This is a central use-case of how we envisage Mill services being used.
There is a subtlety that a (software) private key as a service illustrates:
The private key had to be loaded from somewhere, and so its important that the turf the attacker exploits cannot itself access the key directly. So how can you create a child service to protect some data if the way it gets its data is by you giving it that data? You have access to the data too?
So the kernel may need to be aware of ‘user-space’ services within a ‘process’ (I use quotes as these are OS concepts and an OS on the Mill could do things differently) in order that a turf can rescind access rights to things.
This is rather like the POSIX (and Symbian) ‘capability’ model (quotes because a lot of people think them not capability models at all 😉 ), where you can rescind rights e.g. as a TCP server rescinds rights to bind on low ports after its started its listener.
So rights become something tracked at a turf level rather than at a ‘process’ level, with a process consisting of a collection of turfs and threads flying in close formation? This leads to thoughts about how operating systems conventionally track processes (or tasks, in L4 terms). A process is a collection of threads that share a user space. However, when you perform a Mill portal call, you are moving between protection domains (Mill turfs) without changing threads…
If the OS only allows you to create private services within a process, a hierarchical structure is maintained and its an evolutionary step for the kernel – which is still the intermediary for IPC – to track turfs as well as threads for a process.
However, the exciting ideas that the Mill also allows for is IPC to be between peers without kernel intermediary. However, this challenges how an OS conventionally tracks processes and determines the current running process and does things like preemption accounting and even so far as what
kill show and do. So one thing the Mill may do for the state of the art is start a whole new chapter in OS research 😉
And yes a turf can revoke your own protection regions. You can also imagine the OS being involved in turf creation so if you want to create a new child service, the OS can hand it unshared memory.
Sorry for the long rambling post. We’re happy to have this picked apart and discussed 🙂