Re: [seL4] Userland components in Ring 1/2 (where kernel is in ring 0) to provide protection from less trusted components

On Thu, Sep 17, 2020 at 8:35 PM William ML Leslie < william.leslie.ttg@gmail.com> wrote:

On Fri, 18 Sep 2020 at 02:47, Isaac Beckett wrote:

...

Hey all,

I was wondering if it makes sense for someone building a system on seL4 to run certain drivers or other critical components in a more privileged environment, but still outside the kernel. Does using a different CPU mode in this context make sense? My hunch is that the case is no, because x86 has those extra rings, but ARM only has two modes, Supervisor/System and User mode, which would make it hard to provide any mechanism for the kernel to manage privileged components, because of the differences between platforms.

To keep in mind:

One of the benefits of capabilities over rings is that not only can IO ports used by drivers be protected from applications, but now applications can also be protected from drivers, and ports are protected from other drivers. You can't really get POLA with a strict hierarchy, which is why capabilities allow you to build a graph representing how authority is really distributed to each component. Since we have a strictly more powerful way to distribute authority to drivers, there isn't anything to gain by using rings 1 and 2.

Not to mention that the multics driver rings are a fairly dark corner of the processor these days, since no operating system appears to make use of 1 and 2, so nobody is inspecting them for hardware bugs.

...

_______________________________________________ Devel mailing list Devel@sel4.systems https://sel4.systems/lists/listinfo/devel

-- William Leslie

Notice: Likely much of this email is, by the nature of copyright, covered under copyright law. You absolutely MAY reproduce any part of it in accordance with the copyright law of the nation you are reading this in. Any attempt to DENY YOU THOSE RIGHTS would be illegal without prior contractual agreement.

Thanks, that makes sense. Is there any risk to the system if a piece of userland code takes advantage of some hardware bug or other side channel to cause it to run in those higher privileged rings? Or any mitigation that should be applied on an x86 system to prevent such things?