On Wed, Feb 14, 2024 at 09:09:37PM +0100, Petr Tesařík wrote: > On Wed, 14 Feb 2024 13:54:54 -0500 > Kent Overstreet <kent.overstreet@xxxxxxxxx> wrote: > > > On Wed, Feb 14, 2024 at 05:31:12PM +0100, Petr Tesařík wrote: > > > On Wed, 14 Feb 2024 16:11:05 +0100 > > > Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: > > > > > > > On Wed, Feb 14, 2024 at 03:55:24PM +0100, Petr Tesařík wrote: > > > > > OK, so why didn't I send the whole thing? > > > > > > > > > > Decomposition of the kernel requires many more changes, e.g. in linker > > > > > scripts. Some of them depend on this patch series. Before I go and > > > > > clean up my code into something that can be submitted, I want to get > > > > > feedback from guys like you, to know if the whole idea would be even > > > > > considered, aka "Fail Fast". > > > > > > > > We can't honestly consider this portion without seeing how it would > > > > work, as we don't even see a working implementation that uses it to > > > > verify it at all. > > > > > > > > The joy of adding new frameworks is that you need a user before anyone > > > > can spend the time to review it, sorry. > > > > > > Thank your for a quick assessment. Will it be sufficient if I send some > > > code for illustration (with some quick&dirty hacks to bridge the gaps), > > > or do you need clean and nice kernel code? > > > > Given that code is going to need a rewrite to make use of this anyways - > > why not just do the rewrite in Rust? > > Thank you for this question! I concur that rewriting the whole kernel > in Rust would be a better option. I see two differences: > > 1. amount of work > 2. regressions > > Rewriting something in Rust means pretty much writing it from scratch. > Doing that necessarily introduces regressions. Old code has been used. > It has been tested. In many corner cases. Lots of bugs have been found, > and they’ve been fixed. If you write code from scratch, you lose much > of the accumulated knowledge. But it's work that already has some growing momentum behind it, especially in the area you cited - decompression algorithms. > More importantly, sandbox mode can be viewed as a tool that enforces > decomposition of kernel code. This decomposition is the main benefit. > It requires understanding the dependencies among different parts of the > kernel (both code flow and data flow), and that will in turn promote > better design. You see this as a tool for general purpose code...? Typical kernel code tends to be quite pointer heavy. > > Then you get memory safety, which seems to be what you're trying to > > achieve here. > > > > Or, you say this is for when performance isn't critical - why not a user > > mode helper? > > Processes in user mode are susceptible to all kinds of attacks you may > want to avoid. Sandbox mode can be used in situations where user mode > does not exist, e.g. to display a boot logo or to unpack initramfs. [citation needed] Running code in the kernel does not make it more secure from attack, and that's a pretty strange idea. One of the central jobs of the kernel is to provide isolation between different users. > Sandbox mode is part of the kernel, hence signed, which may be relevant > if the kernel is locked down, so you can use it e.g. to parse a key > from the bootloader and put it on the trusted keyring. > > Regarding performance, sandbox overhead is somewhere between kernel > mode and UMH. It is not suitable for time-critical code (like handling > NIC interrupts), but it's still much faster than UMH. yeah, this doesn't seem like a worthwhile direction to go in.
