l4-hurd

Re: [ANNOUNCE] Introducing Codezero


From: Bas Wijnen
Subject: Re: [ANNOUNCE] Introducing Codezero
Date: Mon, 22 Jun 2009 15:36:29 +0200
User-agent: Mutt/1.5.18 (2008-05-17)

Hi,

On Sun, Jun 21, 2009 at 10:31:21PM +0300, Bahadir Balban wrote:
> address@hidden wrote:
>> Pistachio? Does that mean that just like Pistachio it has no kernel
>> support for protected IPC? If so, this is a total show-stopper -- it was
>> the main reason why the original Hurd/L4 port has been abandoned...
>
> Yes I can understand that this is a limitation. IPC on Codezero is not
> controlled, yet. It's version 0.1 after all. It is possible to implement
> this, and one option is to add capabilities.

I'm not sure if "adding capabilities" to a working system is a proper
way to get security right.  Security is not something that can be added
to a program.  It must be at the core, and the design must support it
from the start.

If you try to add it, I fear that either it will not work, because there
are insecure bypasses for secure parts, or it will have bad performance
because the fast paths of the system aren't used, or both.

Note that I'm not saying you should make a capability-kernel.  If you
like L4, it makes sense to write something like it.  I'm just saying
that "turning it into a capability kernel" may not be as trivial as you
make it sound.  So it may be better to simply not make that a goal. :-)

> But it won't be object-based capabilities because I generally oppose
> designing everything around object oriented methods.

What I've seen from capability systems, they can be seen by object
oriented systems as remote object calls.  However, this is not enforced
in any way.  The kernel just sends a message over a protected channel.
How this is used or interpreted by both ends of the channel is their
problem.

The role of capabilities in the story is the protection of the channel.
It is not possible for threads to open channels to other threads.  They
can only give away rights that they have over channels that are already
present.

Turning a capability-based system into something like Linux is easy[1]:
just build a central file system server and give a capability for it to
all processes.  Turning Linux into a capability-based system is
equivalent to rewriting Linux.

[1] The easy part is turning it into something like Linux.  Writing the
system, including device drivers, is not easy at all.

> FS0 has the VFS and the underlying filesystems bundled.

In one server?  Does that mean that a new FS0 is needed to support a new
file system type?  I would advise to use a system where users can use
their own implementation of file systems, without the help of the system
administrator.  But that may just be my Hurd-mind, and not something you
wish to care about. ;-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://a82-93-13-222.adsl.xs4all.nl/e-mail.html
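A toy model of the capability-protected IPC described in the message above (an added example, not code from Codezero, L4 or the Hurd): only the kernel creates channels, a task can send only through a capability slot it already holds, and delegation passes on a subset of rights it already has; `linux_like_setup` builds the "central file system server" arrangement the message mentions. All names (Kernel, Cap, fs0, shell, editor, stranger) are constructed for this illustration.

```python
from collections import namedtuple

SEND, GRANT = 1, 2  # rights a capability can carry (bit flags)
Cap = namedtuple("Cap", "channel rights")  # channel id is kernel-internal; tasks see only slots

class Kernel:
    """Toy kernel (constructed example): channels exist only in here."""
    def __init__(self, *tasks):
        self.caps = {t: [] for t in tasks}  # per-task capability table, index = slot
        self.receiver_of, self.inbox = {}, {t: [] for t in tasks}
    def create_channel(self, receiver):
        # Kernel-only primitive: no task can mint a channel or forge a raw channel id.
        cid = len(self.receiver_of)
        self.receiver_of[cid] = receiver
        return self._install(receiver, Cap(cid, SEND | GRANT))
    def _install(self, task, cap):
        self.caps[task].append(cap)
        return len(self.caps[task]) - 1
    def _lookup(self, task, slot, needed):
        table = self.caps[task]
        if slot >= len(table) or not table[slot].rights & needed:
            raise PermissionError(f"{task}: slot {slot} lacks right {needed}")
        return table[slot]
    def send(self, sender, slot, msg):
        # Delivery depends only on the sender's own table: there is no "connect to task X".
        cap = self._lookup(sender, slot, SEND)
        self.inbox[self.receiver_of[cap.channel]].append((sender, msg))
    def grant(self, donor, slot, recipient, rights):
        # Delegation hands on a subset of rights already held; it never amplifies them.
        cap = self._lookup(donor, slot, GRANT)
        if rights & ~cap.rights:
            raise PermissionError("cannot grant rights the donor does not hold")
        return self._install(recipient, Cap(cap.channel, rights))

def linux_like_setup():
    """fs0 owns one service channel; every ordinary process gets a send-only capability."""
    k = Kernel("fs0", "shell", "editor", "stranger")
    fs_slot = k.create_channel("fs0")
    for proc in ("shell", "editor"):
        k.grant("fs0", fs_slot, proc, SEND)
    k.send("shell", 0, "open /etc/motd")
    out = {"fs0_inbox": k.inbox["fs0"]}
    for label, op in (("stranger_send", lambda: k.send("stranger", 0, "open x")),
                      ("editor_grant", lambda: k.grant("editor", 0, "stranger", SEND))):
        try:
            op()
            out[label] = "delivered"
        except PermissionError:
            out[label] = "refused"
    return out
```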
