Received: by 2002:a05:7412:1e0b:b0:fc:a2b0:25d7 with SMTP id kr11csp65764rdb; Wed, 14 Feb 2024 12:53:29 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCVXn/z/UvuAelyeX7tBN3ez+6HdoqED9mmjMANHiGx4cM3WX1vMDYl8kDRLMCUB0GfjenqluU0Fx2WNY6IyQP+zH2njadVjLg2ixqQ1hQ== X-Google-Smtp-Source: AGHT+IFjoa0x3Sj9Jqpc8F8XX9MQnOdKVp3XH0DAkRUinof+kujM10crN+RKDD22Rcxz3ILxBQUc X-Received: by 2002:a05:6358:280d:b0:176:cf18:d0bb with SMTP id k13-20020a056358280d00b00176cf18d0bbmr4468850rwb.13.1707944009072; Wed, 14 Feb 2024 12:53:29 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1707944009; cv=pass; d=google.com; s=arc-20160816; b=a5r6uzUb1XP17hJw3CvfcaklnGX1F4wJ8n9Ne22OQnOZnn9OPsvt72TeO9FEcj+isU 1qdcgU6+VETc17vFxdoMADjIf2pFwb9zTIHBW8zQJkj0BGvbQOqH+jbjJl3LIMpiUjSY 5sTxHxQuImtfcB1oX2cVDtiB+Tg9vdZeeL8kF17UFM70IixEbGGTh+DEFv0c6I45asW2 wD9UYeEvsQ21Iu9e+c3OdgYilidANW+Qf9YYyUC4XZMCUBHqkCzQxxuhve9YQGDG97FF BV0aXoa1zL4jv3qINQc2deKvGSAWpuh/p9T3RyEdn+GVG3BXU54zAFucvEgC9nWed7Oi SU5Q== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-transfer-encoding:content-disposition :mime-version:list-unsubscribe:list-subscribe:list-id:precedence :references:message-id:subject:cc:to:from:dkim-signature:date; bh=L42b5N/GQ68Kpxg4Oo8Su8vLQtANWLk3evJdNxwO3Tg=; fh=UJFt/L7VHTzzY7GBnzMA0GpPAzNdvNq7D6+uqrRlxjE=; b=DiEc21F4NxOjbZdmjTGO8MfyLkhM7vqGJ+jMYQ7gpU+MogZIUuzmXUtBiRLI/UeyFt PvXBevNvxvPiswP7uasWaccoL7WzrJUPO9OeHIB0uzj0HRHjqiYBJnS869W/L0CAW4kU uc2VhwPhUPs/1kEpKJkN1AtmEqfbW6XRCecR9e7qtvtXszZhpTNH6JfSGcir1r5igkNJ VDV6kUBRD6OdJ55t4OqufqoWtvk2IK5c5tLMzGKCOLnaNVFYkQM+oEeF+jEemmuKdVB9 1capVErWi7eTdXacRO8upEZUr8ed14jeWL4JCo4/x8u8+MbQZl3n5p5Ru+5NCGLy8Die EI2A==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=KSHVifil; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-65926-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65926-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev X-Forwarded-Encrypted: i=2; AJvYcCVngNcYze0h5vWGuHTcbvy3MrHmP4Mestd9X+efTHdbzsQC9QalRs4R4gidvZNlsfyEd1YI0VG8QbrAcBd7gK6x6K5DsMJABD3jsDNHnQ== Return-Path: Received: from sy.mirrors.kernel.org (sy.mirrors.kernel.org. [147.75.48.161]) by mx.google.com with ESMTPS id d15-20020aa78e4f000000b006e05de3793bsi783537pfr.136.2024.02.14.12.53.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Feb 2024 12:53:29 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-65926-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) client-ip=147.75.48.161; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.dev header.s=key1 header.b=KSHVifil; arc=pass (i=1 spf=pass spfdomain=linux.dev dkim=pass dkdomain=linux.dev dmarc=pass fromdomain=linux.dev); spf=pass (google.com: domain of linux-kernel+bounces-65926-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.48.161 as permitted sender) smtp.mailfrom="linux-kernel+bounces-65926-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.dev Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sy.mirrors.kernel.org (Postfix) with ESMTPS id 8CFF7B23819 for ; Wed, 14 Feb 2024 20:19:25 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 5EC9D13EFE0; Wed, 14 Feb 2024 20:19:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="KSHVifil" Received: from out-173.mta0.migadu.com (out-173.mta0.migadu.com [91.218.175.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 47EF913DBAE for ; Wed, 14 Feb 2024 20:19:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.173 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707941954; cv=none; b=aFc5mG8Q6FU3mTkZLc47kXwFe0ZcA9geuXZK+CrrZ6HIH2JHQXZL4VeZIajG47QLAK+RiNDHl1TPDtz9x/VclXzwVmOpG5CPKMJ/jI9khcrvSnHONzBy52MLDmmQunH8Tm5FTM6J+7AIkg7w3m+/pewBQsgSV+W/Xj7+qKke8bg= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1707941954; c=relaxed/simple; bh=RZ54gsjHSdffD9b8pq8FeMFaCz2Uxzo30+wsQyyXz3g=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=tUSHjsNAR2Md95ATZbTmXorSKBzlBZqFnwjtAQMcJPmLhviFqXfdSHC25ruqOKeuCYJAtRLGnvbT0UudJqS0Zyd+5bD1LL4JCPXgYQb2T86I0t89odFvlns/FXNwZBGAhh31vuNRsGKTBz9qy1kKxhOAjZ8gvlKwCnt3Gvo4Dg8= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=KSHVifil; arc=none smtp.client-ip=91.218.175.173 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Date: Wed, 14 Feb 2024 15:19:04 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1707941950; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=L42b5N/GQ68Kpxg4Oo8Su8vLQtANWLk3evJdNxwO3Tg=; b=KSHVifilt6B2simPlaHg7DLZfJs3z50rDX6Lz5RUbR0upOZOOJUjl0KIZdMs3v6ywaJB5P W1Kgn8BySc9N2zpkP95Jk1oL+/0n0ZArmvvpDlxeOVMpmjfEEw38ahWCoFMsEdFpCYhinw ONHkPQmckYCV8MXTHM9NxnTmQdPaKyM= X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. From: Kent Overstreet To: Petr =?utf-8?B?VGVzYcWZw61r?