Date: Thu, 15 Feb 2024 07:59:32 +0100
From: Petr Tesařík
To: Xin Li
Cc: Dave Hansen, Petr Tesarik, Jonathan Corbet, Thomas Gleixner,
    Ingo Molnar, Borislav Petkov, Dave Hansen,
    "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", "H. Peter Anvin",
    Andy Lutomirski, Oleg Nesterov, Peter Zijlstra, Xin Li, Arnd Bergmann,
    Andrew Morton, Rick Edgecombe, Kees Cook, "Masami Hiramatsu (Google)",
    Pengfei Xu, Josh Poimboeuf, Ze Gao, "Kirill A. Shutemov", Kai Huang,
    David Woodhouse, Brian Gerst, Jason Gunthorpe, Joerg Roedel,
    "Mike Rapoport (IBM)", Tina Zhang, Jacob Pan,
    "open list:DOCUMENTATION", open list, Roberto Sassu, Petr Tesarik
Subject: Re: [PATCH v1 0/8] x86_64 SandBox Mode arch hooks
Message-ID: <20240215075932.66fef954@meshulam.tesarici.cz>

On Wed, 14 Feb 2024 10:52:47 -0800
Xin Li wrote:

> On 2/14/2024 10:22 AM, Petr Tesařík wrote:
> > On Wed, 14 Feb 2024 06:52:53 -0800
> > Dave Hansen wrote:
> >
> >> On 2/14/24 03:35, Petr Tesarik wrote:
> >>> This patch series implements x86_64 arch hooks for the generic SandBox
> >>> Mode infrastructure.
> >>
> >> I think I'm missing a bit of context here. What does one _do_ with
> >> SandBox Mode? Why is it useful?
> >
> > I see, I split the patch series into the base infrastructure and the
> > x86_64 implementation, but I forgot to merge the two recipient lists.
> > :-(
> >
> > Anyway, in the long term I would like to work on gradual decomposition
> > of the kernel into a core part and many self-contained components.
> > Sandbox mode is a useful tool to enforce isolation.
> >
> > In its current form, sandbox mode is too limited for that, but I'm
> > trying to find some balance between "publish early" and reaching a
> > feature level where some concrete examples can be shown. I'd rather
> > fail fast than maintain hundreds of patches in an out-of-tree branch
> > before submitting (and failing anyway).
> >
> > Petr T
> >
>
> What you're proposing sounds a gigantic thing, which could potentially
> impact all subsystems.

True. Luckily, sandbox mode allows me to move gradually, one component
at a time.

> Unless you prove it has big advantages with real
> world usages, I guess nobody even wants to look into the patches.
>
> BTW, this seems another attempt to get the idea of micro-kernel into
> Linux. We know it's not feasible to convert Linux to a micro-kernel.

AFAICS that would require some kind of big switch, affecting all
subsystems at once.

But with a growing code base and more or less constant bug-per-LOC
rate, people will continue to come up with some ideas how to limit the
potential impact of each bug. Logically, one of the concepts that come
to mind is decomposition. If my attempt helps to clarify how such
decomposition should be done to be acceptable, it is worthwhile.

If nothing else, I can summarize the situation and ask Jonathan if he
would kindly accept it as a LWN article...

Petr T