Volkmar Uhlig wrote:
-----Original Message----- From: Jonathan S. Shapiro [mailto:shap@eros-os.org]
My problem is that performance cannot be used to justify fundamental insecurity. Speed at the cost of correctness is simply unacceptable.
Agree in general, however there are application domains which don't want to give up speed for an unused security model. And you have to accept that those apps exist, even if _you_ are not interested in them.
This discussion is going down strange roads ...
Volkmar, I strongly disagree with you here. One of the main motivations - if not _the_ main motivation, together with fault isolation - to invent L3 and L4 has been security. Isolation using address spaces will unavoidably cost a few cycles and can ultimately be justified by (fault isolation and) security arguments only. We do not build micro-kernels just for wrist watches, and - as Jonathan pointed out correctly - for cell phones you need a sound security model. And L4 does not have one and hence needs one. In Dresden, we have been aware of this situation for a very long time and have to act _now_, because we in Dresden have excellent opportunities to push the usage of L4 into security domains. We have to stop looking at the kernel interface just from the point of view of kernel hackers counting cycles!
BTW, the perception that Jochen Liedtke considered speed to dominate everything else (see some earlier email) is simply rubbish. Jonathan's statement "that performance cannot be used to justify fundamental insecurity" could just as well have originated from Jochen Liedtke.
--hermann