[ale] Monolithic vs Modularised Kernels

Raju mr at 4securenet.com
Wed Jul 9 09:57:35 EDT 2003


I am inclined at this point towards monolithic kernel from a security
perspective, but need to find a balance of course. No fancy LKMs (Loadable
Kernel Modules) for those kiddies to play with ;-).

--Raju


> Seconded, if only I could go 'round converting people to *nix!! :)
>
> My take on the kernel question is one of security, surprise.
> Seems to me if you can disable dynamic module loading, then nobody can
> trick your kernel into loading an evil module.  Just seems to be a
> prudent just-in-case thing to me, but as always I could be misguided. :)
>
> I've run both and not noticed any performance difference between the
> two, but I've never done anything with real high performance machines or
> machines that needed anything other than a kernel built with bare
> minimum options.
>
> Would be very interested to know what you decide to do, and why...it's a
> good question that I'm sure has lots of strong opinions on either side.
>
> Cheers
> jenn
>
>> Raju -
>>
>> Wish I had your job!
>>
>> I'd be interested to see others' views, but it's my understanding that
>> the whole GNU/Linux operating system has been set up such that,
>> performance-wise, there is virtually no distinction one way or the
>> other.  There may be other differences, but their results/symptoms are
>> unlikely to affect you.
>>
>> I understand - and please, someone correct me if I'm wrong - that
>> selecting "module" for any given kernel config option does not have an
>> associated memory impact if the feature in question is not used but it
>> definitely will if it's compiled in, whether it's used or not.  This
>> issue might come into play if you are trying to squeeze every last bit
>> of performance out of a system (i.e., you plan to have it half beat
>> itself to death as a matter of routine); my take is that a smaller
>> kernel is better than a larger kernel not so much because of the
>> percentage of total RAM taken up by the kernel but because you want
>> your system's L1 and L2 caches to give you as much help as possible;
>> the less there is to shove into them, the more likely they're going to
>> contain something the processor(s) need, and, as you probably already
>> know, the whole point of having L1 and L2 cache in the first place is
>> that they are faster than the system RAM - a LOT faster.
>>
>> - Jeff
>
>>> The Client that I am doing for is finally pushing Linux into the
>>> enterprise. Amazing how chap11 can actually help promote better and
>>> much more superior technologies ;-). I am feverishly replacing a lot
>>> of the servers with Linux (Redhat) that used to run the piece of
>>> sh!%$^%$ NT , but using a vanilla kernel with the grsecurity patch.
>>> Some examples are, Samba for the PDC, WINS, Print Server, and even the
>>> production database running Sybase (HP-UX) will soon be on Linux. My
>>> question is whether to build a Monolithic or Modularised Kernel. Read
>>> several arguments on google, but wanted to see your views. Thanks.
>>>
>>> -Raju
>>> mr at securenet.com

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
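
The thread's security argument is that a kernel which cannot load modules cannot be tricked into loading a hostile one. As an added example (not code from any poster in this thread), the script below classifies a kernel's module-loading posture from its build config. It assumes the real `CONFIG_MODULES` symbol and the `kernel.modules_disabled` sysctl, which newer kernels provide and the thread does not mention; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit whether a kernel can still load modules at run time.

# kconfig_value FILE SYMBOL: print the symbol's value (y, m, ...), or n if unset/absent.
kconfig_value() {
    awk -v sym="$2" '
        index($0, sym "=") == 1 { v = substr($0, length(sym) + 2) }
        END { print (v == "" ? "n" : v) }
    ' "$1"
}

# count_modular FILE: number of options built as loadable modules (=m).
count_modular() {
    grep -c '^CONFIG_[A-Za-z0-9_]*=m$' "$1" || true
}

# module_posture CONFIG_FILE [SYSCTL_FILE]: print one of
#   monolithic      CONFIG_MODULES is off, the kernel cannot load modules at all
#   modular-locked  module support is built in, but loading is switched off until reboot
#   modular-open    modules can still be loaded at run time
module_posture() {
    sysctl_file=${2:-/proc/sys/kernel/modules_disabled}
    if [ "$(kconfig_value "$1" CONFIG_MODULES)" != "y" ]; then
        echo monolithic
    elif [ -r "$sysctl_file" ] && [ "$(cat "$sysctl_file")" = "1" ]; then
        echo modular-locked
    else
        echo modular-open
    fi
}

# Demo on constructed sample configs (assumed content, not from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# CONFIG_MODULES is not set' 'CONFIG_EXT3_FS=y' > "$demo_dir/mono.config"
printf '%s\n' 'CONFIG_MODULES=y' 'CONFIG_EXT3_FS=m' 'CONFIG_SMB_FS=m' > "$demo_dir/mod.config"
echo 0 > "$demo_dir/modules_disabled"
for f in mono mod; do
    echo "$f: $(module_posture "$demo_dir/$f.config" "$demo_dir/modules_disabled")," \
         "$(count_modular "$demo_dir/$f.config") option(s) built as modules"
done
rm -rf "$demo_dir"
```

On a real host, pass the running kernel's config file as the first argument; its location (often `/boot/config-$(uname -r)`) varies by distribution.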




