General Question On Object Methods

tunacici7＠gmail.com

8 Sep 2024 8 Sep '24

1:33 a.m.

I've recently started to learn seL4 by following the Tutorials, which have been great so far. I've been also reading the Manual & API reference to understand and gain insight into different mechanisms. However, I have one fundamental question: Are the object methods system calls? It is said that seL4 only has 3 logical system calls: Send, Recv and Yield. (In all the slides, videos and other documents I have seen) And the rest is just variations of those ones. But what about object methods? Are they system calls? Are they executed in kernel space? If they are system calls, then wouldn't all the resources out there be misleading? Since there are way more than just Send, Recv and Yield. If they are not, then how are they handled? Does 'libsel4' have anything to do with it? I can't imagine 'seL4_Untype_Retype' executing in user space. Unfortunately, I couldn't find any answers to this question online. So that's why I'm asking it here. Maybe there are others who wonders the same thing. NOTE The API Reference page confuses me even more. It lists Object Methods in its own category (instead of being under System Calls). Does this means Object Methods are NOT system calls? Or the term System Call is just not what I think it is(basically an endpoint to kernel)?. END NOTE Thanks for the answers in advance. -T

Show replies by date

Gernot Heiser

8 Sep 8 Sep

8:33 a.m.

On 8 Sep 2024, at 01:33, tunacici7@gmail.com wrote:

...

However, I have one fundamental question: Are the object methods system calls?

It is said that seL4 only has 3 logical system calls: Send, Recv and Yield. (In all the slides, videos and other documents I have seen) And the rest is just variations of those ones. But what about object methods? Are they system calls? Are they executed in kernel space?

If they are system calls, then wouldn't all the resources out there be misleading? Since there are way more than just Send, Recv and Yield. If they are not, then how are they handled? Does 'libsel4' have anything to do with it? I can't imagine 'seL4_Untype_Retype' executing in user space.

In a pure capability system, the only operation is invoking an object (though its cap). In seL4, objects are invoked by sending and receiving from them. In fact, they are really invoked by call() (i.e. send+receive). In addition there’s yield(), which is a (arguably unprincipled) special case. Everything (other than yield) is a method invocation on an object. That’s why my slides say that *logically* there are only 3 syscalls. The implementation vectors them onto separate (per-object) syscall numbers for efficiency. Gernot

Demi Marie Obenour

9 Sep 9 Sep

5:48 a.m.

On 9/7/24 18:33, Gernot Heiser via Devel wrote:

...

On 8 Sep 2024, at 01:33, tunacici7@gmail.com wrote:

...
However, I have one fundamental question: Are the object methods system calls?

It is said that seL4 only has 3 logical system calls: Send, Recv and Yield. (In all the slides, videos and other documents I have seen) And the rest is just variations of those ones. But what about object methods? Are they system calls? Are they executed in kernel space?

If they are system calls, then wouldn't all the resources out there be misleading? Since there are way more than just Send, Recv and Yield. If they are not, then how are they handled? Does 'libsel4' have anything to do with it? I can't imagine 'seL4_Untype_Retype' executing in user space.

In a pure capability system, the only operation is invoking an object (though its cap). In seL4, objects are invoked by sending and receiving from them. In fact, they are really invoked by call() (i.e. send+receive). In addition there’s yield(), which is a (arguably unprincipled) special case.

Everything (other than yield) is a method invocation on an object. That’s why my slides say that *logically* there are only 3 syscalls.

The implementation vectors them onto separate (per-object) syscall numbers for efficiency.

Gernot

Are faults (which, obviously, do not require any capabilities) another way to communicate with other code? -- Sincerely, Demi Marie Obenour (she/her/hers)

z5257602＠unsw.edu.au

10:06 a.m.

User-level fault handling does require capabilities and is afaik semantically equivalent to synchronous IPC using seL4_Call/Reply_Recv. The only difference is that instead of the faulting thread populating the IPC buffer and invoking seL4_Call, the kernel constructs the fault message and sends it to the faulting thread's designated fault handler endpoint (if such an endpoint capability has been provided) on its behalf. - Alwin

tunacici7＠gmail.com

10:19 p.m.

