By: Brendan (btrotter.delete@this.gmail.com), March 17, 2021 10:56 pm
Room: Moderated Discussions
Linus Torvalds (torvalds.delete@this.linux-foundation.org) on March 17, 2021 10:30 am wrote:
> Doug S (foo.delete@this.bar.bar) on March 17, 2021 9:30 am wrote:
> >
> > While everyone agrees that the performance hit of microkernels is real, for applications where
> > security is paramount it is totally worth it.
> Bah, you're just parroting the usual party line that has absolutely no basis
> in reality and, when you look into the details, doesn't actually hold up.
> It's all theory and handwaving and just repeating the same old FUD that was never actually really relevant.
> If you actually want security - and this isn't some theory, this is how people actually do it
> - you implement physically separate systems, and you make the secure side much simpler, and
> you do code review like there is no tomorrow. Ie automotive, automation, things like that.
> Yes, the secure side might have a very small kernel, because it might be some special
> automotive grade electronics that might not even have a real MMU on it. But that's not
> what people mean when they talk about microkernels in the sense of "compared to monolithic".
> That kernel is simply not even comparable from a capability standpoint.
> So if there is some correlation between extremely secure systems and microkernels, it's
> exactly that: a correlation, not causation. You minimize the loads, you minimize the
> hardware, and you might end up with a microkernel as a result. But it's not more secure
> because of the microkernel, it's more secure because you did that minimalism.
> So even the security argument is actually mostly just complete garbage. Even if you
> were to use a microkernel (I'm sure it happens - but often mainly because of hardware
> limitations), it's just not a real and comparable general purpose system.
> The real security comes from limiting the load, not the use of microkernels, in other words. Often together
> with simplifying the hardware too, because complex hardware is fundamentally more fragile (you mention
> spectre etc, which is kind of relevant to the whole bedtime story about how secure microkernels are,
> but it's bigger than that - in extreme cases it's about rad-hardening etc too).
> In extreme cases you don't just separate the loads, you actually replicate the secure side and
> do multiple independent implementations and things like that. It's very very rare because it's
> so expensive and complex to do, but security and reliability go hand in hand in many ways.
> And yes, simplifying the load very much also works with monolithic kernels. It's not even unusual. Sometimes
> you really want the advantage of a more unified system, so you partition the hardware (depending on how
> sensitive you are to security concerns, either physically separate or just by cores or possibly even by
> just virtualization) and you just make the secure side run much more limited and controlled loads.

For "performance is the only thing that matters", the communication between user-space and kernel is too expensive and it's much better to (e.g.) build a messed up SASOS by dynamically linking everything (web browser, database, cron, ...) into kernel space (and forget about things like spectre patches and file system permissions and...).

For "security is the only thing that matters", yes, you want to air-gap separate systems. In this case you can still use the same "dynamically link everything into kernel space" because the security doesn't depend on the separation between kernel and user-space anymore.

Almost everything is a compromise between these extremes. For a hypothetical (likely non-linear) scale, maybe we can say that monolithic kernels are centered around the "66% performance 33% security" part of the scale and micro-kernels are around the "33% performance 66% security" part of the scale.

Mostly by focusing on "extreme security only" you're being dishonest. It would be equally stupid for someone to claim that monolithic kernels suck for performance (compared to a SASOS with no security at all); although I wouldn't be too surprised if there are some exo-kernel advocates who would be happy to claim traditional monolithic kernels have worse performance with the same security.

And it's not just "performance vs. security". Half of Liedtke's thinking was about flexibility ("allowing competing implementations of services") and not security. Some people care more about fault tolerance/redundancy; and others care about other things (scalability, improving availability during software updates, etc). It's more like an N-dimensional design space ("performance vs. security vs. fault tolerance vs. ...") and not a 2-dimensional scale at all.

It's also not necessarily about strict minimalism either. There's no law that says you can't (e.g.) have a micro-kernel with virtual memory management and VFS/cache in kernel and all the file systems and drivers in user-space. Sure, something like that might annoy the strict minimalists (L4 fans?), and someone will suggest that it's "hybrid" and not micro-kernel (in the same way that a few people might look at FUSE and user-space USB drivers and the decade of graphics drivers being done by SVGAlib and X11 in user-space before KMS came along and claim that Linux is "hybrid" and not strictly monolithic); but it's all based on loosely defined terminology that random people made up (and it'd be equally valid to claim that something like QNX is a nano-kernel because it's too small to meet your personal definition of "micro").

It's also very reasonable to distinguish between "micro-kernel, with everything (drivers, file systems, etc) as a huge monolithic blob in user-space" (e.g. L4Linux) and "micro-kernel, with everything (drivers, file systems, etc) isolated into individual processes" (e.g. Minix); because this has a huge impact on where you end up on that hypothetical "performance vs. security" scale (and a huge impact on where you end up in the hypothetical "performance vs. security vs. fault tolerance vs. ..." N-dimensional space).

- Brendan