Backing up one more step...

William S. Frantz frantz@netcom.com
Fri, 9 Dec 1994 15:59:11 -0800 (PST)


> Actually, a KeyKOS kernel can do this. (I don't know if it was
> implemented - one of the other folks will be able to tell you).
> The KeyKOS checkpoint system can be set up to checkpoint to a remote
> hot standby.  The mechanism for standby startup was for the remote
> kernel to suddenly develop schizophrenia and run two machines on one
> piece of hardware.  Since the two machine images had no knowledge of
> each other (no keys crossing the districts), they could never become
> entangled. 

Never implemented.  We never had machines on a LAN to play with, and
WANs are too expensive (and were 10 years ago too).


> The problem is that all cross-district keys would become invalid the
> first time a district failed.  Once you have *no* keys into any other
> district, it is impossible to obtain any.

There is no reason that ALL keys have to become invalid.  You only need
one to rebuild the connections.  The problem is similar to the relation
between device keys and the device allocator key.  Device keys go away
during restart.  The device drivers have to call the device allocator
to get new copies.  (This logic ensures that the drivers know the devices
were reset and deals with changing I/O device configurations.)  The
device allocator (a domain) uses a key to the kernel (across the district
boundary) to get new device keys.

-----------------------------------------------------------------
Bill Frantz                   Periwinkle  --  Computer Consulting
(408)356-8506                 16345 Englewood Ave.
frantz@netcom.com             Los Gatos, CA 95032, USA
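
The device-key pattern described in the message above, as a toy Python model added here (not KeyKOS code and not part of the original message): device keys go stale on restart, and drivers re-acquire them through the allocator, whose key to the kernel survives. The restart epoch counter and all class and device names are assumptions made for illustration.

```python
# Toy model (added example, not KeyKOS code): keys are invalidated by a
# restart epoch; one surviving key is enough to rebuild the rest.

class StaleKey(Exception):
    """Raised when a key minted before the last restart is used."""

class Kernel:
    def __init__(self):
        self.epoch = 0                     # bumped on every restart (assumed mechanism)
        self.devices = {"disk0", "tty0"}   # constructed device configuration

    def restart(self, devices):
        self.epoch += 1                    # every outstanding device key is now stale
        self.devices = set(devices)        # I/O configuration may have changed

    def mint_device_key(self, name):
        if name not in self.devices:
            raise KeyError(name)           # device no longer present after restart
        return DeviceKey(self, name, self.epoch)

class DeviceKey:
    def __init__(self, kernel, name, epoch):
        self._kernel, self.name, self._epoch = kernel, name, epoch

    def io(self, op):
        if self._epoch != self._kernel.epoch:
            raise StaleKey(self.name)      # minted before the last restart
        return f"{op}:{self.name}@{self._epoch}"

class DeviceAllocator:
    """Holds the one key that survives restart: its key to the kernel."""
    def __init__(self, kernel_key):
        self._kernel_key = kernel_key

    def allocate(self, name):
        return self._kernel_key.mint_device_key(name)

class Driver:
    def __init__(self, allocator, name):
        self.allocator, self.name = allocator, name
        self.key = allocator.allocate(name)
        self.resets_seen = 0

    def io(self, op):
        try:
            return self.key.io(op)
        except StaleKey:
            self.resets_seen += 1          # driver learns the device was reset
            self.key = self.allocator.allocate(self.name)
            return self.key.io(op)
```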