1% 2% Copyright 2014, General Dynamics C4 Systems 3% 4% SPDX-License-Identifier: GPL-2.0-only 5% 6 7\chapter{\label{ch:vspace}Address Spaces and Virtual Memory} 8 9A virtual address space in seL4 is called a VSpace. In a similar 10way to a CSpace (see \autoref{ch:cspace}), a VSpace is composed of objects 11provided by the microkernel. Unlike CSpaces, these objects for managing 12virtual memory largely correspond to those of the hardware. Consequently, 13each architecture defines its own objects for the top-level VSpace and further intermediate paging structures. 14Common to every architecture is the \obj{Page}, representing a frame of physical memory. 15The kernel also includes \obj{ASID Pool} and 16\obj{ASID Control} objects for tracking the status of address spaces. 17 18These VSpace-related objects are sufficient to implement the 19hardware data structures required to create, manipulate, and destroy 20virtual memory address spaces. It should be noted that, as usual, the 21manipulator of a virtual memory space needs the appropriate 22capabilities to the required objects. 23 24\section{Objects} 25 26\subsection{Hardware Virtual Memory Objects} 27 28Each architecture has a top-level paging structure (level 0) and a number of intermediate levels. 29The top-level paging structure corresponds directly to the higher-level concept of a VSpace in seL4. 30For each architecture, the VSpace is realised as a different object, as determined by the 31architectural details. 32 33In general, each paging structure at each level contains slots where the next level paging structure, 34or a specifically sized frame of memory, can be mapped. If the previous level is not mapped, 35a mapping operation will fail. Developers need to manually create and map all paging structures. 36The size and type of structure at each level, and the number of bits in the virtual address resolved 37for that level, is hardware defined. 38 39seL4 provides methods for operating on these 40hardware paging structures including mapping and cache operations. Mapping operations are invoked on 41the capability being mapped, e.g. to map a level 1 paging structure at a specific virtual address, 42the capability to the corresponding object is invoked with a map operation, where the top-level 43structure is passed as an argument. 44 45In general, the top-level structure has no invocations for mapping, but is used as an argument to 46several other virtual-memory related object invocations. 47For some architectures, the top-level page table can be invoked for cache operations. 48By making these cache related operations invocations on page directory capabilities in addition to 49the page capabilities themselves, the 50API allows users more flexible policy options. For example, a process that has delegated a page 51directory can conduct cache operations on all frames mapped from that capability without access 52to those capabilities directly. 53 54The rest of this section details the paging structures for each architecture. 55 56\subsubsection{IA-32} 57 58On IA-32, the VSpace is realised as a \texttt{PageDirectory}, which covers the entire 4\,GiB range 59in the 32-bit address space, and forms the top-level paging structure. Second level page-tables 60(\texttt{PageTable} objects) each cover a 4\,MiB range. 61Structures at both levels are indexed by 10 bits in the virtual address. 62 63\begin{tabularx}{\textwidth}{Xlll} \toprule 64\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 65\texttt{PageDirectory} & 22---31 & 0 & \autoref{group__x86__seL4__X86__PageDirectory} \\ 66\texttt{PageTable} & 12---21 & 1 & \autoref{group__x86__seL4__X86__PageTable} \\ 67\bottomrule 68\end{tabularx} 69 70\subsubsection{x64} 71 72On x86-64, the VSpace is realised as a \texttt{PML4}. Three further levels of paging structure are 73defined, as shown in the table below. All structures are indexed with 9 bits of the virtual 74address. 