Hey redox team. Great work! Just wanted to point out, you wrote “attack of surface” instead of “attack surface”. (On your home page https://www.redox-os.org/)
Also, I’m curious about the mention of drivers being in user space. Why would one want their drivers in user space? Wouldn’t that increase the attack surface?
The benefit of drivers being in user space is that it limits the damage if that driver has vulnerabilities. The downside is, I don't think the performance will be great. The kernel is already written in Rust, and if all drivers are also written in Rust with limited unsafe, it should be almost impossible to have memory-related vulnerabilities.
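To make the "limited unsafe" point concrete, here is an added example (not Redox code, and not anything from the thread's participants) of how a user-space driver can confine its raw memory access: one small, bounds-checked register window where the only `unsafe` blocks are the two volatile accessors, so a bad offset becomes an `Err` instead of a stray write. The `MmioWindow`, `MmioError` and `simulated_bar` names are assumptions made for this example; the "device region" is a constructed in-memory buffer standing in for a BAR the kernel would have mapped into the driver process.

```rust
// Added example (not Redox code): a user-space driver's MMIO register window in
// which `unsafe` is confined to two bounds-checked accessors.
use std::ptr;

#[derive(Debug, PartialEq)]
pub enum MmioError {
    OutOfRange { offset: usize, len: usize },
    Unaligned { offset: usize },
}

/// A register window over a mapped device region. `base` and `len` are assumed
/// to come from the kernel mapping the device's BAR into this process.
pub struct MmioWindow {
    base: *mut u32,
    len: usize, // length of the mapped region in bytes
}

impl MmioWindow {
    /// The safety contract lives in the constructor: the caller guarantees that
    /// `base` points at `len` bytes mapped for this process for the window's lifetime.
    pub unsafe fn new(base: *mut u32, len: usize) -> Self {
        MmioWindow { base, len }
    }

    /// Reject misaligned or out-of-range offsets before any raw access happens.
    fn check(&self, offset: usize) -> Result<usize, MmioError> {
        if offset % 4 != 0 {
            return Err(MmioError::Unaligned { offset });
        }
        if offset.checked_add(4).map_or(true, |end| end > self.len) {
            return Err(MmioError::OutOfRange { offset, len: self.len });
        }
        Ok(offset / 4)
    }

    pub fn read(&self, offset: usize) -> Result<u32, MmioError> {
        let idx = self.check(offset)?;
        // SAFETY: `check` guarantees idx*4 + 4 <= len, and the constructor
        // contract guarantees the region is mapped. Volatile because the device
        // may change the value between reads.
        Ok(unsafe { ptr::read_volatile(self.base.add(idx)) })
    }

    pub fn write(&self, offset: usize, value: u32) -> Result<(), MmioError> {
        let idx = self.check(offset)?;
        // SAFETY: same argument as in `read`.
        unsafe { ptr::write_volatile(self.base.add(idx), value) };
        Ok(())
    }
}

/// Constructed stand-in for a mapped device BAR so the example runs without hardware.
pub fn simulated_bar(words: usize) -> Vec<u32> {
    vec![0; words]
}

/// Exercise the window: one good write/read, one out-of-range read, one
/// misaligned read. Returns the three outcomes so they can be checked.
pub fn demo() -> Result<(u32, MmioError, MmioError), MmioError> {
    let mut bar = simulated_bar(4); // 16-byte constructed device region
    let win = unsafe { MmioWindow::new(bar.as_mut_ptr(), bar.len() * 4) };
    win.write(8, 0xCAFE)?;
    let value = win.read(8)?;
    let oob = win.read(16).unwrap_err(); // one past the end: rejected, not read
    let unaligned = win.read(2).unwrap_err();
    Ok((value, oob, unaligned))
}

fn main() {
    match demo() {
        Ok((value, oob, unaligned)) => {
            println!("read back {:#x}; rejected {:?} and {:?}", value, oob, unaligned);
        }
        Err(e) => println!("unexpected error: {:?}", e),
    }
}
```

The design point is that the `unsafe` surface is two lines whose preconditions are established by `check` and by the constructor's contract, so a logic bug elsewhere in the driver yields a recoverable error inside the driver process rather than a kernel-level memory corruption. Without an IOMMU the device side can still DMA anywhere, which is the limit the later reply in this thread points to.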
Performance can be fine for the vast majority of hardware. Some drivers may need to be colocated in the same process for performance, but your average PCI driver doesn't benefit at all from being in the kernel. People also underestimate what you can accomplish with an efficient, async-first, shared-memory-based IPC.
Security benefits of drivers being in user space become limited quickly if you lack an IOMMU. Additionally, if it has to set things like voltage regulators or clocks, it can easily put the system into precarious states. That said, it's still worthwhile and has lots of other benefits.