This repository has been archived by the owner on Aug 23, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Separate unsafe from initialization logic of RawPageTable.
* More informative variable name
* Refactor drop of PageTable and PTE.
* Remove TODO
* Update rust toolchain.
* Reduce trivial unsafety at MemoryManager::new
* Update dependency: static_assertions.
* Minor refactoring: Pages
* Use # format specifier rather than manually writing 0x for hex numbers.
Change-Id: Ic3f98b33b34ce5ffe3300a5ca9c9c309ef2c056c
* [DOC] Added missing Debian package to getting started guide
aarch64-linux-gnu-gcc is required (in addition to
binutils-aarch64-linux-gnu) to cross compile linux for AArch64.
Change-Id: I9d1f9f3a163d7833b9bfcdeb95488e2677e44e1b
* Avoid including vm.h header in tests.
Bug: 115484857
Change-Id: I3145826c057d28ddab2c830361a5881e4455f016
* Test that floating-point operations work in primary VM.
Bug: 129131324
Change-Id: Ifc782051d44539afad8149f865f4f92bed2cea0f
* Fix some bugs
* Minor fixes.
* Rollback to the original implementation of Pool::alloc().
* Unmark unsafe at List::pop().
* Trap access to ICC_SRE_EL1 as well.
Bug: 132960440
Change-Id: I3e81ee7bc138f1c2fb411ec6b429b41b9ff630e5
* Hermetic builds inside a container
Adds 'build/docker/Dockerfile' which describes the base container image of
Hafnium compilation environment. This image is built and uploaded to GCP
where users download it from. The feature is always enabled for Kokoro
and can optionally be enabled for local builds too. Once rootless
containers are easier to set up, we might make it the default for local
builds too.
An arbitrary command can be executed inside the container with
'build/run_in_container.sh [-i] <command> ...'. This is done
automatically inside 'Makefile' and 'kokoro/ubuntu/build.sh' which
detect whether they are already running inside the container and respawn
themselves using 'run_in_container.sh' if not.
The feature is guarded with HAFNIUM_HERMETIC_BUILD environment variable,
switched on if the value is "true". All other values switch it off, e.g.
'run_in_container.sh' sets it to 'inside' to avoid recursion.
Bug: 132428451
Test: HAFNIUM_HERMETIC_BUILD=<value> make
Test: HAFNIUM_HERMETIC_BUILD=<value> kokoro/ubuntu/build.sh
Change-Id: I0737a868ab4f67c0fdbf78fa8a97cc91714d2e10
* Keep logs in a circular buffer so they can be extracted from a RAM dump.
Bug: 115484857, 132429213
Change-Id: I7ae3fd6c24ca8b42f581d9d4417fc6c49b23b43d
* Add depfile for linux targets
Linux tree did not use to specify any sources and would therefore never
be rebuilt after first build. Add a script which generates a depfile for
the tree and use it for a target that linux targets depend on.
Test: make ; touch third_party/linux/README; make (should recompile); \
make (should not recompile)
Change-Id: Id0a06be73de2ed31c52f1697ac00f7d45425b43b
* Simplify GN logic by creating a target for prebuilt Linux
The `initrd` GN template currently supports two different ways of
specifying a primary VM image - name of a target or a path to a prebuilt
image. These use different target properties (as GN has no mechanism of
classifying a string as either a target or a path).
Simplify this in anticipation of using different Linux targets for
different HW boards in platform args by creating a target for each
prebuilt image. The `linux_kernel` template accepts a `prebuilt` path
and creates a "${target_name}__prebuilt" target which copies the image
into the out folder. As a side effect, this more closely ties the image
to the source code in the GN file.
Change-Id: I2afa295e666581393e9a80c311d7d8fe56d4fbba
* smc wrapper function conformance
smc wrapper function accepts all arguments and returns all four result
registers.
Bug: 132421503
Change-Id: If3030df8ffe77f26a89d73959d9e05c3bd269c05
* Updating linux submodule
Change-Id: I7ce6e1c5f540c9a619c70949fb99606c89fbabe9
* Create separate path for SMC forwarding
This is the first stage of creating an SMC forwarding path based on
the manifest.
Currently none of the SMCs are forwarded, which maintains existing behavior.
Bug: 132421503
Change-Id: I1c3257b83346d47ff1e71db3898b9b85be14a043
* Fix stack push/pop alignment for SMC wrapper
AArch64 requires stack pointer alignment of two X (8 byte) registers.
