Re: secure exec


From: Niels Möller
Subject: Re: secure exec
Date: 23 May 2003 09:14:13 +0200
User-agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.2

Marcus Brinkmann <address@hidden> writes:

> I will give hints about implementation.  In particular, I think that using
> task handles can be light-weight in the task server,

Right, from your description, task handles seem quite simple to do.

> The object handles it provides are built up like this:
> 
>        17 reserved bits - 1 bit control? - 14 bits task ID

> The 17 reserved bits can actually be used internally for reference counting,
> for example.  The task object could have a list of unprivileged task handle
> owners, and each such element in the list contains 1 word, built up this
> way:
>       16 bits refcount - 2 unused bits - 14 bits task ID

I'm not sure I understand what these refcounts are. I think it is
simpler for the task server (or any server, for that matter) if a
single task can't have several copies of the same handle. I think I'd
prefer to let each task have zero or one reference handles and zero or
one control handles to any given task.

If the owner wants to believe it can have multiple copies, then the
owner should do the reference counting himself. The general principle
is that a server should not do work that the client could do by
himself, right?

> The task server creates tasks as empty (i.e., no actual address space is
> created), and provides a task_revoke call that can be used to revoke access
> to a task and only keep access for the caller.  This, together with a normal
> task status inquiry (i.e., something that allows one to find out if a task is
> still empty), is enough for me to implement the below protocol.

All this also sounds easy to do. I'll reorganize my code to get
closer.

Regards,
/Niels
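The handle layouts quoted in this message, and the alternative Niels proposes (the server hands out at most one reference handle and one control handle per task, and the client keeps its own count of users), as an added C example. This is not code from the thread or from the Hurd task server; the field widths come from the mail, while the function names, the `MAX_TARGETS` bound and the scripted round-trip scenario are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

/* Handle word as quoted from Marcus: 17 reserved bits | 1 control bit | 14-bit task ID.
   Bit positions below are derived from those widths (assumed little-end packing). */
#define TASK_ID_BITS   14
#define TASK_ID_MASK   ((1u << TASK_ID_BITS) - 1u)   /* 0x3FFF */
#define CONTROL_BIT    (1u << TASK_ID_BITS)          /* bit 14 */
#define RESERVED_SHIFT (TASK_ID_BITS + 1)            /* reserved field starts at bit 15 */

uint32_t handle_make(uint32_t task_id, bool control)
{
    /* Reserved bits are left zero; the server owns them internally. */
    return (task_id & TASK_ID_MASK) | (control ? CONTROL_BIT : 0u);
}
uint32_t handle_task_id(uint32_t h)   { return h & TASK_ID_MASK; }
bool     handle_is_control(uint32_t h) { return (h & CONTROL_BIT) != 0u; }

/* Alternative per-owner list entry from the mail: 16 bits refcount | 2 unused | 14 bits task ID. */
#define REFCOUNT_SHIFT 16
uint32_t owner_entry_make(uint32_t task_id, uint32_t refcount)
{
    return ((refcount & 0xFFFFu) << REFCOUNT_SHIFT) | (task_id & TASK_ID_MASK);
}
uint32_t owner_entry_refcount(uint32_t e) { return e >> REFCOUNT_SHIFT; }
uint32_t owner_entry_task_id(uint32_t e)  { return e & TASK_ID_MASK; }

/* Client-side table following Niels' suggestion: the server only ever holds
   one reference handle and one control handle per (client, target) pair, so
   the client counts its own users and talks to the server only on the
   first acquire and the last release.  MAX_TARGETS is an assumed bound. */
#define MAX_TARGETS 8
struct client_handle {
    uint32_t handle;  /* handle word returned by the server */
    unsigned users;   /* local reference count, never seen by the server */
};
struct client_table {
    struct client_handle ref[MAX_TARGETS];
    struct client_handle ctl[MAX_TARGETS];
};

/* Returns true when this acquire needed a server round-trip (first local user). */
bool client_acquire(struct client_table *t, uint32_t target, bool control, uint32_t *out)
{
    struct client_handle *slot = control ? &t->ctl[target] : &t->ref[target];
    bool server_call = (slot->users == 0);
    if (server_call)
        slot->handle = handle_make(target, control);  /* stands in for the server reply */
    slot->users++;
    *out = slot->handle;
    return server_call;
}

/* Returns true when the last local user is gone and the single server-side
   handle should now be dropped (one round-trip, instead of one per copy). */
bool client_release(struct client_table *t, uint32_t target, bool control)
{
    struct client_handle *slot = control ? &t->ctl[target] : &t->ref[target];
    if (slot->users == 0)
        return false;  /* nothing held; a real client would treat this as a bug */
    slot->users--;
    return slot->users == 0;
}

/* Scripted scenario (constructed): three reference acquires and one control
   acquire on task 2, then all released.  Returns how many server round-trips
   the client-side counting needed; with per-copy server refcounts it would be 8. */
int client_demo_round_trips(void)
{
    struct client_table t;
    uint32_t h;
    int trips = 0;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < 3; i++)
        trips += client_acquire(&t, 2, false, &h) ? 1 : 0;
    trips += client_acquire(&t, 2, true, &h) ? 1 : 0;
    for (int i = 0; i < 3; i++)
        trips += client_release(&t, 2, false) ? 1 : 0;
    trips += client_release(&t, 2, true) ? 1 : 0;
    return trips;
}
```

The reserved field is deliberately never written by the client: under the quoted design those bits are the server's private scratch space (refcounts or similar), and the client treats the whole word as opaque apart from the task ID and control bit.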
