Ok, extremely oddball concept here, while contemplating all this side-channel attack madness going on, Spectre, Meltdown, Zombieload etc. The following popped into my head: can someone run more than one GNU/Linux kernel on a GNU/*nix operating system at the same time? After a tad of thought, I believe the answer is yes. That being VMs/true hypervisors such as KVM, Xen etc. While of course they still all have access to the system's underlying CPU(s), applications launched in these VMs should still totally be subject to the kernel they're running under in the guest OS. Wth does this matter, you may be wondering at this point? Well, I've long taken to compiling my own kernels, also long been a performance junkie, and doing whatever is reasonable to boost kernel performance/speed etc. is one of the priorities. So in the recent past I've actually been researching ways to get rid of many of the new mitigations coming down the pipe for Spectre/MD/ZL etc.
Compiled out Retpoline, found the config to compile out PTI (page table isolation), and researched all the boot parameters someone can add to, e.g., /etc/default/grub to disable whichever mitigations they choose, depending upon the kernel version you're running etc. While I overall like this and am interested in it, one thing about all these side-channel buggers and beasties is that folks are saying it's possible these exploits can be pulled off via JavaScript (web browsers). Which doesn't make me feel all warm and fuzzy inside when coupled with my having stripped away many of the mitigations for the kernel I'm running in the hopes of reclaiming any lost performance on my ole Intel CPU (atm era 2009ish). Although I do use NoScript, the Firefox addon, to stop JavaScript from running unless cleared on a website by the user. Still thinking eventually, if this JavaScript vulnerability is in fact possible, that these exploits will trickle down and sooner or later become more commonplace. More widespread ...
This is what got me to thinking about having web browsers run under a separate kernel. One with all mitigations in full effect, running under a hypervisor to keep them isolated. A barebones GNU/Linux guest VM could be fairly well tiny. Even with all the goodies, Xorg, display manager, window manager etc. etc. etc. running, much of which may not strictly be necessary on a minimal VM guest OS, my install(s) still weigh in under 100 MB of RAM total at idle. A stripped-down VM guest strictly meant for running web browsers could be a drop in the resource bucket compared. Though with as hardened a kernel as someone prefers, while leaving the host OS to do its thing sans all these potentially performance-bogging patches. While I've seen it said for desktop users with most workloads the mitigations don't really matter anyway, shrugs.
Now at this point, am tossing around ways to set this dorkishness up reasonably transparently, meaning when xyz-browser(s) are launched on the host, a minimal VM/guest fires up to manage them, with its hardened kernel hopefully preventing such browser(s) from being able to be messed with by Spectre/MD/ZL on the webz. Got some decent ideas on the matter but mostly just wanted to post this for the heck of it. Get people's feedback and opinions. While of course the affected system would have to be capable of virtualization (mine isn't anyway). Still thought this idea is somewhat interesting and worth sharing. Also pointlessly pointing out the obvious, this is seriously bad mojo for Intel, will be looking to AMD in future, have long preferred them anyway. Though depending upon the specs/price, not going to pass up a good Intel-based system that comes down the pike either. What say you fellows?
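Added example (not from the post or any project it mentions): a POSIX shell check that reads the kernel's own per-issue mitigation summary under /sys/devices/system/cpu/vulnerabilities/, so the stripped-down host and the hardened browser guest can each be verified rather than assumed. The directory argument and the sample status strings at the bottom are constructed so it runs stand-alone.

```shell
#!/bin/sh
# Report which Spectre/Meltdown/MDS-class mitigations the running kernel says
# are in effect. Each file under the sysfs directory holds the kernel's own
# one-line summary for one issue. Run on the host, then inside the guest, and
# compare. The directory is a parameter so a constructed copy can be checked.

# Print one line per issue; return 1 if any entry starts with "Vulnerable".
mitigation_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)    printf 'UNMITIGATED %-12s %s\n' "$name" "$status"; rc=1 ;;
            "Not affected") printf 'n/a         %-12s %s\n' "$name" "$status" ;;
            *)              printf 'mitigated   %-12s %s\n' "$name" "$status" ;;
        esac
    done
    return $rc
}

# Number of issues reported as Vulnerable, for scripting a host/guest comparison.
count_unmitigated() {
    mitigation_report "$1" | grep -c '^UNMITIGATED' || true
}

# Constructed sample mimicking a host booted with several mitigations stripped.
# File names match sysfs; the status strings are made up for this demo.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Vulnerable\n'                                   > "$d/meltdown"
    printf 'Vulnerable\n'                                   > "$d/spectre_v2"
    printf 'Mitigation: __user pointer sanitization\n'      > "$d/spectre_v1"
    printf 'Not affected\n'                                 > "$d/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode\n' > "$d/mds"
    echo "$d"
}

sample=$(make_sample_dir)
mitigation_report "$sample" \
    || echo "-> $(count_unmitigated "$sample") issue(s) unmitigated on this kernel"
```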