
On 27 Mar 2025, at 05:22, Gernot Heiser <gernot@unsw.edu.au> wrote:

> But then a logical question: why do we need revocation in the first place? In the end the client trusts the driver to release the pages back via the TCB when the connection is torn down. This seems natural -- there is a degree of trust and cooperation between clients and the driver.
>
> That’s still revocation, isn’t it? Just not by the untrusted app.

Forgot to say: There is, in a well-designed system, no need for a server to trust clients. And mutually-distrusting relationships are easy to set up, but definitely need a trusted intermediary.

Of course, this is not different from other OSes: you trust the OS. Here, the “OS” is a collection of servers, rather than a monolith, and there can be a hierarchy of trust.

Gernot