Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sun, 27 Oct 2002 14:13:09 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sun, 27 Oct 2002 14:13:09 -0500 Received: from ppp-217-133-216-156.dialup.tiscali.it ([217.133.216.156]:22403 "EHLO home.ldb.ods.org") by vger.kernel.org with ESMTP id ; Sun, 27 Oct 2002 14:13:07 -0500 Date: Sun, 27 Oct 2002 20:19:21 +0100 From: Luca Barbieri To: "Eric W. Biederman" Cc: Linux-Kernel ML Subject: Re: [PATCH][RFC] x86 multiple user-mode privilege rings Message-ID: <20021027191921.GA5484@ldb.ods.org> Mail-Followup-To: "Eric W. Biederman" , Linux-Kernel ML References: <1035686893.2272.20.camel@ldb> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1987 Lines: 56 --C7zPtVaVf+AK4Oqc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable > But there are privilege switches. Of course, they are unavoidable. However, they are as fast as the one needed to make kernel syscalls. =20 > Let me get the gist of the idea. > To accelerate UML, and wine type applications: > 1) setup segments with restricted limits, so their children cannot > write into their supervisor process even though they share a mm. > 2) load a special system call table that switches processor modes > when any system call is activated. >=20 > Unless I am mistaken all of the above can be accomplished without > using the cpus multiple rings of privilege. Which would allow nesting > only limited by the address space reduction of each task. You also need: 3) Prevent less privileged subtasks from loading segments belonging to more privileged ones This can be done in hardware using the x86 privilege rings, at the cost of limitations on the number of subtasks and the inability to have protected pairs of subtasks where none is more privileged than the other. Of course it is also possible to do this in the kernel, or in a privileged user-mode task using LDT/TLS system calls, by modifying descriptor tables on interprivilege jumps but this is obviously significantly slower. Anyway hardware-based and kernel-based privilege separation can perfectly coexist. --C7zPtVaVf+AK4Oqc Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE9vDw5djkty3ft5+cRAl1AAJ9363B25LcAlmcMTHlx6ZIB7QEUPACeOGd7 KtNK6C9/irGP/inOc3K/ZYA= =nvjO -----END PGP SIGNATURE----- --C7zPtVaVf+AK4Oqc-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/