= Cc: Greg Kroah-Hartman , Andrew Morton , Petr Tesarik , Jonathan Corbet , David Kaplan , Larry Dewey , Elena Reshetova , Carlos Bilbao , "Masami Hiramatsu (Google)" , Randy Dunlap , Petr Mladek , "Paul E. McKenney" , Eric DeVolder , Marc =?utf-8?Q?Aur=C3=A8le?= La France , "Gustavo A. R. Silva" , Nhat Pham , "Christian Brauner (Microsoft)" , Douglas Anderson , Luis Chamberlain , Guenter Roeck , Mike Christie , Maninder Singh , "open list:DOCUMENTATION" , open list , Roberto Sassu , Petr Tesarik Subject: Re: [PATCH v1 5/5] sbm: SandBox Mode documentation Message-ID: References: <20240214113035.2117-1-petrtesarik@huaweicloud.com> <20240214113035.2117-6-petrtesarik@huaweicloud.com> <20240214053053.982b48d993ae99dad1d59020@linux-foundation.org> <2024021425-audition-expand-2901@gregkh> <20240214155524.719ffb15@meshulam.tesarici.cz> <2024021415-jokester-cackle-2923@gregkh> <20240214173112.138e0e29@meshulam.tesarici.cz> <20240214210937.3a19945f@meshulam.tesarici.cz> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20240214210937.3a19945f@meshulam.tesarici.cz> X-Migadu-Flow: FLOW_OUT On Wed, Feb 14, 2024 at 09:09:37PM +0100, Petr Tesařík wrote: > On Wed, 14 Feb 2024 13:54:54 -0500 > Kent Overstreet wrote: > > > On Wed, Feb 14, 2024 at 05:31:12PM +0100, Petr Tesařík wrote: > > > On Wed, 14 Feb 2024 16:11:05 +0100 > > > Greg Kroah-Hartman wrote: > > > > > > > On Wed, Feb 14, 2024 at 03:55:24PM +0100, Petr Tesařík wrote: > > > > > OK, so why didn't I send the whole thing? > > > > > > > > > > Decomposition of the kernel requires many more changes, e.g. in linker > > > > > scripts. Some of them depend on this patch series. Before I go and > > > > > clean up my code into something that can be submitted, I want to get > > > > > feedback from guys like you, to know if the whole idea would be even > > > > > considered, aka "Fail Fast". > > > > > > > > We can't honestly consider this portion without seeing how it would > > > > work, as we don't even see a working implementation that uses it to > > > > verify it at all. > > > > > > > > The joy of adding new frameworks is that you need a user before anyone > > > > can spend the time to review it, sorry. > > > > > > Thank your for a quick assessment. Will it be sufficient if I send some > > > code for illustration (with some quick&dirty hacks to bridge the gaps), > > > or do you need clean and nice kernel code? > > > > Given that code is going to need a rewrite to make use of this anyways - > > why not just do the rewrite in Rust? > > Thank you for this question! I concur that rewriting the whole kernel > in Rust would be a better option. I see two differences: > > 1. amount of work > 2. regressions > > Rewriting something in Rust means pretty much writing it from scratch. > Doing that necessarily introduces regressions. Old code has been used. > It has been tested. In many corner cases. Lots of bugs have been found, > and they’ve been fixed. If you write code from scratch, you lose much > of the accumulated knowledge. But it's work that already has some growing momentum behind it, especially in the area you cited - decompression algorithms. > More importantly, sandbox mode can be viewed as a tool that enforces > decomposition of kernel code. This decomposition is the main benefit. > It requires understanding the dependencies among different parts of the > kernel (both code flow and data flow), and that will in turn promote > better design. You see this as a tool for general purpose code...? Typical kernel code tends to be quite pointer heavy. > > Then you get memory safety, which seems to be what you're trying to > > achieve here. > > > > Or, you say this is for when performance isn't critical - why not a user > > mode helper? > > Processes in user mode are susceptible to all kinds of attacks you may > want to avoid. Sandbox mode can be used in situations where user mode > does not exist, e.g. to display a boot logo or to unpack initramfs. [citation needed] Running code in the kernel does not make it more secure from attack, and that's a pretty strange idea. One of the central jobs of the kernel is to provide isolation between different users. > Sandbox mode is part of the kernel, hence signed, which may be relevant > if the kernel is locked down, so you can use it e.g. to parse a key > from the bootloader and put it on the trusted keyring. > > Regarding performance, sandbox overhead is somewhere between kernel > mode and UMH. It is not suitable for time-critical code (like handling > NIC interrupts), but it's still much faster than UMH. yeah, this doesn't seem like a worthwhile direction to go in.