-----Original Message-----
From: Rudy Koot [mailto:rudykoot@hotmail.com]
Sent: Wednesday, December 31, 2003 11:39 AM
The problem is that they only look at direct costs of cycles spent on entering the kernel, doing IPC and exiting the kernel. They also look at indirect costs of TLB and cache misses caused by IPC, but strangely enough won't look at the cost of checking access rights (probably because access checks are no longer part of the microkernel, but of operating system policy).
That is exactly the point. If you add that feature to the kernel you pay on _every_ system, even if it does not need any security mechanisms at all (or only very rudimentary). Hence, moving it to user land eliminates it from the critical path and makes other scenarios faster (without, from my perspective, massively hurting systems which need and want such security models).
If you want to convince them, you have to make sure they either count those costs also OR make sure they believe the added IPC costs of capabilities are indeed negligible. As far as I could reason these added (compared to the thread-id method) costs would be:
- One extra register spilled on the receiver side (to store the server defined word)
- One extra memory access (to convert the capability into the server thread id) [VTO]
- One extra memory access (to load the server defined word)
- One or more extra memory accesses (to locate the server defined word and server thread id in the Thread Object Space) [VTO]
And you forgot all the TLB entries you need.
When moving it to user land you are able to optimize the lookups by:
- cleverly choosing identifiers (your identifier space is unlimited and can be as small as zero bits)
- efficient and combined lookup strategies (e.g. a file descriptor can contain the filepos and security identifiers)
- combined calls, i.e. accessing multiple identifiers at once (write to n files at a time, multicast)
- local data structures--or do you want to share your cap-tables on NUMA systems between processors? How do you plan to memory-manage those?
- Volkmar