[yjftsjthsd-h]

> This IPC often has a performance impact, which is a big part of why microkernels have remained relatively unpopular.

I thought newer microkernels... Reduced that? Fixed it? I forget, I just had the impression it wasn't actually that bad except that the industry is still traumatized by Mach.

From the project website:

> Only the privileged Framework is allowed to use unsafe features of Rust, while the unprivileged Services must be written exclusively in safe Rust.

That feels backwards to me. If an unprivileged task is unsafe, it's still unprivileged. Meanwhile the unsafe code that requires extra verification... Is only allowed in the part where nothing can safeguard it?

And from https://asterinas.github.io/book/index.html (because it was one of my first questions on seeing 'Linux replacement in rust'):

> Licensing

> Asterinas's source code and documentation primarily use the Mozilla Public License (MPL), Version 2.0. Select components are under more permissive licenses, detailed here.

Not GPL, but not BSD either.

[tatetian16]

> if an unprivileged task is unsafe, it's still unprivileged. Meanwhile the unsafe code that requires extra verification...

I am sorry that the doc is a kind of misleading. I wrote that... The statement need to be interpreted in the context of framekernel. An entire Rust-based framekernel runs in the kernel space but is logically partitioned into the two halves: the privileged OS framework and the de-privileged OS services. Here, "privileged" means safe + unsafe Rust kernel code, whereas "de-privileged" means all safe Rust kernel code. And this is all about the kernel code. Framekernels do not put restrictions on the languages of user-space programs.

[magicalhippo]

I had the same reaction that this sounded all very backwards, but reading the introduction in the paper[1] made it more clear:

The kernel is logically divided into two parts: the privileged OS framework (akin to a microkernel) and the de-privileged OS services. Only the privileged framework is allowed to use unsafe, while the de-privileged services must be written in safe Rust completely. As the TCB, the privileged framework encapsulates all low-level, hardware-oriented unsafe operations behind safe APIs. Using these safe APIs, the de-privileged OS services can implement all kinds of OS functionalities, including device drivers.

Ostd provides a small yet expressive set of safe OS development abstractions, covering safe user-kernel interactions, safe kernel logic, and safe kernel-peripheral interactions. Of particular note is the untyped memory abstraction, which addresses the challenge of safely handling externally-modifiable memory (e.g., MMIO or DMA-capable memory) – a longstanding obstacle in safe driver development.

So the privileged part is privileged because it does unsafe stuff. It's also quite minimal, so that the "business logic" of a driver or similar can be implemented using safe code in the de-privileged code, which is de-privileged because it doesn't need privileged unsafe access. At least that's my understanding.

[1]: https://arxiv.org/abs/2506.03876

[tatetian16]

Yes, that is correct.

[josephg]

> I thought newer microkernels... Reduced that? Fixed it? I forget, I just had the impression it wasn't actually that bad

SeL4 is a microkernel like this. They’ve apparently aggressively optimized IPC far more than Linux ever has. Sending a message via sel4 ipc is apparently an order of magnitude or two faster than syscalls under Linux. I wouldn’t be surprised if most programs performed better under sel4 than they do under Linux - but I’d love to know for real.

[winternewt]

The trick with L4 is they treat IPC basically like syscalls. Arguments are left on CPU registers instead of serializing them to a message buffer. The only significant work performed is a change of virtual memory map. The called process continues execution within the time slice of the caller, instead of waiting for the thread scheduler or using synchronization primitives. While some of this could possibly be achieved with Linux, a lot of the optimization is ingrained into the calling convention and so would require changes to the user-mode source code.

[pas]

so simple recompilation can speed things up? sounds amazing. (but of course, can it?) also, it sounds a bit like restartable sequences (from Google).

[rwmj]

> I thought newer microkernels... Reduced that? Fixed it?

They have.

Actually the elephant in the room is modern hardware which makes even syscalls into monolithic kernels expensive. That's why io_uring and virtio perform well - they queue requests and replies between the OS and applications (or the hypervisor and the guest for virtio) avoiding transitions between address spaces. Any operating system in the future is going to need some kind of queuing syscall mechanism to perform well, and once you've got it doesn't much matter if you structure the components of your OS as a monolith or microkernel or something else.

[kelnos]

My understanding is they don't mean privileged/unprivileged in the kernel-space/user-space sense. All of it is running at the kernel's privilege level. Just they've logically defined a (smaller) set of core library-like code that is allowed to use Rust unsafe ("privileged"), and then all the code that implements the rest of the kernel (including drivers?) uses that library and is disallowed (by linter rules, I assume) to directly use Rust unsafe ("unprivileged").

It's an unfortunate overloading of terminology that you entirely reasonably interpreted according to the more common usage.

[yjftsjthsd-h]

Oh, okay, so it's "privileged" in that it has the privilege of using unsafe. I got that it was all kernel mode but assumed they were doing something fancy to nonetheless restrict the unprivileged parts (though since they say it's all one memory space, I wasn't sure what)

[ronjakoi]

Perhaps I, as the author of this article, could have also been more careful with the terminology.

[ulrikrasmussen]

> That feels backwards to me. If an unprivileged task is unsafe, it's still unprivileged. Meanwhile the unsafe code that requires extra verification... Is only allowed in the part where nothing can safeguard it?

