|
|
Re: [ANNOUNCE] Introducing Codezero: msg#00022l4-hurd-gnu
Sam Mason wrote:
I've read them already to a certain extent. The problem is that the hurd project is taken into object-capability grounds completely. This is fine as one perspective. But I am questioning, does it really *have* to be this way? Marcus and others (sorry for minimizing everyone else, it was Marcus Capabilities are an elegant way to achieve security. I am questioning, does it have to be object-based[1]? My worry is that things can get too complicated especially on a design such as a microkernel. [1] By object-based I mean programmatically created objects being referred by remote clients. archives and the following looks like a nice early reference: For example this is a very generic example of how the protocols may get fairly complicated. The details are unimportant; it is chosen from your reference pretty randomly: 1. Task A sends a message to S to initiate the reference passing operation. Task A tells S which reference (O_A) it wants to move to which task (B), and if it wants to synchronize with handle reception in B (flag W for wait). The server will return a transaction number T_A, which is unique to a task, and makes a transaction record (O, A, T_A, B, W) in the server. Note: The transaction number has the same job as the rendezvous port in auth.[1] There are handles, references being passed, transaction ids, etc. This won't work. The protocol will get extremely complicated, and you give an opportunity to monolithic kernel people to despise your design. Things should be kept very minimalistic. You should always keep in mind that you are competing against mere function calls in a monolithic kernel. Generally speaking, whatever you have inside a monolithic kernel, should be moved to userspace, being carefully divided into multiple servers. When you do the division, each individual server should maintain a portion of the kernel state of a process that would otherwise be kept in a single structure in a monolithic system. Then, you need to make them coordinate properly (and synchronously) to serve incoming requests. That's all you need for your first version. Monolithic people say it gets very complicated to debug the communication. I very rarely ran into such problems. I am confidently speaking about it because I have done this to a certain extent. A design such as above, together with synchronous communication feels like you are developing on a monolithic system. Now what's missing in this design? Two major concepts are capabilities, and distributed path navigation (i.e. in Codezero IO is multiplexed by a single file server instead). I am not yet sure what would be best on the latter issue. But getting back to capabilities, in my understanding a capability is just a structure that describes a resource as well as the security permissions on it and its owner. It's a compact, elegant description of resource accessibility that can be dynamically passed around. Could it be used as a central mechanism to access programmatically created objects? Yes. But it doesn't have to be. Using the compact definition I just used, it is powerful enough to build all the secure communication that a microkernel needs. IOW I am suggesting to drop objects, and use capabilities to secure ad-hoc services and resources. Jonathan Shapiro, of EROS and Coyotos, seemed to join properly here: I will certainly look into them for improving on my understanding of capabilities. Currently I am currently finishing off with kernel capabilities on Codezero. Next on my agenda: 1.) Demonstrate kernel capabilities in userspace servers mm0/fs0 (e.g. thread, space creation, manipulation, ipc etc.) 2.) Extend ipc capability mechanism to include ipc request numbers, either in userspace or as a kernel extension, so that all ipc-based requests can be covered by capabilities. (e.g. Think of IDL as opposed to just request numbers to servers, and compare which is more heavy-weight). Thanks, -- Bahadir Balban
|
|
||||||||||||||||||||||||||
| News | Mail Home | sitemap | FAQ | advertise |