[cap-talk] A dabblers take on security
Jonathan S. Shapiro
shap at eros-os.com
Tue Feb 5 21:42:06 EST 2008
William:
It seems to me that there are two very early decisions that you need to make:

1. Are you planning a language-style capability system or an OS/hardware style capability system? The two involve very different sorts of design decisions.

2. Do you plan to admit an explicit object destroy operation? This has implications for capability invalidation.
I have been asked by several people, including Ruby Lee, what features I might like added to conventional processors to better support capabilities. My top one is:

1. A supervisor instruction that accepts as input an ASID and a pointer and returns as output the content of the TLB entry [that is: a PTE that reflects the final permission state loaded into the TLB as a consequence of the mapping structure walk]. Such a TLB entry should not be valid for data references, so a new form of valid bit is probably required.
This would allow "real" capability addresses to be stored in PTEs, and
allow the supervisor to explicitly reuse the TLB as a CAM. Now that the
idea is on the table, Alan Karp can probably suggest eight improvements,
one of which will be "why not just introduce a CAM". So long as suitable
permission-based tagging can be accomplished, the answer would be "yup,
that would be even better".
The issue with destroy is that it will interact with invalidation of
entries in the CAM.
shap
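Added illustration, not part of the post and not code from Shapiro or any cap-talk project: a small software model of the mechanism sketched above. It reuses a TLB-like CAM keyed on (ASID, page), tags each entry with a hypothetical extra valid-bit kind (KIND_DATA vs KIND_CAP) so that capability entries never satisfy an ordinary data reference, exposes the proposed supervisor probe as tlb_probe(), and shows why an explicit destroy must also sweep the CAM. All names (tlb_probe, data_access, destroy_object, the mapping table that stands in for the page walk) and the sample PTE values are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Toy model, not real hardware: a TLB reused as a CAM keyed on (ASID, page),
 * with a separate "capability" valid bit so capability entries never satisfy
 * ordinary data references. */

#define PAGE_SHIFT 12
#define TLB_SLOTS 4
#define MAP_SLOTS 8

enum entry_kind { KIND_INVALID = 0, KIND_DATA, KIND_CAP };

struct tlb_entry {
    uint16_t asid;
    uint64_t vpn;           /* virtual page number */
    uint64_t pte;           /* permission state produced by the walk */
    enum entry_kind kind;   /* which valid bit is set */
};

/* Constructed stand-in for the mapping structure the hardware would walk. */
struct mapping { uint16_t asid; uint64_t vpn; uint64_t pte; enum entry_kind kind; };

static struct mapping maps[MAP_SLOTS];
static struct tlb_entry tlb[TLB_SLOTS];
static unsigned next_victim;

void model_reset(void) {
    memset(maps, 0, sizeof maps);
    memset(tlb, 0, sizeof tlb);
    next_victim = 0;
}

/* Install a mapping (data page or capability) for an address space. */
bool map_insert(uint16_t asid, uint64_t vaddr, uint64_t pte, enum entry_kind kind) {
    for (int i = 0; i < MAP_SLOTS; i++) {
        if (maps[i].kind == KIND_INVALID) {
            maps[i] = (struct mapping){ asid, vaddr >> PAGE_SHIFT, pte, kind };
            return true;
        }
    }
    return false;
}

/* The "walk": locate (asid, vpn) in the mapping structure. */
static const struct mapping *walk(uint16_t asid, uint64_t vpn) {
    for (int i = 0; i < MAP_SLOTS; i++)
        if (maps[i].kind != KIND_INVALID && maps[i].asid == asid && maps[i].vpn == vpn)
            return &maps[i];
    return NULL;
}

static struct tlb_entry *tlb_lookup(uint16_t asid, uint64_t vpn) {
    for (int i = 0; i < TLB_SLOTS; i++)
        if (tlb[i].kind != KIND_INVALID && tlb[i].asid == asid && tlb[i].vpn == vpn)
            return &tlb[i];
    return NULL;
}

/* On a miss, walk and fill a slot (round-robin victim). */
static struct tlb_entry *tlb_fill(uint16_t asid, uint64_t vpn) {
    const struct mapping *m = walk(asid, vpn);
    if (!m) return NULL;
    struct tlb_entry *e = &tlb[next_victim];
    next_victim = (next_victim + 1) % TLB_SLOTS;
    *e = (struct tlb_entry){ asid, vpn, m->pte, m->kind };
    return e;
}

/* The proposed supervisor instruction: (ASID, pointer) -> loaded PTE content.
 * Returns the entry kind, or KIND_INVALID when nothing maps. */
enum entry_kind tlb_probe(uint16_t asid, uint64_t vaddr, uint64_t *pte_out) {
    uint64_t vpn = vaddr >> PAGE_SHIFT;
    struct tlb_entry *e = tlb_lookup(asid, vpn);
    if (!e) e = tlb_fill(asid, vpn);
    if (!e) return KIND_INVALID;
    if (pte_out) *pte_out = e->pte;
    return e->kind;
}

/* Ordinary load/store path: a capability-tagged entry is not valid here,
 * so such a reference faults exactly as an unmapped one does. */
bool data_access(uint16_t asid, uint64_t vaddr, uint64_t *pte_out) {
    uint64_t pte;
    if (tlb_probe(asid, vaddr, &pte) != KIND_DATA) return false;
    if (pte_out) *pte_out = pte;
    return true;
}

/* Explicit destroy: remove every mapping to the object and invalidate the
 * matching CAM entries so a stale capability cannot be re-hit.
 * Returns the number of TLB entries invalidated. */
int destroy_object(uint64_t pte) {
    int n = 0;
    for (int i = 0; i < MAP_SLOTS; i++)
        if (maps[i].kind != KIND_INVALID && maps[i].pte == pte) maps[i].kind = KIND_INVALID;
    for (int i = 0; i < TLB_SLOTS; i++)
        if (tlb[i].kind != KIND_INVALID && tlb[i].pte == pte) { tlb[i].kind = KIND_INVALID; n++; }
    return n;
}
```

The destroy sweep is the point of the second early decision in the post: if destroy only edits the mapping structure, a capability that was already loaded into the CAM keeps answering probes until it is evicted, so invalidation has to reach the CAM as well.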