Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Whitepaper Outline

Section-by-section sketch of the capOS whitepaper. Each section lists its supporting docs and its evidence dependency on evidence-gaps.md. The actual draft now lives at papers/schema-as-abi/main.typ; this file is the structural reference and stays in docs/paper/ alongside the plan and evidence-gap tracker. When a section’s evidence lands, update the draft in the same task that updates this outline and evidence-gaps.md.

§1. Introduction

  • Problem: kernel ABIs are typically C-header syscall conventions plus a separate rights/permission machinery; capability OSes typically still keep rights, IPC, and serialization as three layers.
  • Thesis (one paragraph): schema-as-ABI collapses these layers.
  • Contributions list. Map each contribution to a paper section and to a Tier-1 artifact in evidence-gaps.md.

Backed by: docs/overview.md, docs/capability-model.md.

  • seL4: untyped IPC, kernel-managed rights, formal verification. Source: docs/research/sel4.md.
  • Zircon: typed kernel objects, fixed syscalls. Source: docs/research/ (Zircon notes).
  • EROS / CapROS: persistent capabilities without schema-as-wire.
  • Genode: component-typed RPC over kernel IPC primitives. Source: docs/research/genode.md.
  • Plan 9: universal-interface as file I/O.
  • capnp-rpc: prior art for schema-driven RPC; capOS pulls this layer into the kernel boundary.
  • LLVM/target customization: relevant for the userspace runtime story.

Backed by: docs/research.md and docs/research/*.

§3. Capability Model

  • Typed schema = permission. No parallel rights bitmask.
  • Narrowing via wrapper capabilities, not flag reduction.
  • Generation tags, copy/move semantics, release ABI.
  • Service objects vs. badged endpoints (the badge migration).

Backed by: docs/capability-model.md, docs/proposals/service-object-capabilities-proposal.md, docs/architecture/capability-ring.md, docs/authority-accounting-transfer-design.md.

Evidence dependency: claim C1 in evidence-gaps.md.

§4. Ring Transport

  • SQ/CQ shared-memory ring as the only kernel boundary.
  • cap_enter semantics: flush pending SQEs, wait for completions or timeout.
  • Opcode set: CALL, RECV, RETURN, RELEASE, NOP. Reserved Finish.
  • Direct-switch IPC handoff.
  • Transport errors and CQE error model.
  • Loom protocol model.
  • Backpressure, fairness, scheduler-tick polling rules.

Backed by: docs/architecture/capability-ring.md, docs/architecture/ipc-endpoints.md, code in kernel/src/cap/ring.rs, capos-config/tests/ring_loom.rs, capos-rt/src/ring.rs.

Evidence dependency: C2.

§5. Capability Lifecycle

  • Copy, move, release.
  • Revocation: epoch model, Revocable Read proof.
  • Resource accounting: per-process ledger, exactly-once transfer rollback.
  • Service objects replacing badges.

Backed by: docs/authority-accounting-transfer-design.md, docs/proposals/service-object-capabilities-proposal.md, docs/backlog/stage-6-capability-semantics.md.

Evidence dependency: C1.

§6. System Composition

  • Manifest-driven boot, init service graph.
  • Authority broker, sessions, anonymous/operator/SSH-public-key paths.
  • Demo services: First Chat, Adventure, SSH Shell Gateway as the end-to-end auth/identity boundary.

Backed by: docs/architecture/manifest-startup.md, docs/proposals/service-architecture-proposal.md, docs/proposals/user-identity-and-policy-proposal.md, docs/proposals/ssh-shell-proposal.md, docs/security/trust-boundaries.md.

Evidence dependency: C2 plus completion of selected SSH milestone.

§7. Verification and Engineering Process

  • Kani / Loom / Miri / panic-surface inventory: scope, bounds, gaps.
  • Dependency policy, pinned trusted inputs.
  • Workplan / review discipline as part of the methodology.
  • Collaboration methodology: dedicated worktrees per task, mandatory gates, REVIEW_FINDINGS as durable open-issue tracking, merge-back-to-main rule.

Backed by: docs/proposals/security-and-verification-proposal.md, docs/security/verification-workflow.md, docs/panic-surface-inventory.md, docs/trusted-build-inputs.md, REVIEW.md, REVIEW_FINDINGS.md, WORKPLAN.md.

Evidence dependency: C5.

§8. Evaluation

  • cap_enter round-trip latency.
  • Ring throughput.
  • Endpoint IPC: scheduler path vs. direct-switch.
  • Schema dispatch vs. NullCap baseline.
  • Memory cost per capability slot.
  • Persistence proof-of-concept: round-trip integrity.
  • Network-transparency proof-of-concept: cross-instance call latency.

Evidence dependency: C2, C3, C4. All three artifacts are currently missing or partial; do not begin drafting this section until they exist.

§9. Limitations

Honest framing, written before §1 is tightened. Likely items:

  • Single architecture (x86_64). aarch64 deferred.
  • Partial SMP at time of writing; reflect actual state.
  • Persistence and network-transparency demonstrated as proofs-of-concept, not production subsystems.
  • Verification scoped to listed invariants; not whole-kernel.
  • No production hardware path; QEMU-only artifact.

§10. Future Work

Reference docs/roadmap.md Future Tracks rather than restating them. Topics: aarch64, GPU, live upgrade, persistence-at-scale, formal MAC/MIC, Go/WASI, cloud metadata, federated multi-instance demos.

§11. Collaboration Methodology Note

Short standalone section.

  • Workflow: per-task worktrees, mandatory verification gates, REVIEW.md conventions, REVIEW_FINDINGS.md as durable open-issue tracking, merge-back-to-main discipline.
  • What this enabled: surfacing review and merge hygiene against changing publication assumptions while keeping evidence-driven sequencing intact.
  • Reproducibility kit: pinned toolchains, ISO build, QEMU smoke targets.

§12. Conclusion

To be written last, after §8 numbers exist.

Appendices (candidate)

  • A. Schema excerpt for one representative capability with method-by-method ABI commentary.
  • B. Reproducibility kit: exact commands, pinned commits, expected outputs.
  • C. Build/boot flow diagram.
  • D. Process model diagram.