On Fri, 18 Sep 2020 at 02:47, Isaac Beckett wrote:

Hey all,

I was wondering if it makes sense for someone building a system on seL4 to run certain drivers or other critical components in a more privileged environment, but still outside the kernel. Does using a different CPU mode in this context make sense? My hunch is that the case is no, because x86 has those extra rings, but ARM only has two modes, Supervisor/System and User mode, which would make it hard to provide any mechanism for the kernel to manage privileged components, because of the differences between platforms.

To keep in mind: One of the benefits of capabilities over rings is that not only can IO ports used by drivers be protected from applications, but now applications can also be protected from drivers, and ports are protected from other drivers. You can't really get POLA with a strict hierarchy, which is why capabilities allow you to build a graph representing how authority is really distributed to each component. Since we have a strictly more powerful way to distribute authority to drivers, there isn't anything to gain by using rings 1 and 2. Not to mention that the multics driver rings are a fairly dark corner of the processor these days, since no operating system appears to make use of 1 and 2, so nobody is inspecting them for hardware bugs.

_______________________________________________ Devel mailing list Devel@sel4.systems https://sel4.systems/lists/listinfo/devel

-- William Leslie Notice: Likely much of this email is, by the nature of copyright, covered under copyright law. You absolutely MAY reproduce any part of it in accordance with the copyright law of the nation you are reading this in. Any attempt to DENY YOU THOSE RIGHTS would be illegal without prior contractual agreement.

On Thu, Sep 17, 2020, at 12:44 PM, Isaac Beckett wrote:

Hey all,

I was wondering if it makes sense for someone building a system on seL4 to run certain drivers or other critical components in a more privileged environment, but still outside the kernel. Does using a different CPU mode in this context make sense? My hunch is that the case is no, because x86 has those extra rings, but ARM only has two modes, Supervisor/System and User mode, which would make it hard to provide any mechanism for the kernel to manage privileged components, because of the differences between platforms.

Other people have commented on the least authority implications but I need to point out that rings 1 and 2 _don't actually do anything_ on modern x86 systems, and by modern I mean since the 386 - they are only used for segment-based protection, page table translation treats 1/2 as equivalent to 0. Since ring 1/2 code can freely overwrite ring 0 code, the IOPL is not relevant either. -s