general high-level discussion about spectrum
 help / color / mirror / Atom feed
* High level design and other related projects
@ 2020-06-12 11:16 infokiller .
  2020-06-13 12:01 ` Alyssa Ross
  0 siblings, 1 reply; 3+ messages in thread
From: infokiller . @ 2020-06-12 11:16 UTC (permalink / raw)
  To: discuss

Apologies for the incoherent title: I'd like to better understand the design choices of this project and discuss how it relates to other projects in this space.
First I'd like to say that I think that using crosvm is a really great decision. Google has a lot of manpower working on ChromeOS and Android, and building on their work is something that should
pay off, especially for a project such as Spectrum that tackles such a huge undertaking (building a secure OS).

Here's a few questions to kick off the discussion:

- Have you considered using a micro kernel based host like seL4, similar to what Genode does (at least as I understand it)?
- Have you considered gVisor [1] for lightweight compartmentalization?
- Have you considered reusing stuff from the Whonix project?

## References

[1] https://github.com/google/gvisor

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: High level design and other related projects
  2020-06-12 11:16 High level design and other related projects infokiller .
@ 2020-06-13 12:01 ` Alyssa Ross
  2020-06-14 20:24   ` infokiller ​
  0 siblings, 1 reply; 3+ messages in thread
From: Alyssa Ross @ 2020-06-13 12:01 UTC (permalink / raw)
  To: infokiller .; +Cc: discuss

[-- Attachment #1: Type: text/plain, Size: 2456 bytes --]

> - Have you considered using a micro kernel based host like seL4,
>   similar to what Genode does (at least as I understand it)?

Yes.

I don't know all that much about microkernels, but I have spoken to some
microkernel experts.  My understanding is that all the required parts
are not yet in place to be able to use a microkernel as the host in a
system like Spectrum.  I am, however, trying to design the system so
that the host system is responsible for as little as possible, and
therefore hopefully making it possible to transition to a microkernel
later should that look feasible.

In principle, the host system should do little other than running
virtual machines.  Ideally, most hardware interation could be delegated
to VMs.  This would make it possible to have a very tiny host kernel
through disabling most kernel configuration options.  The left over code
should be just what is critical to run VMs.  The paper "A Linux in
Unikernel Clothing"[1] compares a minimally-configured Linux kernel to
several popular unikernels (not microkernels), with very promising
results.  It is focused on tiny kernels for single-purpose virtual
machines, but I think it contains a lot of relevant insight for all
levels of the Spectrum stack.

[1]: https://dl.acm.org/doi/pdf/10.1145/3342195.3387526

> - Have you considered gVisor [1] for lightweight compartmentalization?

Yes.

The main problem I see with gVisor is that it is designed to be run from
a full-featured host system.  For example, gvisor doesn't provide file
system implementations.  Instead, it expects to proxy through a file
system existing on the host.  In Qubes, and hopefully in Spectrum, the
host system doesn't have any knowledge of VM file systems, to keep the
host as separated from the activities of VMs as possible.

There may still be a place for gVisor in Spectrum -- for example, it
could get a shared file system from a separately virtualized kernel.
For now, though, one VMM is enough to be going on with. :)

> - Have you considered reusing stuff from the Whonix project?

Yes.

My understanding is that the main thing that Whonix provides is full
system images for workstation and gateway machines.  We probably
wouldn't want to use these directly in Spectrum, because it would go
against the principle of configuring the entire system with Nix.
However, there will likely be lots of work in Whonix (configurations and
so on) that can be reused to similar ends in Spectrum.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: High level design and other related projects
  2020-06-13 12:01 ` Alyssa Ross
@ 2020-06-14 20:24   ` infokiller ​
  0 siblings, 0 replies; 3+ messages in thread
From: infokiller ​ @ 2020-06-14 20:24 UTC (permalink / raw)
  To: discuss

Great, happy to see that you considered all of these options and everything you say makes sense.
Speaking of Whonix, you may be interested in a recent discussion about hardening a Linux desktop [1]. Since Spectrum is designed to be compartmentalized using VMs, this mainly applies to hardening
individual VMs, which is probably less significant than making sure the inter VM communication is secure, but nonetheless may be useful.

[1] https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-06-14 20:24 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-12 11:16 High level design and other related projects infokiller .
2020-06-13 12:01 ` Alyssa Ross
2020-06-14 20:24   ` infokiller ​

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).