Sawmill's dataspaces and the Hurd's physmem
darwin.yuan at freescale.com
Wed Oct 19 05:33:49 CEST 2005
Thanks for your detailed information.
> Physical memory management needn't be an all or nothing deal. Certainly, an application might wish to completely
> manage the paging policy and its address space layout, however, I tend to think that this is the exception. And as
> we will provide a POSIX personality, we need to have some sort of default VM manager.
About general VM manager, what I really mean is just the "default VM manager". However, the question is still there: now that those sort of default VM managers provide mmap to those applications who don't want to manage their phsical memory, should they trust these VM managers?
If yes, these applications who use the Sawmill's framework should also trust DSMs, now that DSMs provide mapping to them, and DSMs will manage their own physical memory(implement their own replacement policy, they can even just use the library(LRU) provided by Hurd).
So, we can divide the applications into 2 categories: some of them wanna manage their physical memory, others won't. For the applications who do intend to do that, they just apply memory directly from Hurd's physmem server which is trustworthy; For others, they can just use the Sawmill's framework. Note that these DSMs also apply memory from Hurd's physmem, instead of Sawmill physmem DSM. So we can just think these DSMs are just the applications who intend to manager their own physical memory.
My conclusion is, if Sawmill's framework has security problem on trust model, so has Hurd. So we have to assume that an application must trust its pager ( or pagers in Sawmill's model). Base on this assumption, Hurd & Sawmill's approach can live together.
> I see a number of problems with SawMill's dataspaces. The root of this thread is the presentation of a potential security flaw
> in the design of dataspaces. (Whether this is important or not depends on the assumed trust model and security goals.)
> Another is that as far as I can tell paging decisions are made towards the root of a dataspace hierarchy and not at the applications themselves.
As I said above, for those applications who don't want to manage their own physical memory, they don't need to make paging decision. For others, they just apply memory from Hurd's physmem server, and manage the memory by themselves, which means they can make the paging decision by themselves.
Correct me if I have any misunderstanding.
More information about the l4-hackers