  • only in /barrelfish-2018-10-04/doc/013-capability-mgmt/

Lines Matching defs:capability

9 \note{We do not implement capability rights yet.}
14 \item[Origin] A capability type is either \emph{primitive}, which
18 capability. For primitive types, we specify how the capabilities of
20 capability types may be retyped to yield a capability of the given
23 \item[Retypability] Some types of capability may be \emph{retyped} to
26 capability it may be retyped.
34 capability rights is type-specific. A capability type defines the
39 or may not be possible to transfer a capability to another core.
42 the last copy of a capability is deleted. For capability types
46 \item[Concrete representations] Each capability type has one or more
52 \item[Invocations] Most capability types support one or more
64 described in \ref{sec:cspace}. All capability management is
67 CNodes are organized as a two-level table with distinct capability types for
69 CNodes which have a fixed size of 256 capability slots.
70 The two-level CNode table forms a 32-bit capability address space for each
73 \emph{capability address}.
74 The high 24 bits of the capability address are used as an index into the L1
82 capability address are used as an index into the L2 CNode.
84 capability.
88 invocations to refer to a L2 CNode capability that is located in a L1 slot,
101 This means that every user domain holding a capability has full
105 another core, capability is implicitly retyped to a Foreign CNode
118 datatype L1CNode "L1 CNode capability" {
126 datatype L2CNode "L2 CNode capability" {
147 The Mint invocation creates a new capability in an existing CNode
148 slot, given an existing capability. The new capability will be a copy
149 of the existing capability, except for changes to the
185 specified type in the specified slots, given a source capability and a
187 It will fail if the source or destination are invalid, or if the capability
188 already has descendants which overlap the requested region (some capability
196 base address and size does not fit into the source capability.
198 capability, and its size is given as the number of capabilities to create
222 \caption{Valid capability retyping paths}\label{fig:cap_types}
230 This invocation deletes the capability at the given address, freeing
238 This invocation revokes the capability at the given address.
240 The capability itself is left untouched while all its descendants and
246 The foreign CNode capability gives a domain on a core the ability to
247 specify a capability that actually resides on another core. This
248 capability allows for the holder to create local copies of the
250 implemented. The capability tracks on which core the actual CNode
254 \item[Origin] When a CNode capability is copied to another core.
269 datatype fcnode_cap "Foreign CNode capability" {
273 core_id 8 "Core id of the core the actual CNode capability
315 datatype physaddr_cap "Physical address range capability" {
324 A RAM capability refers to a naturally-aligned power-of-two-sized
344 datatype ram_cap "RAM capability" {
352 This capability type refers to the kernel object associated with a
373 datatype dcb_cap "Dispatcher capability" {
381 \arg Address of dispatcher capability relative to dispatchers caller's cspace
385 \arg Frame capability for dispatcher structure relative to cspace for new dispatcher.
402 endpoint capability when it is retyped from a dispatcher capability is
403 zero; the capability cannot be used to send IDC until the offset
410 badge on the capability
412 \item Parameter 1: The endpoint offset to set on the capability.
413 \item Parameter 2: The endpoint buffer size to set on the capability.
429 datatype idc_cap "IDC endpoint capability" {
438 \item[Invocation] Any invocation of an endpoint capability causes the
444 A VNode capability refers to a hardware page table and is used to
451 We define one VNode capability type per hardware page table type per
485 datatype vnode_cap "VNode capability" {
493 \arg CSpace address of the root (L1) CNode of the capability to map
494 \arg CSpace address of the capability to map
495 \arg Level of the capability to map
497 \arg Offset in bytes into the source capability of the region to map
499 \arg CSpace address of the root (L1) CNode of the capability slot in which
500 to create the mapping capability
501 \arg CSpace address of the CNode of the capability slot in which to create
502 the mapping capability
503 \arg Level of the CNode of the capability slot in which to create
504 the mapping capability
505 \arg Slot in the CNode in which to create the mapping capability
511 The invocation may fail if the source capability cannot be found, the
512 requested mapping region is not entirely covered by the source capability, the
513 source capability does not have a type which is mappable into the VNode, given
515 already occupied, or the slot of the mapping capability cannot be found or is
520 \arg Level of the mapping capability
529 A frame capability refers to a page-aligned\footnote{We colloquially refer to
532 A frame capability may be mapped into a domain's virtual address space (by
534 When a frame capability is created (ie.~retyped from RAM), the kernel
552 page table entries that exist for this copy of the frame capability.
556 capability. If not, return create a new RAM capability and return it to a
562 datatype frame_cap "Frame capability" {
573 A device frame capability refers to a page-aligned region of physical address
594 page table entries that exist for this copy of the frame capability.
