[cap-talk] EQ, MyCap? review
jed at nersc.gov
Tue Feb 12 18:29:06 EST 2008
On 2/12/2008 2:20 PM, Charles Landau wrote:
> At 1:20 PM -0800 2/12/08, Jed Donnelley wrote:
>> On 2/12/2008 8:53 AM, Charles Landau wrote:
>>> At 12:11 AM -0800 2/12/08, Jed Donnelley wrote:
>>>> Can you describe how that situation (access to private
>>>> data for capabilities communicated as parameters) is
>>>> handled in the KeyKOS kin?
>>> In KeyKOS, MyCap? is called DOMAINCREATOR__IDENTIFY_ENTRY
>>> (http://www.cis.upenn.edu/~KeyKOS/agorics/KeyKos/Gnosis/67.html#iden).
>>> In EROS and CapROS it's Amplify Gate Key
>>> These operations return a domain/process key, which allows you to
>>> extract all the components of the process, such as its address space.
>> I looked at the above references. The terminology is foreign
>> enough to me that I haven't yet seen what I was looking for in
>> the above. The Amplify Gate Key sounds to me more like a call
>> made after an "entry" (invocation) that would allow access to
>> the state of the invoked capability - though I admit I don't
>> know what a "process" key is in the above context.
>> What I was looking for is a mechanism whereby if, let's say,
>> a capability A is invoked and A is also passed in as a parameter
>> to the invocation of A, then the service (deputy) can determine
>> that the parameter is one of the capabilities that it services
>> and can identity its associated private state.
> Let's say P is the process executing the service (deputy), and A is a
> capability that grants the permission to send a message to P. A is
> called a "start" capability to P in EROS/CapROS, or an "entry" key in
> P usually holds a capability that allows it to do Identify_Entry or
> Amplify Gate Key on start caps to a set of processes including P.
> (The set is all processes that have the same "brand" as P.) If the
> parameter to Amplify Gate Key is a start key to a process Q (Q may or
> may not be the same as P, but it has the same brand as P), the
> operation returns a Process key to Q. A Process key allows you to do
> essentially anything to a process, not just call it. For example you
> could reach in and share memory with it. Or you could call it using a
> private interface.
Powerful stuff - the old "matches and children" admonition seems to
> The object that implements the Amplify Gate Key method is the Process
> Creator, but this may change in the future.
> In EROS/CapROS, the capability to a caller that allows the callee to
> reply is called a "resume" capability; in KeyKOS it's an "exit" key.
> Amplify Gate Key and Identify_Exit recognize these capabilities too.
> I hope this helps with the terminology. Amplify Gate Key is very
> equivalent to MyCap?, for reasonable definitions of "My".
I think I'm understanding. Is there a one-to-one correspondence
between start/entry capabilities/keys and service processes?
Assuming so, then I guess the "brand" mechanism is a means to
support multiple distinct start/entry capabilities/keys within
a common "domain" by allowing a process entering the "domain"
via one start/entry capability/key to access the internal
state of a start/entry capability/key that might have been
passed in as a parameter? In that sense to get access to the
"private" data for the object?
If all the above guesses are correct, then the definition of "My"
is essentially 'serviced by a process within the same brand'?
In that case I guess "brand"s would typically have a convention
for where to store a pointer in the object state for any
start/entry capability/key that may be serviced by another
process in the brand? Alternatively perhaps this access to
private data is what you referred to above when you mentioned
the possibility of calling "it using a private interface"?
Just checking my understanding of the nomenclature. Thanks for
taking the time to explain.
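As an added illustration (not code from KeyKOS, EROS or CapROS, and not written by either poster), here is a small Python model of the brand-based amplification described in the quoted explanation: a deputy holding an amplifier for its creator's brand can turn a start key passed in as a parameter into a process key, and only for processes of that brand. Process names, the `Brand`/`Amplifier` classes and the private-state layout are invented for the model.

```python
"""Toy model of Amplify Gate Key / Identify_Entry (constructed example)."""


class Brand:
    """Identity token shared by all processes made by one process creator."""
    def __init__(self, label):
        self.label = label


class Process:
    def __init__(self, name, brand, secret):
        self.name, self.brand = name, brand
        self.private_state = {"secret": secret}   # what only a process key exposes


class StartKey:
    """Send-only capability: the holder may call `target`, nothing more.
    (Python does not enforce unforgeability; treat .target as opaque.)"""
    def __init__(self, target):
        self.target = target


class ProcessKey:
    """Full authority over a process; obtained only by amplification."""
    def __init__(self, target):
        self.target = target


class Amplifier:
    """Held by processes of one brand; plays the Process Creator's role."""
    def __init__(self, brand):
        self._brand = brand

    def amplify(self, cap):
        # Refuse anything that is not a start key to a same-brand process.
        if not isinstance(cap, StartKey) or cap.target.brand is not self._brand:
            return None
        return ProcessKey(cap.target)


def build_scenario():
    mine, other = Brand("creator-1"), Brand("creator-2")
    p = Process("P", mine, "p-state")    # the deputy
    q = Process("Q", mine, "q-state")    # sibling with the same brand
    r = Process("R", other, "r-state")   # foreign brand
    return p, q, r, Amplifier(mine)


def service_request(amp, param):
    """Deputy receives `param`; return its private state only if it is 'mine'."""
    pkey = amp.amplify(param)
    return None if pkey is None else pkey.target.private_state["secret"]
```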