Date: Thu, 15 Feb 2024 00:16:13 -0800
From: "H. Peter Anvin"
To: Petr Tesařík, Xin Li
CC: Dave Hansen, Petr Tesarik, Jonathan Corbet, Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, "maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)", Andy Lutomirski, Oleg Nesterov, Peter Zijlstra, Xin Li, Arnd Bergmann, Andrew Morton, Rick Edgecombe, Kees Cook, "Masami Hiramatsu (Google)", Pengfei Xu, Josh Poimboeuf, Ze Gao, "Kirill A. Shutemov", Kai Huang, David Woodhouse, Brian Gerst, Jason Gunthorpe, Joerg Roedel, "Mike Rapoport (IBM)", Tina Zhang, Jacob Pan, "open list:DOCUMENTATION", open list, Roberto Sassu, Petr Tesarik
Subject: Re: [PATCH v1 0/8] x86_64 SandBox Mode arch hooks
User-Agent: K-9 Mail for Android
In-Reply-To: <20240215075932.66fef954@meshulam.tesarici.cz>
References: <20240214113516.2307-1-petrtesarik@huaweicloud.com> <20240214192214.78734652@meshulam.tesarici.cz> <20240215075932.66fef954@meshulam.tesarici.cz>
Message-ID: <5434F240-2F74-4D9F-8BEE-220C8EC53C0F@zytor.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On February 14, 2024 10:59:32 PM PST, "Petr Tesařík" wrote:
>On Wed, 14 Feb 2024 10:52:47 -0800
>Xin Li wrote:
>
>> On 2/14/2024 10:22 AM, Petr Tesařík wrote:
>> > On Wed, 14 Feb 2024 06:52:53 -0800
>> > Dave Hansen wrote:
>> >
>> >> On 2/14/24 03:35, Petr Tesarik wrote:
>> >>> This patch series implements x86_64 arch hooks for the generic SandBox
>> >>> Mode infrastructure.
>> >>
>> >> I think I'm missing a bit of context here. What does one _do_ with
>> >> SandBox Mode? Why is it useful?
>> >
>> > I see, I split the patch series into the base infrastructure and the
>> > x86_64 implementation, but I forgot to merge the two recipient lists.
>> > :-(
>> >
>> > Anyway, in the long term I would like to work on gradual decomposition
>> > of the kernel into a core part and many self-contained components.
>> > Sandbox mode is a useful tool to enforce isolation.
>> >
>> > In its current form, sandbox mode is too limited for that, but I'm
>> > trying to find some balance between "publish early" and reaching a
>> > feature level where some concrete examples can be shown. I'd rather
>> > fail fast than maintain hundreds of patches in an out-of-tree branch
>> > before submitting (and failing anyway).
>> >
>> > Petr T
>> >
>>
>> What you're proposing sounds like a gigantic thing, which could potentially
>> impact all subsystems.
>
>True. Luckily, sandbox mode allows me to move gradually, one component
>at a time.
>
>> Unless you prove it has big advantages with real
>> world usages, I guess nobody even wants to look into the patches.
>>
>> BTW, this seems another attempt to get the idea of micro-kernel into
>> Linux.
>
>We know it's not feasible to convert Linux to a micro-kernel. AFAICS
>that would require some kind of big switch, affecting all subsystems at
>once.
>
>But with a growing code base and more or less constant bug-per-LOC rate,
>people will continue to come up with some ideas on how to limit the
>potential impact of each bug. Logically, one of the concepts that come
>to mind is decomposition.
>
>If my attempt helps to clarify how such decomposition should be done to
>be acceptable, it is worthwhile. If nothing else, I can summarize the
>situation and ask Jonathan if he would kindly accept it as an LWN
>article...
>
>Petr T
>

I have been thinking more about this, and I'm more than ever convinced that exposing kernel memory to *any* kind of user space is a really, really bad idea. It is not a door we ever want to open; once that line gets muddled, the attack surface opens up dramatically.

And, in fact, we already have a sandbox mode in the kernel – it is called eBPF.