l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Capability Authentication

From: Marcus Brinkmann
Subject: Re: Capability Authentication
Date: Wed, 19 Oct 2005 00:41:15 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI) 
At Tue, 18 Oct 2005 01:26:10 +0200,
<address@hidden> wrote:
> 
> Hi,
> 
> > If you look at my protocols, this imposes an additional IPCs and
> > system calls in the RPC path for every capability that should be
> > copied from one process to another.  As capability copy is expected to
> > be ubiquituous, this is a discouraging result.
> 
> Is it really? My Guess would be that in typical use, capability passing
> of any kind should happen seldom enough not to make a few more
> IPCs/syscalls critical... But well, I guess I'm overlooking something
> :-)

Well, it depends.  You may be right.  By careful optimization, we can
probably use revocable copies (ie, simple mappings) in L4 for many
operations.  Especially when sending capabilities from a client to a
server, which would include the important I/O path and container use.

This is with the Hurd server design that we had in mind so far.  But
in this design so far we haven't even tried to leverage the capability
system to its full extent.  In fact, we are making pretty poor use of
it.  If you opt for a different system architecture, it may be
different.  For example, process instantiaton (spawn or fork) requires
many capability copies even in our current plans.  Creating new
processes is an important operation in the EROS operating system to
enforce confinement policies.

Thanks,
Marcus
reply via email to
[Prev in Thread] Current Thread [Next in Thread]