Spectrum Design

Spectrum will, for now, be a Linux-based system, derived from NixOS. This gives us an actively-developed base with good hardware support, powerful and optimised compartmentalization primitives in KVM, and the reproducible packaging and configuration system that is important for a maintainable compartmentalized system.

The current plan is to implement compartmentalization in Spectrum by running each application inside crosvm, the hypervisor used by ChromiumOS. Qubes-style isolated, composited windowing for applications can hopefully be provided through its virtio-wayland feature, or failing that through Xpra. Using a full virtual machine for each application might come with high resource requirements at first, but over time we should be able to optimise this, for example by doing clever tricks like DAX to a read-only storage device shared by multiple guests to save on duplicated memory. In the short term, it might be prudent to allow multiple applications to run in a single KVM instance, but our long-term focus should be on one per application instance.

Each virtual machine will be generated by a Nix derivation, and will have a completely immutable root file system. Persistent storage will be provided by virtual block devices supplied by the host, onto which arbitrary paths inside the virtual machine can be mapped. There may be other writable mount points inside the virtual machine, but these will not persist between reboots of the VM. Using Nix to generate virtual machines allows them to be reproducibly built, rolled back, edited, and migrated as source code, rather than as large, opaque virtual machine images.

Virtual block devices will also be defined in Nix, and the relationship between block devices and applications will be many-to-many (m:n). Some virtual machines may have no persistent storage, or even write access to a disk, at all. In other cases, it might be desirable for multiple applications to be able to access the same device, such as a local mail store being shared by two mail clients. Other resources and permissions, such as network cards and USB controllers, will similarly be defined in Nix. There are three logical sections for the Nix configuration -- applications, which are just packages; resources (virtual or physical devices); and application instances, which are mappings between applications and accessible resources. This structure allows users to have multiple instances of the same application, with different permissions.

Initial versions of Spectrum will have the user be responsible for writing Nix code for each application and resource, and the combinations they make between them. In future, it would be good if this could be handled by a graphical interface and a data file for simple cases, with Nix importing the data file and using it as input for the standard functions that would be called in a Nix-language configuration file. This use case should be kept in mind when writing the Nix API for Spectrum.
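As an added illustration of the three-section layout (not Spectrum's own code; the attribute names and the shape of the API are assumptions), the following Nix expression declares applications, resources and instances, rejects any instance that names an undeclared application or resource, and inverts the m:n mapping to list which instances may reach each resource, which is the review a user would want before granting two mail clients the same mail store:

```nix
# Sketch of a Spectrum-style configuration; names are hypothetical.
let
  config = {
    # Applications are just packages.
    applications = {
      thunderbird = { package = "thunderbird"; };
      mutt = { package = "mutt"; };
      firefox = { package = "firefox"; };
    };
    # Resources: virtual or physical devices (values are constructed samples).
    resources = {
      mailStore = { type = "block"; size = "10G"; };
      webProfile = { type = "block"; size = "2G"; };
      wifi = { type = "pci"; address = "0000:02:00.0"; };
    };
    # Instances: one application plus the resources it is allowed to access.
    instances = {
      mail-gui = { application = "thunderbird"; resources = [ "mailStore" "wifi" ]; };
      mail-tui = { application = "mutt"; resources = [ "mailStore" ]; };
      web-work = { application = "firefox"; resources = [ "webProfile" "wifi" ]; };
      # Second instance of the same application with no persistent storage at all.
      web-untrusted = { application = "firefox"; resources = [ ]; };
    };
  };

  inherit (builtins) attrNames filter elem mapAttrs concatStringsSep all hasAttr throw;

  # Every instance must reference a declared application and only declared resources.
  validated =
    let
      bad = filter (name:
        let i = config.instances.${name}; in
        !(hasAttr i.application config.applications)
        || !(all (r: hasAttr r config.resources) i.resources)
      ) (attrNames config.instances);
    in
      if bad == [ ] then config
      else throw "instances with undeclared application or resource: ${concatStringsSep ", " bad}";

  # Invert the m:n mapping: for each resource, the instances that may touch it.
  resourceUsers = mapAttrs (res: _:
    filter (name: elem res validated.instances.${name}.resources)
           (attrNames validated.instances)
  ) validated.resources;
in
  resourceUsers
```

Evaluating the file with `nix eval -f` yields, per resource, the list of instance names sharing it, so a device that unexpectedly appears under more than one instance is visible before any VM is built.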

While Spectrum is expected to largely run on personal computers, most of which will almost certainly use the x86_64 architecture, this will not be the only architecture given first-class support by Spectrum. One of the advantages to Spectrum's Linux base is the extremely wide hardware support that Linux offers, and, beyond that, x86_64 is notably untrustworthy, especially with the huge attack surface of the Intel Management Engine / AMD Platform Security Processor.

So, Spectrum will additionally have first-class support for at least ppc64le. This architecture has been chosen because it is the only other architecture that can come close to the sheer performance x86_64 can offer at the high end, and because, in stark contrast to x86_64, it is possible to buy a new ppc64le (POWER9) system that does not require any proprietary firmware that cannot be inspected and audited. It is a goal of the project to build all packages, x86_64 and ppc64le, on POWER9 hardware. Even if a user has to trust the x86_64 computer available to them, anti-freedom firmware, undocumented backdoors and all, it would be a disservice to them to force them to use packages built on other such untrustworthy hardware.

You may distribute this content under the terms of either the CC-BY-SA license (version 4.0 or later), or the GNU Free Documentation License (version 1.2 or later), at your option.