Tom Bachmann wrote on 13/11/2006 at 22:08:
> > I don't say drivers must be in kernel space. I only state they
> > should be part of the TCB, to some extent
> Yep, this is also my pov (well, it'd be great to have drivers that are
> not part of the tcb, but I cannot imagine a feasible way of achieving
> this).
Well, as I had understood the previous discussion about user-provided drivers, I thought it could be possible to use untrusted drivers if they are not given capabilities to "unsafe" hardware or to an upper driver. That is, if we have a trusted and safe USB bus driver, a user could plug in a USB gadget and provide a driver for it, which would only be given a capability to the USB bus driver. The data received from and sent to the gadget would be formatted and/or filtered, so that only this gadget could communicate with the provided driver.

I think it should just work as a TCP/IP stack with firewalling does: a program can listen on a port, but not on an already taken or privileged port. With capabilities, it could only listen on a free port it has a capability for. And once it listens, it could not receive datagrams sent to another port, nor send datagrams as if they were coming from another port. And the program could not send datagrams to arbitrary remote ports or addresses if the firewall doesn't let it do so.

Without unsafe features such as the memory access of DMA chips, some hardware could be dealt with this way, and the size of the TCB lowered, couldn't it?

Previously,
Nowhere man
-- 
[EMAIL PROTECTED]
OpenPGP 0xD9D50D8A
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
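The confinement rule the post describes (an untrusted driver holds a capability to exactly one gadget behind a trusted bus driver, and the bus driver stamps addresses and filters traffic so the driver can neither spoof nor eavesdrop on another gadget) can be sketched as a small reference-monitor model. The following Python is an added example, not code from the post or from the Hurd/L4 projects; the class and method names (TrustedBusDriver, DeviceCap, hotplug, hardware_frame) and the random-token capability representation are assumptions made for the illustration. As the post itself notes, the model only holds if every byte moving between gadget and driver passes through the trusted bus driver, with no DMA path around it.

```python
# Toy model of capability-confined device drivers (added example, not from the
# original post). A trusted bus driver (inside the TCB) owns the hardware and
# hands out one unforgeable capability per plugged-in gadget; an untrusted
# driver holding such a capability can talk only to its own gadget. Names such
# as TrustedBusDriver, DeviceCap and hotplug() are invented for this model.
import secrets
from dataclasses import dataclass


class CapabilityError(Exception):
    """Raised when a driver presents a capability it does not legitimately hold."""


@dataclass(frozen=True)
class DeviceCap:
    device_id: int   # which gadget on the bus this capability designates
    token: bytes     # random secret that makes the capability unforgeable


class TrustedBusDriver:
    """Trusted (TCB) bus driver: the only component that touches the wire.

    It plays the role of the firewalled TCP/IP stack in the post's analogy:
    a device (port) can be claimed once, and traffic is stamped with, and
    delivered to, the claimed address only.
    """

    def __init__(self):
        self._tokens = {}   # device_id -> token handed to the claiming driver
        self._inbox = {}    # device_id -> frames received from that gadget
        self.wire = []      # (device_id, payload) frames written to hardware

    def hotplug(self, device_id):
        """Claim a free device and return its capability (like binding a free port)."""
        if device_id in self._tokens:
            raise CapabilityError(f"device {device_id} already claimed")
        token = secrets.token_bytes(16)
        self._tokens[device_id] = token
        self._inbox[device_id] = []
        return DeviceCap(device_id, token)

    def _authorize(self, cap):
        # Constant-time compare so a forged token cannot be guessed byte by byte.
        token = self._tokens.get(cap.device_id)
        if token is None or not secrets.compare_digest(token, cap.token):
            raise CapabilityError("capability not valid for this device")

    def send(self, cap, payload):
        """Untrusted driver -> gadget. The bus driver stamps the address itself."""
        self._authorize(cap)
        self.wire.append((cap.device_id, bytes(payload)))

    def recv(self, cap):
        """Gadget -> untrusted driver. Only frames from the driver's own gadget are visible."""
        self._authorize(cap)
        queue = self._inbox[cap.device_id]
        return queue.pop(0) if queue else None

    def hardware_frame(self, device_id, payload):
        """Simulated frame from hardware: routed to the owning driver's inbox or dropped."""
        if device_id in self._inbox:
            self._inbox[device_id].append(bytes(payload))


def demo():
    """Exercise the confinement rules; returns a dict of outcomes for inspection."""
    bus = TrustedBusDriver()
    cap_a = bus.hotplug(1)    # untrusted driver A claims gadget 1
    cap_b = bus.hotplug(2)    # untrusted driver B claims gadget 2
    results = {}

    # A may talk to its own gadget, and the frame carries gadget 1's address.
    bus.send(cap_a, b"hello-1")
    results["a_frame"] = bus.wire[-1]

    # Frames from gadget 2 are never visible to A, only to B.
    bus.hardware_frame(2, b"from-2")
    results["a_sees_gadget2"] = bus.recv(cap_a)
    results["b_sees_gadget2"] = bus.recv(cap_b)

    # A cannot reach gadget 2 by re-labelling its own capability.
    forged = DeviceCap(2, cap_a.token)
    try:
        bus.send(forged, b"spoof")
        results["forgery_blocked"] = False
    except CapabilityError:
        results["forgery_blocked"] = True

    # An already-claimed device cannot be claimed again (a taken port).
    try:
        bus.hotplug(1)
        results["double_claim_blocked"] = False
    except CapabilityError:
        results["double_claim_blocked"] = True

    # A frame for an unclaimed device is dropped, and the rejected spoof never
    # reached the wire, so exactly one frame was written.
    bus.hardware_frame(7, b"orphan")
    results["wire_len"] = len(bus.wire)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the model is where the checks live: the untrusted driver never names a bus address itself, so the "send as if from another port" and "receive another port's datagrams" cases from the analogy are not filtered after the fact but are unexpressible through the interface. Anything that lets the driver bypass that interface (a DMA engine it can program directly, for instance) puts it back into the TCB.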
