[cap-talk] Rescind vs. sever

Charles Landau clandau at macslab.com
Wed Nov 21 19:35:50 EST 2007


At 4:16 PM -0800 11/21/07, Bill Frantz wrote:
>david.hopwood at industrial-designers.co.uk (David Hopwood) on 
>Wednesday, November 21, 2007 wrote:
>
>>I'm also dubious as to whether we want 'Sever' to work on all objects,
>>rather than only objects that agree to it.
>
>It should be noted that the "sever" operation in KeyKOS is only defined
>for two objects, nodes and pages.

It's implemented by the spacebank, which only deals with two objects, 
nodes and pages. Here's pseudocode illustrating how it's used in 
KeyKOS:

object := SpaceBank.createObject();
grant_object_to_others;
object2 := SpaceBank.sever(object);
/* Others no longer can access object. */

Sever isn't a call on the object itself.

>While these objects are the fabric
>from which all other objects are constructed, it does not follow that
>the "sever" operation is available on them.  To sever a domain, one
>would need either a "sever" operation on a domain key or the domain
>creator key,

The latter makes more sense; you wouldn't want to grant a cap to your 
object to someone else and have them sever/revoke your access!

>which do not exist;

True in KeyKOS: that is not to say that such an operation should or 
should not exist.

>or a way to get node keys to the nodes
>that make up that domain, which also does not exist.

For good reason.

>Note that at a higher level, a domain could create a "sever" operation
>on itself.  It "severs" any components for which the operation is
>semantically required (depending on exactly what "sever" means in this
>case), makes a new domain and populates it with all the necessary keys,
>including the resume key to the caller of "sever", and start it running
>to destroy the old domain, and return to the caller.

I think this is David Hopwood's "clone and destroy original".

>Similarly, a segment keeper can provide a "sever" operation, using the
>sever operation on nodes, and perhaps pages as a tool.  Since it can
>build segments that depend on a single slot in a node to define the
>whole segment, it can use Node__Swap to atomically remove access from
>users of the old segment.

Or, it can simply clone and destroy original.

>Since the "sever" operation can be built for higher-level objects
>without having a page or node level "sever", there doesn't seem to be
>much downside to removing it.

It can be built, but there is a difference in performance.


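The two revocation patterns discussed in this message, as an added toy model in Python that is not part of the post and is not KeyKOS or spacebank code: a spacebank-level "sever" on pages and nodes that is a call on the bank rather than on the object, and a segment keeper that builds a higher-level "sever" from a single-slot Node swap, which is the "clone and destroy original" route. Every name (Obj, Key, Page, Node, SpaceBank, SegmentKeeper, Revoked) is an assumption of the model, and sever is modelled as bumping a per-object allocation count that each issued key records; keys here are ordinary Python references, not unforgeable capabilities.

```python
"""Toy model of KeyKOS-style 'sever', added to illustrate the thread.
Not KeyKOS code: names and the allocation-count mechanism are assumptions."""


class Revoked(Exception):
    """Invoking a key whose object was severed or destroyed."""


class Obj:
    """Common state of pages and nodes: live flag plus allocation count."""

    def __init__(self):
        self.alive = True
        self.alloc_count = 0


class Key:
    """A capability: a reference plus the count it was issued under.
    share() is how access is granted to others (a key copy)."""

    def __init__(self, obj, count=None):
        self._obj = obj
        self._count = obj.alloc_count if count is None else count

    def share(self):
        return Key(self._obj, self._count)

    def invoke(self, method, *args):
        if not self._obj.alive or self._count != self._obj.alloc_count:
            raise Revoked(method)
        return getattr(self._obj, method)(*args)


class Page(Obj):
    def __init__(self, data=b""):
        super().__init__()
        self.data = bytearray(data)

    def read(self):
        return bytes(self.data)

    def write(self, data):
        self.data[:] = data


class Node(Obj):
    """Key slots; swap replaces one slot atomically and returns the old key."""

    def __init__(self):
        super().__init__()
        self.slots = [None] * 16

    def fetch(self, i):
        return self.slots[i]

    def swap(self, i, key):
        old, self.slots[i] = self.slots[i], key
        return old


class SpaceBank:
    """Creates pages and nodes. sever is a bank operation, not an object call."""

    @staticmethod
    def _target(key):
        obj = key._obj
        if not obj.alive or key._count != obj.alloc_count:
            raise Revoked("bank")
        return obj

    def create_page(self, data=b""):
        return Key(Page(data))

    def create_node(self):
        return Key(Node())

    def sever(self, key):
        """Invalidate every outstanding key to the object; return the only valid one.
        Contents stay in place (modelled via the allocation count)."""
        obj = self._target(key)
        obj.alloc_count += 1
        return Key(obj)

    def destroy(self, key):
        self._target(key).alive = False


class SegmentKeeper:
    """A segment whose content hangs off slot 0 of one root node. Its sever is
    clone-and-swap: copy the page, swap the copy into the slot, destroy the
    original, so everyone holding a key to the old page loses access at once."""

    def __init__(self, bank, data=b""):
        self.bank = bank
        self.root = bank.create_node()
        self.root.invoke("swap", 0, bank.create_page(data))

    def page_key(self):
        return self.root.invoke("fetch", 0).share()

    def read(self):
        return self.root.invoke("fetch", 0).invoke("read")

    def sever(self):
        fresh = self.bank.create_page(self.read())
        old = self.root.invoke("swap", 0, fresh)
        self.bank.destroy(old)


def demo():
    """Run both patterns on constructed data; return what each party still sees."""
    bank, result = SpaceBank(), {}
    mine = bank.create_page(b"secret")          # create, then grant to others
    theirs = mine.share()
    result["shared_before"] = theirs.invoke("read")
    mine = bank.sever(mine)                     # the old key I held is dead too
    result["mine_after"] = mine.invoke("read")
    try:
        theirs.invoke("read")
        result["shared_after"] = "still readable"
    except Revoked:
        result["shared_after"] = "revoked"
    seg = SegmentKeeper(bank, b"segment data")
    user = seg.page_key()                       # direct key to the backing page
    seg.sever()
    result["segment_after"] = seg.read()
    try:
        user.invoke("read")
        result["user_after"] = "still readable"
    except Revoked:
        result["user_after"] = "revoked"
    return result
```

The performance difference mentioned in the message shows up here as well: the bank-level sever touches one counter and leaves the data in place, while the segment keeper's version has to copy the page before it can swap and destroy.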