[RFC PATCH 2/7] x86/sci: add core implementation for system call isolation
mingo at kernel.org
Tue Apr 30 11:05:49 UTC 2019
* Peter Zijlstra <peterz at infradead.org> wrote:
> On Tue, Apr 30, 2019 at 07:03:37AM +0200, Ingo Molnar wrote:
> > So the question IMHO isn't whether it's "valid C", because we already
> > have the Linux kernel's own C syntax variant and are enforcing it with
> > varying degrees of success.
> I'm not getting into the whole 'safe' fight here; but you're under
> selling things. We don't have a C syntax, we have a full blown C
> language variant.
> The 'Kernel C' that we write is very much not 'ANSI/ISO C' anymore in a
> fair number of places. And if I can get my way, we'll only diverge
> further from the standard.
Yeah, but I think it would be fair to say that random style variations
aside, in the kernel we still allow about 95%+ of 'sensible C'.
> And this is quite separate from us using every GCC extension under the
> sun; which of course also doesn't help. It mostly has to do with us
> treating C as a portable assembler and the C people not wanting to
> commit to sensible things because they think C is a high-level
Indeed, and also because there's arguably somewhat of a "if the spec
allows it then performance first, common-sense semantics second" mindset.
Which is an understandable social dynamic, as compiler developers tend to
distinguish themselves via the optimizations they've authored.
Anyway, the main point I tried to make is that I think we'd still be able
to allow 95%+ of "sensible C" even if executed in a "safe runtime", and
we'd still be able to build and run without such strong runtime type
enforcement, i.e. get kernel code close to what we have today, minus a
handful of optimizations and data structures. (But the performance costs
even in that case are nonzero - I'm not sugarcoating it.)
( Plus even that isn't a fully secure solution with deterministic
outcomes, due to parallelism and data races. )