Hi,
Pype.Clicker wrote:[*] ATA has two disks per channel, that is, 2 different devices (and potentially drivers) sharing the same I/O registers ;
Either one device driver controlling both ATA devices, or 3 device drivers (one for the controller and one for each device, where the disk driver talks to the controller driver instead of I/O ports).
Pype.Clicker wrote:[*] PCI DMA basically means by writing in some device-specific area, you enable the device to access any area of physical memory;
I'm not sure how this can be hard to figure out, unless you're talking of the possibility of protection violation (of course even if you do nothing here, a possibility of protection violation via. DMA is better than a possibility of protection violation for everything the device driver does).
Pype.Clicker wrote:[*] small delays are an important part of driver programming, but in userspace, you cannot prevent the kernel to interrupt you when you're waiting for a small delay
Can you actually think of a device where a small delay is required? More often, you need a minimum of X ns rather than exactly X ns, and a delay that is much longer is fine (except for rare performance implications). I've never had a problem using high priority threads and "nanosleep()".
Pype.Clicker wrote:[*] interrupts are omnipresent. Even worse is shared interrupt: if each device on the irq line has to probe the device to tell if he's the interrupt source or not -- how do you handle that with "send message to X on interupt" ...
There's 2 methods here. You could use "send message to X, Y and Z". Alternatively, when X does "EOI(status)" you could check if the IRQ was handled and if it wasn't do "send message to Y".
Pype.Clicker wrote:[*] VM86 hooks to change video mode in "default" video driver ...
VM86 is only ever a temporary solution anyway. I refuse to use V86 - instead I set a default video mode during boot and use it as a frame buffer (no acceleration, no video mode changes, etc) until a decent/device specific video driver is started (if ever).
Pype.Clicker wrote:For all these things, there's (imvho) no clean way to get things solved by simply "expose only I/O resources of device x to driver handling x" policy...
I don't see any problem.
For me, I can't think of a clean way to prevent malicious (or even just buggy) device drivers from trashing anything they like.
Pype.Clicker wrote:So i'd rather go for a solution where drivers are split in two part:
[*] a "core" driver, running at DPL0, which would be abstracting architecture contraints (e.g. it will have to do virt_to_phys address translations) and dealing with direct I/Os
[*] a "service", running at DPL3 that makes use of core drivers to provide higher-level abstractions such as partitions, network connections, etc.
Does your OS automatically scan PCI buses and look for device drivers to suit the devices it finds? If I write a "trojan" device driver that wipes all your hard drives (or perhaps sends all keypresses to my IP address), will your OS automaticly load it and run it? To prevent this, will you need a large/expensive "driver signing" program like Microsoft, or will you have open source drivers (where it's impossible to comply with the NDA's some hardware manufacturers want)? Can you think of a clean way to solve this?
Of course I'm not saying that the monolithic approach (or the hybrid approach suggested) is bad - only that there's a trade-off between performance and protection.
The only form of protection violation a "pure" microkernel approach can't protect against is PCI bus masters (ISA DMA is easy to protect). I must admit I haven't found an adequate way around this a problem...
Cheers,
Brendan
I just had a slight difference in not requiring a service (even though the vast majority of drivers would implement one anyway).