Spectrum Design

Spectrum will, for now, be a Linux-based system, with packages from Nixpkgs but not derived from NixOS. This gives us an actively-developed base with good hardware support, powerful and optimised compartmentalization primitives in KVM, and the reproducible packaging and configuration system that is important for a maintainable compartmentalized system.

The current plan is to implement compartmentalization in Spectrum by running each application inside Cloud Hypervisor, a KVM virtual machine monitor implemented in Rust. Qubes-style isolated, composited windowing is provided via virtio-gpu cross-domain Wayland forwarding, with Cloud Hypervisor being lightly patched to enable this. Using a full virtual machine for each application might come with high resource requirements at first, but over time we should be able to optimise this, for example by doing clever tricks like DAX to a read-only storage device shared by multiple guests to save on duplicated memory. In the short term, it might be prudent to allow multiple applications to run in a single KVM instance, but our long-term focus should be on one per application instance.

Ideally, virtual machines will be created on the fly, and be mostly transparent to the user, with access controls handled dynamically where possible. For example, a VM might be created when the user chooses to open an application, having no access to user files in the beginning, but with access able to be granted seamlessly using the File Chooser XDG Desktop Portal — the application could prompt the host or a VM with full filesystem access to display a dialog inviting the user to select a file that will be made available to the application VM, for the application to open.

Where it is necessary to configure VMs statically, that configuration should be easy to write, to maintain, and to reproduce across Spectrum installations.

Spectrum will have a single, global filesystem for user data, with VMs granted access to subsets of the filesystem as required. This is a different model of data storage than has been used in previous implementations of security through compartmentalization. In Qubes OS, user data in each VM is stored in its own virtual block device. This works fine when multiple applications run in a single virtual machine, but would be unmanageable in Spectrum's VM-per-application model. As long as appropriate precautions are taken, Spectrum's persistent model should be secure, while providing a more familiar and easier to understand model for users used to a single directory tree.
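The "appropriate precautions" for a shared user-data tree start on the host: whatever broker grants a VM a subdirectory must canonicalise the request and confirm it still lies inside the user-data root before exposing anything, so that `..` components, absolute paths and symlinks pointing out of the tree are refused. The following is an added example, not code from the Spectrum project or this design text. It assumes virtio-fs as the sharing mechanism, with the Rust virtiofsd flags `--socket-path`, `--shared-dir` and `--sandbox` and Cloud Hypervisor's `--fs tag=...,socket=...` option; the command lines are only built, not run, and the `/run/spectrum/...` socket path and the sample directory tree are constructed for the demo.

```python
"""Added example: host-side broker logic for granting one VM access to a
subset of a single, global user-data tree via a virtio-fs share.

The validation step (canonicalise, then check containment) is the part a
broker must get right before any share is exposed. The command-line
builders assume the Rust virtiofsd flags --socket-path/--shared-dir/
--sandbox and the Cloud Hypervisor option --fs tag=...,socket=...; these
are assumptions, not taken from the Spectrum design text.
"""
import os
import tempfile
from pathlib import Path


class ShareRefused(ValueError):
    """A requested share would expose more than one subdirectory of the root."""


def resolve_share(data_root: str, requested: str) -> Path:
    """Return the canonical subdirectory to share, or raise ShareRefused.

    Both paths are resolved with symlinks followed, so '..' components,
    absolute paths and symlinks pointing outside the tree are all refused.
    Sharing the whole root is refused too: the model is per-VM subsets.
    """
    root = Path(data_root).resolve(strict=True)
    target = (root / requested).resolve(strict=True)
    if target == root or not target.is_relative_to(root):
        raise ShareRefused(f"{requested!r} resolves to {target}, outside {root}")
    if not target.is_dir():
        raise ShareRefused(f"{requested!r} is not a directory")
    return target


def virtiofsd_command(share: Path, socket_path: str) -> list:
    """Command for the host-side virtio-fs daemon (flag names assumed)."""
    return [
        "virtiofsd",
        f"--socket-path={socket_path}",
        f"--shared-dir={share}",
        "--sandbox=namespace",  # confine the daemon itself to the shared tree
    ]


def cloud_hypervisor_fs_option(tag: str, socket_path: str) -> list:
    """Guest-side attach: Cloud Hypervisor's --fs option (syntax assumed)."""
    return ["--fs", f"tag={tag},socket={socket_path}"]


def plan_grant(data_root: str, requested: str, vm_name: str) -> dict:
    """Validate the request and produce the two commands a broker would run."""
    share = resolve_share(data_root, requested)
    socket_path = f"/run/spectrum/{vm_name}-fs.sock"  # constructed path
    return {
        "share": share,
        "virtiofsd": virtiofsd_command(share, socket_path),
        "cloud_hypervisor": cloud_hypervisor_fs_option(vm_name, socket_path),
    }


def demo() -> dict:
    """Build a constructed user-data tree and exercise the checks offline."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "home" / "alice"
        (root / "Documents" / "tax").mkdir(parents=True)
        os.symlink("/", root / "escape")  # symlink pointing out of the tree
        (root / "notes.txt").write_text("not a directory")

        granted = plan_grant(str(root), "Documents/tax", "vm-pdf")["share"]
        results["ok"] = str(granted.relative_to(root))
        attempts = {"dotdot": "../", "absolute": "/", "symlink": "escape",
                    "whole_root": "", "file": "notes.txt"}
        for name, req in attempts.items():
            try:
                resolve_share(str(root), req)
                results[name] = "granted"
            except ShareRefused:
                results[name] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Resolving both the root and the target with symlinks followed, rather than comparing the strings the user typed, is what makes the symlink case fail closed; a real broker would additionally keep the virtiofsd socket private to the one VM it serves.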

Spectrum currently aims to support x86_64 and aarch64, but it is important for Spectrum users to have the choice of as much hardware as possible, including among as many architectures as possible. The mainstream architectures have various problems with regard to freedom and trustworthiness, and so it's important for Spectrum to support other architectures as well, where feasible. Currently, those two architectures are the only ones supported by Cloud Hypervisor, but if that were to change, additional architectures could be supported.

Ideally, it will be possible to build Spectrum reproducibly, across a diverse range of hardware, to verify that the images correspond to the source code, and are free of tampering. Work like Trustix will be important to reaching this goal.

Permission is granted to copy, distribute and/or modify this document under either the terms of the Creative Commons Attribution-ShareAlike 4.0 International License, or the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.