598 capability. If not, return create a new RAM capability and return it to a
604 datatype device_cap "Device Frame capability" {
616 capability copies that are mapped in a VNode, which led to a lot of
617 unnecessary heavy-weight Frame capability copies in the system, we redesigned
618 the shadow page table implementation to use additional capability types, one
619 for each capability type that can be copied to a VNode type.
621 We define one mapping type per mappable capability type.
639 \item[Origin] Created when copying a mappable capability to a VNode.
649 \item[Any copy deleted] Use information stored in capability to delete that
650 mapping that caused this capability to be created.
657 datatype mapping "Mapping capability" {
658 cap 64 "Kernel address of capability this mapping tracks";
660 offset 32 "Offset into capability for the mapped region";
667 \arg CSpace address of mapping capability
669 first page in the mapping identified by the mapping capability.
674 Invocation that uses mapping capability to efficiently find relevant VNode
678 \arg Cspace address of mapping capability
683 An IO capability gives the holder the ability to read and write to IO ports.
687 \item[Origin] A single IO capability covering the whole IO region created at
692 \item[Mint parameters] Used to specify the region of io space the capability can access.
707 datatype io_cap "IO capability" {
747 \subsection{IRQ table capability}
748 The IRQ table capability allows the holder to configure the user-level
767 \item[Concrete representations] This capability type has no
775 \arg CSpace address of asynchronous endpoint capability
788 This capability is used to confer authority to the user-space part of the
790 Some other privileged domains also receive a copy of the kernel capability,
791 but we should factor those operations out and create different capability
812 datatype kernel_cap "Kernel capability" {
816 The kernel capability does not convey any information, it is simply a
822 \arg CSpace address of the RAM capability to use to relocate the new kernel
823 \arg CSpace address of the Dispatcher capability of the first domain to run
824 \arg Number of valid bits for the root CNode to associate with the Dispatcher capability
825 \arg CSpace address of the root CNode to associate with the Dispatcher capability
826 \arg CSpace address of the VNode to associate with the Dispatcher capability
827 \arg CSpace address of the dispatcher frame to associate with the Dispatcher capability
838 \begin{invocation}{Identify capability}
839 \arg CSpace address of the capability to identify
840 \arg Level of the capability to identify
841 \arg Location of buffer to hold capability representation
844 capability into the given buffer.
846 \begin{invocation}{Identify another dispatcher's capability}
847 \arg CSpace address of the dispatcher's L1 cnode capability
848 \arg Level in our CSpace of the L1 cnode capability
849 \arg CSpace address relative to the dispatcher's CSpace of the capability to
851 \arg Level in the dispatcher's CSpace of the capability to identify
852 \arg Location of buffer to hold capability representation
855 dispatcher's capability into the given buffer.
857 \begin{invocation}{Create capability}
858 \arg In memory representation of a capability
859 \arg CSpace address of the CNode to place the created capability in
861 \arg Slot number to place the capability in
862 \arg Owning core of the new capability
864 Creates the given capability in the given slot in the given CNode with the
869 \begin{invocation}{Set capability's remote relations}
870 \arg CSpace address of CSpace (L1 CNode) in which to look for capability
871 \arg Level of root capability.
872 \arg CSpace address of capability
873 \arg Level of capability
882 \begin{invocation}{Read capability's remote relations}
883 \arg CSpace address of capability
884 \arg Level of capability
886 Returns bitmask of currently set remote relations on capability.
888 Further Kernel capability invocations that we will have to document:
891 \item \verb|KernelCmd_Nullify_cap|: Set the capability to NULL, allowing it to be reused
895 \item \verb|KernelCmd_Get_cap_owner|: Get capability's owning core
896 \item \verb|KernelCmd_Set_cap_owner|: Set capability's owning core
897 \item \verb|KernelCmd_Lock_cap|: Lock capability when performing distributed
899 \item \verb|KernelCmd_Unlock_cap|: Unlock capability when distributed
903 copy of a capability.
906 \item \verb|KernelCmd_Revoke_mark_target|: Mark a capability for revocation.
907 \item \verb|KernelCmd_Revoke_mark_relations|: Mark a capability's relations
913 \item \verb|KernelCmd_Retype|: Perform a retype for a capability with remote
915 \item \verb|KernelCmd_Has_descendants|: Check whether a capability has
931 A kernel control block capability captures all the state for a single CPU
946 This means that every user domain holding a capability has full
958 kcb 64 "Kernel address of the KCB represented by this capability"