I will post my speculations here, in order to substantiate the inquiry.
simeonz wrote:Can a microkernel perform unclean restart (after state corruption) of a driver, such as a filesystem, or even a network one, and not risk corruption of the state of user applications? Or is it meant to enable clean restarts only (i.e. deadlocked/livelocked/aged driver processes)?
I believe, that in general, driver failure cannot be isolated, because the user processes consume data that originates in that driver and also rely on the driver to transfer information to storage or to a communication channel. This may not always be critical failure, but if the data was subsumed for the long-term in the client process, or was corrupted before reaching the media or cluster, continuing to use it and its derivatives hides additional security or integrity risks.
simeonz wrote:Can a microkernel guarantee confidentiality of the data sent to different processes or drivers from the driver stack, without encrypting the data blocks and storing the keys outside of the normal storage, using some kind of TPM?
If a driver is exploited or malicious, the processes can only hide information from it by encrypting it. This is not specific issue with microkernels, but is relevant to the qualities of microkernels. If encryption is used after all, the keys cannot be located in the primary storage which is behind a driver stack, but will have to use separate space, hopefully managed by simple, well-tested and trusted code. The cache and buffer management will probably have to be trusted as well to keep the performance acceptable. Note that filesystem drivers in some cases may operate by translation mechanism entirely, but in other cases they require to directly process the blocks, such as for deduplication and compression purposes. Many lower-level device drivers will be on the data path directly at all times.
simeonz wrote:Can a microkernel guarantee the authenticity of the data without signing each data block that travels through its messaging system and storing the keys in a TPM?
I understand that data can never be protected against losses due to denial of service from the driver, but at least the authenticity of information mediated by the driver can be proven with hashing and signing.
simeonz wrote:Is the microkernel persistent security metadata for files implemented inside the filesystem driver, or inside some designated security module?
For the same reasons as before, the security metadata managed in the filesystem driver is not safe. The filesystem drivers are generally complex, and can be network facing. It is exploitable code. And the user may desire to install third-party filesystems as well. Thus the security metadata should probably be managed by a separate process and interfaced to the filesystem as encrypted attribute. This is obviously taking things to their most extreme to obviate the academic constraints of each solution. I am not making assertions about the feasibility of these measures, and would like to hear your opinion.
simeonz wrote:Can a microkernel schedule eagerly to decrease the servicing latency without risking to increase the number of context switches/TLB invalidations?
The method used to decide how eagerly to schedule driver processes may be can be adaptive to the current and past workload to somehow mitigate the overhead of activation. I am not sure. I haven't thought about it enough. But I have noticed that this is a general problem for the efficiency in scheduling, when a system of processes operate in a pipeline.
simeonz wrote:How similar or different are paravirtualization and microkernels that implement containers/namespaces/jails? Namely when considering that paravirtualization places higher-level drivers in separate address spaces for each guest, yet the physical space remains protected by the hypervisor, isn't that converging to microkernel architecture anyway, and what are the tradeoffs. I know that lower-level drivers used by virtualization are usually hosted in a single kernel, but I am not sure that this is fundamentally necessary and they cannot be distributed in different guests. In terms of feature set, assuming containers, filesystem snapshots, and microkernel driver processes, what additional options does paravirtualization (specifically) provide?
It is apparent from the sentiment in my question, that I think microkernels and paravirtualization share goals and principles. I think that it is a matter of time before they converge. Unlike device emulation, paravirtualization is not fully OS agnostic, so it is already part of the OS architecture. It seems to be one of the two most active trends in virtualization, the other being device passthrough. In any case, I wonder what usability factors and technical tradeoffs will shape the final outcome of this convergence, if it indeed happens.
simeonz wrote:Can an exokernel provide simultaneously security and shared named resources on partitioned devices (memory, storage) without the use of filesystem driver or equivalent facility that is implemented in separate memory space or running in a different privilege level?
If you want to provide a namespace, on a partitioned, dynamically allocated device, I assume that you pretty much need something like a filesystem driver. And since the filesystem cannot use a shared unprotected global state, while enforcing security restrictions, it needs a separate privilege level or a separate process. But this is one of the complex components of the kernel, and the result will start to approximate a microkernel or monolithic kernel approach.
simeonz wrote:How similar or different are exokernels to virtualization using device passthrough? With device passthrough (such as SR-IOV), each guest is responsible for its own drivers that directly interact with the virtual device functions in the hardware, while the physical memory is protected by MMU and IOMMU. So, each kernel is similar to an exokernel process in a sense.
I think that exokernels and device passthrough virtualization are to each other, what microkernels and paravirtualization are to each other. Two converging fronts. Xen's unikernels also work on a similar tangent, although they are technically paravirtualization.
simeonz wrote:Can a single address space operating system be implemented securely without JIT-compiled/VM-running managed code? How does it compare performance-wise to microkernel designs? Can managed code be realtime without significant overhead - i.e. can garbage collection be efficient without being of the stop-the-world variety?
The other issues on this list make me consider software VM as a viable alternative. It ensures portability, flexible security inside a single address space, direct service/driver calls without overhead. I was very skeptical about it a month ago, and mainly due to the cost for handling real-time garbage collection and various memory inefficiencies. Hence the question - is it doable?
.
did i pissed off enough people? no, then I'm gonna say, HV is just a waste of time and not even close to the "pleasure and mental stimulation".