editors need to access files as do our compilers our source control and a whole lot more But the problem is that our file systems have a lot more than just code They have our personal photos our tax returns. Maybe that novel that you've been working on a lot can go wrong ransomware can hold all of that data hostage Malware can upload your files to some random server, or maybe you just get something that goes and deletes everything for the fun of it We built crostini with those threats in mind to limit what can go wrong and Dylan will tell you how so our our goal sharing files with your VM and with your container was to Make it easy for you to get the files you needed for your development tasks where you need them But not expose things you don't want exposed untrusted code because ultimately we don't trust the code that's running inside this VM To do this we took a layered approach your files all live in Chrome OS at the very bottom and We share them out to the VM With a 9p server. We named it 9s again. We wrote it in Rust so it's memory safe We fuzzed it to make sure you unexpected inputs don't cause unexpected behavior And we put it in a tight jail so it can access only the files you share with it And it takes those files and exports them to the VM The VM mounts the 9p thing that's built into Linux and then LXD takes that mount and exposes it into your container Where your development tools are running? The important thing here is that your container can only see files you say I want to share With my development environment Your VM can only see those same files and even the server that we wrote running on Chrome OS can only see those files It doesn't get to see everything so somebody exploits this stack all the way back into Chrome OS They still don't have access to the files you haven't shared with the container. That's a lot of stuff to set up Setting up 9p mounts bind mounting things into containers We had to do this manually for a while and we were developing it it was painful So I'll let Sue to show you how easy we made it for you There are a lot of layers going on but let's see how simple this is in the UI Right out of the box you have a directory called Linux files, which is your home directory within Linux Anything in this directory is automatically shared with Linux outside of this directory anywhere else on the device Linux doesn't have access to anything until you grant permissions I'll walk you through a couple of examples here Let's say you're working on a project and you see yourself needing files from this one folder called illustrations To share this all you have to do is access the right click menu and Click on share with Linux in as simple as two steps You now share this folder with Linux if you notice this is in Google Drive, and that's a cool thing When you don't want to share this anymore, you can do that by going to settings and unsharing Here's another example where we made quick edits really simple for you You have a data file in your downloads folder and when you double click it automatically opens in VS code When this happens in the background, it's implicitly shared and the sharing last until you restart This is the balance of security and simplicity. We wanted to bring you Thank you so For our second developer flow that we're going to talk about we're gonna look at running a web server Now being Chrome OS we care a lot about people making great web apps And we want to make sure that they can create those on a Chromebook and being able to run a web server is Pretty central to being able to build any web app Unfortunately web servers also need a pretty low level of access and that can cause some problems The code that can run a web server is also capable of snooping on your internet traffic It can know what sites you're accessing and in some cases even see the contents of those pages This means that a malicious web server could potentially track everything that you're doing now again We thought of this as we design cross Dini and we made sure that we prevented this kind of attack Linux Dylan will tell you how I can be called Linux. That's my job All right, so starting a web server from cross Dini Simple we've got a good demo over in the web dev sandbox already type of command you fire up your web server Just like you would on any Linux distribution out there What's actually happening under the hood though is you're in a container and you open up a port That ports in a network namespace inside of VM Running under our special hypervisor which puts its network stack in another namespace on the host and then Finally out to Chrome So Chrome can't get back in which is great for security You've got wonderful isolation, but if I want to test this new PWA or web page I'm running in my VM. How do I get Chrome to talk to it? This was not simple So for that we had to add some demons along the way actually every layer gets a demon for this there's The first one is running in the in the VM and it's sitting there waiting to check if Any container that's running happens to open a port And then it's got to figure out which container open that port and Bundles that information up sends it to Chrome OS says hey this port in this container is listening the user might want to use that port and On the Chrome OS side we say okay the other demon responds says I will set up a route to do some forwarding I'm gonna forward all of this over Vsoc, which is a protocol used to talk to local VMs on on machines That's kept under the hood So either end talks HTTP in into the demons and the demons talk Vsoc to each other So the key here is that the web server Gets to talk HTTP Chrome gets to talk HTTP Everything's normal. Everything works just like you would while under the hood We've got all this extra demons and Vsoc forwarding going, but we've hidden that One other important thing We've made it trusted so you can get all your PWA features you can install it to your desktop Even though it's not technically the same machine We know it is because we've got the information we set up the VM So we allow that to be trusted domain and All this