75 76\begin{tabularx}{\textwidth}{Xlll} \toprule 77\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 78\texttt{PML4} & 39---47 & 0 & None \\ 79\texttt{PDPT} & 30---38 & 1 & \autoref{group__x86__64__seL4__X86__PDPT} \\ 80\texttt{PageDirectory} & 21---29 & 2 & \autoref{group__x86__seL4__X86__PageDirectory} \\ 81\texttt{PageTable} & 12---20 & 3 & \autoref{group__x86__seL4__X86__PageTable} \\ 82\bottomrule 83\end{tabularx} 84 85\subsubsection{AArch32} 86 87Like IA-32, Arm AArch32 realise the VSpace as a \texttt{PageDirectory}, which covers the entire 884\,GiB address range, and a second-level \texttt{PageTable}. The second-level structures on AArch32 89cover 1\,MiB address ranges. 90 91Arm AArch32 processors have a two-level page-table structure. 92The top-level page directory covers a range of 4\,GiB and each page table covers a 1\,MiB range. 93 94\begin{tabularx}{\textwidth}{Xlll} \toprule 95\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 96\texttt{PageDirectory} & 20---31 & 0 & \autoref{group__aarch32__seL4__ARM__PageDirectory} \\ 97\texttt{PageTable} & 12---19 & 1 & \autoref{group__arm__seL4__ARM__PageTable} \\ 98\bottomrule 99\end{tabularx} 100 101\subsubsection{AArch64} 102 103Arm AArch64 processors have a four-level page-table structure, where the VSpace is realised as a 104\texttt{PageGlobalDirectory}. All paging structures are index by 9 bits of the virtual address. 105 106\begin{tabularx}{\textwidth}{Xlll} \toprule 107\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 108 \texttt{PageGlobalDirectory} & 39---47 & 0 & \autoref{group__aarch64__seL4__ARM__PageGlobalDirectory} \\ 109 \texttt{PageUpperDirectory} & 30---38 & 1 & \autoref{group__aarch64__seL4__ARM__PageUpperDirectory} \\ 110\texttt{PageDirectory} & 21---29 & 2 & \autoref{group__aarch64__seL4__ARM__PageDirectory} \\ 111\texttt{PageTable} & 12---20 & 3 & \autoref{group__arm__seL4__ARM__PageTable} \\ 112\bottomrule 113\end{tabularx} 114 115\subsection{RISC-V} 116 117RISC-V provides the same paging structure for all levels, \texttt{PageTable}. The VSpace is then 118realised as a \texttt{PageTable}. 119 120\subsubsection{RISC-V 32-bit} 121 12232-bit RISC-V \texttt{PageTables} are indexed by 10 bits of virtual address. 123 124\begin{tabularx}{\textwidth}{Xlll} \toprule 125\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 126\texttt{PageTable} & 22---31 & 0 & \autoref{group__riscv__seL4__RISCV__PageTable} \\ 127\texttt{PageTable} & 12---21 & 1 & \autoref{group__riscv__seL4__RISCV__PageTable} \\ 128\bottomrule 129\end{tabularx} 130 131\subsubsection{RISC-V 64-bit} 132 13364-bit RISC-V follows the SV39 model, where \texttt{PageTables} are indexed by 9 bits of virtual address. 134Although RISC-V allows 135for multiple different numbers of paging levels, currently seL4 only supports exactly three levels 136of paging structures. 137 138\begin{tabularx}{\textwidth}{Xlll} \toprule 139\emph{Object} & \emph{Address Bits} & \emph{Level} & \emph{Methods} \\ \midrule 140\texttt{PageTable} & 30---38 & 0 & \autoref{group__riscv__seL4__RISCV__PageTable} \\ 141\texttt{PageTable} & 21---29 & 1 & \autoref{group__riscv__seL4__RISCV__PageTable} \\ 142\texttt{PageTable} & 12---20 & 2 & \autoref{group__riscv__seL4__RISCV__PageTable} \\ 143\bottomrule 144\end{tabularx} 145 146\subsection{Page} 147 148A \obj{Page} object corresponds to a frame of physical memory that is used to 149implement virtual memory pages in a virtual address space. 150 151The virtual address for a \obj{Page} mapping 152must be aligned to 153the size of the \obj{Page} and must be mapped to a suitable VSpace, and every intermediate paging 154structure required. 