l4-hurd

Driver security


From: R. Koot
Subject: Driver security
Date: Fri, 21 Jan 2005 13:50:20 +0100
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)

> Bas Wijnen wrote:
>> Daniel Wagner wrote:
>>> Do all drivers trust each other?
>>
>> Nope, they don't have to, but at some point it's getting a bit tiresome
>> not to trust the device drivers.  Of course you have to be careful
>> from where new drivers are loaded, but as soon as a driver gets active in
>> the ddf it has access to all hardware resources.  So there is no point
>> in creating a 'secure' environment.
>
> Are you saying that if I want to write a driver which needs, say, some
> i/o ports and an interrupt, it will automatically be allowed to use
> everything?  That doesn't sound like a very good idea...  I hope that
> the idea then is to make those hardware drivers as simple as possible,
> so the actual "meat" of the driver (which contains policy) can be
> written by a mortal user (who must of course have access to the device file)?

I think we should separate the drivers into two groups: low-level drivers and high-level drivers. Drivers for PCI cards should be low-level; they can request interrupts and i/o ports at will and can only be loaded by root/the system. This also implies they can be trusted by each and everyone. Because Deva will be in between user applications and drivers, low-level drivers can also trust applications (applications call drivers, drivers don't call applications, so there is no risk of blocking; Deva should just make sure memory mappings are safe).

Drivers for USB devices can be high-level drivers and are loaded when an interactive user logs in and unloaded when he/she logs out. High-level drivers can only request services from their bus driver (the low-level driver for the USB Host Controller) with Deva in between to make sure the low-level driver can trust the high-level driver.


Ruud
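A small model of the two-class policy proposed above, added here as an illustration; it is not code from Deva, the ddf, or anyone in this thread. The type and function names (struct driver, drv_may_load, deva_check), the verdict codes, and the sample drivers are assumptions made for this example. It shows the two checks the mediator would have to make: hardware resources (IRQs, I/O ports) are granted only to root-loaded low-level drivers, and a buffer a high-level driver hands to its bus driver is forwarded only if it lies entirely inside the memory that driver registered, so the bus driver never sees an unsafe mapping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the two driver classes; names are assumptions
 * for this example, not the real Deva/ddf interfaces. */
enum drv_class { DRV_LOW_LEVEL, DRV_HIGH_LEVEL };

struct driver {
    const char    *name;
    enum drv_class cls;
    unsigned       loader_uid;  /* uid that loaded it; 0 = root/the system */
    uintptr_t      mem_base;    /* memory this driver may offer to its bus driver */
    size_t         mem_len;
};

enum req_type { REQ_CLAIM_IRQ, REQ_CLAIM_IOPORT, REQ_BUS_TRANSFER };

struct request {
    enum req_type type;
    unsigned      irq;   /* REQ_CLAIM_IRQ */
    uint16_t      port;  /* REQ_CLAIM_IOPORT */
    uintptr_t     buf;   /* REQ_BUS_TRANSFER: buffer handed to the bus driver */
    size_t        len;
};

enum verdict { DENY_PRIVILEGE = 0, DENY_UNSAFE_MAPPING = 1, ALLOW = 2 };

/* Loading policy: low-level drivers come only from root/the system;
 * high-level (per-user) drivers may be loaded by an interactive user. */
bool drv_may_load(enum drv_class cls, unsigned loader_uid)
{
    return cls == DRV_HIGH_LEVEL || loader_uid == 0;
}

/* The check the mediator applies before forwarding a request.  Written with
 * subtractions so the range test cannot overflow, whatever buf/len are. */
enum verdict deva_check(const struct driver *d, const struct request *r)
{
    switch (r->type) {
    case REQ_CLAIM_IRQ:
    case REQ_CLAIM_IOPORT:
        /* only root-loaded low-level drivers may touch hardware resources */
        if (d->cls != DRV_LOW_LEVEL || d->loader_uid != 0)
            return DENY_PRIVILEGE;
        return ALLOW;

    case REQ_BUS_TRANSFER: {
        size_t off;
        if (r->len == 0 || r->buf < d->mem_base)
            return DENY_UNSAFE_MAPPING;
        off = (size_t)(r->buf - d->mem_base);
        /* buffer must end inside the registered region: off + len <= mem_len */
        if (off > d->mem_len || r->len > d->mem_len - off)
            return DENY_UNSAFE_MAPPING;
        return ALLOW;
    }
    }
    return DENY_PRIVILEGE;  /* unknown request type: fail closed */
}

int main(void)
{
    /* constructed sample drivers: a root-loaded host controller and a
     * per-user USB device driver loaded by uid 1000 */
    struct driver uhci   = { "uhci-hcd", DRV_LOW_LEVEL,  0,    0x100000, 0x1000 };
    struct driver usbcam = { "usb-cam",  DRV_HIGH_LEVEL, 1000, 0x200000, 0x800  };

    struct request irq      = { .type = REQ_CLAIM_IRQ,    .irq = 11 };
    struct request xfer_ok  = { .type = REQ_BUS_TRANSFER, .buf = 0x200100, .len = 0x200 };
    struct request xfer_bad = { .type = REQ_BUS_TRANSFER, .buf = 0x200700, .len = 0x200 };

    printf("uhci IRQ claim:       %d\n", deva_check(&uhci,   &irq));       /* 2 ALLOW */
    printf("usb-cam IRQ claim:    %d\n", deva_check(&usbcam, &irq));       /* 0 DENY_PRIVILEGE */
    printf("usb-cam transfer ok:  %d\n", deva_check(&usbcam, &xfer_ok));   /* 2 ALLOW */
    printf("usb-cam transfer bad: %d\n", deva_check(&usbcam, &xfer_bad));  /* 1 DENY_UNSAFE_MAPPING */
    return 0;
}
```

The transfer check is the part that carries the trust argument: because every buffer reaching the low-level driver has already been bounded to the caller's own registered memory, the bus driver can service a request from an untrusted, user-loaded driver without having to validate the mapping itself.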



