Boris wrote:
gerryg400 wrote:
When the blob says "I'm a keyboard driver, give me access to the IO ports related to the keyboard" how do you know to trust the blob?
That's the beauty of it. you can always have a manifest of sorts which would list which is ports / IPC services the module requires.
If for example a keyboard driver requires something it is not supposed to ( network stack , filesystem) then don't load it.
This was exactly my line of thinking. If the driver identifies itself as belonging to a class (say "keyboard", to keep with the discussion), only grant it permissions for keyboard access. If it attempts to access services that it is not granted permissions to, the OS could either deny those requests or unload the driver entirely, depending on how critical the operation it performs is.
Of course, this doesn't prevent some odd behavior, such as a driver that simply
transmutes the data (i.e. when an "A" is pressed, forward a "Q" to the kernel). In practice though, there is no reasonable precaution to be taken against that.
This also allows for the kernel to have some interesting/novel features to aid the programmer, as Brendan alluded to awhile back - the kernel could be instructed to log all driver I/O activity, for example, which would greatly aid in debugging new or experimental drivers.