Bug: 132421503
Change-Id: Ib93bd47a49286ec9646bfd1f0456c8765fa64aca
* Better error handling in Hafnium tests
When the emulator crashes/times out, instead of generating a json output, hftest
crashes when a json parsing exception is thrown. This patch handles the
exception and tries to print the error it encountered instead.
Change-Id: Ice353e6a53c64ecc2cfdc8045cbde0a1fed2077d
* Generate VM IDs with an offset of 1
The SMCCC reserves VM ID 0 for the hypervisor itself, therefore, other VM IDs
should start after that (at least, but not necessarily at 1).
- Generate VM IDs with an offset defined by HF_VM_ID_OFFSET (currently 1)
- Fix hardcoded IDs and other code that assumes VM IDs start at 0.
Bug: 132421503
Change-Id: I47cff8734ac153dcb1a1a435285153d6caf2877e
* Fix capitalisation of VM in comments.
Change-Id: Ib337ebdebee9cb917029c464f292f1b4cbf11cba
* Autoformat docs.
Change-Id: Ibc270de8cd6d8535e20847098175d8a00c67abe9
* Adding overview of tests, based on David's doc.
Change-Id: I3e2e262966a0584a43a86a49570d0d3db7cff09f
* Add doc about running tests on FVP.
Change-Id: I29063eb7a0ef66f9093740c158cff15512ed15d2
* Enable MMU and caching in VM API tests
VM API tests are failing on real hardware because VMs are not seeing
data written by the hypervisor. The reason for this is that Hafnium has
data caching enabled while the test VMs do not. Solve this discrepancy
by enabling data caching in the VMs too, which requires enabling stage-1
MMU translation.
The entire address space is identity-mapped with read-write-execute
permisssions. Only GIC tests currently require custom device mappings.
Implementation shares ptable management code from src/mm.c and
src/arch/mm.c.
Bug: 138985026
Test: ./kokoro/ubuntu/build.sh
Change-Id: Ib9f599c448d70296a6ca869ddbb51abfcc55148d
* Add Linux Hafnium module socket unit test
Add a Linux module unit test that covers more cases than the basic load/unload.
This test create a secondary VM, and using the socket interface sends a message
and received the same payload as a response.
Bug: 138977432
Change-Id: Ibbc313c1a788924b2f227a28bf0ecd3bf21304a1
* Adding documentation on VM interface, and links from README.
Change-Id: I73e9ce0ff5e4de92f4a86ce78bb49fd6a7f7bda5
* Add script to dump system files used by build
In order to move towards builds which only use resources in the Hafnium
repo, this patch adds a script which runs the build with strace and
dumps all files touched in the process. Files in the Hafnium directory
and in /tmp are automatically filtered out.
Bug: 132428451
Test: ./build/strace_open.sh opened_files.txt
Change-Id: I03a2df4eedf40c456b65920ec8bf98ad08e747c6
* Refactor aarch64 barriers and TLBI commands
Use macros instead of function calls to not rely on LTO inlining.
Make macros take the op-kind argument to generalize.
Test: ./kokoro/ubuntu/build.sh
Change-Id: I8a5553d47cf3a0965fbf35d93c3c925f5f02ac4e
* Add missing instruction barriers to TLB flush code
Also add comments explaining why individual barriers are needed.
Change-Id: I2510ca56682129ffd754e09074e25c478b490c56
* Copy kernel module source including subfolders
Previously the build used the GN copy() target to copy the source
of a to-be-built kernel module into the output directory. However,
the target does not support preserving subfolder structure. Replace
it with a Python script.
A new 'source_dir_copy' template is added, which creates a dependency
on the files in the source directory using the 'source_dir' target.
Then it copies the files into 'target_out_dir'. When the source
directory changes, the copying Python script is invoked again, updating
the copy in the out folder.
Change-Id: I23f2807fbb77bcf6d933e9541f5dbf1f2429b410
* Tidy up some code
Bug: 138977432
Change-Id: Ib3a826b4ea64b42cc229b81cd956f5ecb775d589
* Flush all TLB entries if range too large
Revisions of the ISA prior to ARMv8.4 do not support invalidation of
a range of addresses, only looping per page or invalidating all. Hafnium
currently only supports the former, this patch adds the latter for
performance reasons.
