/Documentation/arm/msm/emulate_domain_manager.txt


Copyright (c) 2009, Code Aurora Forum. All rights reserved.

Redistribution and use in source form and compiled forms (SGML, HTML, PDF,
PostScript, RTF and so forth) with or without modification, are permitted
provided that the following conditions are met:

Redistributions in source form must retain the above copyright notice, this
list of conditions and the following disclaimer as the first lines of this
file unmodified.

Redistributions in compiled form (transformed to other DTDs, converted to
PDF, PostScript, RTF and other formats) must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.

THIS DOCUMENTATION IS PROVIDED BY THE CODE AURORA FORUM "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
AND NON-INFRINGEMENT ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD
DOCUMENTATION PROJECT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Introduction
============

The 8x50 chipset requires the ability to disable the HW domain manager
function.

The ARM MMU architecture has a feature known as domain manager mode.
Briefly, each page table, section, or supersection is assigned a domain.
Each domain can be globally configured to NoAccess, Client, or Manager
mode. These global configurations allow the access permissions of the
entire domain to be changed simultaneously.

The domain manager emulation is required to fix a HW problem on the 8x50
chipset. The problem is simple to repair except when domain manager mode
is enabled. The emulation allows the problem to be completely resolved.
Hardware description
====================

When domain manager mode is enabled on a specific domain, the MMU
hardware ignores the access permission bits and the execute never bit. All
accesses to memory in the domain are granted full read, write, and
execute permissions.

The mode of each domain is controlled by a field in the cp15 dacr register.
Each domain can be globally configured to NoAccess, Client, or Manager mode.

See: ARMv7 Architecture Reference Manual
Software description
====================

In order to disable domain manager mode the equivalent HW functionality must
be emulated in SW. Any attempt to enable domain manager mode must be
intercepted.

Because domain manager mode is not enabled, permissions for the
associated domain will remain restricted, and permission faults will be
generated. The permission faults will be intercepted, and the faulted
pages/sections will be modified to grant full access and execute
permissions.

The modified page tables must be restored when exiting domain manager mode.
Design
======

Design Goals:

  Disable Domain Manager Mode
  Exact SW emulation of Domain Manager Mode
  Minimal Kernel changes
  Minimal Security Risk

Design Decisions:

  Detect kernel page table modifications on restore
  Direct ARMv7 HW MMU table manipulation
  Restore emulation modified MMU entries on context switch
  No need to restore MMU entries for MMU entry copy operations
  Invalidate TLB entries on modification
  Store Domain Manager bits in memory
  8 entry MMU entry cache
  Use spin_lock_irqsave to protect domain manipulation
  Assume no split MMU table

Design Discussion:

Detect kernel page table modifications on restore -

When restoring original page/section permission faults, the submitted design
verifies the MMU entry has not been modified. The kernel modifies MMU
entries for the following purposes: create a memory mapping, release a
memory mapping, add permissions during a permission fault, and map a page
during a translation fault. The submitted design works with the listed
scenarios. The translation fault and permission faults simply do not happen on
relevant entries (valid entries with full access permissions). The alternative
would be to hook every MMU table modification. The alternative greatly
increases complexity and code maintenance issues.

Direct ARMv7 HW MMU table manipulation -

The natural choice would be to use the kernel provided mechanism to manipulate
MMU page table entries. The ARM MMU interface is described in pgtable.h.
This interface is complicated by the Linux implementation. The level 1 pgd
entries are treated and manipulated as entry pairs. The level 2 entries are
shadowed and cloned. The compromise chosen was to use the ARMv7 HW
registers directly to walk and modify the MMU table entries. The choice limits
the usage of this implementation to ARMv7 and similar ARM MMU architectures.
Since this implementation is targeted at fixing an issue in 8x50 ARMv7, the
choice is logical. The HW manipulation is in distinct low level functions.
These could easily be replaced or generalized to support other architectures
as necessary.

Restore emulation modified MMU entries on context switch -

This additional hook was added to minimize performance impact. By guaranteeing
the ASID will not change during the emulation, the emulation may invalidate each
entry by MVA & ASID. Only the affected page table entries will be removed from
the TLB cache. The performance cost of the invalidate on context switch is near
zero. Typically on context switch the domain mode would also change, forcing a
complete restore of all modified MMU entries. The alternative would be to
invalidate the entire TLB every time a table entry is restored.

No need to restore MMU entries for copy operations -

Operations which copy MMU entries are relatively rare in the kernel. Because
we modify the level 2 pte entries directly in hardware, the Linux shadow copies
are left untouched. The kernel treats the shadow copies as the primary pte
entry. Any pte copy operations would be unaffected by the HW modification.
On a translation section fault, pgd entries are copied from the kernel master
page table to the current thread page table. Since we restore MMU entries on
context switch, we guarantee the master table will not contain modifications
while faulting on a process local entry. Other read-modify-write operations
occur during permission fault handling. Since we open permissions on modified
entries, these do not need to be restored, because we guarantee these
permission fault operations will not happen.

Invalidate TLB entries on modification -

No real choice here. This is more of a design requirement. On permission
fault, the MMU entry with restricted permissions will be in the TLB. To open
access permissions, the TLB entry must be invalidated. Otherwise the access
will permission fault again. Upon restoring original MMU entries, the TLB
must be invalidated to restrict memory access.

Store Domain Manager bits in memory -

There was only one alternative here. The 2.6.29 kernel only uses 3 of 16
possible domains. Additional bits in dacr could be used to store the
manager bits. This would allow faster access to the manager bits.
Overall this would reduce any performance impact. The performance
needs did not seem to justify the added weirdness.

8 entry MMU entry cache -

The size of the modified MMU entry cache is somewhat arbitrary. The thought
process is that typically a thread is using two pointers to perform a copy
operation. In this case only 2 entries would be required. One could imagine
a more complicated operation, a masked copy for instance, which would require
more pointers. 8 pointers seemed to be large enough to minimize the risk of
permission fault thrashing. The disadvantage of a larger cache would simply
be a longer list of entries to restore.

Use spin_lock_irqsave to protect domain manipulation -

The obvious choice.

Assume no split MMU table -

This same assumption is documented in cpu_v7_switch_mm.
Power Management
================

Not affected.

SMP/multi-core
==============

SMP/multicore not supported. This is intended as an 8x50 workaround.

Security
========

MMU page/section permissions must be manipulated correctly to emulate domain
manager mode. If page permissions are left in full access mode, any process
can read the associated memory.

Performance
===========

Performance should be impacted only minimally. When emulating domain manager
mode, there is overhead added to MMU table/context switches, set_domain()
calls, data aborts, and prefetch aborts.

Normally the kernel operates with domain != DOMAIN_MANAGER. In this case the
overhead is minimal. An additional check is required to see if domain manager
mode is on. This minimal code is added to each of the emulation entry points:
set, data abort, prefetch abort, and MMU table/context switch.

Initial accesses to an MMU protected page/section will generate a permission
fault. The page will be manipulated to grant full access permissions and
the access will be retried. This will typically require 2-3 page table
walks.

On a context switch, all modified MMU entries will be restored. On thread
resume, additional accesses will be treated as initial accesses.
Interface
=========

The emulation does not have clients. It is hooked to the kernel through a
small list of functions.

  void emulate_domain_manager_set(u32 domain);
  int emulate_domain_manager_data_abort(u32 dfsr, u32 dfar);
  int emulate_domain_manager_prefetch_abort(u32 ifsr, u32 ifar);
  void emulate_domain_manager_switch_mm(
          unsigned long pgd_phys,
          struct mm_struct *mm,
          void (*switch_mm)(unsigned long pgd_phys, struct mm_struct *));

emulate_domain_manager_set() is the set_domain handler. This replaces the
direct manipulation of CP15 dacr with a function call. This allows emulation
to prevent setting dacr manager bits. It also allows emulation to restore
page/section permissions when domain manager mode is disabled.

emulate_domain_manager_data_abort() handles data aborts caused by domain
manager mode not being set in HW, and handles section/page manipulation.

emulate_domain_manager_prefetch_abort() is the similar prefetch abort handler.

emulate_domain_manager_switch_mm() handles MMU table and context switches.
This notifies the emulation that the MMU context is changing, allowing the
emulation to restore page table entry permissions before switching contexts.
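As an added illustration of the design described above (not the kernel's own code), here is a small user-space C model of the three hooks: manager bits are kept in memory and stripped from the value that reaches dacr, a permission fault in an emulated-manager domain opens the entry and records the original in the 8 entry cache, and a context switch or leaving manager mode restores every entry the kernel has not rewritten in the meantime. The entry layout, the one-level table, identifying the fault by page index, and the behaviour when the cache is full are assumptions of this model.

```c
#include <stdint.h>
/* Toy user-space model of the emulation (added here, not kernel code);
 * the entry layout (domain at bits 5-8, AP at bits 10-11) is an assumption. */
#define DOMAIN_CLIENT   1u
#define DOMAIN_MANAGER  3u
#define ENTRY_DOMAIN(e) (((e) >> 5) & 0xfu)
#define ENTRY_AP_FULL   (3u << 10)
#define CACHE_SIZE      8            /* the "8 entry MMU entry cache" */
static uint32_t hw_dacr;             /* value the real cp15 dacr would get */
static uint16_t manager_bits;        /* manager bits kept in memory instead */
static uint32_t page_table[16];      /* toy one-level table, index = page */
static struct saved { int idx; uint32_t orig, mod; } cache[CACHE_SIZE];
static int cache_len;

/* Put back every entry we opened; skip any the kernel rewrote meanwhile
 * (the "detect kernel page table modifications on restore" check). */
static void restore_entries(void) {
    for (int i = 0; i < cache_len; i++)
        if (page_table[cache[i].idx] == cache[i].mod)
            page_table[cache[i].idx] = cache[i].orig; /* then TLB invalidate */
    cache_len = 0;
}

/* set_domain handler: manager bits are recorded but never reach hardware. */
void emulate_domain_manager_set(uint32_t dacr) {
    uint16_t bits = 0;
    for (int d = 0; d < 16; d++)
        if (((dacr >> (2 * d)) & 3u) == DOMAIN_MANAGER) {
            bits |= (uint16_t)(1u << d);
            dacr = (dacr & ~(3u << (2 * d))) | (DOMAIN_CLIENT << (2 * d));
        }
    if (manager_bits & ~bits)        /* a domain left manager mode: restrict */
        restore_entries();
    manager_bits = bits;
    hw_dacr = dacr;
}

/* Permission fault on page idx: 1 = absorbed by emulation, 0 = real fault. */
int emulate_domain_manager_data_abort(int idx) {
    uint32_t e = page_table[idx];
    if (!(manager_bits & (1u << ENTRY_DOMAIN(e))) || (e & ENTRY_AP_FULL) == ENTRY_AP_FULL)
        return 0;
    if (cache_len == CACHE_SIZE) restore_entries(); /* full: start over (assumed) */
    page_table[idx] = e | ENTRY_AP_FULL;             /* then TLB invalidate */
    cache[cache_len++] = (struct saved){ idx, e, e | ENTRY_AP_FULL };
    return 1;
}

/* Context switch: nothing we opened may survive into another address space. */
void emulate_domain_manager_switch_mm(void) { restore_entries(); }
```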
Config options
==============

This feature is enabled/disabled by the EMULATE_DOMAIN_MANAGER_V7 option.

Dependencies
============

The implementation is for ARMv7, MMU, and !SMP. It targets solving the issue
for the 8x50 chipset.

User space utilities
====================

None

Other
=====

Code is implemented in kernel/arch/arm/mm.

arch/arm/mm/emulate_domain_manager.c contains comments. No additional public
documentation is available or planned.

Known issues
============

No intent to support SMP or non ARMv7 architectures

To do
=====

None