Open
Description
Is there any possibility to move the retyping facilities to the user level, and have a trusted user-level component take care of the retyping operations? Each time we retype, we call that component, and the component retypes for us, and the kernel integrity is guaranteed by both the kernel and the user-level component.
Pros:
- Further simplify the kernel. Something is only tolerated in the kernel if it cannot be moved outside.
- Different retyping policies can be used, i.e., if some application only allows static allocation, we can ban retyping once and for all, and the complexity of retyping system is completely gone. This is true for embedded applications.
Cons:
- We need to keep track of the reference counters on pages to know how many times they are mapped in. This may lead to the problem that every map/unmap operation must call the component to update the reference counters. This may be mitigated by amortized operations (each call retypes many pages instead of one), but will hurt microbenchmark.
- We need to guarantee concurrency and correct stack management, or we risk relying on a unreliable scheduler (and possibly a capability manager).
- How to keep the integrity of the kernel-user complex is not clear. If it is possible to guarantee kernel integrity by the kernel itself, why involve a user-level component?