Subject: Re: Looking ahead
To: NetBSD Embedded Systems Technical Discussion List <>
From: Greg A. Woods <>
List: tech-embed
Date: 06/05/2007 14:15:42
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable

At Tue, 5 Jun 2007 13:53:56 -0400, Allen Briggs wrote:
> I'd be interested to see more discussion about this.  I don't
> know the x86 privilege model and don't currently have much interest
> in x86-based embedded systems, but it seems reasonable to give LKMs
> different levels of trust.

I'm not intimately familiar with the specifics of the x86 privilege
model either, but I don't think it's either reasonable or even possible
to truly give something like an LKM a different level of trust from the
rest of the kernel, let alone from other LKMs.  The LKM ABI is just far
too broad it seems.

The x86 architecture also seems to be a relatively rare one for use in
the embedded systems domain, and perhaps for good reason.  I would think
that any kind of domain-specific security feature really needs to be a
lot more portable to be of any real use as a forward-looking goal.

> As I mentioned, I see "embedded" running a pretty wide range of
> systems and applications.  I tend toward working with/on the smaller,
> networked, minimal/serial console kind of systems, but others might
> be handheld PCs, game systems, metro-scale routers, DVRs, etc.  There
> are some cases where I can see LKMs in use and yet not fully trusted
> with full system access.

I'm not even sure LKMs have any place whatsoever in embedded systems.

In fact it seems to me that embedded systems, no matter how widely one
expands their definition, are the one best example of an application
domain where use of dynamic kernel modules is the very least needed
feature one can imagine!

However, I can see how some embedded systems engineers might get
themselves into a situation where LKMs may have some benefit to their
needs, so I wouldn't necessarily want to suggest that LKMs are entirely
unnecessary; but to combine this arguably rare need with the idea that
they can somehow be given different trust levels from the rest of the
kernel would seem to be stretching things quite a bit too far to label
it as a useful requirement specific to embedded systems.

						Greg A. Woods

H:+1 416 218-0098 W:+1 416 489-5852 x122 VE3TCP RoboHack <>
Planix, Inc. <>       Secrets of the Weird <>
