-
Notifications
You must be signed in to change notification settings - Fork 1
The Grand Design
This page describes the design principles behind the Cardinal operating system. The main principle behind the design is that every service is a filesystem. Additionally, each process has its own view of the filesystem, this is to be used to enforce access permissions.
A service provider is the basic unit for adding functionality to the OS. A service provider is essentially a user space file system driver. Service providers register with the file system server to provide their service.
Finally, directories can be virtually merged (similar to Plan9 union directories), this is to be used instead of environment variables. Union directories are setup by creating an instance of a service provider that performs these computations.
/proc contains process information, each process gets its own filesystem in /proc.
Each filesystem defines the following:
/fs - A virtual mapping to the process's view of the filesystem
/pwd - A file that can be read/written to change the working directory of the process.
/info - A file that can be read to get information about the process such as its name and memory usage
/signal - A directory that contains files representing each signal that can be sent, writing to the files raise the related signal
Cardinal Current Design:
===Kernel Responsibilities=== Following microkernel design principles, the kernel has few responsibilities, the kernel handles thread switching, maintains a list of processes, provides IPC, performs allocation of virtual and physical memory and handles forking, interrupts and faults.
===Privilege System=== Privilege Levels : Syscalls limited by privilege level Ring 0: Kernel-level syscalls Ring 1: Admin-level syscalls Ring 2: User-level syscalls
Ring 0: Raw kernel services
Ring 1: Services based on Ring 0, System encryption etc
Ring 2: All user services
A program in a lower ring is allowed to promote a program in a higher ring to its own ring. A program that has raised its ring may no longer move itself to a lower ring.
Raw kernel services are loaded by the kernel
===List of Standard Services=== List of Kernel services: - Sibyl (syscall filter)
List of Ring 0 services: - Encryption manager - Root file server - Process manager - Elf loader - PCI server - Randomness source - Reincarnation server - System Initialization - Shared memory server - Bus manager - Hardware event bus - Power event bus
Available Syscalls:
- All Ring 2 syscalls
- Kernel level fork
- Full process manipulation permissions
- Get/Set process data
- Access to physical memory
- Map/Unmap memory in arbitrary processes
List of Ring 1 services: - Authentication manager - User manager - Secure data store - Drivers - Network stack - Display server - Busses - Authentication events - Display events - Driver events - Network events
Available Syscalls:
- All Ring 2 syscalls
- Power management syscalls
List of Ring 2 services: - User programs - User authentication manager - User Secure Data Store - Terminal server - Busses - User busses
Available Syscalls:
- All common UNIX syscalls
- Emulation for other calls
===Service Descriptions=== ==Elf Loader== This process simply reads an elf file and loads it into memory, ready to execute.
==Process Manager== This process provides the user with the ability to fork processes, all processes besides System Initialization are children of this process.
==Reincarnation Server== This process acts as a watchdog, ensuring that any servers that aren't responding are restarted from a previously saved state.
==PCI Server== This process provides drivers with the functionality they need, by allowing drivers to request mapping access for MMIO. It also acts as a proxy for gaining access to IO ports.
==Encryption Manager== This process provides encryption related services to applications, providing a single location for implementation of common algorithms.
==Shared Memory Server== This process provides shared memory services to applications, it uses the ability to map physical memory to any process to do so.
==Randomness Source== This process provides a secure source of randomness to the system.
==Authentication Manager== This process handles authentication protocols, providing a single location for secure implementation.
==Bus Manager== This process provides a form of IPC that builds on top of Message passing to provide message busses to the system.
==User Manager== This process handles user management.
==Secure Data Store== This process stores important data in an encrypted data store.
==Terminal Server== This process provides an isolated base terminal to user applications, each terminal window is connected to the user's terminal server.
==Sibyl== Sibyl is a kernel side sandboxing system that dynamically patches syscall handlers per process to allow applications to restrict their own syscalls.
==Root File Server== The Root File Server provides the filesystem abstraction to the rest of the OS, it is responsible for receiving open requests and passing them on to the appropriate file server. It also communicates with the process manager to maintain namespaces groups.
====Namespace Groups==== Namespace groups are a means of defining sets of views of the filesystem. An example of their usage would be for instance, having a namespace group per terminal, thus allowing certain files to be changed, such as the stdio streams. Processes inherit their namespace group from their parent process, a newly created namespace group is based off of the previous namespace group (ie. namespace groups must be forked)
====Multiprocessing==== Access to other cores is controlled via cooperative multitasking, exposing them as services
===File Descriptor Rules=== All paths passed to file servers must be absolute, the libc is responsible for internally maintaining a descriptor for the current working directory and using an fd2path request (as in plan9) to obtain its path to prepend to the path before canonicalizing the path and sending it out to the file server in the end.