l4-hurd

Re: Hurd-L4 : Architecture Questions


From: Matthieu Lemerre
Subject: Re: Hurd-L4 : Architecture Questions
Date: Sun, 10 Jul 2005 22:00:47 +0200
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.0.50 (gnu/linux)

NePat <address@hidden> writes:

> Hello,

Hi,

(and sorry for the late answer, but we were all in LSM)
> 
> I've spent much time reading documentation on L4-Hurd, I read
> some code, I also read some mails in the mailing list, and I have
> some questions to ask (excuse my poor English :) ):
>
> 1 - Trusted process?
>       There's lots of things and thoughts about it, but I don't really get
> the thing.
>       On what is the amount of trust provided to a process by a server based?
>       Why can't it be enough to trust the owner (user) of a process?

This question is in fact not specific to the L4 port of the Hurd.
Basically, the Hurd is designed so that if you communicate with a
server which is a malicious program, i.e. it will do anything it can
to annoy you (like trying to freeze you), the amount of annoyance
that it can cause is limited.

For instance, if you are using emacs and opening a file located on a
filesystem provided by a translator run by another user, and this
translator is malicious, all that it can do is not respond to you, and
you can cancel the operation and emacs will never freeze or crash.

The server also needn't trust the client. So we can have
communication between a client and a server where neither trusts the
other.

This also helps if either party is not malicious, but buggy.

But certain operations can't be done this way, so you have to put some
trust in the server which provides this kind of service and avoid doing
something if it may be harmful to you. To help communication between
the two parties, there are third-party servers which are provided by
the system. For instance, auth is a system server which can be trusted
by every task and helps with authenticating a client to a server.

There are some more additional problems in L4 because of synchronous
RPCs.

I would suggest that you read the papers located on
http://www.gnu.org/software/hurd/docs.html, they are really helpful to
understand the overall design of the Hurd. 

> 
> 2 - SMP isn't thought about? I don't find anything about SMP and
> L4-Hurd. Although L4 Pistachio seems to be designed in such a
> way. And, the heavily multi-threaded conception of Hurd-L4 is
> directly interested in SMP. And more, the future, by the limit on
> electronics size, is SMP. So ...
>
> It seems that the design changes its way to a more centralized
> system (with cap server and notification server, perhaps they're the
> same), but in SMP architecture centralisation is a bad thing (I
> think), things have to be as local as possible, so are the
> reasons to change the way so unbreakable? (and I don't speak about
> overhead costs).

Don't worry, we have SMP in mind. As you mentioned, the servers are
multithreaded: the fact that there is one server does not mean that it
runs only on one CPU. The thing we have to take care of is not to do
too many cross-CPU IPCs, and we're thinking about that when designing the
capability system.

Thanks,
Matthieu
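The point about a malicious translator being able to do nothing worse than not respond, illustrated with a constructed model (added here for the archive reader; it is not code from the Hurd, from L4, or from either poster). The "server" is a pthread that either answers a request through a reply slot or silently never does; the client waits on the slot with a deadline and reports a timeout instead of blocking, which is the property that keeps emacs alive in the example above. The names `rpc_call`, `reply_slot_t`, `well_behaved_server` and `unresponsive_server` are assumptions of this model, and real Hurd/L4 IPC is not modelled.

```c
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Constructed model of a Hurd-style RPC (illustration only, not Hurd code).
 * The client hands the server a reply slot and waits on it with a deadline,
 * so a server that chooses never to answer costs the client only the
 * timeout, never a hang. */

enum rpc_status { RPC_OK = 0, RPC_TIMEOUT = 1, RPC_ERROR = 2 };

typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t replied;
    bool has_reply;
    int reply_value;
} reply_slot_t;

typedef void *(*server_fn)(void *);

/* A cooperative server: answers the request with the value 42. */
static void *well_behaved_server(void *arg)
{
    reply_slot_t *slot = arg;
    pthread_mutex_lock(&slot->lock);
    slot->reply_value = 42;
    slot->has_reply = true;
    pthread_cond_signal(&slot->replied);
    pthread_mutex_unlock(&slot->lock);
    return NULL;
}

/* A malicious (or merely buggy) server: accepts the request and never
 * replies. Against a client that waits with a deadline, this is the worst
 * it can do. */
static void *unresponsive_server(void *arg)
{
    (void)arg;
    return NULL;
}

/* Client side: send the request to `server`, wait at most timeout_ms for a
 * reply, and return RPC_TIMEOUT instead of blocking forever. */
static int rpc_call(server_fn server, int timeout_ms, int *out)
{
    reply_slot_t slot = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER,
                          false, 0 };
    pthread_t tid;
    if (pthread_create(&tid, NULL, server, &slot) != 0)
        return RPC_ERROR;

    /* Absolute deadline on the realtime clock, as pthread_cond_timedwait
     * expects (timespec_get/TIME_UTC is standard C11). */
    struct timespec deadline;
    timespec_get(&deadline, TIME_UTC);
    deadline.tv_sec += timeout_ms / 1000;
    deadline.tv_nsec += (long)(timeout_ms % 1000) * 1000000L;
    if (deadline.tv_nsec >= 1000000000L) {
        deadline.tv_sec += 1;
        deadline.tv_nsec -= 1000000000L;
    }

    int status = RPC_OK;
    pthread_mutex_lock(&slot.lock);
    while (!slot.has_reply) {
        int rc = pthread_cond_timedwait(&slot.replied, &slot.lock, &deadline);
        if (rc == ETIMEDOUT) {
            /* Re-check the slot: a reply racing the deadline still counts. */
            status = slot.has_reply ? RPC_OK : RPC_TIMEOUT;
            break;
        }
    }
    if (status == RPC_OK)
        *out = slot.reply_value;
    pthread_mutex_unlock(&slot.lock);

    /* Both model servers return promptly, so joining cannot block here. */
    pthread_join(tid, NULL);
    return status;
}

int main(void)
{
    int value = 0;
    int s1 = rpc_call(well_behaved_server, 1000, &value);
    printf("well-behaved server: status %d, value %d\n", s1, value);
    int s2 = rpc_call(unresponsive_server, 200, &value);
    printf("unresponsive server: status %d (1 = timed out, client still alive)\n", s2);
    return 0;
}
```

Build with `cc -pthread model.c` (older libcs need the flag to link the pthread functions). The second call returns after roughly 200 ms with `RPC_TIMEOUT`, which is the whole point: the client decides how long it is willing to wait, and a server it does not trust cannot extend that.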
