By: Jukka Larja (roskakori2006.delete@this.gmail.com), January 17, 2021 9:35 am
Room: Moderated Discussions
dmcq (dmcq.delete@this.fano.co.uk) on January 17, 2021 5:39 am wrote:
> Jukka Larja (roskakori2006.delete@this.gmail.com) on January 16, 2021 8:37 pm wrote:
> > dmcq (dmcq.delete@this.fano.co.uk) on January 16, 2021 1:50 am wrote:
> > > Jukka Larja (roskakori2006.delete@this.gmail.com) on January 15, 2021 8:04 pm wrote:
> > > > dmcq (dmcq.delete@this.fano.co.uk) on January 15, 2021 1:58 pm wrote:
> > > > > Anne O. Nymous (not.delete@this.real.address) on January 15, 2021 11:19 am wrote:
> > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 15, 2021 7:27 am wrote:
> > > > > > > Jukka Larja (roskakori2006.delete@this.gmail.com) on January 15, 2021 5:57 am wrote:
> > > > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 14, 2021 11:13 am wrote:
> > > > > > > > > Jörn Engel (joern.delete@this.purestorage.com) on January 14, 2021 10:42 am wrote:
> > > > > > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 14, 2021 7:26 am wrote:
> > > > > > > > > > >
> > > > > > > > > > > I'm basically in agreement with Maynard about this. I've never had anywhere near as many customers as
> > > > > > > > > > > Apple :-) but even so a major consideration for me has always been the support costs.
> > > > > > > > > >
> > > > > > > > > > You are considering a different question. Your question is "Why would Apple
> > > > > > > > > > want to...". My question is "Why would I (or some other user) want to...".
> > > > > > > > > >
> > > > > > > > > > Of course Apple doesn't care whether I, Linus or the other twelve people buy an extra machine
> > > > > > > > > > to run Linux on it. Doesn't invalidate our reasons to prefer bare metal over hypervisors.
> > > > > > > > >
> > > > > > > > > Eveyone who writes software has support costs unless it is just a private hobby tinkering
> > > > > > > > > around with their own machine.This thread is about gaining perhaps 3% performance if things
> > > > > > > > > work out okay and incurring the trouble of writing ones own drivers which might go out
> > > > > > > > > of date in the next iteration. And for what from the point of view of a user?
> > > > > > > >
> > > > > > > > You presume that MacOS is better OS than Linux (for whatever value of "better").
> > > > > > > >
> > > > > > > > -JLarja
> > > > > > >
> > > > > > > I presume only that a good hypervisor can be built which splits off what is needed to
> > > > > > > be done by the operating system and the firmware that is more dependent on the specific
> > > > > > > version of the hardware. And that a lot of people are interested in security.
> > > > > > >
> > > > > >
> > > > > > How does adding more between the bare metal and the OS add
> > > > > > to security? Sure a hypothetical flawless hypervisor
> > > > > > might do the trick, but how is that any more secure than an equally hypothetical flawless OS? This is not
> > > > > > an argument why apple should or should not consider this just a question about your argument ;)
> > > > > >
> > > > > >
> > > > >
> > > > > If anyone can stick in a new operating system that has full access to everything there is no security.
> > > >
> > > > Just as well anyone can stick in a new hypervisor. I don't really see what's the difference between
> > > > hypervisor and OS in this argument. Or is the point just that a limited system where user can't do stupid
> > > > things is more secure? Wouldn't an OS that only allows running a browser then be even better?
> > > >
> > > > -JLarja
> > >
> > > I wasn't advocating that Chromebook solved everyone's problems, but yes a more limited system that
> > > doesn't allow a person access to everything is more secure and there's lots of examples of that.
> >
> > Yeah, so it's not really about running under hypervisor or not. It's one way to limit a system, but
> > not particularly good. If I run Windows 2000 in VM, it will be insecure. VM may prevent malware from
> > messing with other VMs, but if my goal is running Windows 2000 (not running Windows 2000 along with
> > other OSes), it doesn't really change anything (perhaps makes "re-installing" Windows easier).
> >
> > -JLarja
>
> No that is not what I said at all. just running a secure system on top of an
> insecure system is a waste of time. And bare metal is insecure. If it is easy
> for users to get to bare metal then anyone can compromise the system easily.
If hardware is insecure, hypervisor won't help. There's nothing magical about them.
I'm not really sure what you are trying to say. If we presume that the user doesn't have full access to the computer, it doesn't make particular sense to draw the line to where virtual machine meets hardware. Running insecure OS on top of separate hypervisor isn't significantly better than running the same OS on bare metal, if the point is only running that OS. Why not limit user to non-administrative account, or a set of white-listed programs? What's so special about hypervisor?
I'm running the laptop I'm typing this with Windows 10 on top of bare metal. How would my system be more secure, if I instead ran it in VM on top of Windows 10?
