[cap-talk] EQ, MyCap? review
Charles Landau
clandau at macslab.com
Wed Feb 13 00:25:27 EST 2008
At 8:55 PM -0500 2/12/08, Jonathan S. Shapiro wrote:
>Not sure if this clarifies or obscures.
Good question.
>In KeyKOS/EROS, the brand was mainly used for process teardown, allowing
>a start/resume cap to be "upgraded" to the corresponding process cap. I
>do not know if this is still true in CapROS.
In KeyKOS, EROS, and CapROS, process teardown is usually done by the
process itself, except for the final step, in which the process calls
its process creator, which uses the brand mechanism to validate and
amplify rights to the resume key to the calling process. I wouldn't
call it the "main" use. The process creator will go away in CapROS as
it has in Coyotos.
>The brand is also used to
>authenticate the program you are invoking.
In KeyKOS, EROS, and CapROS, it is used to authenticate and amplify a
capability to a process you are considering invoking or otherwise
using. This is the interesting and important use.
>On Tue, 2008-02-12 at 15:29 -0800, Jed Donnelley wrote:
>> If all the above guesses are correct, then the definition of "My"
>> is essentially 'serviced by a process within the same brand'?
>
>No.
If you mean "not in Coyotos", then I really shouldn't argue with you, but ...
>The identifyEntryWithBrand operation is used by the constructor to
>identify processes that it has created. This is the underlying primitive
>for authenticating programs. The identifyEntry operation reveals
>whether the entry cap names some process that has the same brand as the
>invoked process cap (and therefore presumably executes the same
>program).
Aren't these the approximate equivalent to Jed's "MyCap?" operation,
where "My" means an entry cap to a process with the same brand?
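
A toy model of the brand check discussed in this message, added here as an illustration; it is not part of the original post and is not code from KeyKOS, EROS, CapROS or Coyotos. The class and function names are hypothetical, and the brand is modelled as a random token held privately by the constructor (an assumption made for the sketch).

```python
import secrets

class Process:
    """Kernel-side process state; the brand is fixed at creation."""
    def __init__(self, program, brand):
        self.program = program
        self.brand = brand  # never exposed through an entry capability

class EntryCap:
    """Start/resume-style capability: may invoke the process, nothing more."""
    def __init__(self, process):
        self._process = process

class ProcessCap:
    """Full-rights capability to a process."""
    def __init__(self, process):
        self._process = process

    def identify_entry(self, entry):
        # Does `entry` name a process with the same brand as this process?
        return secrets.compare_digest(entry._process.brand, self._process.brand)

def identify_entry_with_brand(entry, brand):
    """Return the process cap behind `entry` only if the caller holds its brand."""
    if secrets.compare_digest(entry._process.brand, brand):
        return ProcessCap(entry._process)
    return None

class Constructor:
    """Creates processes for one program and brands them with a private value."""
    def __init__(self, program):
        self._program = program
        self._brand = secrets.token_bytes(16)  # assumption: brand as random token

    def create(self):
        return EntryCap(Process(self._program, self._brand))

    def amplify(self, entry):
        # Validate that we created this process, then amplify to full rights.
        cap = identify_entry_with_brand(entry, self._brand)
        if cap is None:
            raise PermissionError("entry cap does not carry this constructor's brand")
        return cap

if __name__ == "__main__":
    mine, other = Constructor("editor"), Constructor("editor")
    e1, e2, foreign = mine.create(), mine.create(), other.create()
    print(mine.amplify(e1).identify_entry(e2))       # same brand
    print(mine.amplify(e1).identify_entry(foreign))  # different brand
```

Two constructors for the same program name still produce different brands, so the check authenticates the creator rather than the program's label.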