Change-Id: I2d07c66eaea0dabfdec1b63673103c1f43866784
* Separate mm initialization from enablement.
The configuration is static so it doesn't matter where it is originally
calculated. There were previously multiple paths for enablement, one
being implicit in initialization, so this splits them apart.
Bug: 139269163
Change-Id: Ic82c351b6e84b7d46e79f5886b39d07e53e6fde6
* Make all TLB flushes apply to inner-shareable PEs
Change-Id: I6e61d3a7e1cdf64f18119e946758923cec9764fb
* Separate mm initialization from enablement for VMs.
Change-Id: I891911bcd9087f584aed086f37b1aadf40673ce5
* Save/restore mdcr_el2 with a vCPU system registers
Monitor Debug Configuration Register (EL2) configures performance monitor
extensions, which include debug as well as performance registers. Trapping
on certain accesses to these registers will likely vary between VMs.
Make the code for saving/restoring register state when handling exceptions more
flexible. ldp/stp indices must be in the range [-512, 504]. Use post-index
addressing to keep the base index register up to date.
Bug: 132422368
Change-Id: I5d095b19d8753f2a23b3b089f62a69041314ca08
* Move barriers.h to aarch64 inc folder
The file now contains aarch64 assembly and should not be in the
architecture-agnostic folder.
Change-Id: I4c5c7d98ffe75d95ee35fc360c025a8c68c10cb3
* Introduce a DT-based manifest
These are first steps towards a new manifest format. A new "device_tree"
build target is introduced to compile DTS files to DTB, and
`generate_initrd.py` now does not produce a "vms.txt" file. Instead
"initrd" targets are expected to provide a path to a DTS manifest in the
format:
/dts-v1/;
/ {
hypervisor {
vm1 {
debug_name = "primary";
};
vm2 {
debug_name = "secondary1";
kernel_filename = "filename";
vcpu_count = <N>;
mem_size = <M>;
};
...
};
};
The information provided in the manifest matches "vms.txt".
Bug: 117551352
Test: manifest_test.cc
Test: used by hftest
Change-Id: I6b70bd44d2b110c4f7a6b971018c834084b6d8c4
* Assign correct stack to CPUs.
The CPU should get the corresponding entry from the callstacks for
easier understanding. In particular, the boot CPU must get the 0th
callstack since it has already been using that stack since boot.
Change-Id: I435f5f9580baecae4be233507b72faa4da00d78f
* Lock vCPU when accessing enabled_and_pending_count.
Change-Id: Ic71d89c3b7a8acec71ac593228219e4044e58664
* Print all characters from debug log.
Change-Id: I042384bbd33bcda3a8bde86f6af2beff23ce2d1a
* std.c: Refactor, bring semantics closer to spec.
Small refactor replacing the pattern of verifying inputs in
safe equivalents of stdlib functions with a CHECK-like macro
which adheres to the C11 semantics of filling the destination
buffer when a constraint is not satisfied at runtime.
Semantic changes:
memcpy_s: More permissive memory ranges. Used to check that source does
not overlap with the entire destination buffer, when only the first
`count` bytes matter.
memcpy_s: Used to allow `dest==src`. Safe under our implementation in
aarch64 but not allowed under C11.
strlen_s: Should return 'strsz' if NULL character not found.
Change-Id: If483a97e6ee1c64c7f2afed9a0af1d3087da7002
* Apply minor reviews on #72
* Avoid using `u64::from_bytes` that may cause UB by transmuting `[u8; 8]` into `u64`.
* Make check_or_fill a function.
* SPCI: memory relinquish.
The relinquish mechnism implementation accepts a single memory region
with a single constituent.
Multiple memory region and constituent support will be introduced in
a later commit.
Change-Id: I9588ae597fd56336da135522b74e4a42e4514042
* SPCI: Memory lend with shared access.
Change-Id: I1c6d583b504eea62ba1eee375f53c41d6f846afe
* SPCI Lend and Relinquish: Add initial tests to exercise functionality
Add tests to verify core functionality of `spci_memory_lend`,
`spci_memory_relinquish` and their interactions with
`spci_memory_donate`.
Change-Id: I440d0a385d27f0aad370eb555e2d20e3be726328
* SPCI: Add a buffer of len PAGE_SIZE to each CPU.
The buffers are used to store a copy of the contents of the Tx buffer
when handling an architected message. This is mostly relevant for
memory sharing.
