On Mon, Nov 21, 2022 at 12:54 PM William ML Leslie
<
william.l...@gmail.com> wrote:
>
> My summary, since I try to follow all of these very closely. I wrote a really long winded version of this, but I really don't like my writing.
>
Ditto, but I would also like to apologize for not helping out, free
time to work on it hasn't been copious,
and I will admit that some of the commits to c++ize things scared me
off somewhat, as it just isn't a language
which I want to spend much time in.
> On Mon, 21 Nov 2022 at 07:19, Charlie Landau <
cha...@charlielandau.com> wrote:
>>
>> Do any of these systems use checkpoint/restart? If not, how do they solve the problem of preserving relationships that are represented in capabilities? Does this no longer matter in a world where every device has a battery?
>
>
> AFAICT they have all punted on persisting capabilities. The seL4-based systems are small static images. Fuchsia has capabilities in its app storage but not, as far as I can tell, in minfs, which is its dynamic filesystem.
>
The only thing I would add here is, robigalia which is based on seL4
tried to do persistence in userspace; since it is not a part of the
kernel.
But the seL4 kernel doesn't expose things about capabilities needed to
serialize them in any way which could be efficiently done,
It has been a bit of time since I looked at the details regarding
this, but some hints of the scale of problems in
https://robigalia.gitlab.io/book/rosme.html#_capability_equality
It was viewed I believe as a non-starter exposing the tag bits, etc
from the kernel since it leaks information about capabilities, nor was
adding persistence in the kernel proper.
that said I'm uncertain exactly how robigalia was trying it, e.g. full
system persistence via wrapping capability invocations/creation in
proxies a membrane sort of thing,
or otherwise if it was a kind of in-process library, which I'm not
sure would make sense but when posed with the alternative of proxying
might seem tempting?
Anyhow, when I looked at it the conclusion seemed to be that it
doesn't have it, and it seemed like a stretch to imagine it being
feasible without adding some kind of powerful
capability for the persistence layer to hold to allow some kind of
reflection on capabilities.
>>
>>
>> Do these systems support tight control of resources such as storage space and CPU time, as KeyKOS did with space banks and meters? Or is it fair to consider resources unlimited nowadays?
>
>
> The seL4 systems inherited these concepts from the KeyKOS family. Fuchsia does not concern itself with resource management, for the most part, it loves an overcommit. On the flip side, Fuchsia does have async IPC, so you can safely invoke a capability without worrying whether it would ever respond.
>
>>
>>
>> Do these systems support validating the extent to which a service can spread your data, as the factory does? Or was this never really viable in practice?
>
>
> Not as far as I know. The seL4 image system (CAmkES) only supports very static systems, there is no explicit support for construction. I don't think they will move beyond that for some years.
>
> Not sure about Fuchsia.
>
>>
>>
>> Do these systems write their own drivers for all devices? CapROS could run Linux device drivers in a protected domain with little modification.
>
>
> Fuchsia has its own drivers for the most part, at least, as far as I can tell.
>
> Many seL4 systems run a Linux VM and pass hardware straight through to it. There are some drivers specific to the platform, Lucy Parker has recently implemented a high-performance network driver and set the interface for seL4 driver structure.
>
>
> --
> William ML Leslie
>
> --
> You received this message because you are subscribed to the Google Groups "cap-talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
cap-talk+u...@googlegroups.com.
> To view this discussion on the web visit
https://groups.google.com/d/msgid/cap-talk/CAHgd1hGX_OR0Cu8_nwnL7RxNMsTKfQewfU_zm-0KenyTEmw%2BaA%40mail.gmail.com.