[cap-talk] KeyKOS kernel safety

Charles Landau clandau at macslab.com
Tue Aug 23 12:19:12 EDT 2005

This question is directed at the KeyKOS folks who have a better memory than I.

In KeyKOS there was a page range designated as the kernel range. The 
boot code loaded the range without consulting checkpoint data. To 
update the kernel, you could write data to these pages, wait for it 
to be migrated from the checkpoint area to the home range, and reboot 
the system.

KeyKOS was designed to maintain a safe working state if the system 
crashed and rebooted at any instant. My question is, what if the 
system crashed during the write or migration of the kernel range?

My recollection is that the design, if not the implementation, called 
for two kernel ranges, a primary and a backup. If the primary failed 
to boot, the secondary was booted. You would update and test one 
before updating the other.

(To be safe, you would have to first write the first page of the 
primary kernel with code that reliably fails. At the instant that 
page is migrated, any reboot will reliably go to the secondary 
kernel. Then write the other pages of the new primary kernel, and 
wait for them to be migrated. Then write a good first page; at the 
instant that page is migrated, the new kernel is bootable.)

Is this recollection correct, or was there another design? In CapROS 
this issue applies both to the kernel and to the user-mode disk 
driver, because at boot time they are both loaded without regard to 
checkpoint data.

More information about the cap-talk mailing list