Re: RFC: Memory protection in modules (stability)

Derrik Pates (dpates@Cavern.NMSU.Edu)
Tue, 1 Apr 1997 22:29:00 -0700 (MST)


On Tue, 1 Apr 1997, Floody wrote:

> I have had thoughts along the same line. It would be interesting to have
> modules run in ring 1 (if I am correct, kernel runs in ring 0 and user in
> ring 3 at the moment on x86). Protection level 1 would offer more
> protection than running back to back with kernel, and would allow for
> nifty whiz-bang things like module watching/tracing and sophisticated
> debugging.

If we were only dealing with iX86 and were never gonna grow out of it,
this might not be a bad idea. BUT, as far as I know, only iX86 provides
those extra protection levels in the middle. On other processors (i.e.,
Sparc, Alpha) it's either ring 0 (full access, kernel side) or ring 1
(full restriction, user side). I see where you're coming from though. One
other problem (this actually may not be a problem - kernel gurus, please
correct me if I'm wrong, but), the modules are kernel level code, so
they'd hafta run ring 0 to get full access to devices, etc., as needed.
I don't think that'll cut it. (Please, though, TELL ME if I am wrong.)

>
> The tradeoff (isn't there always one) is performance; and it's a BIG
> tradeoff. In a theoretical world, if you ran Linux as close to
> micro-kernel as possible with all drivers at a different protection level,
> the overall system performance would drop like a rock. Those ring context
> switches are *expensive*, and when you have to hit your SCSI driver
> thousands of times a second, ... ouch ... I'm not sure what the actual
> numbers would be, but I would guess 25% or more performance loss.

From my familiarity with microkernel OSes, the microkernel starts, and the
real OS itself starts on top of that, which would make Linux not qualify
as a microkernel - it is called by LILO or from a 'cat'ed image, and it's
the only kernel - it does all its own scheduling, resource handling, etc.
Case in point, the Mac PPC port of Linux running atop OSF's Mach
microkernel.

>
> Netware 4 had an interesting option with its NLM (Netware Loadable
> Modules), wherein you could choose to run an NLM in a higher protection
> level, for safety/development purposes. Once you had fully (or as fully
> as possible) verified its safety, you could load it back into ring 0 to
> achieve full performance. There is some interesting hack value, and
> possible real-world value too, to implement this under Linux. Big project
> though....

Well, really... are you gonna run potentially dangerous, untested alpha
code like that on a production-level box when it's doing mission-critical
stuff? Generally, that's what non-critical development boxes are for.
(Yes, I know some people run alpha level code on production boxes - OK,
lots. But, it's not always a great idea.)

Derrik Pates
dpates@cavern.nmsu.edu

"What'll you two lovable plush toys have?"
"How 'bout a root beer popsicle and an Orange Julius? What about you,
Max?"
"Dishwater! And put it in a dirty glass!"
-Sam & Max
"Fair Wind to Java"