There exists a single buffer per CPU.
Change-Id: I60c4eab865b01fb73825308439faa72c8af85fb2
* manifest_test: Build DTs programatically
Manifest unit tests used to come with binary blobs of DTs to test.
This results in having the refresh all the blobs whenever a new required
property is added to the manifest. This patch adds a DTBuilder class
for programatically constructing a DT and compiling it with `dtc`.
Bug: 117551352
Change-Id: Ic6962ad494c200d612988cf25648dd23b9d76c93
* Use DTC from prebuilts
Sibling CL I2444a8574cf41e0ca92cf92b9bd4aa3a2de8b4ec adds a prebuilt
of the Device Tree Compiler. Switch our scripts to using it instead of
the one in system.
This is necessary because:
(a) hermetic builds, and
(b) dtc in Ubuntu is outdated.
Note that we cannot remove dtc from the compilation container yet as it
is still required for compiling the Linux kernel.
Bug: 117551352
Bug: 132428451
Change-Id: I68a9c266b0212d8bbfb60c5389b28d3f6fe5e8cf
* manifest: Require 'compatible' property in 'hypervisor' node
Other hypervisors also use a 'hypervisor' node in the FDT to pass
config information to the VMs. Add requirement to specify which
hypervisors the node is compatible with. The 'compatible' property
is a list of NULL-separated strings in the format
"<manufacturer>,<model>". Following the naming convention of other
projects, we will use "hafnium,hafnium" as a match-all-versions value,
and later add "hafnium,hafnium_<version>" values to match specific
releases of Hafnium.
Bug: 117551352
Change-Id: Ie6dadcdace37318d4d122e80fefe989715ee9cc9
* Factor out handling of SPCI calls into a separate function.
Bug: 132395846
Change-Id: I3e985e0d06b4b59ee25abfc011a472f3397ed28b
* Don't modify the FID when forwarding SMCs.
If the VM called as 32-bit, it should be forwarded as such. The same
goes for 64-bit. The causes problems when the target doesn't accept both
versions.
Change-Id: I229b489030bf84a0093254acda224645746600e0
* Let hvc_handler return 4 registers rather than just one.
Bug: 132395846
Change-Id: Ibc86ba2f24fdfcb55f08aae48e5769cea31c2cd5
* Fix example path in launch.json.
Change-Id: I4d7b9739656fcd30e031bfb53cd4b82483077882
* Refactor hftest.py
Changes will be required to hftest.py to support DT overlays, driving
tests over serial port, etc. Refactor into classes with well-defined
roles to make this easier.
Change-Id: Ib4855281456d27627b9a5c6c7642a6cd5519b64f
* Add support for accessing EL1 debug registers
For now, the primary vm can access all debug registers, whereas secondary vms
cannot. Debug event exceptions are disabled for secondary vms, so a malicious
primary cannot have active breakpoints or watchpoints for secondary vms.
This code allows us in the future to add debug support to secondary vms, and to
have fine-grained control over which registers are allowed, either by the
primary or secondary, as well as change the behavior for such accesses.
Bug: 132422368
Change-Id: I616454cc12bea6b8dfebbbdb566ac64c0a6625c2
* Fix bug in hftest.py
Previous CL Ib4855281456d27627b9a5c6c7642a6cd5519b64f refactored
hftest.py but left a function call unresolved. When a test failed,
code which printed path to the log would throw. Fix the problem.
Test: modify test to fail, run ./kokoru/ubuntu/build.sh
Change-Id: I653a0410e4064ce45c729d1bac63ecce76d5c384
* Merge manifest into the board DT, add boot flow drivers
Hafnium currently supports two kinds of boot flow:
(a) Linux-like, where the board FDT is passed by the boot loader to
the OS kernel in first kernel arg (this is used by QEMU, FVP, RPi, ...),
(b) Android-like, where the FDT used by Hafnium is compiled into it and
the VMs have their own.
This used to be implemented using weak symbols and each board spec
overriding it with its own implementation. This patch introduces the
concept of boot-flow drivers in the main tree, and the corresponding
driver selected using a config option in board spec. Drivers for the two
boot-flows described above are implemented.
Simultaneously, the manifest is now read from the FDT available at
Hafnium init time. This required two notable changes:
(1) all values are copied into the manifest struct because FDT is
unmapped, modified and passed to the primary VM,
(2) manifest is now written as an overlay; QEMU and FVP test drivers
overlay it automatically.
