On Sat, 6 Jan 2018 04:20:25 +0100 Stefan Kalkowski (SK) wrote:

SK> On Fri, Jan 05, 2018 at 08:24:19PM +0100, Alexander Boettcher wrote:
SK> > On 05.01.2018 17:36, Udo Steinberg wrote:
SK> > > Norman Feske (NF) wrote:
SK> > > NF> In contrast to monolithic kernels, a microkernel like base-hw, NOVA,
SK> > > NF> or seL4 does not deal with any user-level content like cryptographic
SK> > > NF> secrets, or the content of files. There is hardly any credential to
SK> > > NF> leak to begin with. User content stays outside the microkernel.
SK> > >
SK> > > While it is true that a microkernel stores significantly fewer secrets
SK> > > than a monolithic kernel, like Linux, most microkernels actually have a
SK> > > full mapping of the entire physical memory in the kernel portion of each
SK> > > address space, which allows an attacker to peek anywhere into physical
SK> > > memory.
SK> >
SK> > before starting to dig/read through all our supported kernels (I'm not
SK> > all familiar with the internals) - can you please elaborate a bit about
SK> > which microkernels, according to your knowledge, have all physical memory
SK> > mapped in the kernel?
SK>
SK> The currently supported microkernels for Genode are Pistachio, OKL4,
SK> L4/Fiasco, Fiasco.OC, Nova, seL4 and our own hw kernel.
SK>
SK> I can warrant that the hw kernel, which is actually Genode's core component
SK> combined with a bit of architecture-dependent data structures (e.g.
SK> page-tables) and routines, does not contain physical memory mappings used by
SK> user-level components.
Hi,
I am not following the recent development of all those kernels, so I think it's best to directly consult the individual developers/teams for statements (like the one from Stefan above).
For my part, I can tell you that the NOVA microhypervisor (at least the official version) does not map physical RAM into the kernel virtual address space, other than the RAM in which the microhypervisor itself resides. NOVA maps certain devices (like APIC, IOMMU), but those can't be speculatively accessed anyway. I cannot comment on modified NOVA versions.
Some commercial kernels and L4/Fiasco certainly used to map as much physical memory as can fit into the kernel address space. Not sure if Fiasco.OC retains that behavior. Check for Physmem in class Mem_layout.
Also any kernel that performs certain things like long IPC via a lazily flushed IPC window may have transient mappings of memory belonging to other user processes.
Cheers, Udo