Hi Albin,
On 04.09.23 19:01, Albin Otterhäll wrote:
- Protection domain 1 has a capability space insied the kernel.
Q2: Is the protection domain seperate from the capability space in the kernel, and they're "connected" with some map somewhere?
In general, this is very kernel-specific. However, I know the internals only for the "base-hw" kernel. In this kernel, the cap space is not separate from its protection domain. Each domain object [5] contains a tree _cap_tree of all RPC object names known to this domain (see [6] for more details).
Okey! Didn't know that it could be different between the different kernels. Thought that they were abstracted out, but apparently not. :)
At the level of Genode's Core component (the "root" component of the component tree) and Genode's base library (the basic environment for each Genode component) the differences between the kernels are indeed abstracted out. So, to every component other than Core capability management looks the same: Genode-like. However, as your question involved kernel internals, I wanted to mention that there are differences.
Q4: If the answer to Q3 is yes, does that mean that delegagion is some form of mechanism to share the adress of the object identity with other protection domains?
If I understand you correctly, yes and no. To the user it looks like sharing an address in OO but you might better think of it as sharing the _ability_ to access the object. In contrast to address sharing, delegation creates a new local name/reference for the object identity in the target domain/cap space. In my domain the object might be referenced by the name "3" while in a domain I have delegated to, the object might be referenced by the name "987". However, even if delegation would result in the same name "3", the link between this name and the object is unique to the target domain as is that between my "3" and the object. This is well illustrated by § 3.1 Figure 3 in the book.
Is there a semantic difference between "sharing an address" and "sharing the ability to access the object"? I've looked at base/include/base/rpc_server.h and base/include/base/capability.h, but I couldn't see any parts about delegation (I don't have any experience with C++, so it's possible I've missed something obvious).
A major difference is that, even if no one wants to provide you with the address to a local object, you can always guess the address and would thereby gain full access to that object. However, you would never be able to gain access to a remote object by guessing the correct local name, because _there is no local name_ for that object in your protection domain unless someone makes an appropriate delegation to you.
Cheers, Martin