Bug: 117551352
Change-Id: Ieae7fe4ef5b3047174ec0ad057e487660ccd5a03
* Implement SMC calls with inline assembly rather than a separate file.
This will let the compiler do better optimisation by inlining the call,
rather than having to put parameters on the stack.
Bug: 132429380
Change-Id: I51d57460d2826dc24b6f6b01ceebdf5f053c5c17
* Implement hf_call with assembly inline rather than entire function.
This should allow the compiler to inline and better optimise it.
Bug: 132429380
Change-Id: I4adf5adbc59ebd71bb2b8effecb07ce16bca49cc
* Align stacks to page boundaries.
Page alignment supersedes the previous alignment that was a requirement
of aarch64. It also ensures cache lines don't contain data other than
the stack which could be accessed from other cores.
Change-Id: I3a9eca651e52062c93d8e6b3278e158a65f1c1f5
* Panic when boot_flow_init() failed
Small oversight from CL Ieae7fe4ef5b3047174ec0ad057e487660ccd5a03.
Hafnium would continue to execute even if it could not parse the FDT.
Add a panic() in the caller to correct it.
Also fix a dlog message missing a newline.
Bug: 117551352
Change-Id: I9024800232013f92431db173315dfd379081d7f9
* Preserve MDCR_EL2 values that are potentially set by bootcode
The MDCR_EL2 register's HPMN and E2PB fields depend on whether certain features
are implemented by the current processor, and should be setup by the
bootcode. Preserve their values.
Bug: 132422368
Change-Id: Id21b8458a53863db990358f27efb72132688f9bf
* Fix cache line size calculation.
CTR_EL0 gives the line size in 4-byte words so the lines are 4 times
larger than we've been giving them credit for.
Change-Id: I6f11dfd0df84ec7d6be0c9b6363bd92cf224cb6a
* Switch to fully flushing the data cache.
PSCI says the caches should be clean and invalidated at the entry point
so that is what we should do. Shared memory should also be flushed to
reduce the chance of coherency issues in the VMs.
Change-Id: I99c1f1fa7b44d290dc81e7d5496f4f90192c08c5
* Fix bugs in saving register state before debug register exceptions
- Fixes changing value of status register before saving it
- Fixes uneven saving/restoring of register x18
- Some tidying up and refactoring
Bug: 132422368
Change-Id: I23c63de0ac1c6b7d218c6f02b2c49f40e9eef28e
* Initialize the number of accessible event counters
Set the number of event counters accessible from all exception levels
(MDCR_EL2.HPMN) to be the number of implemented event counters (PMCR_EL0.N).
This might have other security implications later. Later work to investigate
how Hafnium should handle access to event counters.
Bug: 132394973
Change-Id: I7e63949dde2dcec58d929da4bb3e3efab5d3adee
* hftest: Write-back cpu_start_state before starting a new vCPU
New vCPU is started with caching disabled but it is meant to read data
provided by the vCPU which started it and had caching enabled. Because
the data is needed before it is possible to set up the MMU and enable
data caching, the original vCPU must ensure that the data is written
back to memory prior to spawning the new vCPU.
This patch restructures the way hftests start new CPUs to accommodate
this requirement. A new architecture-agnostic power_mgmt build target is
created which handles the high-level logic of this process. The
power_mgmt target in src/arch is reduced to the thinnest layer possible,
merely performing an SMC call to spawn a new vCPU and then setting up
the stack pointer and jumping to the high-level entry point when the
vCPU is powered up.
It is now the task of the high-level power_mgmt module to ensure the
state struct is properly written back to memory and that it does not get
freed until the new vCPU is finished both low- and high-level
initialization.
Bug: 141103913
Test: smp.two_vcpus on RPi4
Change-Id: Ie77c6b5ad0aeecaceb0b56623908353843d03c3e
* Resolve warnings.
* Fix comment.
Co-authored-by: Andrew Walbran <[email protected]>
Co-authored-by: hyunsukimsokcho <[email protected]>
Co-authored-by: Andrew Scull <[email protected]>
Co-authored-by: Jose Marinho <[email protected]>
Co-authored-by: Marc Bonnici <[email protected]>- Loading branch information
6 people
authored
Feb 4, 2020
1 parent
45c587d
commit 988b40d