[ag-automation] new reader
Benedikt Spranger
b.spranger at linutronix.de
Mon Apr 24 07:00:00 CEST 2006
On Mon, 2006-04-24 at 00:38 +0200, Jan Kiszka wrote:
Hi Jan,
I heavily disagree with your following table:
> Threat sources and potential impact:
>
> Threat source                  Single Domain                    Separate Domains
> -----------------------------  -------------------------------  ---------------------------------
> memory-sucking apps            services are delayed or fail     (separate pools to confine
> or NRT-drivers                 which depend on availability     impact)
>
> lock-ups in buggy              high risk of losing              RT/NRT interaction can be
> NRT-drivers, including         RT properties                    affected, RT threads continue
> IRQ handlers
>
> buggy drivers that             high risk of crash               high risk of crash
> overwrite kernel memory
>
> malicious non-root apps        risk of misusing shared          (not affected as long as
>                                resources (e.g. timers,          application remains non-root)
>                                memory, locked code paths)
>
> malicious root apps            unlimited damage                 unlimited damage
> or drivers
All your assumptions are related to a non-hardware-protected
Pseudodomain Model. Think about the mainframe. These guys use Separate
Domain Models (hardware protected). As far as I know, it is impossible
there to affect other domains. Also think about virtualization concepts
like Pacifica et al. In short, maybe near midrange these concepts are
widespread. Then we have the chance of hardware-protected domains.
But this domain concept is totally orthogonal to preempt-rt.
As for your example:
you can implement a little (only a few hundred lines of code) "don't
lose load" watchdog. It runs in a different hardware-protected domain.
So you can easily use preempt-rt :-)
Bene