[cap-talk] Secure Restart or Trusted Recovery?

Valerio Bellizzomi devbox at selnet.org
Sat Jan 6 07:24:58 CST 2007


On 05/01/2007, at 18.27, Jed Donnelley wrote:

>At 02:00 PM 1/5/2007, Valerio Bellizzomi wrote:
>>On 04/01/2007, at 18.33, Jed Donnelley wrote:
>>...
>> >1.  Cold start - build only an initial set of systems processes as if
>> >after a base system build to the disk.  Fairly safe, but of course even
>> >the code for the kernel and the base system processes could have
>> >been corrupted on disk.
>> >
>> >2.  Warm start - recover all processes that have no components
>> >in memory.  Process state is checked for minimal consistency
>> >(e.g. memory mapping, etc. when pulled in from disk - this happens
>> >in any case).  Processes that had contents in memory are faulted.
>> >Processes whose state was entirely on the disk can begin to run.
>> >
>> >This "recovery" might be considered to do its best to check
>> >and recover from process state on disk.
>>
>> >3.  Hot start - a system initializer paws through what's in
>> >memory (overlaying lower memory where the kernel code
>> >resides), checking for consistency with process state that's
>> >on disk and tries to write out the memory content to the appropriate
>> >process states on disk.  Any processes successfully recovered
>> >can begin to run right away as well as those whose state was entirely
>> >on rotating storage.
>>
>> >This "recovery" can be considered to do its best to check
>> >and recover from process state on disk and from process
>> >state in memory.
>>
>>I know the two terms above differently:
>>
>>Cold start: when the machine has power turned off, load OS after machine
>>power on,
>>and
>>Warm start: when the machine has power turned on, load OS after machine
>>reset.
>
>The above Cold/Warm distinction seems nearly vacuous to me.  I guess in
>principle the Warm start as above could recover content from memory, but
>did it?  Are the above two means to the same end?

It isn't vacuous; it is that there are two different points of view of the
restart operation: one that is hardware-centric and one that is
software-centric.
The cold start/warm start above is the hardware-centric point of view.
The cold start above really means that the machine is turned off before
start; in hindsight, that is what CDC mainframe people call "dead start",
which really means that the machine was OFF.
The warm start above is really what happens after a machine reset;
typically some POST checks are skipped.
After thinking a bit on the topic, the hardware-centric point of view is
what I call "regime" in my papers, and the software-centric point of view
is what I call "condition", (see http://www.selnet.org/pubs/PMM.html
section 7).


>
>While we're at terminology I'll mention a term that's floated around the
>supercomputer "industry", "Checkpoint/Restart".  This term is also a
>bit ambiguous.  For example, there is this:
>
>http://computing-dictionary.thefreedictionary.com/checkpoint%2Frestart
>
>that seems to apply to a whole system, though it seems to ignore
>changes to rotating storage that happen after a checkpoint.


Typically on some IBM mainframe applications there are a number of
checkpoints stored on disk, and you can choose from which checkpoint you
want to restart.

>
>Here's a notion that's a bit more familiar to me:
>
>http://ftg.lbl.gov/CheckpointRestart/CheckpointRestart.shtml
>
>as I know some of the people who worked on that scheme for a time.
>
>Here's another per application notion of Checkpoint/Restart:
>
>http://publib.boulder.ibm.com/infocenter/pdthelp/v1r1/index.jsp?topic=/com.ibm.entcobol4.doc/cpchk02.htm
>
>I spent a bit of time looking back through this thread and some of
>the historical links that it derived from.
>
>May I ask, independent of the name: "Secure Restart" or "Trusted Recovery",
>what mechanism is actually being discussed?  Does it relate in any
>way to the recovery of processes from disk or recovery of processes
>from memory (presumably after a "crash" or other system fault)?  I guess
>it goes without saying, but after a clean shutdown of our NLTSS system
>all processes returned to their state before the shutdown - except of
>course that a large chunk of time disappeared.   The "warm start" described
>was essentially the dual of the clean shut down.  A "cold start" started
>the system without running processes other than those initialized by
>a new system build.

The warm start you describe in this paragraph is a slightly different
point of view, similar to UNIX run-levels.

>
>What I describe above as a "hot start" was the most ambitious.  This could
>be used after some sort of system failure (e.g. a crash, hardware fault,
>etc.) when main memory was still intact.  An initialization/recovery
>program would overlay where the system kernel would eventually be
>placed and it would look through memory for process state that could
>be written to disk to allow processes that were running at the time of a
>crash to be recovered and restarted after the subsequent continuation
>that had the effect of a "warm start" (system load, processes recovered
>from disk).

I think we are discussing recovery of processes from disk.

>
>Is it either of these sorts of actions that's being discussed as
>"Secure Restart" or "Trusted Recovery" or perhaps something
>quite different?
>
>--Jed http://www.webstart.com/jed/ 
>
>
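Added illustration (not code from the thread or from any of the systems named in it): a small Python model of the "recovery of processes from disk" case under discussion, i.e. a restart that picks one of several on-disk checkpoints, either the one the operator asks for or the newest one that survives validation. It also shows the two checks a practitioner would want before trusting on-disk state, since the thread notes that what is on disk may itself have been corrupted: an authenticity tag over each checkpoint, and the "minimal consistency" check of the recovered memory map. The file layout, the HMAC key, the process-state fields (pid, pc, maps) and the constructed scenario in demo() are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
import struct
import tempfile

# Assumed for the example: the key that authenticates checkpoints. A real
# system would keep it where a crashed or tampered disk cannot reach it.
KEY = b"example-checkpoint-key"
HEADER = struct.Struct(">Q")            # checkpoint sequence number
TAG_LEN = hashlib.sha256().digest_size


def write_checkpoint(ckpt_dir, seq, state):
    """Store one checkpoint of a process's state as seq || HMAC || payload.
    Written to a temp file, fsynced, then renamed, so a crash mid-write
    never leaves a half-written checkpoint under the final name."""
    payload = json.dumps(state, sort_keys=True).encode()
    hdr = HEADER.pack(seq)
    tag = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()
    final = os.path.join(ckpt_dir, f"ckpt-{seq:08d}")
    tmp = final + ".tmp"
    with open(tmp, "wb") as f:
        f.write(hdr + tag + payload)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, final)
    return final


def state_is_consistent(state):
    """Minimal consistency check on recovered state (the 'memory mapping'
    check mentioned in the thread): every mapping is well formed, mappings
    do not overlap, and the saved pc lies inside an executable mapping."""
    maps = state.get("maps", [])
    if not all(start < end for start, end, _ in maps):
        return False
    spans = sorted((start, end) for start, end, _ in maps)
    if any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1)):
        return False
    pc = state.get("pc")
    if not isinstance(pc, int):
        return False
    return any(start <= pc < end and "x" in perms for start, end, perms in maps)


def load_checkpoint(path):
    """Return (seq, state) if the file is authentic and consistent, else None."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < HEADER.size + TAG_LEN:
        return None                        # truncated on disk
    hdr = data[:HEADER.size]
    tag = data[HEADER.size:HEADER.size + TAG_LEN]
    payload = data[HEADER.size + TAG_LEN:]
    expected = hmac.new(KEY, hdr + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                        # corrupted or tampered on disk
    try:
        state = json.loads(payload)
    except ValueError:
        return None
    if not state_is_consistent(state):
        return None
    return HEADER.unpack(hdr)[0], state


def restart(ckpt_dir, want_seq=None):
    """Choose the checkpoint to restart from: the requested sequence number,
    or the newest one that passes validation, skipping any that do not."""
    names = sorted(n for n in os.listdir(ckpt_dir)
                   if n.startswith("ckpt-") and not n.endswith(".tmp"))
    for name in reversed(names):
        loaded = load_checkpoint(os.path.join(ckpt_dir, name))
        if loaded is None:
            continue
        if want_seq is None or loaded[0] == want_seq:
            return loaded
    return None


def demo():
    """Constructed scenario: three good checkpoints, the newest one damaged
    on disk, plus one authentic but inconsistent checkpoint. Returns the
    sequence numbers chosen for a default restart and for an explicit one."""
    ckpt_dir = tempfile.mkdtemp(prefix="ckpt-demo-")
    base = {"pid": 42, "maps": [[0x1000, 0x2000, "r-x"], [0x2000, 0x3000, "rw-"]]}
    for seq, pc in ((1, 0x1010), (2, 0x1020), (3, 0x1030)):
        write_checkpoint(ckpt_dir, seq, dict(base, pc=pc))
    # Simulate disk corruption of the newest checkpoint: flip one payload byte.
    path3 = os.path.join(ckpt_dir, "ckpt-00000003")
    with open(path3, "rb") as f:
        raw = bytearray(f.read())
    raw[-1] ^= 0xFF
    with open(path3, "wb") as f:
        f.write(raw)
    # An authentic checkpoint whose saved pc points outside every mapping.
    write_checkpoint(ckpt_dir, 4, dict(base, pc=0x9000))
    return restart(ckpt_dir)[0], restart(ckpt_dir, want_seq=1)[0]


if __name__ == "__main__":
    print(demo())   # (2, 1)
```

The default restart skips checkpoint 4 (authentic but its pc is unmapped) and checkpoint 3 (tag mismatch after the corruption) and lands on 2; asking for checkpoint 1 explicitly gets 1. Note what the example does not solve: it only authenticates the checkpoint files, so a kernel or base process image corrupted on disk, the case Jed raises for the cold start, still needs something outside this file to vouch for it.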
