On 2/14/24 10:22, Petr Tesařík wrote:
> Anyway, in the long term I would like to work on gradual decomposition
> of the kernel into a core part and many self-contained components.
> Sandbox mode is a useful tool to enforce isolation.

I'd want to see at least a few examples of how this decomposition would
work and how much of a burden it is on each site that deployed it.

But I'm skeptical that this could ever work. Ring-0 execution really is
special and it's _increasingly_ so. Think of LASS or SMAP or SMEP.
We're even seeing hardware designers add hardware security defenses to
ring-0 that are not applied to ring-3. In other words, ring-3 isn't just
a deprivileged ring-0, it's more exposed to attacks.

> I'd rather fail fast than maintain hundreds of patches in an
> out-of-tree branch before submitting (and failing anyway).

I don't see any remotely feasible path forward for this approach.