If we presume that user does have full access, removing or replacing hypervisor is just as trivial as replacing the OS.
-JLarja
> Jukka Larja (roskakori2006.delete@this.gmail.com) on January 16, 2021 8:37 pm wrote:
> > dmcq (dmcq.delete@this.fano.co.uk) on January 16, 2021 1:50 am wrote:
> > > Jukka Larja (roskakori2006.delete@this.gmail.com) on January 15, 2021 8:04 pm wrote:
> > > > dmcq (dmcq.delete@this.fano.co.uk) on January 15, 2021 1:58 pm wrote:
> > > > > Anne O. Nymous (not.delete@this.real.address) on January 15, 2021 11:19 am wrote:
> > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 15, 2021 7:27 am wrote:
> > > > > > > Jukka Larja (roskakori2006.delete@this.gmail.com) on January 15, 2021 5:57 am wrote:
> > > > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 14, 2021 11:13 am wrote:
> > > > > > > > > Jörn Engel (joern.delete@this.purestorage.com) on January 14, 2021 10:42 am wrote:
> > > > > > > > > > dmcq (dmcq.delete@this.fano.co.uk) on January 14, 2021 7:26 am wrote:
> > > > > > > > > > >
> > > > > > > > > > > I'm basically in agreement with Maynard about this. I've never had anywhere near as many customers as
> > > > > > > > > > > Apple :-) but even so a major consideration for me has always been the support costs.
> > > > > > > > > >
> > > > > > > > > > You are considering a different question. Your question is "Why would Apple
> > > > > > > > > > want to...". My question is "Why would I (or some other user) want to...".
> > > > > > > > > >
> > > > > > > > > > Of course Apple doesn't care whether I, Linus or the other twelve people buy an extra machine
> > > > > > > > > > to run Linux on it. Doesn't invalidate our reasons to prefer bare metal over hypervisors.
> > > > > > > > >
> > > > > > > > > Eveyone who writes software has support costs unless it is just a private hobby tinkering
> > > > > > > > > around with their own machine.This thread is about gaining perhaps 3% performance if things
> > > > > > > > > work out okay and incurring the trouble of writing ones own drivers which might go out
> > > > > > > > > of date in the next iteration. And for what from the point of view of a user?
> > > > > > > >
> > > > > > > > You presume that MacOS is better OS than Linux (for whatever value of "better").
> > > > > > > >
> > > > > > > > -JLarja
> > > > > > >
> > > > > > > I presume only that a good hypervisor can be built which splits off what is needed to
> > > > > > > be done by the operating system and the firmware that is more dependent on the specific
> > > > > > > version of the hardware. And that a lot of people are interested in security.
> > > > > > >
> > > > > >
> > > > > > How does adding more between the bare metal and the OS add
> > > > > > to security? Sure a hypothetical flawless hypervisor
> > > > > > might do the trick, but how is that any more secure than an equally hypothetical flawless OS? This is not
> > > > > > an argument why apple should or should not consider this just a question about your argument ;)
> > > > > >
> > > > > >
> > > > >
> > > > > If anyone can stick in a new operating system that has full access to everything there is no security.
> > > >
> > > > Just as well anyone can stick in a new hypervisor. I don't really see what's the difference between
> > > > hypervisor and OS in this argument. Or is the point just that a limited system where user can't do stupid
> > > > things is more secure? Wouldn't an OS that only allows running a browser then be even better?
> > > >
> > > > -JLarja
> > >
> > > I wasn't advocating that Chromebook solved everyone's problems, but yes a more limited system that
> > > doesn't allow a person access to everything is more secure and there's lots of examples of that.
> >
> > Yeah, so it's not really about running under hypervisor or not. It's one way to limit a system, but
> > not particularly good. If I run Windows 2000 in VM, it will be insecure. VM may prevent malware from
> > messing with other VMs, but if my goal is running Windows 2000 (not running Windows 2000 along with
> > other OSes), it doesn't really change anything (perhaps makes "re-installing" Windows easier).
> >
> > -JLarja
>
> No that is not what I said at all. just running a secure system on top of an
> insecure system is a waste of time. And bare metal is insecure. If it is easy
> for users to get to bare metal then anyone can compromise the system easily.
If hardware is insecure, hypervisor won't help. There's nothing magical about them.
I'm not really sure what you are trying to say. If we presume that the user doesn't have full access to the computer, it doesn't make particular sense to draw the line to where virtual machine meets hardware. Running insecure OS on top of separate hypervisor isn't significantly better than running the same OS on bare metal, if the point is only running that OS. Why not limit user to non-administrative account, or a set of white-listed programs? What's so special about hypervisor?
