Subject : Re: Stacks, was Segments
From : mitchalsup (at) *nospam* aol.com (MitchAlsup1)
Newsgroups : comp.arch
Date : 04. Feb 2025, 00:11:03
Organization : Rocksolid Light
Message-ID : <c81b575bb969c63fc7a58fc4ba13a19b@www.novabbs.org>
User-Agent : Rocksolid Light
On Mon, 3 Feb 2025 22:47:24 +0000, Scott Lurndal wrote:
> mitchalsup@aol.com (MitchAlsup1) writes:
>> On Mon, 3 Feb 2025 21:13:24 +0000, Scott Lurndal wrote:
>>> Stefan Monnier <monnier@iro.umontreal.ca> writes:
>>>> It is like there is a privilege level between application and GuestOS.
>> {{I spent all afternoon trying to think of a name for this privilege
>> above application "non-privileged" and below "privileged". Maybe
>> meso-privileged ?!?
>
>>> handyman?
>
>>> Application -> Library -> OS -> Hypervisor -> Secure Monitor
>
>> {Sandbox -> user -> application -> Library} ->{sual}×{GuestOS, HV, SM}
>
> ??
>
> You need to precisely define your terms. What are sandbox
> and user in this context?
It is all about manipulating access rights without modifying
what is stored in the TLB (so you don't have to reload any
entries to change access rights.) It is sort of like what
the G-bit does (global) {except in my architecture globality
is controlled by ASID.}
Sandbox is a privilege level where one cannot be granted both
write and execute access at the same time. There may be other
restrictions, too; like access to control registers user may
be allowed to write.
Library would include all the trusted stuff, but also ld.so
and any JITs. JITs can only create code for sandboxes. So,
JIT can write to JITcache but sandbox cannot using the same
PTE entry. ld.so can write GOT while user and application
cannot write GOT (or execute GOT).
User is the privilege level where sandbox does not apply but
also there is no ability to over-access things protected by
PTE.RWE.
Application is a privilege level where PTE.RWE can sometimes
be usurped--such as DMA from a device needing to write into
an execute-only page.
Where does memmove() come from, if not the library ??
Libraries have a SW-kind of trust even if they are
devoid of HW kinds of trust (PTE.RWE overrides).
But these levels are just talking points at this point.
> The hypervisor is optional, as would be a library.
It cannot be a library of process !!
It is not a library of GuestOS !
it is certainly not a library of Secure Monitor !!
> The Burroughs Large systems and HP-3000 segmented libraries
> were distinct entities with attributes.
And could change (update/upgrade) the library while the process
was running !!
> Code in a library could be more privileged than the application
> when acting on behalf of the application, for example; but the
> application could not take advantage of the permissions assigned
> to the library it was linked with without using interfaces
> provided by the library.
No disagreement.