Rights Amplification
Neal H. Walfield
neal at walfield.org
Fri Jun 10 15:59:10 CEST 2005
At Fri, 10 Jun 2005 15:38:27 +0200, Bernhard Kauer wrote:
> There is a grant problem. If a client X grant an object to Y and X dies,
> this does not mean, that the reference to the object is released...
Of course it does, X died and as a result the reference monitor gets a
task death notification. If Y required the object beyond X's death,
it should have gotten its own reference but that is a different
problem.
> > > > Situation: S -> C -> (1 reference) A -> B
> > > >
> > > >
> > > > Goal: /-> (1 reference) A
> > > > S-> C
> > > > \-> (1 reference) B
> > > >
> > >
> > > In your scenario both clients A and B have to cooperate with C
> >
> > C needn't trust either A or B.
>
> If client A asks the server C to map something it already has, from C to a
> client B, only the clients have to trust C to provide this service.
> The server C needn't trust its clients for this operation...
Right, that's the point. C is part of A and B's TCB; C does not trust
either A or B.
More information about the l4-hackers
mailing list