Think I'm starting to understand this. My current understanding of a syscall is operations like read(), write() or mkdir() are implemented in the kernel. So they are executed at a higher execution level (e.g., Ring 0 in x64, EL1 in ARM64) and each have their own syscall numbers. Most user applications don't directly invoke them, but rather use a libc wrapper with the same syscall name. In seL4, this idea is a bit different. The kernel itself handles send+receive and yield (and also their variations) syscalls inside the kernel at a higher execution level. Object methods are implemented using those syscalls inside libsel4. Which executes at a lower execution level (e.g., Ring 4, EL0). Here I am, again, a little bit confused. Sorry. When I looked at the source and did some debugging I see that, as an example, UntypedRetype is implemented in libsel4 (sel4_client.h) Like you, and others, said it is implemented using send+receive system calls. So, everything is good so far. But, what about their syscall numbers you have mentioned that have been vectored for efficiency? I was not able to find them in the source (both after and before system call stub generation). I looked inside syscall.h after syscall_header_gen.py. I'm sure I'm missing something or my understanding of what a syscall needs more work. Thanks for the previous answers. It motivated me to debug an application (a tutorial) and see how parts of libsel4 is actually implemented. -T

Indan Zupancic

10 Sep 10 Sep

9:07 a.m.

Hello T, "Object methods" are just system calls in the technical sense, they are fully executed in kernel mode. You can find the (generated) syscall numbers in your build directory: build/libsel4/include/sel4/syscall.h It's generated from libsel4/include/api/syscall.xml by a script. The start will look something like: typedef enum { seL4_SysCall = -1, seL4_SysReplyRecv = -2, seL4_SysSend = -3, seL4_SysNBSend = -4, seL4_SysRecv = -5, seL4_SysReply = -6, seL4_SysYield = -7, seL4_SysNBRecv = -8, (The rest is either debug-only or platform dependent.) The "object methods" are a seL4_SysCall on a cap of a specific type. ("Call" in the seL4 sense of doing a send + wait for reply, not to be confused with "syscall".) The call will be decoded depending on the cap's type, and that object's handling code will check the invocation number to see what you want to do. To avoid doing the wrong thing when passing a cap of the wrong type, all invocations have a unique number: build/libsel4/include/sel4/invocation.h This two-tiered numbering system makes it easier to quickly handle IPC seL4_SysCalls. Capabilities in seL4 are a bit like file descriptors in other OSes: A generic interface to do things with specific "objects", via a few standardised system calls (read, write versus recv and send). In the end it's all semantics. If you are confused how the kernel knows whether you are calling a method on the endpoint object or sending a message to another task: That's solved by endpoints not having any methods to call. Same trick is used for notifications. I hope that clears things up. Greetings, Indan On 2024-09-09 13:19, tunacici7@gmail.com wrote:

...

Think I'm starting to understand this. My current understanding of a syscall is operations like read(), write() or mkdir() are implemented in the kernel. So they are executed at a higher execution level (e.g., Ring 0 in x64, EL1 in ARM64) and each have their own syscall numbers. Most user applications don't directly invoke them, but rather use a libc wrapper with the same syscall name.

In seL4, this idea is a bit different. The kernel itself handles send+receive and yield (and also their variations) syscalls inside the kernel at a higher execution level. Object methods are implemented using those syscalls inside libsel4. Which executes at a lower execution level (e.g., Ring 4, EL0).

Here I am, again, a little bit confused. Sorry. When I looked at the source and did some debugging I see that, as an example, UntypedRetype is implemented in libsel4 (sel4_client.h) Like you, and others, said it is implemented using send+receive system calls. So, everything is good so far. But, what about their syscall numbers you have mentioned that have been vectored for efficiency? I was not able to find them in the source (both after and before system call stub generation). I looked inside syscall.h after syscall_header_gen.py.

I'm sure I'm missing something or my understanding of what a syscall needs more work.

