On Thu, Sep 17, 2020 at 8:35 PM William ML Leslie < william.leslie....@gmail.com> wrote:
> On Fri, 18 Sep 2020 at 02:47, Isaac Beckett <isaactbeck...@gmail.com> > wrote: > >> Hey all, >> >> I was wondering if it makes sense for someone building a system on seL4 to >> run certain drivers or other critical components in a more privileged >> environment, but still outside the kernel. Does using a different CPU mode >> in this context make sense? My hunch is that the case is no, because x86 >> has those extra rings, but ARM only has two modes, Supervisor/System and >> User mode, which would make it hard to provide any mechanism for the >> kernel >> to manage privileged components, because of the differences between >> platforms. >> > > To keep in mind: > > One of the benefits of capabilities over rings is that not only can IO > ports used by drivers be protected from applications, but now applications > can also be protected from drivers, and ports are protected from other > drivers. You can't really get POLA with a strict hierarchy, which is why > capabilities allow you to build a graph representing how authority is > really distributed to each component. Since we have a strictly more > powerful way to distribute authority to drivers, there isn't anything to > gain by using rings 1 and 2. > > Not to mention that the multics driver rings are a fairly dark corner of > the processor these days, since no operating system appears to make use of > 1 and 2, so nobody is inspecting them for hardware bugs. > > > >> _______________________________________________ >> Devel mailing list >> Devel@sel4.systems >> https://sel4.systems/lists/listinfo/devel >> > > > -- > William Leslie > > Notice: > Likely much of this email is, by the nature of copyright, covered under > copyright law. You absolutely MAY reproduce any part of it in accordance > with the copyright law of the nation you are reading this in. Any attempt > to DENY YOU THOSE RIGHTS would be illegal without prior contractual > agreement. > Thanks, that makes sense. Is there any risk to the system if a piece of userland code takes advantage of some hardware bug or other side channel to cause it to run in those higher privileged rings? Or any mitigation that should be applied on an x86 system to prevent such things? _______________________________________________ Devel mailing list Devel@sel4.systems https://sel4.systems/lists/listinfo/devel
