[Info-vax] Why not reimplement SEVMS into x86 OpenVMS?

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Mon Nov 21 19:22:46 EST 2022


On 2022-11-21 23:58:10 +0000, Single Stage to Orbit said:

> On Mon, 2022-11-21 at 15:27 -0500, Stephen Hoffman wrote:
>> OpenVMS is bad at isolating compromised apps. It's sorta-kinda possible 
>> if the local folks are good at this stuff and expend some effort 
>> messing about with ACLs on all sorts of stuff within the app, but still 
>> comparatively limited. And it's very easy to miss something. Absent MAC 
>> security, an app can expose its own data, or can potentially perform 
>> various unintended-by-the-developer activities at run-time. The latter 
>> is the sort of stuff that usually gets blocked by pledge() calls, or 
>> jails/sandboxes.
> 
> If OpenVMS can support nested virtualisation on x86_64, I guess it 
> could be possible to run OpenVMS within OpenVMS, opening the 
> possibility to isolate applications from each other.
> 
> I can do it with Linux and VirtualBox, running Windows 11 as a guest, 
> with VirtualBox installed in it, running Windows 10 in it as another 
> guest. Turtles all the way down ...

VSI is only supporting virtualized use at present and not native boot, 
which makes nesting OpenVMS {or whatever} atop OpenVMS atop {supported 
hypervisor} a somewhat less than appealing configuration.

There's no OpenVMS Hyper-VSI 😉 or BHyVSI 😉 support or similar listed 
in the roadmap, and I'd expect to see native boot before the arrival of 
an integrated hypervisor.

Booting a guest still doesn't isolate damage from arising within a 
particular subsystem, though it does save some on hardware when 
compared with the classic app-per-box design.


-- 
Pure Personal Opinion | HoffmanLabs LLC 



