>>>>> "Jon" == Jon Smirl <[EMAIL PROTECTED]> writes:

Jon> On Tue, 15 Mar 2005 14:47:42 +1100, Peter Chubb
Jon> <[EMAIL PROTECTED]> wrote:
>> What I really want to do is deprivilege the driver code as much as
>> possible.  Whatever a driver does, the rest of the system should
>> keep going.  That way malicious or buggy drivers can only affect
>> the processes that are trying to use the device they manage.
>> Moreover, it should be possible to kill -9 a driver, then restart
>> it, without the rest of the system noticing more than a hiccup.  To
>> do this, step one is to run the driver in user space, so that it's
>> subject to the same resource management control as any other
>> process.  Step two, which is a lot harder, is to connect the driver
>> back into the kernel so that it can be shared.  Tun/Tap can be used
>> for network devices, but it's really too slow -- you need zero-copy
>> and shared notification.

Jon> Have you considered running the drivers in a domain under Xen?

See the paper presented by Karlsruhe at OSDI:

    Joshua LeVasseur, Volkmar Uhlig, Jan Stoess, and Stefan Götz:
    Unmodified Device Driver Reuse and Improved System Dependability via
    Virtual Machines.  OSDI '04.

They're using L4, rather than Xen, as the paravirtualisation layer.

-- 
Dr Peter Chubb  http://www.gelato.unsw.edu.au  peterc AT gelato.unsw.edu.au
The technical we do immediately,  the political takes *forever*
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/