From: Luca Barbieri <ldb@ldb.ods.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Linux-Kernel ML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH][RFC] x86 multiple user-mode privilege rings
Date: Sun, 27 Oct 2002 20:19:21 +0100
Message-ID: <20021027191921.GA5484@ldb.ods.org>
In-Reply-To: <m11y6blskf.fsf@frodo.biederman.org>

> But there are privilege switches.

Of course, they are unavoidable. However, they are as fast as the one
needed to make kernel syscalls.
 
> Let me get the gist of the idea.
> To accelerate UML, and wine type applications:
> 1) setup segments with restricted limits, so their children cannot
>    write into their supervisor process even though they share a mm.
> 2) load a special system call table that switches processor modes
>    when any system call is activated.
> 
> Unless I am mistaken all of the above can be accomplished without
> using the cpus multiple rings of privilege.  Which would allow nesting
> only limited by the address space reduction of each task.

You also need:
3) Prevent less privileged subtasks from loading segments belonging to
   more privileged ones

This can be done in hardware using the x86 privilege rings, at the
cost of limitations on the number of subtasks and the inability to have
protected pairs of subtasks where none is more privileged than the other.

Of course it is also possible to do this in the kernel, or in a
privileged user-mode task using LDT/TLS system calls, by modifying
descriptor tables on interprivilege jumps, but this is obviously
significantly slower.

Anyway, hardware-based and kernel-based privilege separation can
perfectly coexist.
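
The hardware checks behind points 1 and 3 above, modelled in C as an added example (not part of the original message or the patch): a data-segment load succeeds only when the descriptor's DPL is numerically at least max(CPL, RPL), and every access is bounded by the segment limit. The ring numbers, limits, table layout and all names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified descriptor model; field and function names are illustrative. */
struct seg_desc {
    uint32_t base;   /* linear base address */
    uint32_t limit;  /* highest valid offset (expand-up data segment) */
    unsigned dpl;    /* descriptor privilege level, 0 = most privileged */
};

/* Selector layout: bits 15..3 table index, bit 2 GDT/LDT, bits 1..0 RPL. */
#define SEL(index, rpl) ((uint16_t)(((index) << 3) | (rpl)))

/* Constructed table: entry 1 is the supervisor's data, entry 2 the subtask's. */
static const struct seg_desc demo_table[] = {
    { 0, 0,           0 },  /* null descriptor: faults on use */
    { 0, 0xBFFFFFFFu, 2 },  /* supervisor: DPL 2, covers the whole shared mm */
    { 0, 0x3FFFFFFFu, 3 },  /* subtask: DPL 3, limit stops below supervisor */
};
#define DEMO_ENTRIES (sizeof demo_table / sizeof demo_table[0])

/* Hardware rule for loading DS/ES/FS/GS: DPL >= max(CPL, RPL), else #GP. */
bool can_load_data_seg(uint16_t sel, unsigned cpl)
{
    unsigned idx = sel >> 3, rpl = sel & 3;
    unsigned effective = cpl > rpl ? cpl : rpl;
    if (idx == 0 || idx >= DEMO_ENTRIES)
        return false;  /* null selector (unusable) or index past the table */
    return demo_table[idx].dpl >= effective;
}

/* Limit check on each access: bytes off .. off+len-1 must not pass limit. */
bool access_ok(const struct seg_desc *d, uint32_t off, uint32_t len)
{
    return len != 0 && off <= d->limit && len - 1 <= d->limit - off;
}

int main(void)
{
    printf("ring 3 loads supervisor seg: %d\n", can_load_data_seg(SEL(1, 3), 3));
    printf("ring 3 loads own seg:        %d\n", can_load_data_seg(SEL(2, 3), 3));
    printf("ring 2 loads supervisor seg: %d\n", can_load_data_seg(SEL(1, 2), 2));
    printf("subtask write at 0x40000000: %d\n",
           access_ok(&demo_table[2], 0x40000000u, 4));
    return 0;
}
```

Because the check uses max(CPL, RPL), a ring 2 caller that uses a selector with RPL 3 is also refused the DPL 2 segment.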
