Linus Torvalds (torvalds.delete@this.linux-foundation.org) on September 25, 2021 11:31 am wrote:
> sr (nobody.delete@this.nowhere.com) on September 25, 2021 11:11 am wrote:
> > And about costs -x86 segmentation is basically free.
>
> Not even close.

I think it is possible you are confusing segments and capabilities. They aren't the same thing!

I agree with the viewpoint that capabilities can be costly and have performance implications if they are, on average, describing memory regions smaller than a page size.

Note that I used "can be" in the previous sentence. Because there are cases where code using capabilities is fast. For example, using capabilities a user-space process can directly access kernel data structures in read-only mode, instead of using syscalls for that purpose. It is however questionable whether HW support for capabilities is actually needed in this case since you could achieve the same kind of safety guarantees (without any HW support for capabilities) using NaCl-style (Native Client) assembly code verification implemented in software in the kernel. Using the same method, it would also be possible for user-space to directly access data of an open file if the file's data is in kernel's filesystem cache (instead of using the read() syscall). This can be extended to the write() syscall. If the kernel schedules another process to run or another core mutates kernel data structures, the process which was using capabilities to access kernel data structures would need to be reset to a known safe state, of course. Despite this, it might be faster than using syscalls for the purposes of safely navigating through security boundaries/layers.

-atom