On 8/11/23 07:46, Gernot Heiser wrote:
> On 11 Aug 2023, at 21:33, Hugo V.C. <[email protected]> wrote:
>
> > That's it. And here is where I think we all in the security industry are
> > failing. I don't think we can solve that nowadays with the current
> > hardware/CPUs and "mix" things; moreover, even if someone dares to do it, I
> > guess it will be extremely complex to make guarantees. Instead of
> > "relaxing" the security policy, I bet on solving that by, literally, making
> > hardware partitioning, with different OSs, the general-purpose one and the
> > one with guarantees, and then transferring sensible workloads to the hardware
> > partition with the OS that gives you guarantees. I'm aware that here
> > interaction between those two systems introduces new challenges, but IMHO
> > it simplifies the design a lot.
>
> I'm not convinced that there's a case for more HW support than the simple
> mechanisms we propose in the TP paper, and which Nils instantiated in
> fence.t. Unless you go for something that is *very* complex, and will just
> create more opportunities for loopholes.
>
> "Simple is better" applies in the security context even more than in other
> contexts. Pick the simplest mechanism that does the job, and then use it
> judiciously.
I agree, but in this case, I don't know if a simple solution exists. The workloads people want to run aren't simple, and the security policies they want to enforce aren't simple either.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

_______________________________________________
Devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
