Re: problems with hierarchy: L4 pagers

[Neal H. Walfield]

At Sat, 08 Oct 2005 16:27:57 -0400,
Jonathan S. Shapiro wrote:
> In fact, there is a hierarchy problem in L4.x2 today in the memory
> manager. Consider two process A, B with respective pagers A', B'. Now:
> 
>       A' maps to A
>       A maps to B
>       A' revokes
>       B' knows nothing and cannot reconstruct the mapping.
> 
> This problem is now well-known by the L4 designers, and it is a direct
> consequence of using REVOCABLE COPY as the primitive operation. In every
> real system that has been constructed on top of L4.x2, the solution has
> been to require that either
> 
>       A' and B' are identical, or
>       A' and B' have a commonly trusted parent who knows how to
>         recover, or
>       The design is broken, so unmaps are not performed.
> 
> The current L4sec design will require that every capability interaction
> must use the same kinds of solutions.

A can only map to be B if B accepts an IPC containing a map item.
That is, B always knows when someone maps to it and can inform B'
about such a mapping.  If B' doesn't trust B or if B' is unwilling to
accept this information this is not a problem: B can still create a
new thread (LB) and set it as its pager (B' cannot prevent this).
When a page fault occurs, LB looks up how to reconstruct the mapping.
If it doesn't have the required information, it simply propagates the
fault to B':

   B -page fault-> LB -fault propagation -> B'

Do you find this a reasonable solution?

Thanks,
Neal