Trustworthy Systems

Why change the kernel when you have seL4?

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

Keynote at KISV workshop

Abstract

Breaking up monolithic kernels (by which I take the workshop to mean Linux) is no doubt a commendable exercise. Recent additions to computer architectures that provide intra-address-space protection are an enabler of this and come with relatively low overhead.

While interesting for exploring the design space, these mechanisms have drawbacks, especially as using them limits a design to recent processors. Furthermore, they are not standardised across architectures, making it more difficult to keep kernel code mostly portable.

But are these really necessary? I argue they are not, and that the combination of good old dual-mode execution paired with page-based virtual memory is all you need – as long as you pick the right design. And the right design has to be based on a microkernel, or rather The Microkernel, i.e. seL4. There are never-dying claims that this leads to poor performance. Our experience shows otherwise: kernel overheads are in the noise with a highly-tuned microkernel and a good design.

Consequently, my recommendation is to avoid dealing with fancy hardware extensions, and (a) de-privilege the (Linux) kernel by running it on seL4 and (b) modularise the resulting user-mode code.

BibTeX Entry

  @misc{Heiser_25:kisv,
    author           = {Gernot Heiser},
    howpublished     = {Keynote at KISV workshop},
    month            = oct,
    slides           = {https://trustworthy.systems/publications/papers/Heiser_25:kisv.pdf},
    title            = {Why Change the Kernel When You Have {seL4}?},
    url              = {https://trustworthy.systems/publications/papers/Heiser_25:kisv.abstract.pml},
    year             = {2025}
  }