[cap-talk] Cap type safe OS questions

Charles Landau clandau at macslab.com
Sat Aug 1 18:51:44 EDT 2009


Ben Kloosterman wrote:
> It's a bit intimidating posting to an 11 year old list with lots of experts
> when entering the field. Anyway the best way to learn quick is to read and
> ask stupid /incorrect questions.

Don't worry, we are friendly.

On CapROS-devel, Ben Kloosterman wrote:
> Charles Landau wrote:
>> I would also ask you to clarify the questions considerably. Remember,
>> not everyone comes with the background that you may be taking for
>> granted. For example, when you say "the design" or "managed" are you
>> talking about the operating system code, or the architecture seen by
>> clients of the OS?
> 
> Only talking about the OS itself not the clients. 

From your questions, it seems to me that you are assuming that all 
programs running under the OS (the clients of the OS) are managed and 
thus can safely share a single address space. Or am I misunderstanding?

> Q2) How does the loader create the capability to a keyring ( nodepage or
> capability page) for a new process

I'm not sure where you got the term "keyring" or what it means to you. 
In EROS and CapROS a KeyRing is a structure that is used internally by 
the kernel for bookkeeping purposes, but is not exposed to the user.

A process in EROS or CapROS involves several objects:
- the "process" object, which contains thread registers, storage for 
general-purpose capability registers, and capabilities to other objects, 
including:
- an address space
- a capability granting authority for CPU resources,
- etc.

> I note : In a capability system, a new program (we'll call it new) gets its
> capabilities in two ways:
> 
>    1. New receives an initial set of capabilities when it is created. These
> are supplied by new's creator (which is another program).
>    2. If another program receives a capability to new, it can invoke new and
> pass it additional capabilities if it desires.
> From. http://www.eros-os.org/essays/wherefrom.html
> 
> But how is this handled in terms of storage of the capability and storage of
> the pointer to the capability ? Or is there a special case that a process
> can access the keyring without a capability. 

In EROS and CapROS, objects are stored in kernel memory, where they are 
protected from users. (Data pages are handled differently.) Capabilities 
are stored in certain objects such as nodes (capability pages) or 
processes. There are no pointers to capabilities, because they are not 
in the user's address space.

> Q3) User code ( including services) can't call the kernel ( capabilities can
> though I need to decide how to allow capabilities to call the kernel) or
> have a reference outside their address space . 

A capability is a reference to a protected object. It is not an active 
entity that can perform calls.
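The two points above (capabilities live in kernel objects, never as user-space pointers; a process gets capabilities either from its creator at creation time or by being invoked with one) can be made concrete with a small model. The following C program is an added illustration written for this archive page; it is a constructed toy, not EROS or CapROS code, and every name in it (`Cap`, `kernel_objects`, `sys_invoke_pass_cap`, `sys_weaken`, the slot counts and rights bits) is an assumption chosen for the example. User-level calls name a capability only by a small register index, and the kernel resolves that index inside its own table and checks rights before touching the object.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy model of a capability kernel; not CapROS/EROS code. */
#define CAP_SLOTS   8     /* capability registers per process, slots per node */
#define MAX_OBJECTS 16
#define PAGE_BYTES  16
#define RIGHT_READ  0x1u
#define RIGHT_WRITE 0x2u

typedef enum { OBJ_FREE = 0, OBJ_PAGE, OBJ_NODE, OBJ_PROCESS } ObjKind;

/* A capability names an object by a kernel-internal id plus rights.
 * Only the kernel holds Cap values; user code sees only slot numbers. */
typedef struct { int oid; unsigned rights; } Cap;

typedef struct {
    ObjKind kind;
    Cap     slots[CAP_SLOTS];     /* capability registers (process) or node slots */
    uint8_t data[PAGE_BYTES];     /* page contents (OBJ_PAGE only) */
} Object;

static Object kernel_objects[MAX_OBJECTS];   /* kernel memory, not user-mapped */

static void kernel_reset(void) { memset(kernel_objects, 0, sizeof kernel_objects); }

/* Allocate an object of the given kind; oid 0 is reserved as the "void" object. */
static int kernel_alloc(ObjKind kind) {
    for (int i = 1; i < MAX_OBJECTS; i++)
        if (kernel_objects[i].kind == OBJ_FREE) { kernel_objects[i].kind = kind; return i; }
    return -1;
}

static bool slot_ok(int s) { return s >= 0 && s < CAP_SLOTS; }

/* Resolve a caller's slot to an object of the wanted kind carrying the needed rights. */
static Object *kernel_lookup(int caller, int slot, ObjKind want, unsigned need) {
    if (!slot_ok(slot)) return NULL;
    Cap c = kernel_objects[caller].slots[slot];
    if (c.oid <= 0 || c.oid >= MAX_OBJECTS) return NULL;          /* void capability */
    Object *o = &kernel_objects[c.oid];
    return (o->kind == want && (c.rights & need) == need) ? o : NULL;
}

/* Way 1: the creator supplies the new process's initial capabilities by naming
 * slots in its own registers; the kernel copies them into registers 0..n-1 and
 * hands the creator a capability to the new process in ret_slot (an assumption). */
static int kernel_create_process(int creator, const int *src_slots, int n, int ret_slot) {
    if (n > CAP_SLOTS || !slot_ok(ret_slot)) return -1;
    int pid = kernel_alloc(OBJ_PROCESS);
    if (pid < 0) return -1;
    for (int i = 0; i < n; i++) {
        if (!slot_ok(src_slots[i])) return -1;
        kernel_objects[pid].slots[i] = kernel_objects[creator].slots[src_slots[i]];
    }
    kernel_objects[creator].slots[ret_slot] = (Cap){ pid, 0 };
    return pid;
}

/* Way 2: a holder of a capability to a process invokes it and passes along a
 * capability from arg_slot, which lands in the target's register dst_slot. */
static int sys_invoke_pass_cap(int caller, int target_slot, int arg_slot, int dst_slot) {
    Object *target = kernel_lookup(caller, target_slot, OBJ_PROCESS, 0);
    if (!target || !slot_ok(arg_slot) || !slot_ok(dst_slot)) return -1;
    target->slots[dst_slot] = kernel_objects[caller].slots[arg_slot];
    return 0;
}

/* Page access goes through the kernel, which enforces the rights in the capability. */
static int sys_page_write(int caller, int slot, int off, uint8_t v) {
    Object *page = kernel_lookup(caller, slot, OBJ_PAGE, RIGHT_WRITE);
    if (!page || off < 0 || off >= PAGE_BYTES) return -1;
    page->data[off] = v;
    return 0;
}

static int sys_page_read(int caller, int slot, int off) {
    Object *page = kernel_lookup(caller, slot, OBJ_PAGE, RIGHT_READ);
    if (!page || off < 0 || off >= PAGE_BYTES) return -1;
    return page->data[off];
}

/* Derive a weaker copy of a capability (rights masked by keep) into dst_slot. */
static int sys_weaken(int caller, int src_slot, int dst_slot, unsigned keep) {
    if (!slot_ok(src_slot) || !slot_ok(dst_slot)) return -1;
    Cap c = kernel_objects[caller].slots[src_slot];
    c.rights &= keep;
    kernel_objects[caller].slots[dst_slot] = c;
    return 0;
}

/* Scenario: bootstrap process A owns a page, creates B with only a read-only
 * copy, later passes the writable capability by invocation. Returns a bitmask
 * of the checks that held; 0xF means all four. */
static int demo(void) {
    kernel_reset();
    int a = kernel_alloc(OBJ_PROCESS), page = kernel_alloc(OBJ_PAGE), got = 0;
    kernel_objects[a].slots[0] = (Cap){ page, RIGHT_READ | RIGHT_WRITE };  /* bootstrap grant */
    sys_weaken(a, 0, 1, RIGHT_READ);
    int init[] = { 1 };
    int b = kernel_create_process(a, init, 1, 2);           /* B's reg 0 = read-only page */
    sys_page_write(a, 0, 3, 42);
    if (sys_page_read(b, 0, 3) == 42)  got |= 1;            /* B can read */
    if (sys_page_write(b, 0, 3, 7) == -1) got |= 2;         /* ...but not write */
    sys_invoke_pass_cap(a, 2, 0, 1);                        /* A passes full cap to B's reg 1 */
    if (sys_page_write(b, 1, 3, 7) == 0 && kernel_objects[page].data[3] == 7) got |= 4;
    if (sys_invoke_pass_cap(b, 5, 0, 0) == -1) got |= 8;    /* void slot: no authority */
    return got;
}
```

Note that `demo` never lets user-level code form or dereference a `Cap`: B receives authority only through the creator's initial grant and a later invocation, and its attempt to write through the read-only register is refused by the kernel's rights check rather than by anything B can inspect.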