The unprivileged task is running in the same memory space as the core kernel, and thus there are no runtime checks to ensure that it doesn't do something which it is not allowed to do. The only way you could enforce it at runtime would be to adopt a microkernel architecture. The alternative architecture proposed here is to enforce the privileges statically by requiring that the code doesn't use unsafe features.

[bandrami]

The parts written in unsafe rust implement the memory and access management that make it possible for the other parts to use safe rust.

[pjmlp]

The problem is that many microkernel haters keep repeating what used to be true like 30 years ago, while running tons of containers for basic tasks.

[uncircle]

There are hordes of developers completely dismissing the idea of microkernels with no serious argument other than "lmao didn't Linus destroy Tanenbaum that one time?"

Designing a modern and secure kernel in 2025 as a monolith is a laughable proposition. Microkernels are the way to go.

[dale_glass]

Well, here's some for you:

* In modern times, the practical benefit from a microkernel is minimal. Hardware is cheap, disposable, and virtual machines exist. The use case for "tolerate a chunk of the kernel misbehaving" are minimal.

* To properly tolerate a partial crash takes a lot of work. If your desktop crashes, you might as well reboot.

* Modern hardware is complex and there's no guarantee that rebooting a driver will be successful.

* A monolithic kernel can always clone microkernel functionality wherever it wants, without paying the price elsewhere.

* Processes can't trust each other.

The last one is a point I hadn't realized for a while was an issue, but it seems a tricky one. In a monolithic kernel, you can have implicit trust that things will happen. If part A tells part B "drop your caches, I need more memory", it can expect that to actually happen.

In a microkernel, there can't be such trust. A different process can just ignore your message, or arbitrarily get stuck on something and not act in time. You have less ability to make a coherent whole because there's no coherent whole.

[uncircle]

You describe microkernels are if there is only one way to implement them.

> A different process can just ignore your message

> arbitrarily get stuck on something and not act in time

This doesn't make sense. An implementation of a microkernel might suffer from these issues, it's not a problem of the design itself. There are many ways of designing message queues.

Also:

> In a microkernel, there can't be such trust [between processes]

Capabilities have solved this problem in a much better and scalable way than the implicit trust model you have in a monolithic kernel. Using Linux as an example of a monolith is wrong, as it incorporates many ideas (and shortcomings) of a microkernel. For example: how do you deal with implicit trust when you can load third-party modules at run-time? Capabilities offer much greater security guarantees than "oops, now some third-party code is running in kernel mode and can do anything it wants with kernel data". Stuff like the eBPF sandbox is like a poor-man's alternative to the security guarantees of microkernels.

Also, good luck making sure the implicitly trusted perimeter is secure in the first place when the surface area of the kernel is so wide it's practically impossible to verify.

If you allow me an argument from authority, it is no surprise Google's Fuchsia went for a capability-based microkernel design.

[lkjdsklf]

I’m not sure I would consider fuschia an example that supports your point.

It’s design largely failed at being a modern generic operating system and it’s become primarily an os used for embedded devices which is an entirely different set of requirements

It’s also not that widely used. There’s only a handful of devices that ship fuschia today. There’s a reason for that.

[pjmlp]

Don't mistake Google politics with technical achievements.

[uncircle]

Did it fail because of its microkernel design?

It’s quite disingenuous to use “success” as a metric when discussing the advantages microkernel vs monolithic, as the only kernels you can safely say have succeeded in the past 30+ years are three: Linux, NT and Mach, one of which is a microkernel (of arguably dated design), and the other is considered a “hybrid microkernel.”

Did L4 fail? What about QNX?

This topic was considered a flame war in the 90s and I guess it still isn’t possible to have a level-headed argument over the pros and cons of each design to this day.

[Joker_vD]

> Designing a modern and secure kernel in 2025 as a monolith is a laughable proposition.

I've seen this exact opinion before, only the year in it was "1992". And yet Linux was still made and written regardless of it.

[herewulf]

Point taken but at that time there was no other free (as in beer and freedom) "UNIX" kernel?

Someone may come along and correct me about BSD. Apologies I'm not super familiar with it's history.

[Joker_vD]

There was GNU Hurd in development at the time (which is actually a microkernel), with the first public release in 1990. Needless to say, it never amounted to much.

[yjftsjthsd-h]

> while running tons of containers for basic tasks.

Those containers run on a monolithic kernel; what's your point?

[pjmlp]

The supposed performance gains from monolithic kernel being wasted on features that mimic microkernel features.

[yjftsjthsd-h]

> The supposed performance gains from monolithic kernel being wasted on features that mimic microkernel features.

So two things:

1. Containers don't have a meaningful performance hit. (They are semi-frequently used with things that can have a perf hit, like overlay filesystems, but this is generally easy to skip when it matters.)

2. I don't think containers meaningfully mimic microkernel features. If I run everything on my laptop in a container, and a device driver crashes, then the machine is still hosed.

[pjmlp]

1. The amount of memory consumption I see, versus traditional processes, must be a mirage.

2. It depends on what the containers are being used for. Microkernels aren't only about using drivers in userspace.

[Vilian]

And still manage to run better than a complete microkernel

[pjmlp]

So goes the mythological tales from ancient times.

That is what happens when people don't update themselves.