complexity I think makes one of our best demos today of how complicated we made it under the hood And how simple you're gonna see it is to actually use I Totally agree that this is very complicated under the hood But in the UI, it's exactly like you would expect it to be Let's say you're experimenting with building this cool PWA Here in terminal you're in your folder PWA starter kit You're running a commands to start your web server and if you see at the bottom of the screen It's listening at port 8080 at this point you can launch your browser Go to local host 8080 and test your web app on The screen here on the left You have your web app in Chrome and on the right If you're noticing it, it's in Chrome. Yes You can test your web app on a Chromebook in Firefox 2 If you noticed we did not prompt you to give any permissions while we were in this flow This is because the host is accessing the VM and not the other way around Again, this is another way. We kind of balanced the security and simplicity factor. We were talking about For our finally for our third demo. We're going to talk about testing an Android app Now this is really exciting because just yesterday we announced that Android studio is officially supported on Chromebooks and We even created an installer just for Chrome OS to make it really easy to get started with Now of course Android studio isn't the only thing that you need in order to build a great Android app You also need something to test that app on usually a phone And while you could do that over Wi-Fi with adb remote all this sort of stuff We wanted to make it easy just the experience said you'd expect on any other device I can plug my phone in over USB and test my app that way Now if I'm an Android developer sure I'll plug my phone in to test my app But I'm also going to plug in a lot of other devices over USB over the course of my day I may plug in a USB drive that has a lot of family photos on it I may plug in a wearable that has some health information. I may even plug in my security key for work that gives me all of my access Malware can take advantage of these devices to Uniquely identify you as you move between machines to spread itself or even to make changes to them again We thought of these threats at when designing crostini and made sure that we were preventing them Yeah, implementing USB was a lot of fun for us might have been our most painful stack Same principles apply we've got our layers We protect the host There's a lot of attack surface in a host USB stack. It's a very complicated kind of loosely specced protocol It's an exact spec that's loosely implemented by a lot of people So we've hidden that kept that on the host side Wrote a device that we live in cross vm jail again. We've got a USB driver. It's pretty complicated It's got a lot of code in it. I'm sure there's a bug or two So we made sure it was very well isolated. It can't get to your files. They can't get to the network It also can't get to any USB device You have to explicitly say hey, I want to give this USB device to my development environment we've tried to make that as easy as possible and What actually happens under the hood? We've always got a an emulated USB bus running so the the guest always sees hey, I've got a USB bus There's just nothing plugged in and Once you indicate that I want to give this to my vm It says okay I'm gonna add this device to this bus and then we show it to the guest and then the guest again in turn has to forward that Into the container and the container can see it There's two things we were really focused on here one was security Again, we dressed that with the jail and we made sure that the attack surface was as minimal as possible It's also written in rust and it's nice and memory safe and it's fuzz But the other issue here is is privacy because people somehow use lists of USB devices attached to machines to fingerprint and track users And we wanted to make sure the untrusted code running inside the container couldn't be another way to do that Again, this is a lot of steps We we have to create a device we have to export it to a vm We have to export it to a container we have to decide which device to export and not And again, we'll have a demo that shows how easy it is Okay What this is the last demo? Let's say I'm on my Linux enabled Chromebook and You're plugging in your phone You'll see a notification that prompts you to connect to Linux at this point Only Chrome OS has knowledge of your phone Linux doesn't even know that your phone exists and that's a good thing if you see here Your phone is not listed In in the USB list, but when you read on the command once you connect on the notification Your phone shows up in the list At this point you established Access to Linux to your phone Let's say you're working on a project. You're developing a cool app again in Android studio and You're ready to test it out You hit run and select the phone And boom just like that. You're able to test your phone test your app on your phone At this point you can debug and test out your app Finally you can go to settings and manage what Linux access to at any point of time So you can see how security is at the core of your Linux experience on Chromebooks You the user are in full control at all times of what Linux has access to We take advantage of a variety of UX patterns to make it simple to use and also native to Chrome OS the combination of principles of Chrome OS and Crostini make this experience pretty unique Thanks my turn All right Good. We got plenty of time. So we've been talking about a lot of details And I've been talking a lot about layers and jails and all that's important and It's a good reason for you to trust our normal flows and when I'm using my Chromebook I almost always stay within these common workflows that we've polished and made sure work However, a lot of that Technical detail I was talking about is still usable and we've left hooks in for you to play with it So I'm glad I've got time left so I can go through a few of these examples and kind of just wait your appetite for what else you can do We don't test