Thanks for the previous answers. It motivated me to debug an application (a tutorial) and see how parts of libsel4 is actually implemented. -T

tunacici7＠gmail.com

11 Sep 11 Sep

4:17 a.m.

Hey Indan, After reading your (and others) words, it finally clicked for me! Like you (and others) have said in seL4 all interaction are done by invoke objects via capabilities. It sounds obvious at first (many resources talk about this), but understanding is another story:) In case there are others like me that are still having a problem understanding system calls and object methods in seL4, I have collected my thoughts below. System call is, in a more "traditional" sense, in other OSes is like this: - execute 'syscall' with a specific system call number from the user space - there are many syscall numbers defined in those OSes (e.g., read, write, mkdir) In seL4, however, it's a bit different: - still execute 'syscall' from the user space - but this time only Send, Recv, Yield (and other variations) have their syscall numbers defined - those are the only "system calls" that we can directly compare to other "traditional" OSes - now, in handling of the system calls (e.g., Send()) there is a decoder (see 'decodeInvocation(...)') - those decoders determine which specific capability to invoke (see 'libsel4/include/interfaces/sel4.xml' for all invocations) - each of the invocations have their own numbers (similar to system call numbers) - so (like Indan have said) we have a two-tiered system (first is architecture/CPU 'syscall' and second is seL4 'invocations') - because of this we have a separation in API reference between System Calls and Object Methods - and since object methods (like UntypedRetype) are handled inside the seL4 they are executed at higher privilege level Again, thanks everyone for the help & replies. -T

Hugo V.C.

7:02 a.m.

...

Hey Indan,

After reading your (and others) words, it finally clicked for me! Like you (and others) have said in seL4 all interaction are done by invoke objects via capabilities.

It sounds obvious at first (many resources talk about this), but understanding is another story:)

In case there are others like me that are still having a problem understanding system calls and object methods in seL4, I have collected my thoughts below.

System call is, in a more "traditional" sense, in other OSes is like this: - execute 'syscall' with a specific system call number from the user space - there are many syscall numbers defined in those OSes (e.g., read, write, mkdir)

In seL4, however, it's a bit different: - still execute 'syscall' from the user space - but this time only Send, Recv, Yield (and other variations) have

Thanks T. Having this in a documentation would be nice to improve seL4 learning curve. I really appreciated reading all the explanations, but this T summary is very helpful, like the few really important things an experienced skydiver say to beginners to increase their self confidence. On Tuesday, September 10, 2024, wrote: their syscall numbers defined

...

- those are the only "system calls" that we can directly compare to

other "traditional" OSes

...

- now, in handling of the system calls (e.g., Send()) there is a

decoder (see 'decodeInvocation(...)')

...

- those decoders determine which specific capability to invoke (see

'libsel4/include/interfaces/sel4.xml' for all invocations)

...

- each of the invocations have their own numbers (similar to system

call numbers)

...

- so (like Indan have said) we have a two-tiered system (first is

architecture/CPU 'syscall' and second is seL4 'invocations')

...

- because of this we have a separation in API reference between

System Calls and Object Methods

...

- and since object methods (like UntypedRetype) are handled inside

the seL4 they are executed at higher privilege level

...

Again, thanks everyone for the help & replies.

-T _______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems

Gernot Heiser

9:20 a.m.

On 11 Sep 2024, at 07:02, Hugo V.C. wrote:

...

Thanks T. Having this in a documentation would be nice to improve seL4 learning curve. I really appreciated reading all the explanations, but this T summary is very helpful, like the few really important things an experienced skydiver say to beginners to increase their self confidence.

I don’t think tutorials on microkernels and capabilities belong into the seL4 kernel documentation. However, the white paper could be more explicit about this, I’ll think about that. (I guess the white paper is due for an upgrade anyway, given that the Microkit is now the preferred way for building seL4-based systems.) Incidentally, I yesterday delivered my first Advanced OS lecture for the year, and I had strengthened the explanation of cap invocation, see - p16ff of https://cgi.cse.unsw.edu.au/~cs9242/24/lectures/01a-intro.pdf - p4 of https://cgi.cse.unsw.edu.au/~cs9242/24/lectures/01b-sel4.pdf Gernot

Hugo V.C.

