[cap-talk] Midori in The Register

Kenneth Hamer-Hodges ken at sipantic.net
Wed Aug 6 05:32:17 CDT 2008

Plessey 250 system rejected protection rings, device driver special cases
and the privileged modes that they require as well as any hardware DMA. 
The multiprocessor architecture used any of the multiple CPUs to perform I/O
actions directly by a thread with the requisite "capability". 
There was (is) no distinction between a device driver and any other
abstraction. They were all implemented as "Enter" capabilities (subroutine
calls) to an instance of a class of (in this case) an I/O device. 
The device hardware registers were accessed as part of the single shared
System 250 memory address space. Access was made and type checked just like
any other memory location - protected by more specific read, write or
execute capabilities that belong to the specific device abstraction. 
Security was easy to enforce right down to the typed hardware of the CPU
with NO privileged modes and NO exceptions.

BTW I am attempting to set up a date for meetings with existing System 250
developers/users to provide an up to date review of the implementation,
practice and results over the past 35 years of use of System 250 by the
UK-MOD. Contact me if you have any specific question that would be of
specific interest.
Thanks - Ken Hamer Hodges ken at sipantic.net 

> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org [mailto:cap-talk-
> bounces at mail.eros-os.org] On Behalf Of Bill Frantz
> Sent: Tuesday, August 05, 2008 9:45 PM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Midori in The Register
> shap at eros-os.com (Jonathan S. Shapiro) on Tuesday, August 5, 2008 wrote:
> >On Wed, 2008-08-06 at 10:52 +1000, James A. Donald wrote:
> >> The problem is that these guarantees are a little *too* strong for
> >> device drivers.
> >
> >In principle I do not see why. In the absence of DMA, it is obviously
> >possible to write fully safe device drivers. In the presence of DMA, it
> >is certainly possible to write fully safe device drivers so long as the
> >low-level DMA interface is understood and mediated by the VM. That is
> >not as difficult as it may initially seem.
> VM/370 did exactly that. The DMA interface was the Channel
> Program[1]. The only way a channel program could be executed was
> through privileged instructions. VM intercepted the instructions,
> translated the channel program, insuring its safety, and then
> executed it. With a suitably constrained interface to the DMA
> hardware, other architectures can perform similarly.
> Cheers - Bill
> [1] <http://en.wikipedia.org/wiki/Channel_program>
> -------------------------------------------------------------------------
> Bill Frantz        | Airline peanut bag: "Produced  | Periwinkle
> (408)356-8506      | in a facility that processes   | 16345 Englewood Ave
> www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk

More information about the cap-talk mailing list