NOVA: remote revoke

Alexander Boettcher alexander.boettcher at ...1...
Fri Jul 20 09:37:34 CEST 2012



Hello Udo,

do you see any issues with extending the revoke syscall by a protection
domain (pd) parameter? Currently, the protection domain of the caller is
used implicitly. With the extension the caller would have to specify
explicitly the pd that the revoke operation should apply to.

Genode core currently revokes all memory of the client pd subject to
destruction. However, core has no means to make sure that references to
kernel objects whose creation has been issued by the client pd directly
using the kernel syscalls are freed. Additionally, core can't make sure
to revoke any mappings of memory, I/O ports and object capabilities
which the client received via other channels (services/sessions not
provided by core).

The same issue also applies to NUL[0], where sigma0 can't clean up the
object space of the vancouvers subject to destruction.

With the remote revoke, core and sigma0 in NUL would be able to make
sure that all user-level references inside a pd subject to destruction
can be freed.

Cheers,

Alex.

[0] http://os.inf.tu-dresden.de/nul
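The gap the mail describes, as an added toy model (not NOVA or Genode code; the pd, capability and service names are constructed): capabilities form a mapping tree, a revoke from the caller's own pd only reaches mappings derived from the caller's copy, and an explicit target pd lets the parent clear everything the client holds.

```cpp
// Toy model of the revocation gap described in the mail. Added example, not NOVA or
// Genode code; pd, cap and service names are constructed for illustration.
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>
using Pd = std::string; using Cap = std::string;
using Node = std::pair<Pd, Cap>;               // one capability in one pd's object space

struct Kernel {
    std::set<Node>                 nodes;      // every (pd, cap) mapping that exists
    std::map<Node, std::set<Node>> children;   // mapping tree: delegations of a node
    // Create a capability directly in `pd` (root of a new mapping tree, e.g. by syscall).
    void create(const Pd& pd, const Cap& c) { nodes.insert({pd, c}); }
    // Delegate a capability from one pd into another (a session handing out a cap).
    void delegate(const Pd& from, const Pd& to, const Cap& c) {
        nodes.insert({to, c});
        children[{from, c}].insert({to, c});
    }
    // Revoke a node together with everything derived from it.
    void revoke_subtree(const Node& n) {
        std::set<Node> kids = children[n];     // copy: recursion mutates the map
        for (const Node& k : kids) revoke_subtree(k);
        children.erase(n);
        nodes.erase(n);
    }
    // Current semantics: revoke applies to the caller's own pd and only reaches mappings derived from it.
    void revoke(const Pd& caller, const Cap& c) { revoke_subtree({caller, c}); }
    // Proposed extension: the caller names the pd whose object space is cleared.
    void revoke_all_in(const Pd& target) {
        std::vector<Node> owned;
        for (const Node& n : nodes) if (n.first == target) owned.push_back(n);
        for (const Node& n : owned) revoke_subtree(n);
    }
};

// Scenario from the mail: core hands the client memory, the client creates a kernel object
// itself, and a non-core service delegates a cap to it. Returns how many client references survive.
int leaked_after_core_cleanup(bool remote_revoke) {
    Kernel k;
    k.create("core", "ram_0");     k.delegate("core", "client", "ram_0");     // known to core
    k.create("client", "sem_1");                                              // client syscall
    k.create("service", "port_2"); k.delegate("service", "client", "port_2"); // other session
    if (remote_revoke) k.revoke_all_in("client");
    else               k.revoke("core", "ram_0");   // all core can do today
    int n = 0;
    for (const Node& x : k.nodes) n += (x.first == "client");
    return n;                                       // 2 without remote revoke, 0 with it
}
```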