12 Sep 12 Sep

6:41 a.m.

...

On 11 Sep 2024, at 07:02, Hugo V.C. wrote:

...
Thanks T. Having this in a documentation would be nice to improve seL4 learning curve. I really appreciated reading all the explanations, but

Thanks for the links Gernot. "I don’t think tutorials on microkernels and capabilities belong into the seL4 kernel documentation" Sure. I have no idea how you guys can deal with this... I'm on the commercial side, just thinking about how people can "easily" become seL4 developer... On Wednesday, September 11, 2024, Gernot Heiser via Devel wrote: this

...

...
T summary is very helpful, like the few really important things an experienced skydiver say to beginners to increase their self confidence.

I don’t think tutorials on microkernels and capabilities belong into the seL4 kernel documentation. However, the white paper could be more explicit about this, I’ll think about that. (I guess the white paper is due for an upgrade anyway, given that the Microkit is now the preferred way for building seL4-based systems.)

Incidentally, I yesterday delivered my first Advanced OS lecture for the year, and I had strengthened the explanation of cap invocation, see - p16ff of https://cgi.cse.unsw.edu.au/~cs9242/24/lectures/01a-intro.pdf - p4 of https://cgi.cse.unsw.edu.au/~cs9242/24/lectures/01b-sel4.pdf

Gernot

_______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems

Gernot Heiser

7:01 a.m.

On 12 Sep 2024, at 06:41, Hugo V.C. wrote:

...

"I don’t think tutorials on microkernels and capabilities belong into the seL4 kernel documentation"

Sure. I have no idea how you guys can deal with this... I'm on the commercial side, just thinking about how people can "easily" become seL4 developer…

How is this affected by low-level technical details that are hidden behind libraries, especially if you use higher-level frameworks such as the Microkit? Gernot

Hugo V.C.

8:15 a.m.

...

On 12 Sep 2024, at 06:41, Hugo V.C. wrote:

...
"I don’t think tutorials on microkernels and capabilities belong into

Well, people usually like to understand how things work, moreover on a system like seL4. And, whether you like or not, there will be forks, hacks, modifications... the more info you provide, the more involved the community will be. Frameworks are a must to speed up real life adoption, but ideally, all the low level info must be clear and the easier the better. I used to pentest an RTOS derivative of VxWorks on top of some Marvel Armada cpus, at the beginning with public very abstract info, but the fun came when I got (legit) access to confidential low level cpu specs of the different models... then I undestood why some fault injection attacks were being successful. Developers can do their job with just Mikrokit, but many of them, will have curiosity to understand why they need to do things the way they are forced. By being able to fully understand how things really work at low level, they get more involved, they can also contribute with improvements, and, hopefully, they will be happier than just blindly trust. It's about letting the door open to developers and engineers to learn at deeper level, as easy as possible. Maybe a door some people will never open, but for those who dare to open, would be nice to be sure they get engaged. On Wednesday, September 11, 2024, Gernot Heiser via Devel wrote: the seL4 kernel documentation"

...

...
Sure. I have no idea how you guys can deal with this... I'm on the

commercial side, just thinking about how people can "easily" become seL4 developer…

How is this affected by low-level technical details that are hidden behind libraries, especially if you use higher-level frameworks such as the Microkit?

Gernot

_______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems

Indan Zupancic

8:59 a.m.

