Trying to understand how capabilities are implemented

Martin Stein martin.stein at genode-labs.com
Tue Sep 5 09:52:59 CEST 2023 

Hi Albin,

On 04.09.23 19:01, Albin Otterhäll wrote:
>>> 3. Protection domain 1 has a capability space insied the kernel.
>>>      Q2: Is the protection domain seperate from the capability space in
>>> the kernel, and they're "connected" with some map somewhere?
>>
>> In general, this is very kernel-specific. However, I know the internals
>> only for the "base-hw" kernel. In this kernel, the cap space is not
>> separate from its protection domain. Each domain object [5] contains a
>> tree _cap_tree of all RPC object names known to this domain (see [6] for
>> more details).
> 
> Okey! Didn't know that it could be different between the different
> kernels. Thought that they were abstracted out, but apparently not. :)

At the level of Genode's Core component (the "root" component of the 
component tree) and Genode's base library (the basic environment for 
each Genode component) the differences between the kernels are indeed 
abstracted out. So, to every component other than Core capability 
management looks the same: Genode-like. However, as your question 
involved kernel internals, I wanted to mention that there are differences.
>>>      Q4: If the answer to Q3 is yes, does that mean that delegagion is
>>> some form of mechanism to share the adress of the object identity with
>>> other protection domains?
>>
>> If I understand you correctly, yes and no. To the user it looks like
>> sharing an address in OO but you might better think of it as sharing the
>> _ability_ to access the object. In contrast to address sharing,
>> delegation creates a new local name/reference for the object identity in
>> the target domain/cap space. In my domain the object might be referenced
>> by the name "3" while in a domain I have delegated to, the object might
>> be referenced by the name "987". However, even if delegation would
>> result in the same name "3", the link between this name and the object
>> is unique to the target domain as is that between my "3" and the object.
>> This is well illustrated by § 3.1 Figure 3 in the book.
> 
> Is there a semantic difference between "sharing an address" and "sharing
> the ability to access the object"? I've looked at
> base/include/base/rpc_server.h and base/include/base/capability.h, but I
> couldn't see any parts about delegation (I don't have any experience
> with C++, so it's possible I've missed something obvious).

A major difference is that, even if no one wants to provide you with the 
address to a local object, you can always guess the address and would 
thereby gain full access to that object. However, you would never be 
able to gain access to a remote object by guessing the correct local 
name, because _there is no local name_ for that object in your 
protection domain unless someone makes an appropriate delegation to you.

Cheers,
Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xC965544047C34F92_and_old_rev.asc
Type: application/pgp-keys
Size: 8607 bytes
Desc: OpenPGP public key
URL: <http://lists.genode.org/pipermail/users/attachments/20230905/377f786b/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.genode.org/pipermail/users/attachments/20230905/377f786b/attachment.sig>

More information about the users mailing list