[EROS-Arch] Re: (process tool restriction)
Sun, 12 Nov 2000 20:53:02 -0800
"Jonathan S. Shapiro" wrote:
> > I've argued at <http://www.macslab.com/charlies/NoDC.html> that the
> > creator is unwise, which implies that the domain/process tool should be
> > to the space bank.
> Another implication is that the kernel (which must trust the space bank in
> any case) need no longer consider the possibility of certain perversely
> malformed processes that are possible to construct in the current design.
> The simple fact that a process capability/key exists is a priori proof that
> the process is well-formed. This alone is worthwhile, as it simplifies some
> hairy kernel code.
Not really. Today, an errant process creator can create malformed processes. In
the proposal, an errant space bank can do so. In KeyKOS the kernel did not
trust the space bank, and one can argue it shouldn't in EROS either.
> Note, however, that the decision about who allocates processes is orthogonal
> to the decision about who brands them.Charlie's design is a plausible one,
> and very possibly the one we should adopt. An alternative would be to decide
> that all processes returned by the space bank would be initially branded by
> the zero number capability, and that the process/domain tool can
> subsequently be used to rebrand them if desired. This keeps branding and
> allocation separated, which may or may not be a good thing.
I raised a problem with this in a separate remark in reply to Bill Frantz.
> One reason NOT to merge branding and process creation in the proposed design
> is as follows:
> The factory/constructor must be able to answer the question: "Did you create
> this process?" If the replacement for this is to ask the space bank "is this
> your process"
that's not my proposal
> then we have a problem, because the space for the process came
> from the end user and might be used for multiple different programs. If the
> replacement is to give the space bank [the] brand and say "does this process
> this brand"
that is my proposal
> then (a) we must frequently re-verify that the bank is kosher
> and (b) the factory must retain access to some bank.
I think not. For reasons of discretion and promptness, the factory will only
construct a domain out of an official space bank. Therefore any official bank
can be used to amplify rights; it doesn't have to be the client's bank. The
factory already must have some official bank; it used it when it first verified
the kosherness of the client's bank.