Hello Hugo, The thing is, to fully understand how things work on a low level you can read the seL4 source, it's not that much, it's open and available to everyone. And it's really the best way to find out specific details. So the door is wide open already. People are welcome to ask questions to increase their understanding of how seL4 works, that's how this thread started. Perhaps it's nice to have a medium level description of how seL4 works on a technical level, but it will always describe someone's personal mental model, and will always be a simplification, hence slightly incorrect for some corner cases. However, the seL4 manual is not the place for such info, it's strength is exactly its terseness. Its goal is to give an overview of seL4, if there is too much detail that overview becomes lost and the manual becomes huge and not easily readable any more. The information should be limited to what the user needs to know when using sel4. Giving too much details too early only leads to confusion, people need to build a mental model of how seL4 works first and then they can adjust it when learning more. We can add more information to the website, feel free to open a pull request or open an issue to request specific documentation. I agree that there is so much more to say about seL4, but manpower is limited. Greetings, Indan On 2024-09-11 23:15, Hugo V.C. wrote:

...

Well, people usually like to understand how things work, moreover on a system like seL4. And, whether you like or not, there will be forks, hacks, modifications... the more info you provide, the more involved the community will be.

Frameworks are a must to speed up real life adoption, but ideally, all the low level info must be clear and the easier the better.

I used to pentest an RTOS derivative of VxWorks on top of some Marvel Armada cpus, at the beginning with public very abstract info, but the fun came when I got (legit) access to confidential low level cpu specs of the different models... then I undestood why some fault injection attacks were being successful.

Developers can do their job with just Mikrokit, but many of them, will have curiosity to understand why they need to do things the way they are forced. By being able to fully understand how things really work at low level, they get more involved, they can also contribute with improvements, and, hopefully, they will be happier than just blindly trust.

It's about letting the door open to developers and engineers to learn at deeper level, as easy as possible.

Maybe a door some people will never open, but for those who dare to open, would be nice to be sure they get engaged.

...
On 12 Sep 2024, at 06:41, Hugo V.C. wrote:

...
"I don’t think tutorials on microkernels and capabilities belong into

...
...
Sure. I have no idea how you guys can deal with this... I'm on the

commercial side, just thinking about how people can "easily" become seL4 developer…

How is this affected by low-level technical details that are hidden behind libraries, especially if you use higher-level frameworks such as

On Wednesday, September 11, 2024, Gernot Heiser via Devel wrote: the seL4 kernel documentation" the Microkit?

...
Gernot

Hugo V.C.

5:11 p.m.

...

Hello Hugo,

The thing is, to fully understand how things work on a low level you can read the seL4 source, it's not that much, it's open and available to everyone. And it's really the best way to find out specific details. So the door is wide open already.

People are welcome to ask questions to increase their understanding of how seL4 works, that's how this thread started.

Perhaps it's nice to have a medium level description of how seL4 works on a technical level, but it will always describe someone's personal mental model, and will always be a simplification, hence slightly incorrect for some corner cases.

However, the seL4 manual is not the place for such info, it's strength is exactly its terseness. Its goal is to give an overview of seL4, if there is too much detail that overview becomes lost and the manual becomes huge and not easily readable any more. The information should be limited to what the user needs to know when using sel4. Giving too much details too early only leads to confusion, people need to build a mental model of how seL4 works first and then they can adjust it when learning more.

We can add more information to the website, feel free to open a pull request or open an issue to request specific documentation. I agree that there is so much more to say about seL4, but manpower is limited.

Greetings,

Indan

On 2024-09-11 23:15, Hugo V.C. wrote:

...
Well, people usually like to understand how things work, moreover on a system like seL4. And, whether you like or not, there will be forks,

hacks,

...
modifications... the more info you provide, the more involved the community will be.

Frameworks are a must to speed up real life adoption, but ideally, all

...

...
low level info must be clear and the easier the better.

I used to pentest an RTOS derivative of VxWorks on top of some Marvel Armada cpus, at the beginning with public very abstract info, but the fun came when I got (legit) access to confidential low level cpu specs of the different models... then I undestood why some fault injection attacks were being successful.

Developers can do their job with just Mikrokit, but many of them, will have curiosity to understand why they need to do things the way they are forced. By being able to fully understand how things really work at low level,

...

...
get more involved, they can also contribute with improvements, and, hopefully, they will be happier than just blindly trust.

It's about letting the door open to developers and engineers to learn at deeper level, as easy as possible.