155To map a page readable, the capability 156to the page 157that is being invoked must have read permissions. To map the page 158writeable, the capability must have write permissions. The requested 159mapping permissions are specified with an argument of type 160\texttt{seL4\_CapRights} given to the mapping function. 161If the capability does not have 162sufficient permissions to authorise the given mapping, then 163the mapping permissions are silently downgraded. Specific mapping permissions are dependant on the 164architecture and are documented in the \autoref{sec:api_reference} for each function. 165 166At minimum, each architecture defines \texttt{Map}, \texttt{Unmap} and 167\texttt{GetAddress} methods for pages. 168Methods for page objects for each architecture can be found in the \autoref{sec:api_reference}, and 169are indexed per architecture in the table below. 170 171\begin{tabularx}{\textwidth}{Xl} \toprule 172\emph{Architectures} & \emph{Methods} \\ \midrule 173IA32, X64 & \autoref{group__x86__seL4__X86__Page} \\ 174AArch32, AArch64 & \autoref{group__arm__seL4__ARM__Page} \\ 175 RISC-V & \autoref{group__riscv__seL4__RISCV__Page} \\ 176\bottomrule 177\end{tabularx} 178 179Each architecture also defines a range of page sizes. In the next section we show the available page 180sizes, as well as the \emph{mapping level}, which refers to 181the level of the paging structure at which this page must be mapped. 182 183\subsubsection{AArch32 page sizes} 184 185\begin{tabularx}{\textwidth}{Xll} \toprule 186 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 187 \texttt{seL4\_PageBits} & 4\,KiB & 1 \\ 188 \texttt{seL4\_LargePageBits} & 64\,KiB & 1 \\ 189 \texttt{seL4\_SectionBits} & 1\,MiB & 0 \\ 190 \texttt{seL4\_SuperSectionBits} & 16\,MiB & 0 \\ 191 \bottomrule 192\end{tabularx} 193 194Mappings for sections and super sections consume 16 slots in the page table and page directory 195respectively. 196 197\subsubsection{AArch64 page sizes} 198 199\begin{tabularx}{\textwidth}{Xll} \toprule 200 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 201 \texttt{seL4\_PageBits} & 4\,KiB & 3 \\ 202 \texttt{seL4\_LargePageBits} & 2\,MiB & 2 \\ 203 \texttt{seL4\_HugePageBits} & 1\,GiB & 1 \\ 204 \bottomrule 205\end{tabularx} 206 207\subsubsection{IA-32 page sizes} 208 209\begin{tabularx}{\textwidth}{Xll} \toprule 210 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 211 \texttt{seL4\_PageBits} & 4\,KiB & 1 \\ 212 \texttt{seL4\_LargePageBits} & 4\,MiB & 0 \\ 213 \bottomrule 214\end{tabularx} 215 216\subsubsection{X64 page sizes} 217 218\begin{tabularx}{\textwidth}{Xll} \toprule 219 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 220 \texttt{seL4\_PageBits} & 4\,KiB & 3 \\ 221 \texttt{seL4\_LargePageBits} & 2\,MiB & 2 \\ 222 \texttt{seL4\_HugePageBits} & 1\,GiB & 1 \\ 223 \bottomrule 224\end{tabularx} 225 226\subsubsection{RISC-V 32-bit page sizes} 227 228\begin{tabularx}{\textwidth}{Xll} \toprule 229 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 230 \texttt{seL4\_PageBits} & 4\,KiB & 1 \\ 231 \texttt{seL4\_LargePageBits} & 4\,MiB & 0 \\ 232 \bottomrule 233\end{tabularx} 234 235\subsubsection{RISC-V 64-bit page sizes} 236 237\begin{tabularx}{\textwidth}{Xll} \toprule 238 \emph{Constant} & \emph{Size} & \emph{Mapping level} \\ \midrule 239 \texttt{seL4\_PageBits} & 4\,KiB & 2 \\ 240 \texttt{seL4\_LargePageBits} & 2\,MiB & 1 \\ 241 \texttt{seL4\_HugePageBits} & 1\,GiB & 0 \\ 242 \bottomrule 243\end{tabularx} 244 245\subsection{ASID Control} 246 247For internal kernel book-keeping purposes, there is a fixed maximum 248number of applications the system can support. In order to manage 249this limited resource, the microkernel provides an \obj{ASID Control} 250capability. The \obj{ASID Control} capability is used to generate a 251capability that authorises the use of a subset of available address-space identifiers. 