From: Alyssa Ross <hi@alyssa.is>
To: infokiller
Subject: Re: High level design and other related projects
In-Reply-To: <159196057136.15924.4785359159629836782@localhost>
Date: Sat, 13 Jun 2020 12:01:58 +0000
Message-ID: <87k10bcgy1.fsf@alyssa.is>
CC: discuss@spectrum-os.org
List-Id: General high-level discussion about Spectrum

> - Have you considered using a microkernel-based host like seL4,
>   similar to what Genode does (at least as I understand it)?

Yes. I don't know all that much about microkernels, but I have spoken to
some microkernel experts. My understanding is that all the required parts
are not yet in place to be able to use a microkernel as the host in a
system like Spectrum.

I am, however, trying to design the system so that the host system is
responsible for as little as possible, and therefore hopefully making it
possible to transition to a microkernel later should that look feasible.

In principle, the host system should do little other than running virtual
machines. Ideally, most hardware interaction could be delegated to VMs.
This would make it possible to have a very tiny host kernel through
disabling most kernel configuration options. The leftover code should be
just what is critical to run VMs.
The paper "A Linux in Unikernel Clothing"[1] compares a minimally-configured
Linux kernel to several popular unikernels (not microkernels), with very
promising results. It is focused on tiny kernels for single-purpose virtual
machines, but I think it contains a lot of relevant insight for all levels
of the Spectrum stack.

[1]: https://dl.acm.org/doi/pdf/10.1145/3342195.3387526

> - Have you considered gVisor [1] for lightweight compartmentalization?

Yes. The main problem I see with gVisor is that it is designed to be run
from a full-featured host system. For example, gVisor doesn't provide file
system implementations. Instead, it expects to proxy through a file system
existing on the host. In Qubes, and hopefully in Spectrum, the host system
doesn't have any knowledge of VM file systems, to keep the host as
separated from the activities of VMs as possible.

There may still be a place for gVisor in Spectrum -- for example, it could
get a shared file system from a separately virtualized kernel. For now,
though, one VMM is enough to be going on with. :)

> - Have you considered reusing stuff from the Whonix project?

Yes. My understanding is that the main thing that Whonix provides is full
system images for workstation and gateway machines. We probably wouldn't
want to use these directly in Spectrum, because it would go against the
principle of configuring the entire system with Nix. However, there will
likely be lots of work in Whonix (configurations and so on) that can be
reused to similar ends in Spectrum.
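Added here to illustrate the "tiny host kernel that only runs VMs" point in the message above; this is not code from the message or from the Spectrum project. It audits a Linux .config file, reporting VM-critical options that are missing and subsystems that are enabled on the host although (on the assumption stated in the comments) they belong inside a VM; which options land in which list is my assumption, not the project's, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original message or the Spectrum project):
# audit a Linux .config for a host whose only job is running VMs.
# The two option lists are illustrative assumptions, not Spectrum's choices.

# Options a VM-only host is assumed to need (KVM, vhost, device passthrough).
REQUIRED="CONFIG_KVM CONFIG_VHOST_NET CONFIG_VHOST_VSOCK CONFIG_VFIO CONFIG_VFIO_PCI CONFIG_IOMMU_SUPPORT"
# Subsystems assumed to belong inside guest VMs rather than on the host.
UNWANTED="CONFIG_SOUND CONFIG_USB_SUPPORT CONFIG_DRM CONFIG_BT CONFIG_WIRELESS CONFIG_MODULES CONFIG_EXT4_FS"

# config_enabled FILE OPTION: succeeds if OPTION is built in (=y) or modular (=m).
config_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1"
}

# audit_host_config FILE: prints one line per finding; exit status is the count.
audit_host_config() {
    file=$1
    findings=0
    for opt in $REQUIRED; do
        if ! config_enabled "$file" "$opt"; then
            echo "MISSING  $opt (needed to run VMs)"
            findings=$((findings + 1))
        fi
    done
    for opt in $UNWANTED; do
        if config_enabled "$file" "$opt"; then
            echo "SURPLUS  $opt (host attack surface; delegate to a VM)"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# Constructed sample .config: vsock is missing; sound, modules and ext4 are on.
sample_config() {
    printf '%s\n' 'CONFIG_KVM=y' 'CONFIG_VHOST_NET=m' 'CONFIG_VFIO=y' \
        'CONFIG_VFIO_PCI=y' 'CONFIG_IOMMU_SUPPORT=y' \
        '# CONFIG_VHOST_VSOCK is not set' 'CONFIG_SOUND=m' \
        '# CONFIG_DRM is not set' 'CONFIG_MODULES=y' 'CONFIG_EXT4_FS=y'
}

# Demo: audit the constructed sample (a real run would point at /proc/config.gz).
tmp=$(mktemp) && sample_config > "$tmp"
audit_host_config "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```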