| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aNlBeSpNCvqKXBWm@kernel.org> Date: Sun, 28 Sep 2025 17:08:57 +0300 From: Jarkko Sakkinen <jarkko@...nel.org> To: Cong Wang <xiyou.wangcong@...il.com> Cc: linux-kernel@...r.kernel.org, pasha.tatashin@...een.com, Cong Wang <cwang@...tikernel.io>, Andrew Morton <akpm@...ux-foundation.org>, Baoquan He <bhe@...hat.com>, Alexander Graf <graf@...zon.com>, Mike Rapoport <rppt@...nel.org>, Changyuan Lyu <changyuanl@...gle.com>, kexec@...ts.infradead.org, linux-mm@...ck.org, multikernel@...ts.linux.dev Subject: Re: [RFC Patch 0/7] kernel: Introduce multikernel architecture support On Sat, Sep 27, 2025 at 01:27:04PM -0700, Cong Wang wrote: > On Fri, Sep 26, 2025 at 2:01 AM Jarkko Sakkinen <jarkko@...nel.org> wrote: > > > > On Thu, Sep 18, 2025 at 03:25:59PM -0700, Cong Wang wrote: > > > This patch series introduces multikernel architecture support, enabling > > > multiple independent kernel instances to coexist and communicate on a > > > single physical machine. Each kernel instance can run on dedicated CPU > > > cores while sharing the underlying hardware resources. > > > > > > The multikernel architecture provides several key benefits: > > > - Improved fault isolation between different workloads > > > - Enhanced security through kernel-level separation > > > - Better resource utilization than traditional VM (KVM, Xen etc.) > > > - Potential zero-down kernel update with KHO (Kernel Hand Over) > > > > This list is like asking AI to list benefits, or like the whole cover > > letter has that type of feel. > > Sorry for giving you that feeling. Please let me know how I can > improve it for you. There is no evidence of any of these benefits. That's the central issue. You pretty much must give quantatitve proof of any of these claims or the benefit is imaginary. > > > > > I'd probably work on benchmarks and other types of tests that can > > deliver comparative figures, and show data that addresses workloads > > with KVM, namespaces/cgroups and this, reflecting these qualities. > > Sure, I think performance comes after usability, not vice versa. > > > > > > E.g. consider "Enhanced security through kernel-level separation". > > It's a pre-existing feature probably since dawn of time. Any new layer > > makes obviously more complex version "kernel-level separation". You'd > > had to prove that this even more complex version is more secure than > > pre-existing science. > > Apologize for this. Do you mind explaining why this is more complex > than the KVM/Qemu/vhost/virtio/VDPA stack? KVM does not complicate kernel level separation or access control per kernel instance at all. A guest in the end of the day is just a fancy executable. This feature on the other hand intervenes various easily breaking code paths. > > > > > kexec and its various corner cases and how this patch set addresses > > them is the part where I'm most lost. > > Sorry for that. I will post Youtube videos to explain kexec in detail, > please follow our Youtube channel if you are interested. (I don't > want to post a link here in case people think I am promoting my > own interest, please email me privately.) Here I have to say that posting a youtube link to LKML is of your own interest is not unacceptable as far as I'm concerned :-) That said, I don't promise that I will watch any of the Youtube videos posted either here or privately. All the quantitative proof should be embedded to patches. > > > > > If I look at one of multikernel distros (I don't know any other > > tbh) that I know it's really VT-d and that type of hardware > > enforcement that make Qubes shine: > > > > https://www.qubes-os.org/ > > > > That said, I did not look how/if this is using CPU virtualization > > features as part of the solution, so correct me if I'm wrong. > > Qubes OS is based on Xen: > https://en.wikipedia.org/wiki/Qubes_OS Yes, and it works great, and has much stronger security metrics than this could ever reach, and that is quantitative fact, thanks to great technologies such as VT-d :-) This is why I'm repeating the requirement for quantitative proof. We have already great solutions to most what this can do so building evidence of usefulness is the huge stretch this patch set should make it. Nothing personal, but with the current basically just claims, I don't believe in this. That said, by saying this I don't I'd pick my soccer no. If there is enough evidence, I'm always ready to turn my opinion 180 degrees. > > > > > I'm not entirely sure whether this is aimed to be alternative to > > namespaces/cgroups or vms but more in the direction of Solaris Zones > > would be imho better alternative at least for containers because > > it saves the overhead of an extra kernel. There's also a patch set > > for this: > > > > https://lwn.net/Articles/780364/?ref=alian.info > > Solaris Zones also share a single kernel. Or maybe I guess > you meant Kernel Zones? Isn't it a justification for our multikernel > approach for Linux? :-) > > BTW, it is less flexible since it completely isolates kernels > without inter-kernel communication. With our design, you can > still choose not to use inter-kernel IPI's, which turns dynamic > into static. > > > > > VM barrier combined with IOMMU is pretty strong and hardware > > enforced, and with polished configuration it can be fairly > > performant (e.g. via page cache bypass and stuff like that) > > so really the overhead that this is fighting against is > > context switch overhead. > > > > In security I don't believe this has any realistic chances to > > win over VMs and IOMMU... > > I appreciate you sharing your opinions. I hope my information > helps. I'd put strong focus on getting the figures aside with the claims :-) > > Regards, > Cong Wang BR, Jarkko
Powered by blists - more mailing lists