Hi Jon,

you wrote:

> I am interested in security and microkernels, so GGI appeals to me because
> I like the idea of small kernel modules that securely multiplex graphics.
> However I have some concerns I was not able to answer from the online
> documentation.
> 
> Firstly, more architectural diagrams please ...
> 
> I searched and read lots of pages on GGI before I found Peter Amstutz's
> diagrams in the 'OLD' documents section.
> I found they helped, almost as much as everything else I read put together.
> 
> I think it might help other interested people if architectural diagrams
> occurred up front in an introduction
> document, then readers know which bits they want to read about.
> 
> In particular the FAQ compares GGI to X, to SVGAlib, window managers etc.
> Several of these are obviously bogus comparisons (as the FAQ points out)
> but I think a couple of diagrams would clear this up much better.
> [ 4 in particular: GGI, X, SVGAlib, and GGI on X on GGI ]

I will take these valid suggestions into account for the new documentation
I am writing at the moment.

> The obvious missing comparison was Plan 9's 8.5 which securely virtualises
> devices.

Could you perhaps give me some pointers to information about Plan9?
I am not an OS researcher (yet) but doing physics. All I know about
OS/driver design is what I read/learned myself.

> And a couple of security questions.
> [ Please assume a system in which multiple processes of the same user may
> have different security domains ]
> 
> 1) Can two GGI programs securely share a display ?

This depends on the target I would say. If the target supports proper
virtualization and protection (e.g. a secure X11-like protocol
that checks permissions before performing graphics operations)
it could definitely be. The problem I see more is how to impose
that security without drastic performance loss. That's what the
KGI portion is supposed to help with.

> Presumably each would have a device whose virtual display was a portion of
> the physical display.

This is much like KGI-0.9 is working internally. The graphics driver
exports so-called resources, that e.g. may be a memory region,
an accelerator FIFO, etc. which then is mapped to the application.

The application thereby opens a device (virtual display) and requests
to map resources into its address space. However, it's up to the hardware,
the driver and the mapper to enforce proper isolation and protection.
I have not yet seen any hardware that was designed to meet these goals
under the constraint of decent performance.

> 1b) If two programs securely share a display, do they do so by giving up
> hardware acceleration ?

How do you define the term 'securely'?

> 2) Can I implement a feature like the WinNT logon dialog that comes up in
> response to the three fingered salute ?
> In security parlance a trusted-path: a user can trust the dialog that comes
> up in response to ctrl-alt-delete because
> a) kernel catches ctrl-alt-delete before any programs, and
> b) no programs can access the window list associated with the login dialog.

Doesn't pressing CTRL-ALT-BACKSPACE at the XDM prompt do something similar?

> Because I don't really have a good grasp on the architecture it's possible
> I'm not asking the right questions ...
> 
> TIA
> - JonT

I am currently (re-)writing the documentation for KGI-0.9 which is
mainly about such issues. I would be happy if you could attempt to
read through them and give some comments on both the docs and KGI
in general.

Do you have any time constraints to be met?

                        Steffen

_______________________________________________________________________________
Steffen Seeger                              mailto:[EMAIL PROTECTED]