[cap-talk] Another "core" principle - virtualize capabilities

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Thu Jan 4 15:11:56 CST 2007


At Thu, 04 Jan 2007 15:24:11 -0500,
"Jonathan S. Shapiro" <shap at eros-os.com> wrote:
> 
> On Thu, 2007-01-04 at 21:24 +0100, Marcus Brinkmann wrote:
> 
> > Let's start with the L4 mapping hierarchy model.  In this case, there
> > exists exactly one mapping tree per delegated resource.  To allow for
> > the above additional requirement, we would need to admit for a
> > "cross-link" from the invoked capability to the fetched resource.
> > 
> > The costs for this seems to be one additional pointer plus constant
> > overhead per delegated resource.  This would be accounted together
> > with the other data from the delegation.
> 
> No. The cost of this is one additional pointer plust constant resource
> **per transfer**. Every map operation in L4 allocates a resource in the
> L4 mapping database.

Yes.  The above should have been "per resource delegation", rather
than "per delegated resource".

In this model there are no "transfers", only revocable delegations.
This is already true for L4, and the associated resource issues have
to be solved (L4.sec?) independently of the question of membrane-like
functionality.

I tentatively suggest that the extra cost on top of this if
membrane-like functionality is required is a constant overhead per
delegation, that can be attributed to the receiver of the delegation
in the same manner as the other costs for the delegation.  Do you
still disagree?

Thanks,
Marcus



More information about the cap-talk mailing list