Capability Authentication

Marcus Brinkmann marcus.brinkmann at
Wed Oct 19 00:41:15 CEST 2005

At Tue, 18 Oct 2005 01:26:10 +0200,
<olafBuddenhagen at> wrote:
> Hi,
> > If you look at my protocols, this imposes an additional IPCs and
> > system calls in the RPC path for every capability that should be
> > copied from one process to another.  As capability copy is expected to
> > be ubiquitous, this is a discouraging result.
> Is it really? My guess would be that in typical use, capability passing
> of any kind should happen seldom enough not to make a few more
> IPCs/syscalls critical... But well, I guess I'm overlooking something
> :-)

Well, it depends.  You may be right.  By careful optimization, we can
probably use revocable copies (i.e., simple mappings) in L4 for many
operations.  Especially when sending capabilities from a client to a
server, which would include the important I/O path and container use.

This is with the Hurd server design that we had in mind so far.  But
in this design so far we haven't even tried to leverage the capability
system to its full extent.  In fact, we are making pretty poor use of
it.  If you opt for a different system architecture, it may be
different.  For example, process instantiation (spawn or fork) requires
many capability copies even in our current plans.  Creating new
processes is an important operation in the EROS operating system to
enforce confinement policies.


More information about the l4-hackers mailing list