From: R. Koot
Subject: Driver security
Date: Fri, 21 Jan 2005 13:50:20 +0100
User-agent: Mozilla Thunderbird 1.0 (X11/20041206)
Bas Wijnen wrote:
> Daniel Wagner wrote:
>> Do all drivers trust each other?
> Nope, they don't have to, but at some point it's getting a bit tiresome not to trust the device drivers. Of course you have to be careful from where new drivers are loaded, but as soon as a driver gets active in the ddf it has access to all hardware resources. So there is no point in creating a 'secure' environment.
>
> Are you saying that if I want to write a driver which needs, say, some i/o ports and an interrupt, it will automatically be allowed to use everything? That doesn't sound like a very good idea... I hope that the idea then is to make those hardware drivers as simple as possible, so the actual "meat" of the driver (which contains policy) can be written by a mortal user (who must of course have access to the device file)?
I think we should separate the drivers into two groups: low-level drivers and high-level drivers. Drivers for PCI cards should be low-level, can request interrupts and i/o ports at will, and can only be loaded by root/the system. This also implies they can be trusted by each and everyone. Because Deva will be in between user applications and drivers, low-level drivers can also trust applications (applications call drivers, drivers don't call applications, so there is no risk of blocking; Deva should just make sure memory mappings are safe).

Drivers for USB devices can be high-level drivers and are loaded when an interactive user logs in and unloaded when he/she logs out. High-level drivers can only request services from the bus driver (the low-level driver for the USB Host Controller), with Deva in between to make sure the low-level driver can trust the high-level driver.
Ruud
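The split proposed above puts the trust boundary in the mediator: a high-level driver never touches the bus driver directly, and the bus driver only ever sees requests the mediator has already checked against the requester's own memory mapping. The following is an added illustration of that check, not code from this thread, from Deva, or from the Hurd/L4 driver framework. The names `deva_validate`, `deva_forward`, `bus_transfer`, the `hl_driver` and `bus_request` structures, and the fixed 4 KiB mapping per driver are all assumptions made for the example; the real interfaces were not described in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model (assumption, not the real Deva API): a mediator sits
 * between untrusted high-level drivers and a trusted low-level bus driver.
 * Every request names the requester and a byte range inside the single
 * buffer the mediator mapped for that requester. */

#define MAPPING_SIZE 4096

struct hl_driver {
    int id;               /* identity of the high-level driver */
    uint8_t *mapping;     /* start of the memory region granted to it */
    size_t mapping_len;   /* length of that region */
};

struct bus_request {
    int requester_id;
    size_t offset;        /* start of the transfer inside the mapping */
    size_t len;           /* bytes to transfer */
};

/* Trusted low-level bus driver. It relies on the mediator having validated
 * the buffer, so it performs no bounds checks of its own. Here it just
 * fills the buffer with a marker byte to stand in for a real transfer. */
static size_t bus_transfer(uint8_t *buf, size_t len) {
    memset(buf, 0xA5, len);
    return len;
}

/* Mediator check: the requester must be known, and [offset, offset+len)
 * must lie entirely inside the requester's own mapping. The end check is
 * written as a subtraction so that offset + len cannot wrap around.
 * Returns a pointer to the validated buffer, or NULL on rejection. */
static uint8_t *deva_validate(const struct hl_driver *tbl, size_t n,
                              const struct bus_request *req) {
    const struct hl_driver *d = NULL;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].id == req->requester_id) { d = &tbl[i]; break; }
    }
    if (d == NULL) return NULL;                      /* unknown requester */
    if (req->len == 0) return NULL;                  /* empty request */
    if (req->offset > d->mapping_len) return NULL;   /* offset past the end */
    if (req->len > d->mapping_len - req->offset) return NULL; /* range too long */
    return d->mapping + req->offset;
}

/* Forward a request to the bus driver only if it validates.
 * Returns the number of bytes transferred, or 0 if the request was rejected. */
static size_t deva_forward(const struct hl_driver *tbl, size_t n,
                           const struct bus_request *req) {
    uint8_t *buf = deva_validate(tbl, n, req);
    if (buf == NULL) return 0;
    return bus_transfer(buf, req->len);
}

/* Constructed sample state: two high-level drivers (ids 1 and 2), each with
 * its own 4 KiB mapping. */
static uint8_t g_buf_a[MAPPING_SIZE];
static uint8_t g_buf_b[MAPPING_SIZE];
static const struct hl_driver g_table[] = {
    { 1, g_buf_a, MAPPING_SIZE },
    { 2, g_buf_b, MAPPING_SIZE },
};

/* Convenience entry point: issue one request against the sample table. */
size_t demo_request(int id, size_t offset, size_t len) {
    struct bus_request req = { id, offset, len };
    return deva_forward(g_table, sizeof g_table / sizeof g_table[0], &req);
}

int main(void) {
    printf("in-range request:      %zu bytes\n", demo_request(1, 0, 16));
    printf("last 16 bytes:         %zu bytes\n", demo_request(1, 4080, 16));
    printf("one byte too far:      %zu bytes\n", demo_request(1, 4081, 16));
    printf("wraparound attempt:    %zu bytes\n", demo_request(1, SIZE_MAX, 1));
    printf("unknown requester:     %zu bytes\n", demo_request(3, 0, 16));
    return 0;
}
```

The point of keeping the check in the mediator rather than in the bus driver is the one the message makes: the bus driver is loaded by the system and is trusted by everyone, so it should not have to reason about which high-level driver is lying to it; the mediator, which also set up the mapping, is the component that knows what each requester is allowed to touch.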