Two more points:
1) Security lockdown. Security lockdown transforms multikernel from
"0-day means total compromise" to "0-day means single workload
compromise with rapid recovery." This is still a significant improvement
over containers where a single kernel 0-day compromises everything
simultaneously.
I don't follow. My understanding is that multikernel currently does not
prevent spawned kernels from affecting each other, so a kernel 0-day in
multikernel still compromises everything?
I would assume that if there is no enforced isolation by the hardware
(e.g., virtualization, including partitioning hypervisors like
jailhouse, pkvm etc) nothing would stop a kernel A to access memory
assigned to kernel B.
And of course, memory is just one of the resources that would not be
properly isolated.
Not sure if encrypting memory per kernel would really allow to not let
other kernels still damage such kernels.
Also, what stops a kernel to just reboot the whole machine? Happy to
learn how that will be handled such that there is proper isolation.
--
Cheers
David / dhildenb
