May 15, 2006

OS X Leopard: Hello, hypervisor

Speculation is rampant that Mach, which is a component of the OS X kernel, will be axed from OS X 10.5 (Leopard). If you read Cringely's treatise on monolithic kernels you'll get the gist of the argument in favor of dumping Mach in favor of what's presented as a more modern monolithic kernel design.

In reality, that which is referred to in these discussions as the monolithic kernel is the dinosaur. A monolithic kernel grabs ownership of all system resources at boot time. It expects full trust from the loader, and the OS trusts itself to run with full privileges to poke at CPU registers, map physical memory, set up direct memory access (DMA) transfers, link interrupts to handlers and the like. The one-system, one-OS model has a negative impact on efficiency, stability, scalability and security. I blame a number of Microsoft's worst security woes on Windows' monolithic design. All of the most-privileged parts of the OS are trusted implicitly and equally. There's no place to slide in a layer that tightens up security, protecting Windows from itself, or permits the safe, low-overhead operation of multiple OS instances.

I don't ponder whether Mach will survive in Leopard. I see Mach as a placeholder for a hypervisor. Working from a set of policies set by the administrator, a hypervisor can transparently allow, refuse or reroute privileged operations. The hypervisor alone has the authority to manage CPU privilege levels.
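The allow/refuse/reroute model described above, as an added toy example that is not part of the original post and not Apple's or Mach's code: guest kernels never touch hardware directly, every privileged operation traps into a dispatcher, and an administrator policy decides what happens to it. The guest names, operation names, policy rules and host frame layout are all constructed for illustration.

```python
# Added example (not from the original post): a toy model of a policy-mediated
# hypervisor. Guest kernels do not touch hardware directly; every privileged
# operation traps into the dispatcher, which consults an administrator policy
# and allows, refuses or reroutes it. All names and values are constructed.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    ALLOW = "allow"      # pass the operation through to hardware as issued
    REFUSE = "refuse"    # reject it; the guest sees a fault
    REROUTE = "reroute"  # satisfy it through a hypervisor-controlled substitute


@dataclass
class PrivOp:
    guest: str   # which OS instance issued the operation
    name: str    # e.g. "map_physical", "setup_dma", "bind_irq"
    args: dict


@dataclass
class Policy:
    """Administrator policy: (guest, operation) -> verdict, default deny."""
    rules: Dict[Tuple[str, str], Verdict]
    default: Verdict = Verdict.REFUSE

    def decide(self, op: PrivOp) -> Verdict:
        return self.rules.get((op.guest, op.name), self.default)


def hardware(op: PrivOp) -> str:
    # Stand-in for the real privileged action (constructed).
    return f"hw:{op.name}:{op.args}"


# Per-guest base of host-physical frames; rerouted mappings land here so that
# guests never see each other's memory (constructed layout).
HOST_FRAME_BASE = {"leopard": 0x1000, "linux": 0x8000}


def shadow_map(op: PrivOp) -> str:
    """Reroute: translate a guest-physical frame into the host frame the
    hypervisor reserved for that guest, then map that instead."""
    host_frame = HOST_FRAME_BASE[op.guest] + op.args["frame"]
    return f"hw:map_physical:{{'frame': {hex(host_frame)}}}"


class Hypervisor:
    def __init__(self, policy: Policy,
                 reroutes: Dict[str, Callable[[PrivOp], str]]):
        self.policy = policy
        self.reroutes = reroutes
        self.audit: List[Tuple[str, str, str]] = []  # (guest, op, verdict)

    def trap(self, op: PrivOp) -> str:
        """Entry point for a trapped privileged instruction."""
        verdict = self.policy.decide(op)
        self.audit.append((op.guest, op.name, verdict.value))
        if verdict is Verdict.ALLOW:
            return hardware(op)
        if verdict is Verdict.REROUTE:
            return self.reroutes[op.name](op)
        raise PermissionError(f"{op.guest}: {op.name} refused by policy")


def build_hypervisor() -> Hypervisor:
    policy = Policy(rules={
        ("leopard", "bind_irq"): Verdict.ALLOW,
        ("leopard", "map_physical"): Verdict.REROUTE,
        ("linux", "map_physical"): Verdict.REROUTE,
        # no rule for ("linux", "setup_dma"): falls to the default REFUSE
    })
    return Hypervisor(policy, reroutes={"map_physical": shadow_map})


def run_demo() -> Tuple[List[str], List[Tuple[str, str, str]]]:
    """Issue four privileged operations and return (outcomes, audit log)."""
    hv = build_hypervisor()
    outcomes = []
    for op in (PrivOp("leopard", "bind_irq", {"irq": 9}),
               PrivOp("leopard", "map_physical", {"frame": 0x10}),
               PrivOp("linux", "map_physical", {"frame": 0x10}),
               PrivOp("linux", "setup_dma", {"dst": 0x0})):
        try:
            outcomes.append(hv.trap(op))
        except PermissionError as e:
            outcomes.append(str(e))
    return outcomes, hv.audit


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Two properties carry the security argument: the policy is default-deny, so an operation the administrator never thought about is refused rather than silently passed through, and every decision lands in an audit log, which is exactly the single trusted low-level interface the post wants for granting access rights.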

In a system with a hypervisor, at each power-up or reset a signed OS boot loader or hypervisor is located, validated and loaded atomically, meaning that there's no opportunity to subvert the process. The x86 Mac's Trusted Platform Module (TPM) sets up the boot-time validation and Intel's virtualization extensions enable a hypervisor that imposes minimal overhead.
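The boot-time validation described above, as an added toy example that is not part of the original post and does not model Apple's actual TPM usage: each stage of the boot chain is measured into a platform configuration register before it runs, and a secret sealed to the expected register value is released only when the whole chain matches. It uses SHA-256 for the register (a TPM 1.2 PCR uses SHA-1) and hash measurement plus sealing in place of an asymmetric signature check; the image contents, stage names and key are constructed.

```python
# Added example (not from the original post): a toy measured boot in the style
# of a TPM, using SHA-256 in place of the TPM 1.2 SHA-1 PCR. Each stage of the
# boot chain is hashed into a platform configuration register before it runs,
# and a secret sealed to the expected register value is released only when the
# whole chain matches. Image contents and names below are constructed.
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

PCR_INITIAL = bytes(32)  # PCRs start at all-zero on power-up or reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(image)).

    The old value is folded into the new one, so a register can only be moved
    forward: nothing short of a reset returns it to an earlier state, and the
    order in which stages are measured matters."""
    return hashlib.sha256(pcr + hashlib.sha256(image).digest()).digest()


def measure_chain(chain: Sequence[Tuple[str, bytes]]
                  ) -> Tuple[bytes, List[Tuple[str, str, str]]]:
    """Measure every stage in order; return the final PCR and an event log of
    (stage name, image digest, PCR after extend)."""
    pcr = PCR_INITIAL
    log = []
    for name, image in chain:
        pcr = extend(pcr, image)
        log.append((name, hashlib.sha256(image).hexdigest(), pcr.hex()))
    return pcr, log


def seal(secret: bytes, expected_pcr: bytes) -> Tuple[bytes, bytes]:
    """Bind a secret to a PCR value (a real TPM keeps this pairing inside)."""
    return (expected_pcr, secret)


def unseal(sealed: Tuple[bytes, bytes], pcr: bytes) -> Optional[bytes]:
    """Release the secret only on an exact, constant-time PCR match."""
    expected, secret = sealed
    return secret if hmac.compare_digest(expected, pcr) else None


# Constructed boot chain: firmware measures the loader, the loader measures
# the hypervisor, the hypervisor measures the kernel.
GOOD_CHAIN = [
    ("loader", b"boot.efi build 1"),
    ("hypervisor", b"hv build 1"),
    ("kernel", b"mach_kernel build 1"),
]
DISK_KEY = b"constructed-disk-encryption-key"

GOLDEN_PCR, _ = measure_chain(GOOD_CHAIN)
SEALED_KEY = seal(DISK_KEY, GOLDEN_PCR)


def attempt_boot(chain: Sequence[Tuple[str, bytes]]) -> Optional[bytes]:
    """Return the unsealed key if the measured chain matches the golden one."""
    pcr, _ = measure_chain(chain)
    return unseal(SEALED_KEY, pcr)


def tampered(chain: Sequence[Tuple[str, bytes]], stage: str,
             new_image: bytes) -> List[Tuple[str, bytes]]:
    """Copy of the chain with one stage's image replaced (simulated tampering)."""
    return [(n, new_image if n == stage else img) for n, img in chain]


if __name__ == "__main__":
    print("good boot releases key:", attempt_boot(GOOD_CHAIN) is not None)
    bad = tampered(GOOD_CHAIN, "loader", b"boot.efi build 1 + patched")
    print("tampered loader releases key:", attempt_boot(bad) is not None)
    for stage, digest, pcr in measure_chain(bad)[1]:
        print(f"{stage:10s} image={digest[:16]}... pcr={pcr[:16]}...")
```

The point the post makes about atomic validation shows up in the event log: a modified loader changes PCR0 at the first extend, every later value inherits the change, and the sealed key stays locked no matter what the rest of the chain looks like. A real deployment would also verify a signature on the loader before measuring it; sealing to measurements is what prevents a substituted chain from ever seeing the secret.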

Apple's use of the TPM is worth a separate blog entry, so I'll give it one tonight. Just know that you can't implement a proper hypervisor without a TPM or something like it.

The Mach API (application programming interface) could create a painless path to a potent and extremely secure hypervisor foundation for Apple's OS. OS X's privileged code already puts Mach in charge of physical resources and sets up a sort of mailbox infrastructure for passing commands and data in and out of Mach. If Apple stays true to the Mach API, which is extremely simple, Leopard can boot to an inviolably trustworthy, policy-controlled environment with no changes even to device drivers and the BSD kernel. From a hypervisor, it's a far shorter and safer leap to running multiple simultaneous OS instances without the necessity for, or with diminished need of, software host/guest virtualization.

Is a hypervisor part of an OS's kernel? Can't you boot a monolithic OS on a hypervisor and still say you have a monolithic OS kernel?

If such questions are important to you, I'll leave it to you to work them out. I know that Microsoft is scrambling to build a hypervisor into Longhorn Server. I know that OSes need hypervisors to keep them secure and to give administrators a single, trusted, low-level interface for the granting of access rights and the allocation of resources. Mach, the Mac's TPM and the Intel virtualization extensions give Apple a huge head-start on a hypervised OS.

Tom Yager writes InfoWorld's Mobile Edge blog.
©1994-2010 Infoworld, Inc.