NOVA: remote revoke

Udo Steinberg udo at ...121...
Tue Jul 24 23:56:06 CEST 2012


On Tue, 24 Jul 2012 23:39:47 +0200 Norman Feske (NF) wrote:

NF> it seems I slightly misunderstood your proposal. In your solution, the
NF> revoke CRD argument refers to the address space of the the caller, not
NF> the targeted PD, right? If so, your phrasing makes sense.

Correct.

NF> But couldn't the revoke syscall take a CRD referring to the targeted PD
NF> as argument instead? Why the need to have the to-be-revoked range mapped
NF> in the caller's PD at all?

It could, but it allows the holder of the PD cap to manipulate the address
space of the PD at arbitrary locations. While this may not be a problem for
Genode, due to the way PD capabilities are (not) distributed, I'm not sure
it generalizes to other environments as well. With a directed revoke rooted in
the PD of the invoker, you are guaranteed to be able to revoke only mappings
that you established yourself.

Cheers,
Udo
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.genode.org/pipermail/users/attachments/20120724/233d0a2a/attachment.sig>


More information about the users mailing list