Re: [PATCH v1 5/5] sbm: SandBox Mode documentation

From: Petr Tesařík
Date: Wed Feb 14 2024 - 15:09:50 EST

Next message: Marc Zyngier: "Re: [PATCH v2 19/23] KVM: selftests: Add a minimal library for interacting with an ITS"
Previous message: Mimi Zohar: "Re: [PATCH v9 12/25] security: Introduce file_post_open hook"
In reply to: Kent Overstreet: "Re: [PATCH v1 5/5] sbm: SandBox Mode documentation"
Next in thread: Kent Overstreet: "Re: [PATCH v1 5/5] sbm: SandBox Mode documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 14 Feb 2024 13:54:54 -0500
Kent Overstreet <kent.overstreet@xxxxxxxxx> wrote:

> On Wed, Feb 14, 2024 at 05:31:12PM +0100, Petr Tesařík wrote:
> > On Wed, 14 Feb 2024 16:11:05 +0100
> > Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > > On Wed, Feb 14, 2024 at 03:55:24PM +0100, Petr Tesařík wrote:
> > > > OK, so why didn't I send the whole thing?
> > > >
> > > > Decomposition of the kernel requires many more changes, e.g. in linker
> > > > scripts. Some of them depend on this patch series. Before I go and
> > > > clean up my code into something that can be submitted, I want to get
> > > > feedback from guys like you, to know if the whole idea would be even
> > > > considered, aka "Fail Fast".
> > >
> > > We can't honestly consider this portion without seeing how it would
> > > work, as we don't even see a working implementation that uses it to
> > > verify it at all.
> > >
> > > The joy of adding new frameworks is that you need a user before anyone
> > > can spend the time to review it, sorry.
> >
> > Thank your for a quick assessment. Will it be sufficient if I send some
> > code for illustration (with some quick&dirty hacks to bridge the gaps),
> > or do you need clean and nice kernel code?
>
> Given that code is going to need a rewrite to make use of this anyways -
> why not just do the rewrite in Rust?

Thank you for this question! I concur that rewriting the whole kernel
in Rust would be a better option. I see two differences:

1. amount of work
2. regressions

Rewriting something in Rust means pretty much writing it from scratch.
Doing that necessarily introduces regressions. Old code has been used.
It has been tested. In many corner cases. Lots of bugs have been found,
and they’ve been fixed. If you write code from scratch, you lose much
of the accumulated knowledge.

It may still pay off in the long run.

More importantly, sandbox mode can be viewed as a tool that enforces
decomposition of kernel code. This decomposition is the main benefit.
It requires understanding the dependencies among different parts of the
kernel (both code flow and data flow), and that will in turn promote
better design.

> Then you get memory safety, which seems to be what you're trying to
> achieve here.
>
> Or, you say this is for when performance isn't critical - why not a user
> mode helper?

Processes in user mode are susceptible to all kinds of attacks you may
want to avoid. Sandbox mode can be used in situations where user mode
does not exist, e.g. to display a boot logo or to unpack initramfs.

Sandbox mode is part of the kernel, hence signed, which may be relevant
if the kernel is locked down, so you can use it e.g. to parse a key
from the bootloader and put it on the trusted keyring.

Regarding performance, sandbox overhead is somewhere between kernel
mode and UMH. It is not suitable for time-critical code (like handling
NIC interrupts), but it's still much faster than UMH.

Petr T

Next message: Marc Zyngier: "Re: [PATCH v2 19/23] KVM: selftests: Add a minimal library for interacting with an ITS"
Previous message: Mimi Zohar: "Re: [PATCH v9 12/25] security: Introduce file_post_open hook"
In reply to: Kent Overstreet: "Re: [PATCH v1 5/5] sbm: SandBox Mode documentation"
Next in thread: Kent Overstreet: "Re: [PATCH v1 5/5] sbm: SandBox Mode documentation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]