Maybe a door some people will never open, but for those who dare to open, would be nice to be sure they get engaged.

On Wednesday, September 11, 2024, Gernot Heiser via Devel wrote:

...
On 12 Sep 2024, at 06:41, Hugo V.C. wrote:

...
"I don’t think tutorials on microkernels and capabilities belong into

the seL4 kernel documentation"

...
...
Sure. I have no idea how you guys can deal with this... I'm on the

commercial side, just thinking about how people can "easily" become seL4 developer…

...
How is this affected by low-level technical details that are hidden

behind libraries, especially if you use higher-level frameworks such as

Hi Indan, yes source code is available, but people is not reading source code of a "standard" system, so just reading it, even if the most accurate way to know what's going on (this is how anyone will do it for Linux Kernel, in example) in the specific case of seL4, can be a bit frustrating, as most things we know about OS here do not apply. To be more clear, for anyone comming from Linux Kernel, seL4 is an alien... :-) And yes, door is open to read the code, that's why is open source. Sure. But I talk about another kind of door, the one of understanding how things work, maybe, with that medium level description you mention, really I don't know. Please don't misunderstand me 🙏, I'm not telling seL4 is opaque, it's Open Source, that's wonderful! I'm just telling that maybe having access to source code and the technical manual, is not enougth to the average seL4 newbie engineer. You guys do an amazing job. Manpower is probably the "problem". I know. I really know. Ok, step by step. On Thursday, September 12, 2024, Indan Zupancic wrote: the they the

...

...
Microkit?

...
Gernot

Indan Zupancic

11 Sep 11 Sep

8:18 a.m.

New subject: More about Objects (was: General Question On Object Methods)

Hello T, Great to hear it clicked! Now that you understand this, I'd like to mention that seL4 kernel "objects" are not as clear-cut as they seem. This is currently not very well explained in the manual and only something you will run into when actually using seL4, mostly manifesting as peculiar limitations. The straightforward kernel objects are the ones that need to be allocated with seL4_Untyped_Retype(): Those store their state in the allocated memory and you get access to it via a cap. You usually can do anything you would expect with caps to such objects, like moving and copying them around. There is a clear distinction between the object and the cap that grants access to it. However, some "objects" don't require any state, so they don't need any memory. For these having a cap is enough. Caps to such "objects" are always passed on to the rootserver. Examples are IRQControl, ASIDControl and Domain caps. If they are used to create other "objects" (e.g. IRQHandles, ASIDPools), then usually it's not allowed to copy the caps, as they are needed to keep track of the created derived caps. Here the line between objects and caps gets fuzzy, in a sense there are no objects as such, just caps that grant the right to perform certain system actions. Other objects have very little state and store that state in their cap. Examples are SchedControl and IRQhandler. If that state is read-only, like core or IRQ number, then there are no limitations on what you can do with those caps. If it is writeable state, then you usually can't copy the cap. Lastly, there are the tricky objects: Those that require both memory and also keep state in their cap. Examples are Untyped, VSpace, PageTable and Page. Because of this caps to these objects have peculiar properties and restrictions: Untyped caps can be copied, but only if it is empty and no derived object have been created yet, because the state can only be kept up-to-date in one place. VSpace related caps can be copied and need a copy per mapping, because the mapping information is stored in the cap and there is only enough space to store one mapping. I'd like to improve the manual to make the above clearer, but not sure how to approach it. Call everything an object, even if it doesn't require state? Does that make things clearer or more confusing? The manual sidesteps the issue by not really mentioning it at all currently. Or call everything a resource and only resources that require storage objects? Or call the stateless ones kernel services and make an explicit list of them? But in a sense it's an implementation detail whether something needs state and whether that fits in the cap or not, so why call it differently? Greetings, Indan On 2024-09-10 19:17, tunacici7@gmail.com wrote:

...

Hey Indan,

After reading your (and others) words, it finally clicked for me! Like you (and others) have said in seL4 all interaction are done by invoke objects via capabilities.

