risc-v privileged architecture · risc-v virtual memory control by default, s-mode can’t access...
TRANSCRIPT
![Page 1: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/1.jpg)
RISC-V Privileged Architecture
Andrew Waterman
SiFive [email protected]
6th RISC-V Workshop, Shanghai Jiao Tong University
May 9, 2017
![Page 2: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/2.jpg)
New Draft Specifications are Released
§ User ISA v2.2
  - Improvements to documentation
  - Defines how narrow-precision FP types are represented in wider FP registers
  - Defines behavior using wider FP operations on narrow operands
§ Privileged ISA v1.10
  - Subject of this talk
§ Specs available on GitHub (source & PDF)
§ https://github.com/riscv/riscv-isa-manual
§ Moved to editorship model
![Page 3: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/3.jpg)
Privileged Architecture is Stable
§ 1.10 keeps compatibility with 1.9.1 for machine-mode-only implementations
§ Future releases should be compatible with 1.10 for supervisor ISA, too
§ Caveat: these are proposals; not yet ratified by Foundation
![Page 4: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/4.jpg)
RISC-V Privileged Architecture
§ Provide clean split between layers of the software stack
§ Application communicates with Application Execution Environment (AEE) via Application Binary Interface (ABI)
§ OS communicates via Supervisor Execution Environment (SEE) via System Binary Interface (SBI)
§ Hypervisor communicates via Hypervisor Binary Interface to Hypervisor Execution Environment
§ All levels of ISA designed to support virtualization
2 1.1draft: Volume II: RISC-V Privileged Architectures
[Figure: three software stacks built from Application, ABI, AEE, OS, SBI, SEE, Hypervisor, HBI and HEE boxes]
Figure 1.1: Different implementation stacks supporting various forms of privileged execution.
the OS, which provides the AEE. Just as applications interface with an AEE via an ABI, RISC-V operating systems interface with a supervisor execution environment (SEE) via a supervisor binary interface (SBI). An SBI comprises the user-level and supervisor-level ISA together with a set of SBI function calls. Using a single SBI across all SEE implementations allows a single OS binary image to run on any SEE. The SEE can be a simple boot loader and BIOS-style IO system in a low-end hardware platform, or a hypervisor-provided virtual machine in a high-end server, or a thin translation layer over a host operating system in an architecture simulation environment.
The rightmost configuration shows a virtual machine monitor configuration where multiple multi-programmed OSs are supported by a single hypervisor. Each OS communicates via an SBI with the hypervisor, which provides the SEE. The hypervisor communicates with the hypervisor execution environment (HEE) using a hypervisor binary interface, to isolate the hypervisor from details of the hardware platform.
Our graphical convention represents abstract interfaces using black boxes with white text, to separate them from actual components.
The various ABI, SBI, and HBIs are still a work-in-progress, but we anticipate the SBI and HBI to support devices via virtualized device interfaces similar to virtio [2], and to support device discovery. In this manner, only one set of device drivers need be written that can support any OS or hypervisor, and which can also be shared with the boot environment.
Hardware implementations of the RISC-V ISA will generally require additional features beyond the privileged ISA to support the various execution environments (AEE, SEE, or HEE), but these we consider separately as part of a hardware abstraction layer (HAL), as shown in Figure 1.2. Note
[Figure: the same three stacks, each with HAL and Hardware layers beneath its execution environment (AEE, SEE, HEE)]
Figure 1.2: Hardware abstraction layers (HALs) abstract underlying hardware platforms from the execution environments.
![Page 5: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/5.jpg)
RISC-V Privilege Modes
§ Three privilege modes
  - User (U-mode)
  - Supervisor (S-mode)
  - Machine (M-mode)
§ Supported combinations of modes:
  - M (simple embedded systems)
  - M, U (embedded systems with protection)
  - M, S, U (systems running Unix-like operating systems)
§ Planned support for hypervisors
![Page 6: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/6.jpg)
Simple Embedded Systems
§ Simplest implementation needs only M-mode
§ No address translation
§ Minimal memory protection
  - Trap bad physical addresses precisely
§ Application code is trusted
§ Low implementation cost
  - 27 bits of architectural state (in addition to user ISA)
  - +27 more bits for timers
  - +27 more for basic performance counters
![Page 7: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/7.jpg)
Embedded Systems with Protection
§ Application code is not trusted
§ Add U-mode; run app code in U-mode and trusted code in M-mode
§ Possibly add N extension for user-level interrupts
§ Still no address translation
§ Need mechanism to protect physical memory
![Page 8: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/8.jpg)
Physical Memory Protection Unit
§ Optional new feature in v1.10
§ When PMP is implemented, modes below M-mode have no memory permissions by default
§ Can grant R/W/X permissions on ≥4-byte granularity
§ Up to 16 PMP regions
§ Each PMP region is any naturally aligned power-of-2 number of bytes
§ Can configure adjacent PMP registers to form an arbitrary base-and-bounds region instead
§ PMPs can be locked (can’t be rewritten until reset), in which case they affect M-mode, too
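A model of the PMP check described on this slide, added here as an example and not taken from the talk or the spec sources. The pmpcfg/pmpaddr bit layout follows the v1.10 privileged spec rather than the slides; only OFF and NAPOT entries are modelled, and the two-region layout and its addresses are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/* pmpcfg byte fields as laid out in the v1.10 privileged spec. */
enum { PMP_R = 1, PMP_W = 2, PMP_X = 4, PMP_A = 3 << 3, PMP_NAPOT = 3 << 3, PMP_L = 0x80 };
enum priv { PRIV_U = 0, PRIV_S = 1, PRIV_M = 3 };
struct pmp_entry { uint8_t cfg; uint64_t addr; };   /* one pmpcfg byte + pmpaddr */

/* NAPOT pmpaddr for a naturally aligned power-of-2 region of >= 8 bytes:
 * address bits [..:2], then a 0 followed by ones whose count encodes the size. */
uint64_t pmp_napot_encode(uint64_t base, uint64_t size)
{
    return (base >> 2) | ((size >> 3) - 1);
}

static bool napot_match(uint64_t pmpaddr, uint64_t pa)
{
    uint64_t dont_care = pmpaddr ^ (pmpaddr + 1);   /* trailing ones + the 0 above them */
    return (((pa >> 2) ^ pmpaddr) & ~dont_care) == 0;
}

/* acc is one of PMP_R / PMP_W / PMP_X. TOR and NA4 entries are not modelled. */
bool pmp_allows(const struct pmp_entry *e, int n, enum priv p, uint64_t pa, int acc)
{
    for (int i = 0; i < n; i++) {                   /* lowest-numbered match decides */
        if ((e[i].cfg & PMP_A) != PMP_NAPOT || !napot_match(e[i].addr, pa))
            continue;
        if (p == PRIV_M && !(e[i].cfg & PMP_L))
            return true;                            /* unlocked entry: M-mode unaffected */
        return (e[i].cfg & acc) != 0;
    }
    return p == PRIV_M;                             /* no match: S/U have no permissions */
}

/* Constructed layout: locked R+X firmware window, unlocked R+W RAM window. */
bool sample_allows(enum priv p, uint64_t pa, int acc)
{
    const struct pmp_entry cfg[] = {
        { PMP_L | PMP_NAPOT | PMP_R | PMP_X, pmp_napot_encode(0x80000000u, 0x10000) },
        { PMP_NAPOT | PMP_R | PMP_W,         pmp_napot_encode(0x80100000u, 0x100000) },
    };
    return pmp_allows(cfg, 2, p, pa, acc);
}
```

The locked firmware entry is the one that also binds M-mode: a write there is refused at every privilege level until reset.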
![Page 9: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/9.jpg)
Support for Unix-like Operating Systems
§ Add S-mode to provide virtual memory
§ Memory divided into 4 KiB base pages
§ Radix-tree page tables
  - 2 levels for RV32 (Sv32)
  - 3 or 4 levels for RV64 (Sv39, Sv48)
  - Encoding space reserved for Sv57/Sv64
§ Superpages possible at all levels of page table
  - e.g. 2 MiB and 1 GiB for Sv39
§ Hardware PT walks specified in supervisor ISA
  - Can trap to M-mode for software TLB refill
![Page 10: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/10.jpg)
Interaction between PMP and VM
§ Physical Memory Protection and page-based virtual memory are composable
§ Address translation happens first, possibly generating page-fault exceptions
§ PMP unit checks translated address, possibly generating access exceptions
§ Useful when S-mode code is untrusted
![Page 11: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/11.jpg)
RISC-V Page Table Entries
§ Separately controlled R, W, X permissions
  - Supports X-only pages
  - W & ~R combination reserved
§ Supervisor can’t access user pages by default
§ Global bit indicates the mapping belongs to all address spaces (e.g. kernel pages in a Unix system)
§ Accessed/Dirty bits optionally managed by HW
  - Updates must be atomic w.r.t. permissions check
  - Complex to implement, so permit trapping when A/D not set instead
![Page 12: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/12.jpg)
RISC-V Virtual Memory Control
§ By default, S-mode can’t access user pages
  - Helps detect OS/driver bugs
  - Still need ability to read user memory, e.g. on system call
  - Set “Supervisor Access to User Memory” bit in sstatus to read user memory, then turn it off again
§ Similarly, S-mode can’t read execute-only pages
  - Set “Make Executable Readable” bit in sstatus to override
  - Useful for illegal-instruction trap handlers
§ S-mode can enable/disable VM and choose page-table depth in satp register
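The page-table-entry permission rules from the two slides above, written out as an added example (not code from the talk). PTE and sstatus bit positions, and the rule that S-mode never fetches from user pages, are taken from the v1.10 privileged spec; Accessed/Dirty handling is left out, and `kernel_reads_user` is a hypothetical helper name.

```c
#include <stdbool.h>
#include <stdint.h>

/* Low PTE bits in the v1.10 privileged spec: V R W X U (then G A D). */
enum { PTE_V = 1 << 0, PTE_R = 1 << 1, PTE_W = 1 << 2, PTE_X = 1 << 3, PTE_U = 1 << 4 };
/* sstatus bits named on the slide; positions per the v1.10 spec. */
#define SSTATUS_SUM (1u << 18)   /* Supervisor Access to User Memory */
#define SSTATUS_MXR (1u << 19)   /* Make Executable Readable */
enum access { ACC_LOAD, ACC_STORE, ACC_FETCH };

/* True if a leaf PTE permits the access; false models a page-fault exception.
 * A/D bit handling is not modelled. */
bool pte_permits(uint64_t pte, bool s_mode, enum access acc, uint32_t sstatus)
{
    if (!(pte & PTE_V) || ((pte & PTE_W) && !(pte & PTE_R)))
        return false;                   /* invalid, or reserved W-without-R encoding */
    if (pte & PTE_U) {
        /* S-mode needs SUM for loads/stores and never fetches from user pages. */
        if (s_mode && (acc == ACC_FETCH || !(sstatus & SSTATUS_SUM)))
            return false;
    } else if (!s_mode) {
        return false;                   /* U-mode may only touch pages with U set */
    }
    switch (acc) {
    case ACC_FETCH: return pte & PTE_X;
    case ACC_STORE: return pte & PTE_W;
    default:        /* load: readable, or executable when MXR is set */
        return (pte & PTE_R) || ((sstatus & SSTATUS_MXR) && (pte & PTE_X));
    }
}

/* Hypothetical syscall-path helper: open the SUM window, check, close it again. */
bool kernel_reads_user(uint64_t pte, uint32_t *sstatus)
{
    *sstatus |= SSTATUS_SUM;
    bool ok = pte_permits(pte, true, ACC_LOAD, *sstatus);
    *sstatus &= ~SSTATUS_SUM;
    return ok;
}
```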
![Page 13: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/13.jpg)
RISC-V Interrupt Design Goals
§ Simplicity
§ Support all kinds of platforms from microcontrollers to virtualized servers
§ Enable tradeoffs between performance and implementation cost
§ Flexibility to support specialized needs
![Page 14: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/14.jpg)
Interrupt Uses in Different Applications
§ High-performance Unix-like systems
  - Interrupt handling small fraction of processing time
  - Fast cores, smart devices
  - Minimal interrupt handler
  - Scheduling in software
§ Low/mid embedded systems
  - Interrupt handling significant fraction of processor time
  - Slow cores, dumb devices
  - Significant fraction of code in handlers
  - Interrupt controller acts as task scheduler
§ High-performance real-time systems
  - Can’t waste time on interrupt overhead
  - Handlers poll I/O devices with regular heartbeat
§ And everything in between
![Page 15: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/15.jpg)
Categorizing Sources of RISC-V Interrupts
§ Local Interrupts
  - Directly connected to one hart
  - No arbitration between harts to service
  - Determine source directly through xcause CSR
  - Only two standard local interrupts (software, timer)
§ Global (External) Interrupts
  - Routed via Platform-Level Interrupt Controller (PLIC)
  - PLIC arbitrates between multiple harts claiming interrupt
  - Read of memory-mapped register returns source
![Page 16: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/16.jpg)
Machine Interrupt Pending CSR (mip)
§ mip reflects pending status of interrupts for hart
§ Separate interrupts for each supported privilege level (M/S/U)
§ User-level interrupt handling (“N”) optional feature when U-mode present (discussed later)
[Figure: mip register layout, with field groups labelled External from PLIC, Local Timer, Local Software, and (Add Non-Standard Local Interrupts Here)]
![Page 17: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/17.jpg)
Software Interrupts
§ MSIP
  - Only writeable in machine-mode via memory-mapped control register (mapping is platform-specific)
  - One hart can write to different hart’s MSIP register
  - Mechanism for inter-hart interrupts
§ SSIP and USIP
  - Hart can only write bit xSIP in own mip register when running at privilege mode x or greater
§ App/OS can only perform inter-hart interrupts via ABI/SBI calls
  - Destination virtual hart might be descheduled
  - Interrupts virtualized by M-mode software using MSIP
![Page 18: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/18.jpg)
Timer Interrupts
§ MTIP
  - Single 64-bit real-time hardware timer and comparator in M-mode
  - MTIP set when mtime >= mtimecmp
  - MTIP cleared by writing new mtimecmp value
§ STIP and UTIP
  - M-mode multiplexes single hardware timer and comparator for lower-privilege modes on same hart
  - ABI/SBI calls to set up timer
  - M-mode software writes/clears STIP/UTIP
§ Most systems will also have other hardware timers attached via PLIC etc.
![Page 19: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/19.jpg)
External Interrupts
§ MEIP, SEIP, UEIP
  - Inputs from a Platform-Level Interrupt Controller (PLIC)
  - Each privilege mode has its own input from PLIC
  - Interrupts cleared with loads/stores to PLIC
  - Software can inject SEIP and UEIP interrupts to support virtualizing the PLIC
![Page 20: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/20.jpg)
Platform-Level Interrupt Controller (PLIC)
[Figure: PLIC block diagram. Labels: External Interrupt 1 and External Interrupt 2 (Global Interrupts) feeding the PLIC; Hart 0 and Hart 1, each with External, Timer and Software inputs for U, S and M (Local Interrupts)]
![Page 21: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/21.jpg)
Platform-Level Interrupt Controller
[Figure: PLIC internals. Labels: Interrupt 1 Signals and Interrupt 2 Signals entering PLIC Gateways (Interrupt Request); PLIC Core with per-source Priority and IP, per-target IE bits, Threshold, Max Pri. and Max ID; outputs EIP (Interrupt Notification) and Interrupt ID to Target 0 and Target 1]
![Page 22: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/22.jpg)
Machine Interrupt Enable CSR (mie)
§ mie mirrors layout of mip
§ Provides per-interrupt enables
§ Also, global interrupt enables in mstatus for each privilege mode
§ Interrupts always disabled for lower privilege modes; always enabled for higher privilege modes
[Figure: mie register layout, with field groups labelled External from PLIC, Local Timer, Local Software]
![Page 23: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/23.jpg)
All interrupts trap to M-mode by default
§ mcause register indicates which interrupt occurred
§ M-mode can redirect to appropriate privilege level using MRET instruction
![Page 24: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/24.jpg)
Optional Interrupt Handler Delegation
§ Can delegate interrupt (and exception) handling to lower privilege level to reduce overhead
§ mideleg has same layout as mip
§ If a bit is set in mideleg then corresponding interrupt delegated to next lowest privilege level (S or U)
§ Can be delegated again using sideleg
§ Once delegated, the interrupt will not affect current privilege level (mie setting ignored)
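How the enable and delegation rules from the mie and mideleg slides combine for a single interrupt, as an added example that is not part of the talk. Bit numbers follow the v1.10 privileged spec; only M and S targets are modelled (no N extension or sideleg), and `irq_target` is a hypothetical name.

```c
#include <stdint.h>

enum priv { PRIV_U = 0, PRIV_S = 1, PRIV_M = 3 };

/* Global interrupt enables in mstatus (bit positions per the v1.10 spec). */
#define MSTATUS_SIE (1u << 1)
#define MSTATUS_MIE (1u << 3)

/* Bit numbers shared by mip, mie and mideleg (v1.10 spec). */
enum { IRQ_SSIP = 1, IRQ_MSIP = 3, IRQ_STIP = 5, IRQ_MTIP = 7, IRQ_SEIP = 9, IRQ_MEIP = 11 };

/*
 * Returns the privilege mode that takes interrupt `irq` right now,
 * or -1 if it stays pending. `cur` is the hart's current privilege mode.
 */
int irq_target(enum priv cur, uint32_t mstatus, uint32_t mip, uint32_t mie,
               uint32_t mideleg, int irq)
{
    uint32_t bit = 1u << irq;

    if (!(mip & mie & bit))
        return -1;                      /* not pending, or per-interrupt enable clear */

    /* Default target is M-mode; a set mideleg bit hands the interrupt to S-mode. */
    enum priv dest = (mideleg & bit) ? PRIV_S : PRIV_M;

    if (cur > dest)
        return -1;                      /* never taken while running above the target */
    if (cur == dest) {                  /* same mode: that mode's global enable decides */
        uint32_t gie = (dest == PRIV_M) ? MSTATUS_MIE : MSTATUS_SIE;
        if (!(mstatus & gie))
            return -1;
    }
    return dest;                        /* cur < dest: always enabled for higher modes */
}
```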
![Page 25: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/25.jpg)
Hypervisor Status
§ Previous spec sketched a fourth privilege mode, H, above S (M/H/S/U)
§ Designed for Type-1 hypervisor support
§ Feedback from community led us to pursue HW support for Type-2 hypervisors (like KVM) instead
  - Still works well for Type-1 hypervisors
§ Plan is to make a full proposal by September
![Page 26: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/26.jpg)
Implementation Status
§ Spike and UCB Rocket-Chip conform to v1.10
§ Linux port to v1.10 works with Spike/Rocket
  - Working on upstreaming the Linux kernel
§ Upstream GCC and binutils ports are compatible
![Page 27: RISC-V Privileged Architecture · RISC-V Virtual Memory Control By default, S-mode can’t access user pages-Helps detect OS/driver bugs-Still need ability to read user memory, e.g](https://reader033.vdocuments.site/reader033/viewer/2022051923/6010f28aac03437e1a44fc07/html5/thumbnails/27.jpg)
Questions?
Specs available at https://github.com/riscv/riscv-isa-manual