Re: SVGA kernel chipset drivers.

Linus Torvalds (torvalds@cs.helsinki.fi)
Sun, 2 Jun 1996 15:42:23 +0300 (EET DST)


On Sun, 2 Jun 1996, Ingo Molnar wrote:
>
> besides all the stuff you understand much better than me, kernel traps are
> there to provide entry to a new security domain. With all its local
> context, which >is< protected. Not so in normal user space. Static data
> structures might get damaged if in the same process.

Take a closer look at how I suggested people do the "svgaserver".

The server does a fork(), and the child does all the graphics stuff,
exactly so that the parent can't be impacted by a buggy (or malicious)
graphics program.

Essentially, this already sets up the protection domains. The server is
protected, yet the fork() inheritance is able to give the graphics
program all the resources it needs, and nothing more.

> simple: a kernel trap is currently the cheapest protection domain switch

We don't need to switch protection domains more than once. We just need
to set up the frame buffer, put it into graphics mode, and then the
graphics program can just use it directly. This is all assuming the card
has a sane frame buffer and doesn't need more than the map (and perhaps
some IO port access, but that is also set up by the startup stuff).

I mean, you've all been trying to say that all graphics cards have frame
buffers, so why aren't you happy now that I gave you a protected
frame-buffer without a line of kernel code? What more do you want?

Linus
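
The fork()-based separation described in this message, sketched as an added example (not code from the original post or from any svgaserver implementation). It assumes an anonymous shared mapping as a stand-in for the real frame buffer; `run_server`, `graphics_client` and `server_state` are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for MAP_ANONYMOUS under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define FB_SIZE 4096            /* constructed stand-in for a frame buffer */
static int server_state = 1234; /* the server's private static data */

/* Hypothetical buggy graphics program: draws, tramples static data, dies. */
static void graphics_client(unsigned char *fb)
{
    memset(fb, 0xAA, FB_SIZE);  /* direct frame-buffer access, no kernel trap */
    server_state = 0;           /* hits only the child's copy-on-write page */
    abort();                    /* simulated crash */
}

/* Map once, fork, let the child draw. Returns the child's terminating
 * signal (0 for a normal exit) or -1 on failure; reports what the parent
 * sees afterwards through the out-parameters. */
int run_server(unsigned char *pixel, int *state)
{
    unsigned char *fb = mmap(NULL, FB_SIZE, PROT_READ | PROT_WRITE,
                             MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (fb == MAP_FAILED) return -1;
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) graphics_client(fb);          /* child never returns */
    if (pid < 0 || waitpid(pid, &status, 0) < 0) { munmap(fb, FB_SIZE); return -1; }
    *pixel = fb[0];             /* shared mapping: the child's drawing is visible */
    *state = server_state;      /* private data: the child's damage is not */
    munmap(fb, FB_SIZE);
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    unsigned char pixel = 0; int state = 0;
    int sig = run_server(&pixel, &state);
    printf("child signal=%d pixel=0x%02X server_state=%d\n", sig, pixel, state);
    return sig < 0;
}
```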