I'm Pierre Alain, a computer science teacher (at Enssat Lannion Brittany France, teaching IT courses with students or apprentices). In my opinion it is always important to keep me up to date with the latest techniques in order to improve my teaching and to give students a view on possible axis of their future as developers.
So I had the opportunity to register for the 11th MirageOS Hack Retreat in the fall of 2022 (in Mirleft, Morocco)! My objective for this session was to meet with many of the most state-of-the-art developers in the field of unikernels and more specifically in the mirage ecosystem.
The background and nationalities were very diverse, and this experience, allowed me to physically meet these people and associate faces with the nicknames of many hackers with whom I had been in contact with for some time. This experience was extremely rich from a technical (every evening there were high quality talks) and a human (thanks again to all the participants) point of view.
Mirage Qubes OS firewall Optimisations
One of the projects of the mirage ecosystem is a firewall designed for QubesOS which takes place as a replacement of a linux kernel virtual machine. This project was initiated in 2016 by Thomas Leonard and is still under development.
One of the biggest coolest thing of the Mirage OS system is that, in addition to using a language with strong type safety, it is very different from the Linux kernel, so a 0day attack on Linux will most likely not be functional on this kernel. Another improvement, in a world where resource consumption is becoming an issue, is that the memory footprint is much smaller than that of a Linux kernel. For example, the mirage OS firewall works with realiability with 32MB of memory, whereas it is necessary to give a barrely minimum of 128MB for the Linux virtual machines.
The main drawback is the current speed of packet transfer. So it was on this task where I spent the technical part of my retreat trying to improve the situation.
After about a week of work, several pull requests, lots of discussions and emotional lifts, here are the raw results, based on a single use of iperf3 (clearly not a reliable statistic to generalise!) where I just change the firewall between two linux virtual machines on the same Qubes laptop.Our baseline, or more precisely the performances we're trying to target, is the performances of the linux kernel (as a firewall virtual machine with 256MB of memory), which gives a symmetrical bandwidth of about 700Mbits/sec with TCP, and about 725Mbits/sec with UDP (and a packet loss of 0.82%).
Regarding the mirage firewall (as a firewall virtual machine with 32MB of memory), I now have a TCP bandwidth of about 540Mbits/sec with TCP (77% of the linux firewall), and 670Mbits/sec with UDP (92% of the linux firewall and a packet loss of 0.033%, surprisingly we lose much less packets than linux :o).
There is still a lot of work to be done to improve performances to match the Linux kernel, but this is something that can probably be done in the future, and the current state of the mirage firewall seems acceptable enough to me to propose it to the Qubes community!