252This newly created capability is called an 253\obj{ASID Pool}. \obj{ASID Control} only has a single \texttt{MakePool} method for each 254architecture, listed in the table below. 255 256\begin{tabularx}{\textwidth}{Xl} \toprule 257\emph{Architectures} & \emph{Methods} \\ \midrule 258IA32, X64 & \autoref{group__x86__seL4__X86__ASIDControl} \\ 259AArch32, AArch64 & \autoref{group__arm__seL4__ARM__ASIDControl} \\ 260RISC-V & \autoref{group__riscv__seL4__RISCV__ASIDControl} \\ 261\bottomrule 262\end{tabularx} 263 264\subsection{ASID Pool} 265 266An \obj{ASID Pool} confers the right to create a subset of the available 267maximum applications. For a VSpace to be usable by an application, it 268must be assigned to an ASID. This is done using a capability to an 269\obj{ASID Pool}. The \obj{ASID Pool} object has a single method, \texttt{Assign}, for each 270architecture: 271 272\begin{tabularx}{\textwidth}{Xl} \toprule 273\emph{Architectures} & \emph{Methods} \\ \midrule 274IA32, X64 & \autoref{group__x86__seL4__X86__ASIDPool} \\ 275AArch32, AArch64 & \autoref{group__arm__seL4__ARM__ASIDPool} \\ 276RISC-V & \autoref{group__riscv__seL4__RISCV__ASIDPool} \\ 277\bottomrule 278\end{tabularx} 279 280\section{Mapping Attributes} 281A parameter of type \texttt{seL4\_ARM\_VMAttributes} or 282\texttt{seL4\_x86\_VMAttributes} is used to specify the cache behaviour of the 283page being mapped; possible values for Arm that can be bitwise OR'd together are 284shown in \autoref{tbl:vmattr_arm} \ifxeightsix and an enumeration of valid values 285for IA-32 are shown in \autoref{tbl:vmattr_ia32}\fi. Mapping attributtes can be updated on existing mappings using the Map invocation with the same virtual address. 286 287\begin{table}[htb] 288 \begin{center} 289 \begin{tabularx}{\textwidth}{p{0.33\textwidth}X} 290 \toprule 291 Attribute & Meaning \\ 292 \midrule 293 \texttt{seL4\_ARM\_PageCacheable} & Enable data in this mapping 294 to be cached \\ 295 \texttt{seL4\_ARM\_ParityEnabled} & Enable parity checking for 296 this mapping\\ 297 \texttt{seL4\_ARM\_ExecuteNever} & Map this memory as non-executable \\ 298 \bottomrule 299 \end{tabularx} 300 \caption{\label{tbl:vmattr_arm} Virtual memory attributes for Arm page 301 table entries.} 302 \end{center} 303\end{table} 304 305\begin{table}[htb] 306 \begin{center} 307 \begin{tabularx}{\textwidth}{p{0.33\textwidth}X} 308 \toprule 309 Attribute & Meaning \\ 310 \midrule 311 \texttt{seL4\_x86\_WriteBack} & Read and writes are cached \\ 312 \texttt{seL4\_x86\_CacheDisabled} & Prevent data in this mapping 313 from being cached \\ 314 \texttt{seL4\_x86\_WriteThrough} & Enable write through cacheing for this mapping \\ 315 \texttt{seL4\_x86\_WriteCombining} & Enable write combining for this mapping \\ 316 \bottomrule 317 \end{tabularx} 318 \caption{\label{tbl:vmattr_ia32} Virtual memory attributes for x86 page 319 table entries.} 320 \end{center} 321\end{table} 322 323\section{Sharing Memory} 324 325seL4 does not allow \obj{Page Table}s to be shared, but does allow 326pages to be shared between address spaces. 327To share a page, the capability to the 328\obj{Page} must first be 329duplicated using the \apifunc{seL4\_CNode\_Copy}{cnode_copy} method and the new copy must 330be used in the \apifunc{seL4\_ARM\_Page\_Map}{arm_page_map} \ifxeightsix or \apifunc{seL4\_x86\_Page\_Map}{x86_page_map} \fi method that maps the page into the second 331address space. Attempting to map the same capability 332twice will result in an error. 333 334 335\section{Page Faults} 336 337Page faults are reported to the exception handler of the executed thread. 338See \autoref{sec:vm-fault}. 339