Hi All, I would like to share with you the current status of Codezero development as we make the 0.2 release. I am looking into feedback on various design issues, particularly on capabilities.
I think I have understood Hurd requirements to a good extent, and Codezero has different final goals compared to the ideal kernel that Hurd needs. That said, Codezero has a lot of common ground with Hurd kernel requirements, and I would like to focus discussion on these common areas. What I need is your opinion on our existing capability design, in any aspect: security, usability, applicability ... We have implemented capabilities in Codezero to a good extent, and the design requires feedback (details to follow in my next email).

What this will bring back to you is that you have the chance to see a live kernel that has a capability implementation with resources reduced to a useful small set (e.g. kernel resources), and one that is attempting to apply it to real practice. You will see your feedback being implemented in short periods of time, and have the opportunity to see how it behaves in reality. Potentially the same work can be extended, or copied over to your _desired_ Hurd kernel later on. Think of it as a small pilot project for your future capability-based Hurd kernel. If you believe that you already have explored capability-based design to the extent that you don't need to see any further experimentation, well, you might just be interested to help.

OK, so here are some final disclaimers:

- The design is very rigorous, i.e. fully covering kernel resources, system calls, but only those. I think this is very useful even for Hurd: you can experiment on a small set of sample data, improve your design, and extend it.

- The user API has been purposefully simplified, i.e. the capabilities are hidden as much as possible from the userspace. The average programmer needs to know as little as possible about capability design. For example you don't pass a capid to a system call. You pass resource ids directly, but they get cap-checked internally. Once you want to manipulate resource allocation in the system, you then need to manipulate (unavoidably) capabilities and need to know what's going on at that level.

- No protection from covert channels. This is because covert channels cannot be completely eliminated, and they are less of a focus for current discussion. I am more interested in tackling elegant resource management at this time.

- The approach I took is probably different to what you have seen before on capabilities. I tried to make things as practical as possible.

Please see my release email for sources and guides on the API.

Thanks,
-- Bahadir Balban
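The second disclaimer above (user code passes a resource id, the kernel cap-checks it internally, and capabilities only surface when a task hands resources to another task) can be made concrete with a small model. The C below is an added example written for this page; it is not Codezero code and does not follow the Codezero API. The resource kinds (RES_THREAD, RES_SPACE), the ACC_* rights, and the functions cap_check, sys_thread_suspend and cap_derive are all invented for illustration.

```c
/* Added example, not Codezero source. A minimal model of "resource ids in,
 * capabilities checked internally": user-facing calls name a resource id,
 * never a capability; the caller's capability list is consulted by the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Resource kinds and access rights (invented names for this example). */
enum res_type { RES_THREAD = 1, RES_SPACE = 2 };
enum { ACC_READ = 1u << 0, ACC_WRITE = 1u << 1, ACC_CTRL = 1u << 2 };

#define MAX_CAPS 8

struct cap {
    enum res_type rtype;   /* kind of kernel resource the cap covers */
    unsigned      resid;   /* the resource id as user code sees it */
    unsigned      rights;  /* ACC_* bitmask held over that resource */
};

struct task {
    unsigned   tid;
    struct cap caps[MAX_CAPS];
    size_t     ncaps;
};

/* Kernel-internal check: does task t hold a capability over (rtype, resid)
 * that includes every right in `want`? The caller never names a cap index. */
int cap_check(const struct task *t, enum res_type rtype, unsigned resid, unsigned want)
{
    for (size_t i = 0; i < t->ncaps; i++) {
        const struct cap *c = &t->caps[i];
        if (c->rtype == rtype && c->resid == resid && (c->rights & want) == want)
            return 0;
    }
    return -EPERM;
}

/* A thread-control "system call": user code passes only the target thread id.
 * The capability lookup happens here, out of the user's sight. */
int sys_thread_suspend(const struct task *caller, unsigned target_tid)
{
    int err = cap_check(caller, RES_THREAD, target_tid, ACC_CTRL);
    if (err)
        return err;
    /* The real suspend of target_tid would happen here. */
    return 0;
}

/* The one place capabilities become visible: handing a resource to another
 * task. The grantor must itself hold every right it derives, so rights can
 * be narrowed but never amplified. */
int cap_derive(const struct task *from, struct task *to,
               enum res_type rtype, unsigned resid, unsigned rights)
{
    if (cap_check(from, rtype, resid, rights))
        return -EPERM;                      /* grantor lacks some of `rights` */
    if (to->ncaps >= MAX_CAPS)
        return -ENOMEM;                     /* recipient's cap list is full */
    to->caps[to->ncaps++] = (struct cap){ rtype, resid, rights };
    return 0;
}

int main(void)
{
    /* Constructed scenario: task 1 controls thread 2, task 3 holds nothing. */
    struct task a = { .tid = 1, .caps = {{ RES_THREAD, 2, ACC_CTRL | ACC_READ }}, .ncaps = 1 };
    struct task b = { .tid = 3, .ncaps = 0 };

    printf("b suspends thread 2 (no cap):      %d\n", sys_thread_suspend(&b, 2));
    printf("a suspends thread 2 (holds CTRL):  %d\n", sys_thread_suspend(&a, 2));
    printf("a gives b WRITE (a lacks WRITE):   %d\n", cap_derive(&a, &b, RES_THREAD, 2, ACC_WRITE));
    printf("a gives b READ only:               %d\n", cap_derive(&a, &b, RES_THREAD, 2, ACC_READ));
    printf("b suspends thread 2 (READ only):   %d\n", sys_thread_suspend(&b, 2));
    printf("a gives b CTRL:                    %d\n", cap_derive(&a, &b, RES_THREAD, 2, ACC_CTRL));
    printf("b suspends thread 2 (now CTRL):    %d\n", sys_thread_suspend(&b, 2));
    return 0;
}
```

The point of the model is the split the email describes: sys_thread_suspend takes a plain thread id and user code has no capid to pass or forget, while cap_derive is where a task must reason about capabilities explicitly, and where the kernel enforces that a task can only delegate rights it already holds.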
