Introducing Iris

Bas Wijnen wijnen at
Tue Jul 28 02:20:41 EDT 2009


On Tue, Jul 28, 2009 at 09:28:43AM +0800, yajin wrote:
> I do not dig into too much about Iris, but what's the main differences
> between Iris and L4 family(such as pistachio and OKL4)?

L4 doesn't support capabilities with kernel protection.  That means that
if they are implemented, they are slow, and the access control is done
by the server.  This isn't always acceptable: When running an untrusted
server, I want to decide who it can listen to; it must not be allowed to
decide for itself.

As I explained, one of my main goals is to create a system where users
can trust their computer.  That includes the ability to totally sandbox
programs, not just for their outgoing traffic, but also incoming.  I
need kernel-protected capabilities for that.  Possibly it costs some
performance (I expect it will not be a lot, but I haven't tested), but
that's well worth it.

> One of the main disvantage is big IPC overhead?

That is a microkernel problem in general.  The problem is that there is
a lot more IPC than in a monolithic system, so even if it's fast, it
still is the main effect for performance.

AFAIK the L4 team managed to get their IPC really fast.  Iris' IPC still
needs to be fine-tuned; at the moment I just aimed for getting it to
work (in particular the assembly functions in iris.h are totally
non-optimal, because I didn't succeed in getting the values into the
registers the way I wanted).  But I did learn from the Mach-problem:
they have loads of features built into the IPC operation.  Most programs
don't use them, but do suffer a performance overhead from them.  This
makes Mach very slow.  Iris doesn't have any extra features built into
IPC, and it tries to keep the most used path (thread-to-thread IPC) as
fast as possible.  I have not done any performance tests, and as I
wrote, I didn't tune anything yet, so I don't know how well that worked.

- IPC is the main performance issue for any microkernel, including Iris.
- Iris tries to make it fast by letting programs implement optional
  features when they need them.
- For Iris, a "good" system with well-separated units and
  kernel-protected capabilities is considered more important than
  performance.  This means it's probably a bit slower, but much more
  hackable and trustable than something like Linux.


I encourage people to send encrypted e-mail (see
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <>

More information about the discussion mailing list