IPC/Capabilities Overview

Volkmar Uhlig volkmar at ira.uka.de
Wed Dec 31 19:19:16 CET 2003

> -----Original Message-----
> From: Rudy Koot [mailto:rudykoot at hotmail.com] 
> Sent: Wednesday, December 31, 2003 11:39 AM

> The problem is that they only look at direct 
> costs of cycles spent on entering the kernel, doing IPC and 
> exiting the kernel. They also look at indirect costs of 
> TLB and cache misses caused by IPC, but strangely enough won't 
> look at the cost of checking access rights (probably because 
> access checks are no longer part of the microkernel, but 
> of operating system policy). 

That is exactly the point.  If you add that feature to the kernel you
pay on _every_ system, even if it does not need any security mechanisms
at all (or only very rudimentary).  Hence, moving it to user land
eliminates it from the critical path and makes other scenarios faster
(without, from my perspective, massively hurting systems which need and
want such security models).

> If you want to convince them, you have to make sure they either 
> count those costs also OR make sure they believe the added 
> IPC costs of capabilities are indeed neglectable. As far as I 
> could reason these added (compared to the thread-id method) costs 
> would be:
> - One extra register spilled on the receiver side (to store 
> the server defined word)
> - One extra memory access (to convert the capability into the 
> server thread id) [VTO]
> - One extra memory access (to load the server defined word)
> - One or more extra memory accesses (to locate the server 
> defined word and server thread id in the Thread Object Space) [VTO]

And you forgot all the TLB entries you need.

When moving it to user land you are able to optimize the lookups by:
- cleverly choosing identifiers (your identifier space is unlimited and
can be as small as zero bits)
- efficient and combined lookup strategies (e.g. a file descriptor can
contain the filepos and security identifiers)
- combined calls, i.e. accessing multiple identifiers at once (write to
n files at a time, multicast)
- local data structures--or do you want to share your cap-tables on NUMA
systems between processors?  How do you plan to memory-manage those?

- Volkmar
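
An added example, not part of the original post and not L4 code: a user-level file server whose descriptor is a small index into a server-local table that holds the access rights and the file position together, so the access check and the position lookup are one table load. All names are hypothetical; it assumes the kernel delivers the sender's thread id with each IPC, and it clamps every transfer to the file size for brevity.

```c
#include <stdint.h>

/* Hypothetical names throughout; this is not an L4 API. */
enum { RIGHT_READ = 1u, RIGHT_WRITE = 2u };
enum { MAX_FDS = 8 };

/* Owner, rights and position live in one entry, so the access check and
 * the file-position lookup touch the same memory. */
struct fd_entry {
    uint32_t owner_tid;  /* assumed: sender thread id delivered with the IPC */
    uint32_t rights;     /* RIGHT_* bits granted at open; 0 marks a free slot */
    uint64_t filepos;    /* current offset */
    uint64_t size;       /* file size, bounds each transfer */
};

static struct fd_entry fd_table[MAX_FDS];  /* server-local, never shared */

/* Open on behalf of thread `tid`; returns a small dense descriptor or -1. */
int fs_open(uint32_t tid, uint32_t rights, uint64_t size)
{
    if (rights == 0)
        return -1;                   /* a handle with no rights is useless */
    for (int fd = 0; fd < MAX_FDS; fd++) {
        if (fd_table[fd].rights == 0) {
            fd_table[fd] = (struct fd_entry){ tid, rights, 0, size };
            return fd;
        }
    }
    return -1;
}

/* Serve one request: bounds check, one table load, rights test, position
 * update. Returns the number of bytes transferred, or -1 if refused. */
int64_t fs_io(uint32_t sender_tid, int fd, uint32_t need, uint64_t len)
{
    if (fd < 0 || fd >= MAX_FDS || need == 0)
        return -1;
    struct fd_entry *e = &fd_table[fd];
    if (e->owner_tid != sender_tid || (e->rights & need) != need)
        return -1;                   /* policy enforced in user land */
    uint64_t left = e->size - e->filepos;
    if (len > left)
        len = left;
    e->filepos += len;
    return (int64_t)len;
}
```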
