On Sat, 6 Jan 2018 04:20:25 +0100 Stefan Kalkowski (SK) wrote:

> On Fri, Jan 05, 2018 at 08:24:19PM +0100, Alexander Boettcher wrote:
> >
> > On 05.01.2018 17:36, Udo Steinberg wrote:
> > > Norman Feske (NF) wrote:
> > >
> > > NF> In contrast to monolithic kernels, a microkernel like base-hw, NOVA,
> > > NF> or seL4 does not deal with any user-level content like cryptographic
> > > NF> secrets, or the content of files. There is hardly any credential to
> > > NF> leak to begin with. User content stays outside the microkernel.
> > >
> > > While it is true that a microkernel stores significantly fewer secrets
> > > than a monolithic kernel, like Linux, most microkernels actually have a
> > > full mapping of the entire physical memory in the kernel portion of each
> > > address space, which allows an attacker to peek anywhere into physical
> > > memory.
> >
> > before starting to dig/read through all our supported kernels (I'm not
> > all familiar with the internals) - can you please elaborate a bit about
> > which microkernels, according to your knowledge, have all physical
> > memory mapped in the kernel?
> >
> > The currently supported microkernels for Genode are Pistachio, OKL4,
> > L4/Fiasco, Fiasco.OC, Nova, seL4 and our own hw kernel.
>
> I can warrant that the hw kernel, which is actually Genode's core
> component combined with a bit of architectural dependent
> data-structures (e.g. page-tables) and routines, does not contain
> physical memory mappings used by user-level components.

Hi,

I am not following the recent development of all those kernels, so I think it's best to directly consult the individual developers/teams for statements (like the one from Stefan above).

For my part, I can tell you that the NOVA microhypervisor (at least the official version) does not map physical RAM into the kernel virtual address space, other than the RAM in which the microhypervisor itself resides. NOVA maps certain devices (like APIC, IOMMU), but those can't be speculatively accessed anyway. I cannot comment on modified NOVA versions.

Some commercial kernels and L4/Fiasco certainly used to map as much physical memory as can fit into the kernel address space. Not sure if Fiasco.OC retains that behavior. Check for Physmem in class Mem_layout.

Also any kernel that performs certain things like long IPC via a lazily flushed IPC window may have transient mappings of memory belonging to other user processes.

Cheers,
Udo

_______________________________________________
genode-main mailing list
genode-main@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/genode-main