Kernel: Introduce Multikernel Architecture Support
110 points
9 hours ago
| 13 comments
| lwn.net
yalogin
54 seconds ago
[-]
It’s not clear to me, but do these kernels run directly on the hardware? If so, how are they able to talk to each other? DMA? That could open up some security flaws; hopefully they thought that through.
reply
tremon
2 hours ago
[-]
"while sharing the underlying hardware resources"? At the risk of sounding too positive, my guess is that hell will freeze over before that will work reliably. Alternating access between the running kernels is probably the "easy" part (DMA and command queues solve a lot of this for free), but I'm thinking more of all the hardware that relies on state-keeping and serialization in the driver. There's no way that e.g. the average usb or bluetooth vendor has "multiple interleaved command sequences" in their test setup.

I think Linux will have to move to a microkernel architecture before this can work. Once you have separate "processes" for hardware drivers, running two userlands side-by-side should be a piece of cake (at least compared to the earlier task of converting the rest of the kernel).

Will be interesting to see where this goes. I like the idea, but if I were to go in that direction, I would choose something like a Genode kernel to supervise multiple Linux kernels.

reply
elteto
2 hours ago
[-]
You just don't share certain devices, like Bluetooth. The "main" kernel will probably own the boot process and manage some devices exclusively. I think the real advantage is running certain applications isolated within a CPU subset, protected/contained behind a dedicated kernel. You don't have the slowdown of VMs, or have to fight against the isolation sieve that is docker.
reply
vlovich123
1 hour ago
[-]
Is there anything that says that multiple kernels will be responsible for owning the drivers for HW? It could be that one kernel owns the hardware while the rest speak to the main kernel over a communication channel. That's presumably also why KHO (Kexec HandOver) is a thing: you have to hand over state when shutting down the kernel responsible for managing the driver.
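To illustrate the "one kernel owns the hardware, the rest are clients" idea, here is a minimal sketch of a single-slot mailbox a client kernel might use to post device requests to the owning kernel over shared memory. All names (`mk_msg`, `mk_mailbox`, the opcodes) are hypothetical and not from the actual patch series:

```c
/* Hypothetical sketch: a single-slot mailbox for cross-kernel requests.
 * The client kernel posts a request; the primary (driver-owning) kernel
 * consumes it. C11 atomics stand in for whatever the real series uses. */
#include <stdatomic.h>
#include <stdint.h>

enum mk_state { MK_EMPTY, MK_FULL };

struct mk_msg {
    uint32_t opcode;   /* illustrative request type */
    uint64_t payload;  /* request-specific argument */
};

struct mk_mailbox {
    _Atomic int state;   /* MK_EMPTY or MK_FULL */
    struct mk_msg slot;  /* message body, valid only when MK_FULL */
};

/* Client kernel side: post a request if the slot is free. */
static int mk_post(struct mk_mailbox *mb, const struct mk_msg *m)
{
    if (atomic_load_explicit(&mb->state, memory_order_acquire) != MK_EMPTY)
        return -1;  /* primary kernel hasn't consumed the last one yet */
    mb->slot = *m;
    atomic_store_explicit(&mb->state, MK_FULL, memory_order_release);
    return 0;
}

/* Primary kernel side: consume a request if one is pending. */
static int mk_take(struct mk_mailbox *mb, struct mk_msg *out)
{
    if (atomic_load_explicit(&mb->state, memory_order_acquire) != MK_FULL)
        return -1;  /* nothing pending */
    *out = mb->slot;
    atomic_store_explicit(&mb->state, MK_EMPTY, memory_order_release);
    return 0;
}
```

The acquire/release pairing makes the message body visible to the consumer before the `MK_FULL` flag is, which is the same ordering discipline any real cross-kernel channel would need.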
reply
ch_123
3 hours ago
[-]
Reminds me of OpenVMS Galaxy on DEC Alpha systems, which allowed multiple instances of the OS to run side by side on the same hardware without virtualization.

https://www.digiater.nl/openvms/doc/alpha-v8.3/83final/aa_re...

reply
skissane
1 hour ago
[-]
IBM mainframes and Power servers have “partitions” (LPARs). My understanding is that they are actually software-based virtualisation, but the hypervisor lives in the system firmware, not the OS. And some of the firmware is loaded from disk at boot-up, making it even closer to something like Xen; labelling it as “hardware” rather than “software” is more about marketing (and which internal teams own it within IBM) than technical reality. Their mainframe partitioning system, PR/SM, apparently began life as a stripped-down version of VM/CMS, although I’m not sure how close the relationship between PR/SM and z/VM is in current releases.

This sounds like running multiple kernels in a shared security domain, which reduces the performance cost of transitions and sharing, but you lose the reliability and security advantages that a proper VM gives you. It reminds me of coLinux (essentially, a Linux kernel as a Windows NT device driver).

Does anyone have more details on how OpenVMS Galaxy was actually implemented? I believe it was available for both Alpha and Itanium, but not yet x86-64 (and probably never…)

reply
messe
4 hours ago
[-]
Reminds me of exokernel architectures[0.5][1.5][2.5]. How is non-CPU resource multiplexing handled, or planned to be handled?

[0.5]: https://en.wikipedia.org/wiki/Exokernel

[1.5]: https://wiki.osdev.org/Exokernel

[2.5]: "Should array indices start at 0 or 1? My compromise of 0.5 was rejected without, I thought, proper consideration." — Stan Kelly-Bootle

reply
andutu
5 hours ago
[-]
Pretty cool, sounds similar to what Barrelfish OS enabled (https://barrelfish.org/).
reply
rwmj
5 hours ago
[-]
Sounds similar to CoLinux, where you could run a "cooperative Linux" alongside Windows: http://www.colinux.org/
reply
brcmthrowaway
2 hours ago
[-]
This was underrated!
reply
zokier
5 hours ago
[-]
Interestingly the author has a startup revolving around this technology. Their webpage has some info: https://multikernel.io/
reply
IAmLiterallyAB
1 hour ago
[-]
What's preventing a compromised kernel on one core from hijacking the other cores? This doesn't seem like much of a security boundary
reply
viraptor
1 hour ago
[-]
Nothing prevents it once you achieve code execution in the kernel. Where it helps is scenarios like syscall or memory-mapping exploits, where a user process can only affect resources attached to its current kernel. For example, https://dirtycow.ninja/ would have a limited scope.
reply
loeg
47 minutes ago
[-]
Insane idea, but very cool.
reply
vaastav
5 hours ago
[-]
How is this different from/similar to Barrelfish?
reply
exe34
5 hours ago
[-]
mainline vs abandoned.
reply
perching_aix
5 hours ago
[-]
Does this mean resiliency against kernel panics?
reply
sedatk
3 hours ago
[-]
> - Improved fault isolation between different workloads

Yes.

reply
ATechGuy
2 hours ago
[-]
That's what the author is claiming. In practice, VM-level strong fault isolation cannot be achieved without isolation support from the hardware, i.e. virtualization extensions.
reply
eqvinox
2 hours ago
[-]
Hardware without something like SR-IOV is straight up going to be unshareable for the foreseeable future; things like ring buffers would need a whole bunch of coordination between kernels to share. SR-IOV (or equivalent) makes it workable, an IOMMU (or equivalent) then provides isolation.
reply
skissane
1 hour ago
[-]
You could have a “nanokernel” which owns the ring buffers and the other kernels act as its clients… or have a “primary kernel” which owns the ring buffers and exposes an API the other kernels could call. If different devices have different ring buffers, the “primary kernel” could be different for each one.
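As a sketch of the "primary kernel owns the ring buffer" shape: client kernels could enqueue descriptors into a shared single-producer/single-consumer ring, and the owning kernel dequeues them and talks to the device. Everything here (`dev_ring`, `ring_desc`, the slot count) is illustrative, not an actual interface:

```c
/* Hypothetical SPSC ring shared between one client kernel (producer)
 * and the kernel that owns the device (consumer). */
#include <stdatomic.h>
#include <stdint.h>

#define RING_SLOTS 8u  /* power of two, so masking handles wraparound */

struct ring_desc {
    uint64_t dma_addr;  /* buffer address the device should use */
    uint32_t len;
};

struct dev_ring {
    _Atomic uint32_t head;  /* advanced by the client (producer) */
    _Atomic uint32_t tail;  /* advanced by the owner (consumer) */
    struct ring_desc slots[RING_SLOTS];
};

/* Client kernel: submit one descriptor; fails if the ring is full. */
static int ring_submit(struct dev_ring *r, struct ring_desc d)
{
    uint32_t head = atomic_load_explicit(&r->head, memory_order_relaxed);
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    if (head - tail == RING_SLOTS)
        return -1;  /* full */
    r->slots[head & (RING_SLOTS - 1)] = d;
    atomic_store_explicit(&r->head, head + 1, memory_order_release);
    return 0;
}

/* Owning kernel: pop the next descriptor to hand to the hardware. */
static int ring_consume(struct dev_ring *r, struct ring_desc *out)
{
    uint32_t tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    uint32_t head = atomic_load_explicit(&r->head, memory_order_acquire);
    if (tail == head)
        return -1;  /* empty */
    *out = r->slots[tail & (RING_SLOTS - 1)];
    atomic_store_explicit(&r->tail, tail + 1, memory_order_release);
    return 0;
}
```

With one such ring per device, the "primary kernel" for each device is simply whichever kernel sits on the consumer side.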
reply
duendefm
3 hours ago
[-]
Would this allow running both Linux and BSD kernels?
reply
tremon
2 hours ago
[-]
It should be possible in theory, as long as both use the same communication interface. In practice, I think getting it to work on just one kernel is already a huge amount of work.
reply
9cb14c1ec0
4 hours ago
[-]
It would be interesting to see a detailed security assessment of this. Would it provide security improvements over docker?
reply
eqvinox
2 hours ago
[-]
Docker is the wrong thing to compare against, especially considering it is an application and not a technology; the technology would be containerization. This competes against hardware virtualization support, if anything.
reply