[snvzz]

Millions of lines of code, all running in supervisor mode.

One bug is all it takes to compromise the entire system.

The monolithic UNIX kernel was a good design in the 60s; Today, we should know better[0][1].

0. https://sel4.systems/

1. https://genode.org/

[tlb]

My conclusion is that microkernels offer some protection from random reboots, but not much against hacking

Say the USB system runs in its own isolated process. Great, but if someone pwns the USB process they can change disk contents, intercept and inject keystrokes, etc. You can usually leverage that into a whole system compromise.

Same with most subsystems: GPU, network, file system process compromises are all easily leveraged to pwn the whole system.

[bawolff]

Year of HURD on the desktop?

[calvinmorrison]

Highly unrealistic rewrite disease

[josefx]

Of course by now processor manufacturers decided that blowing holes into the CPUs security model to make it go faster was the way to go. So your micro kernel is stuck on a hardware security model that looks like swiss cheese and smells like Surströmming.

[__bjoernd]

How are SEL4 and Genode going for you in your day-to-day compute usage?

[chelmuth]

I'm quite happy using SculptOS (Genode/NOVA) for all my productive work - every day ;-)

[__bjoernd]

But you're a main project contributor. What about everyone else?

[chelmuth]

Come round tonight and see for yourself https://hedgedoc.c3d2.de/GenodeUserGroupDD

[windowssuperfi]

Yeah cause windows is amazing Or maybe macos? Ignore their freebsd parts of course.

[DowsingSpoon]

Yes. As far as kernels go, NT was pretty damn good.

So is Mach, by the way, if you can afford the microkernel performance overhead.

[johncolanduoni]

Mach is not a very good microkernel at all, because the overhead is much higher than necessary. The L4 family’s IPC design is substantially more efficient, and that’s why they’re used in actual systems. Fuchsia/Zircon have improved on the model further.

Someone will of course bring up XNU, but the microkernel aspect of it died when they smashed the FreeBSD kernel into the codebase. DriverKit has brought some userspace drivers back, but they use shared memory for all the heavy lifting.

[saagarjha]

> Mach is not a very good microkernel at all, because the overhead is much higher than necessary. The L4 family’s IPC design is substantially more efficient, and that’s why they’re used in actual systems.

As opposed to Mach, which is not used in any actual systems

[johncolanduoni]

I mentioned XNU below. It doesn’t really count as a microkernel if you, you know, don’t actually use the microkernel part. At least for the 30 years between the FreeBSD collision and the introduction of DriverKit, which does most of its IPC through shared memory (because the mach ports are not efficient enough, I would assume).

[saagarjha]

Yes, but a lot of other things use Mach messages.

[heavyset_go]

XNU monolith-ized itself over time, even over some microkernel-esque boundaries.

[dundarious]

If you include all the drivers too (which surely makes the comparison more accurate), is that still the case?

[nobodyandproud]

Windows NT 3.x was a true microkernel. Microsoft ruined it but the design was quite good and the driver question was irrelevant, until they sidestepped HAL.

The Linux kernel was and is a monstrosity.

[pjmlp]

This is outdated since Windows Vista, and even more so in Windows 11.

[nobodyandproud]

Windows Vista isn't Windows NT 3.x. In the internal versioning, it's not even 4.0.

[WalterGR]

What do you meant by them sidestepping the HAL?

[avadodin]

I think the biggest one is that the whole GDI library was moved into the Kernel in 3.5x because the performance was terrible at the time.

I don't think they ever intended to keep all drivers strictly userland, though. Just the service side.

[nobodyandproud]

Mind you I don't have access to Microsoft code, so this is all indirect, and a lot of this knowledge was when I was fledgling developer.

The Windows NT code was engineered to be portable across many different architectures--not just X86--so it has a hardware abstraction layer. The kernel only ever communicated to the device-driver implementation through this abstraction layer; so the kernel code itself was isolated.

That doesn't mean the device drivers were running in user-land privilege, but it does mean that the kernel code is quite stable and easy to reason about.

When Microsoft decided to compromise on this design, I remember senior engineers--when I first started my career--being abuzz about it for Windows NT 4.0 (or apparently earlier?).

[cosmic_cheese]

Apple at least has been making a concerted effort to kick more macOS/iOS functionality out into userland in the past several years.

[pjmlp]

Just like Windows since Vista.

[lifetimerubyist]

NT is actually a pretty good kernel. NTFS and the userland is what is shit.

[IcePic]

I think NTFS get a bit of crap from the OS above it adding limitations. If you read up on what NTFS allows, it is far better than what Windows and the explorer allows you to do with it.

[speed_spread]

NTFS is a beast of a filesystem and has been nothing but solid for 25+ years. The performance grievances ignore the warranties that NTFS offers vs many antiquated POSIX filesystems.

[johncolanduoni]

What warranties? I assume you’re comparing it to ext4 and not e.g. ZFS?

[speed_spread]

Here are a few

- mandatory byte-range locks enforced by the kernel

- explicit sharing modes

- guarantees around write ordering and durability

- safe delete-on-close

- first-class cache coherency contracts for networked access

POSIX aims for portability while NTFS/Win32 aims for explicit contracts and enforced behavior. For apps assuming POSIX semantics (e.g. git) NTFS feels rigid and weird. Coming the other way from NTFS, POSIX looks "optimistic" if not downright sloppy.

Of course ZFS et al. are more theoretically more robust than EXT4 but are still limited by the lowest common denominator POSIX API. Maybe you can detect that you're dealing with a ZFS backed volume and use extra ioctls to improve things but its still a messy business.

[johncolanduoni]

These are pretty much all about mandatory locking. Which giveth and taketh away in my experience. I’ve had substantially fewer weird file handling bugs in my Linux code than my Windows code. POSIX is very loosey-goosey in general, but Linux’s VFS system + ext4 has a much stronger model than the general POSIX guarantees.

`FILE_FLAG_DELETE_ON_CLOSE`’s equivalent on Posix is just rm. Windows doesn’t let you open new handles to `FILE_FLAG_DELETE_ON_CLOSE`ed files anyway, so it’s effectively the same. The inode will get deleted when the last file description is removed.

NFS is a disaster though, I’ll give you that one. Though mandatory locks on SMB shares hanging is also very aggravating in its own right.

[pjmlp]

Also to point out that outside UNIX, surviving mainframe and micros, the filesystems are closer to NTFS than UNIX world, in regards to what is enforced.

There is also the note that some of them are more database like, than classical filesystems.

Ah, and modern Windows also has Resilient File System (ReFS), which is used on Dev Drives.

[edoceo]

Userland peaked in Windows 2000