By: Brendan (btrotter.delete@this.gmail.com), March 18, 2021 9:07 am
Room: Moderated Discussions
Michael S (already5chosen.delete@this.yahoo.com) on March 18, 2021 3:47 am wrote:
> Brendan (btrotter.delete@this.gmail.com) on March 17, 2021 10:56 pm wrote:
> > Linus Torvalds (torvalds.delete@this.linux-foundation.org) on March 17, 2021 10:30 am wrote:
> > > Doug S (foo.delete@this.bar.bar) on March 17, 2021 9:30 am wrote:
> > > >
> > > > While everyone agrees that the performance hit of microkernels is real, for applications where
> > > > security is paramount it is totally worth it.
> > >
> > > Bah, you're just parroting the usual party line that had absolutely no basis
> > > in reality and when you look into the details, doesn't actually hold up.
> > >
> > > It's all theory and handwaving and just repeating the same old FUD that was never actually really relevant.
> > >
> > > If you actually want security - and this isn't some theory, this is how people actually do it
> > > - you implement physically separate systems, and you make the secure side much simpler, and
> > > you do code review like there is no tomorrow. Ie automotive, automation, things like that.
> > >
> > > Yes, the secure side might have a very small kernel, because it might be some special
> > > automotive grade electronics that might not even have a real MMU on it. But that's not
> > > what people mean when they talk about microkernels in the sense of "compared to monolithic".
> > > That kernel is simply not even comparable from a capability standpoint.
> > >
> > > So if there is some correlation between extremely secure systems and microkernels, it's
> > > exactly that: a correlation, not causation. You minimize the loads, you minimize the
> > > hardware, and you might end up with a microkernel as a result. But it's not more secure
> > > because of the microkernel, it's more secure because you did that minimalism.
> > >
> > > So even the security argument is actually mostly just complete garbage. Even if you
> > > were to use a microkernel (I'm sure it happens - but often mainly because of hardware
> > > limitations), it's just not a real and comparable general purpose system.
> > >
> > > The real security comes from limiting the load, not the use of microkernels, in other words. Often together
> > > with simplifying the hardware too, because complex hardware is fundamentally more fragile (you mention
> > > spectre etc, which is kind of relevant to the whole bedtime story about how secure microkernels are,
> > > but it's bigger than that - in extreme cases it's about rad-hardening etc too).
> > >
> > > In extreme cases you don't just separate the loads, you actually replicate the secure side and
> > > do multiple independent implementations and things like that. It's very very rare because it's
> > > so expensive and complex to do, but security and reliability go hand in hand in many ways.
> > >
> > > And yes, simplifying the load very much also works with
> > > monolithic kernels. It's not even unusual. Sometimes
> > > you really want the advantage of a more unified system, so you partition the hardware (depending on how
> > > sensitive you are to security concerns, either physically separate or just by cores or possibly even by
> > > just virtualization) and you just make the secure side run much more limited and controlled loads.
> >
> > For "performance is the only thing that matters", the communication between user-space
> > and kernel is too expensive and it's much better to (e.g.) build a messed up SASOS by
> > dynamically linking everything (web browser, database, cron, ...) into kernel space (and
> > forget about things like spectre patches and file system permissions and...).
> >
> > For "security is the only thing that matters", yes, you want to air-gap separate systems.
> > In this case you can still use the same "dynamically link everything into kernel space" because
> > the security doesn't depend on the separation between kernel and user-space anymore.
> >
> > Almost everything is a compromise between these extremes. For a hypothetical (likely non-linear) scale;
> > maybe we can say that monolithic kernels are centered around the "66% performance 33% security" part
> > of the scale and micro-kernels are around the "33% performance 66% security" part of the scale.
> >
> I would think that in world where variations of timing sub-channel became the hottest
> (at least from PR perspective, probably less so in real world) security issue, uKernel-based
> designs should be considered more vulnerable rather than less vulnerable.
> Under uKernel, attacker's requests are more likely to be serviced by the
> same CPU core as victim of attack, to use the same memory areas, etc...

If you take a monolithic kernel and replace some direct function calls with IPC (to get past additional barriers/isolation between pieces that you also add), in what way does "using fewer direct function calls" mean "higher chance of using the same CPU"?

Note that there are very different ways of doing IPC. E.g. rendezvous messaging is like direct function calls (just with some flow control logic and added virtual address space switch) so it wouldn't be any better (or any worse) than an equivalent monolithic kernel; but asynchronous messaging is a completely different beast (no way to guess which CPU the receiver will use, or when).

> Or consider something like Meltdown. Under monolithic kernel it was patched with relative
> ease and with moderate performance impact. Under uKernel, I'd imagine that it would be far
> more painful because performance of protection domain switch is much more critical.

For Meltdown, for micro-kernels it's tempting to not do anything at all because there's almost no confidential data in kernel-space to begin with (and if you do care about some kernel data you could maybe just enable/disable the pages containing that data if/when that data actually needs to be accessed instead of using the KAISER approach). For a monolithic kernel (or worse - a monolithic kernel that maps all RAM into kernel space) you'll have all kinds of encryption keys and data in networking buffers and data in file system buffers and ..., and the confidential data will be spread everywhere (scattered through 20+ million lines of code) so it's a massive problem.

- Brendan