[cap-talk] EQ, MyCap? review

Charles Landau clandau at macslab.com
Tue Feb 12 17:20:26 EST 2008


At 1:20 PM -0800 2/12/08, Jed Donnelley wrote:
>Regarding:
>
>On 2/12/2008 8:53 AM, Charles Landau wrote:
>> At 12:11 AM -0800 2/12/08, Jed Donnelley wrote:
>>> Can you describe how that situation (access to private
>>> data for capabilities communicated as parameters) is
>>> handled in the KeyKOS kin?
>>
>>  In KeyKOS, MyCap? is called DOMAINCREATOR__IDENTIFY_ENTRY
>>  (http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/67.html#iden).
>>  In EROS and CapROS it's Amplify Gate Key
>>  (http://www.eros-os.org/devel/ObRef/standard/ProcessCreator.html).
>>  These operations return a domain/process key, which allows you to
>>  extract all the components of the process, such as its address space.
>
>I looked at the above references.  The terminology is foreign
>enough to me that I haven't yet seen what I was looking for in
>the above.  The Amplify Gate Key sounds to me more like a call
>made after an "entry" (invocation) that would allow access to
>the state of the invoked capability - though I admit I don't
>know what a "process" key is in the above context.
>
>What I was looking for is a mechanism whereby if, let's say,
>a capability A is invoked and A is also passed in as a parameter
>to the invocation of A, then the service (deputy) can determine
>that the parameter is one of the capabilities that it services
>and can identify its associated private state.

Let's say P is the process executing the service (deputy), and A is a 
capability that grants the permission to send a message to P. A is 
called a "start" capability to P in EROS/CapROS, or an "entry" key in 
KeyKOS.

P usually holds a capability that allows it to do Identify_Entry or 
Amplify Gate Key on start caps to a set of processes including P. 
(The set is all processes that have the same "brand" as P.) If the 
parameter to Amplify Gate Key is a start key to a process Q (Q may or 
may not be the same as P, but it has the same brand as P), the 
operation returns a Process key to Q. A Process key allows you to do 
essentially anything to a process, not just call it. For example you 
could reach in and share memory with it. Or you could call it using a 
private interface.

The object that implements the Amplify Gate Key method is the Process 
Creator, but this may change in the future.

In EROS/CapROS, the capability to a caller that allows the callee to 
reply is called a "resume" capability; in KeyKOS it's an "exit" key. 
Amplify Gate Key and Identify_Exit recognize these capabilities too.

I hope this helps with the terminology. Amplify Gate Key is very 
equivalent to MyCap?, for reasonable definitions of "My".
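
The brand check described in the message above, as an added example that is not part of the original post and is not KeyKOS, EROS or CapROS code. All class, method and function names are hypothetical, and plain Python object references stand in for kernel-protected capabilities, so the model shows the decision logic only, not the enforcement.

```python
class Process:
    def __init__(self, name, brand):
        self.name = name
        self.brand = brand            # stamped by the creator at creation time
        self.private_state = {}       # reachable only through a process key

class GateCap:
    """Start or resume capability: grants only the right to message `target`."""
    def __init__(self, target, kind):
        self.target = target
        self.kind = kind              # "start" or "resume"

class ProcessKey:
    """Full authority over one process, including its private state."""
    def __init__(self, process):
        self.process = process

class ProcessCreator:
    def __init__(self):
        self.brand = object()         # unique identity; stands in for the brand

    def create(self, name):
        """Make a branded process; return its process key and a start cap."""
        proc = Process(name, self.brand)
        return ProcessKey(proc), GateCap(proc, "start")

    def resume_cap(self, process_key):
        """Model the resume capability a caller hands to a callee."""
        return GateCap(process_key.process, "resume")

    def amplify_gate_key(self, cap):
        """Return a process key only for gate caps to same-brand processes."""
        if not isinstance(cap, GateCap) or cap.target.brand is not self.brand:
            return None
        return ProcessKey(cap.target)

def private_state_for(creator, param):
    """Deputy-side check on a capability received as a parameter."""
    key = creator.amplify_gate_key(param)
    return None if key is None else key.process.private_state
```

A `None` result means the parameter is not a gate capability to a process of the deputy's brand, so the deputy has to treat it as an opaque capability.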