It sounds obvious at first (many resources talk about this), but understanding is another story:)

In case there are others like me that are still having a problem understanding system calls and object methods in seL4, I have collected my thoughts below.

System call is, in a more "traditional" sense, in other OSes is like this: - execute 'syscall' with a specific system call number from the user space - there are many syscall numbers defined in those OSes (e.g., read, write, mkdir)

In seL4, however, it's a bit different: - still execute 'syscall' from the user space - but this time only Send, Recv, Yield (and other variations) have their syscall numbers defined - those are the only "system calls" that we can directly compare to other "traditional" OSes - now, in handling of the system calls (e.g., Send()) there is a decoder (see 'decodeInvocation(...)') - those decoders determine which specific capability to invoke (see 'libsel4/include/interfaces/sel4.xml' for all invocations) - each of the invocations have their own numbers (similar to system call numbers) - so (like Indan have said) we have a two-tiered system (first is architecture/CPU 'syscall' and second is seL4 'invocations') - because of this we have a separation in API reference between System Calls and Object Methods - and since object methods (like UntypedRetype) are handled inside the seL4 they are executed at higher privilege level

Again, thanks everyone for the help & replies.

-T

Mark Jones

8 Sep 8 Sep

8:54 a.m.

The way I think about this is that many of the things that you might traditionally consider “system calls” are just special cases of sending a message to a kernel object using a capability. For example, the “system call” for changing the priority of a thread is actually implemented by sending a simple message (that includes the new priority) through a capability for the target thread (or rather, for the associated TCB object). Even sending a message to another thread by IPC is just a special case in which the capability you specify references an endpoint object (or a notification object, depending on which kind of IPC you are using). Libsel4 makes it easier to write user-level code that accesses these functions, but the implementations (including for things like seL4_Untype_Retype) are running in kernel space. One interesting detail is that, unless the user-level code has a hand in creating its own capability space, there is no general way for it to determine the types of the objects that it can access. For example, you might have code that you think is sending a “SetPriority” message to a thread, when in fact the object that it references is an endpoint whose messages are received and handled by another thread. So long as the latter provides a convincing simulation of a TCB object, the caller won’t notice a difference. This provides an interesting way to wrap additional functionality or restrictions around built-in kernel objects. I hope that helps! Best wishes, Mark [*] I used SetPriority as a simple example, but perhaps should mention that the real SetPriority message also requires a second TCB capability that provides the authority to change the first thread's priority.

...

On Sep 7, 2024, at 8:33 AM, tunacici7@gmail.com wrote:

I've recently started to learn seL4 by following the Tutorials, which have been great so far. I've been also reading the Manual & API reference to understand and gain insight into different mechanisms.

However, I have one fundamental question: Are the object methods system calls?

It is said that seL4 only has 3 logical system calls: Send, Recv and Yield. (In all the slides, videos and other documents I have seen) And the rest is just variations of those ones. But what about object methods? Are they system calls? Are they executed in kernel space?

If they are system calls, then wouldn't all the resources out there be misleading? Since there are way more than just Send, Recv and Yield. If they are not, then how are they handled? Does 'libsel4' have anything to do with it? I can't imagine 'seL4_Untype_Retype' executing in user space.

Unfortunately, I couldn't find any answers to this question online. So that's why I'm asking it here. Maybe there are others who wonders the same thing.

NOTE The API Reference page confuses me even more. It lists Object Methods in its own category (instead of being under System Calls). Does this means Object Methods are NOT system calls? Or the term System Call is just not what I think it is(basically an endpoint to kernel)?. END NOTE

Thanks for the answers in advance. -T _______________________________________________ Devel mailing list -- devel@sel4.systems To unsubscribe send an email to devel-leave@sel4.systems

Age (days ago)

Last active (days ago)

List overview

Download

15 comments

7 participants

participants (7)

Demi Marie Obenour
Gernot Heiser
Hugo V.C.
Indan Zupancic
Mark Jones
tunacici7＠gmail.com
z5257602＠unsw.edu.au

General Question On Object Methods

tags

participants (7)