I'm running the laptop I'm typing this with Windows 10 on top of bare metal. How would my system be more secure, if I instead ran it in VM on top of Windows 10?
If we presume that user does have full access, removing or replacing hypervisor is just as trivial as replacing the OS.
-JLarja
| Topic | Posted By | Date |
|---|---|---|
| Question to Torvalds | Paul | 2020/11/14 04:08 AM |
| Question to Torvalds | Linus Torvalds | 2020/11/14 02:12 PM |
| Question to Torvalds | never_released | 2020/11/14 05:12 PM |
| Question to Torvalds | Doug S | 2020/11/15 09:55 AM |
| Question to Torvalds | never_released | 2020/11/15 12:31 PM |
| Question to Torvalds | Doug S | 2020/11/16 10:46 AM |
| Question to Torvalds | Maxwell | 2020/11/16 11:49 AM |
| Question to Torvalds | never_released | 2020/11/16 04:25 PM |
| Question to Torvalds | lyra64 | 2020/11/23 11:23 AM |
| Question to Torvalds | me | 2020/11/22 12:11 PM |
| Question to Torvalds | James | 2020/11/25 06:59 AM |
| Question to Torvalds | bakk | 2021/01/09 03:35 PM |
| Question to Torvalds | Maynard Handley | 2021/01/09 04:12 PM |
| He asked disingenuously (NT) | JS | 2021/01/09 08:33 PM |
| He asked disingenuously | Maynard Handley | 2021/01/10 10:51 AM |
| He asked disingenuously | JS | 2021/01/10 03:50 PM |
| He asked disingenuously | Maynard Handley | 2021/01/10 06:02 PM |
| Question to Torvalds | anon | 2021/01/10 07:01 PM |
| Question to Torvalds | Maynard Handley | 2021/01/10 07:59 PM |
| Question to Torvalds | anon | 2021/01/11 09:56 AM |
| Question to Torvalds | Jukka Larja | 2021/01/12 05:50 AM |
| Question to Torvalds | anon2 | 2021/01/10 07:21 PM |
| Question to Torvalds | Maynard Handley | 2021/01/10 08:15 PM |
| Question to Torvalds | Maynard Handley | 2021/01/10 08:22 PM |
| Question to Torvalds | anon2 | 2021/01/10 08:47 PM |
| Question to Torvalds | Maynard Handley | 2021/01/10 09:28 PM |
| Question to Torvalds | anon2 | 2021/01/10 10:36 PM |
| Question to Torvalds | Jukka Larja | 2021/01/11 06:21 AM |
| Question to Torvalds | Maynard Handley | 2021/01/11 10:33 AM |
| Question to Torvalds | anon2 | 2021/01/11 10:40 PM |
| Question to Torvalds | Jukka Larja | 2021/01/12 06:05 AM |
| Question to Torvalds | Maynard Handley | 2021/01/12 09:42 AM |
| Question to Torvalds | Jukka Larja | 2021/01/12 11:15 AM |
| Question to Torvalds | Maynard Handley | 2021/01/12 12:07 PM |
| Question to Torvalds | Jukka Larja | 2021/01/13 06:24 AM |
| Question to Torvalds | Michael S | 2021/01/13 08:45 AM |
| Question to Torvalds | Ungo | 2021/01/13 07:34 PM |
| Question to Torvalds | Jörn Engel | 2021/01/13 09:49 AM |
| Question to Torvalds | Etienne Lorrain | 2021/01/14 03:02 AM |
| Question to Torvalds | dmcq | 2021/01/14 08:26 AM |
| Question to Torvalds | Jörn Engel | 2021/01/14 11:42 AM |
| Question to Torvalds | dmcq | 2021/01/14 12:13 PM |
| Question to Torvalds | Jukka Larja | 2021/01/15 06:57 AM |
| Question to Torvalds | dmcq | 2021/01/15 08:27 AM |
| Question to Torvalds | Anne O. Nymous | 2021/01/15 12:19 PM |
| Question to Torvalds | dmcq | 2021/01/15 02:58 PM |
| Question to Torvalds | Jukka Larja | 2021/01/15 09:04 PM |
| Question to Torvalds | dmcq | 2021/01/16 02:50 AM |
| Question to Torvalds | Jukka Larja | 2021/01/16 09:37 PM |
| Question to Torvalds | dmcq | 2021/01/17 06:39 AM |
| Question to Torvalds | Adrian | 2021/01/17 08:46 AM |
| Question to Torvalds | dmcq | 2021/01/17 09:36 AM |
| Question to Torvalds | Jukka Larja | 2021/01/17 09:35 AM |
| Question to Torvalds | dmcq | 2021/01/17 10:01 AM |
| Question to Torvalds | Jukka Larja | 2021/01/17 10:52 AM |
| Question to Torvalds | Doug S | 2021/01/14 10:37 AM |
