[seL4] Re: CPU design, Re: Confidentiality and realtime requirements

16 Aug 2023


      On 8/14/23 12:25, Gernot Heiser wrote:
...
On 15 Aug 2023, at 01:59, Gernot Heiser  wrote:
...
...
Speculative taint tracking helps close some of the remaining holes.
I’m highly sceptical too. Taint-tracking has to be highly pessimistic to be feasible, and adds a lot of complexity to the hardware (which gets back to my earlier argument: make it more complex and you’re making it more likely that something goes wrong).
Forgot to add:
...
It’s not perfect, but it is the best one can do without cache partitioning or heavyweight flushing, and I suspect both of those are often impractical from a performance perspective.
Cache partitioning (which really is static, software-controlled vs dynamic partitioning by hardware) produces, in average, at best a mild performance degradation. There are plenty of cases where it actually improves performance (loads with a cache working set that exceeds the cache size) and it is used for performance isolation and sometimes for improving average-case performance.
In a fully dynamic system, nothing is known statically.  The OS needs to be able to adapt to workloads that did not even exist when the OS was created, and it needs to do so as these workloads are executing.  And virtually all of these workloads will have no idea that cache partitioning even exists.  Can an OS perform the needed analysis at runtime and allocate cache as needed?
...
Similar, cache-flushing (of the L1) has little performance impact, except where context-switching rates are very high. Otherwise, the L1 is too small to hold much hot data after a full round of context switches, so the cache is effectively flushed implicitly.
I’m not surprised by this.  Nevertheless, it is yet another reason to deemphasize protected procedure calls in favor of notifications and shared memory.
...
On OoO processors explicit flushes have a cost, as the cost of the implicit replacement can be at least partially hidden by OoO execution. But I doubt there are many use realistic cases where the impact is significant. (Yes, we did evaluate this, although it’s been studied in more detail by others.)
Are there any links you recommend?
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)