this stuff We don't support this stuff We really want the standard flow to be enough for everybody, but every once in a while There might be a reason you want to do something a little more advanced or You know, you might just want to go have fun and play with things under the hood. We're tinkerers, right? It's supposed to be So we'll go through and and show how some of this stuff works All this is going to be from the Chrome OS shell. This has been in Chrome OS since longer than I have And so control alt T gets you a shell. There's a set of debug commands you can run We're going to focus on one command, which is the the VMC command that we added to control virtual machines and containers The basic command you can do a VMC list. It'll show you what VMs you have installed on your system The default VM is called terminal So hopefully the font's big enough And you can see what size it is The terminal VM is the one that all the demos were done for the slides before so it's up and Running we've made a shortcut to enter a container inside of VM So if you want to go into the default container the containers named penguin again, that's that's where we were doing all these demos from So the there's a VMC container command to get you into there We'll pop out of there and then we'll pop back into just the VM. So VMC start enters your virtual machine without entering your container So if you go back to my layers, it's it's the one in the middle the thing that LXD runs in and The reason you'd want to be in here is if you want to manipulate or change containers So I mentioned we used LXD There's gonna be a lot of LXC commands. That's the LXD control program. This is well documented online and Most of it will work inside Chrome OS just like it does on a default to want to install The first one you can do is a list. You can see we've got penguin running. We have one container. It's up and running It's got an IP address So we've got our one container. We might want to play with it a little bit and Before we do maybe I want to make sure I can get back to a state where I know it's good right because I've broken them before it's nice to be able to just go back to where I was and play around without worrying so Standard LXD command. It's called snapshot And you give it your container name and you can give it the name of your snapshot And now you've got an image saved that you can go back to if you break things This is a copy on right to we use butter FS in the VM. So you're not eating up a ton of disk space We can get info on our container. This gives a bunch of information Again, you can go poke around with this on a Chromebook if you want to the important bit here Is that we've got one snapshot at the bottom the IO one snapshot we just created You can have multiple snapshots. It's got a date on it to help you remember if you didn't use a very creative name And then when you want to restore it back LXD restore these are well-named commands. They did a better job with this than I did If you really want to go and play with different things sometimes you want more than one container So I've got my penguin container And I'm gonna go say install some different libraries in this one Maybe I want to have a container that's got Python 2.7 and a different one that's got Python 3 Or maybe I want a different container for writing go then the container I have for writing Rust So we let you do that you can create as many containers as you want disk space limited These do do cost disk space The most basic way to start off a new container is to copy an existing one. There's an LXD copy command The example up here copies the default penguin container over to a new container named Kingfisher You can list the containers got to by default containers are stopped. So we have to start them Now we can list to there. It's running and You can jump in you say I want to run bash and Kingfisher And now I've got a shell in my new container and I can go off and install whatever random toolchain I didn't want in my default container Taking that one step further We chose Debian because it's kind of the easiest thing for us to do That we didn't want to tie you down to that though. We support the Debian workflow We support some guest packages that are installed in Debian by default But some people want to use their favorite distro and there is a a huge amount of distros available From the image server that canonical runs We'll install an arch one here I'm not I'm not an arch guy. I don't really know much about arch But some of my co-workers talked to me into doing this and playing with it So now you can see we've got three containers And I've got two Debian containers my penguin and my Kingfisher and now I've got something called arch test And again, I can enter it by telling it to run bash And if I want to install packages in this one, I'll use Pac-Man instead of apt. It's actually it's actually arch I promise That's just a taste of what you can do from here If you go and look at the LXC and LXD documentation online, you can get some more ideas There's even some help online about installing other ones and getting them to integrate better with the GUI if you want more than just a command line All right So Dylan just showed you a bunch of the really cool tricks you can do with Crustini when you go under the hood and if you're interested in this kind of thing We really recommend checking out the Crustini subreddit The folks there buying features as soon as we release them sometimes even sooner And they're also really welcoming to new users of Linux on Chromebooks So if you have any questions, please check it out and a big thanks to the folks there So that's Linux on Chromebooks as you can see we already support a lot of web and Android developer flows And there's a lot more to come both in supporting other developers and in expanding what we can do with new Capabilities like multiple containers and back up and restore We're going to keep applying these principles of simplicity and security To give you the best developer experience possible Whenever you're ready, we hope you'll join us Thank you