From fce223cddc0d52e675102815e01971513200f512 Mon Sep 17 00:00:00 2001 From: Ravi Sahita Date: Thu, 3 Oct 2024 16:43:34 -0700 Subject: [PATCH 1/4] add check for pa width during MTT walk Signed-off-by: Ravi Sahita --- chapter4.adoc | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/chapter4.adoc b/chapter4.adoc index 52ed8a7..d6cbb3b 100644 --- a/chapter4.adoc +++ b/chapter4.adoc 
@@ -233,26 +233,37 @@ supervisor domain are ascertained as follows: is 2^12^; MTT_PTE_SIZE = 8 bytes (for RV32, MTT_PTE_SIZE = 4 bytes). The `mttp` register must be active, i.e., the effective privilege mode must not be M-mode. -2. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_ +2. If _pa_ has any bits set above the maximum physical address width supported +by the hart, then stop and raise an access-fault exception corresponding to the +original access type. + +[NOTE] +==== +Restricting the _pa_ to the maximum PA width supported by a hart allows for +optimizing memory requirements of the MTT structures such as the MTTL2 and MTTL3 +entry tables, when the PA width is not exactly 34, 46 or 56 bits. +==== + +3. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_ x MTT_PTE_SIZE. If accessing _mpte_ violates a PMA or PMP check, raise an access-fault exception corresponding to the original access type. -3. If any bits or encodings that are reserved for future standard use are +4. If any bits or encodings that are reserved for future standard use are set within _mpte_, stop and raise an access-fault exception corresponding to the original access type. -4. Otherwise, the _mpte_ is valid. If (_i_=1) or (_i_=2 and _mpte.type_ is not +5. Otherwise, the _mpte_ is valid. If (_i_=1) or (_i_=2 and _mpte.type_ is not `MTT_L1_DIR`), go to step 5. Otherwise, the _mpte_ is a pointer to the next level of the `MTT`. Let _i_ = _i_-1. Let _a_ = _mpte.ppn_ x PAGESIZE and go to step 2. Note that when _mpte.type_ = `MTT_L1_DIR`, the _mpte.ppn_ is the value of the _mpte.info_ field. -5. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_ +6. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_ and _mpte.info_ that are reserved for future standard use, per <>, are set within _mpte_, stop and raise an access-fault exception corresponding to the access type. -6. The _mpte_ is a valid leaf _mpte_. 
Fetch the access-permissions for the +7. The _mpte_ is a valid leaf _mpte_. Fetch the access-permissions for the physical address per the steps described below: * if _i_=2, and the _mpte.type_ field directly specifies the access-permissions @@ -271,11 +282,11 @@ encodings for 4 KiB pages. The entry is selected by _pa.pn[0]_. The least significant 2 bits of each entry specify the access-permission encoding for the _pa_. The encodings are specified in <>. -7. Determine if the requested physical memory access is allowed per the +8. Determine if the requested physical memory access is allowed per the access-permissions. If access is not permitted, stop and raise an access-fault exception corresponding to the original access type. -8. The access is allowed per the `MTT` lookup. +9. The access is allowed per the `MTT` lookup. All implicit accesses to the memory tracking table data structures in this algorithm are performed using width MTT_PTE_SIZE. @@ -302,7 +313,7 @@ MTT is checked for all accesses to physical memory, unless the effective privile mode is M, including accesses that have undergone virtual to physical memory translation, but excluding MTT checker accesses to MTT structures. Data accesses in M-mode when the MPRV bit in mstatus is set and the MPP field in mstatus contains S -or U are subject to MTT checks. MTT checker accesses to MTT structures are to be +or U are subject to MTT checks. MTT checker accesses to MTT structures are to be treated as implicit M-mode accesses and are subject to PMP/Smepmp and IOPMP checks. The MTT checker indexes the MTT using the physical address of the access to lookup and enforce the access permissions. From d0c1ff0fe4113274c608dc087028f5ac1cd1edd6 Mon Sep 17 00:00:00 2001 From: Ravi Sahita Date: Mon, 7 Oct 2024 11:08:17 -0700 Subject: [PATCH 2/4] Apply suggestions from PR review Co-authored-by: Ved Shanbhogue <91900059+ved-rivos@users.noreply.github.com> 
Signed-off-by: Ravi Sahita --- chapter4.adoc | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/chapter4.adoc b/chapter4.adoc index d6cbb3b..61e69b9 100644 --- a/chapter4.adoc +++ b/chapter4.adoc @@ -233,15 +233,19 @@ supervisor domain are ascertained as follows: is 2^12^; MTT_PTE_SIZE = 8 bytes (for RV32, MTT_PTE_SIZE = 4 bytes). The `mttp` register must be active, i.e., the effective privilege mode must not be M-mode. -2. If _pa_ has any bits set above the maximum physical address width supported +2. If _pa_ is beyond the maximum accessible physical address space of the platform by the hart, then stop and raise an access-fault exception corresponding to the original access type. [NOTE] ==== -Restricting the _pa_ to the maximum PA width supported by a hart allows for -optimizing memory requirements of the MTT structures such as the MTTL2 and MTTL3 -entry tables, when the PA width is not exactly 34, 46 or 56 bits. +Restricting the _pa_ to the maximum accessible PA width supported by a platform allows +for optimizing memory requirements of the MTT structures such as the MTTL2 and MTTL3 +entry tables, when the PA width is not exactly 34, 46 or 56 bits. Also note that the intent +of using the maximum _accessible_ physical address space versus the maximum +_implemented_ physical address width also allows for the case where an Smmtt +mode is used that is lower width than what is implemented by the platform, +for example, Smmtt46 used with a platform maximum PA of say 56 bits. ==== 3. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_ From ca34196641cf3b49a2c159cf53ab66a3fcedf37c Mon Sep 17 00:00:00 2001 From: Ravi Sahita Date: Mon, 7 Oct 2024 15:33:22 -0700 Subject: [PATCH 3/4] Apply suggestions from PR review Co-authored-by: Samuel Holland Signed-off-by: Ravi Sahita --- chapter4.adoc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/chapter4.adoc b/chapter4.adoc index 61e69b9..3f4b86e 100644 
--- a/chapter4.adoc +++ b/chapter4.adoc @@ -233,8 +233,9 @@ supervisor domain are ascertained as follows: is 2^12^; MTT_PTE_SIZE = 8 bytes (for RV32, MTT_PTE_SIZE = 4 bytes). The `mttp` register must be active, i.e., the effective privilege mode must not be M-mode. -2. If _pa_ is beyond the maximum accessible physical address space of the platform -by the hart, then stop and raise an access-fault exception corresponding to the +2. If _pa_ is greater than maximum physical address mappable under the current +MTT mode, or is greater than a platform-defined maximum physical address for +the hart, then stop and raise an access-fault exception corresponding to the original access type. [NOTE] @@ -257,9 +258,9 @@ set within _mpte_, stop and raise an access-fault exception corresponding to the original access type. 5. Otherwise, the _mpte_ is valid. If (_i_=1) or (_i_=2 and _mpte.type_ is not -`MTT_L1_DIR`), go to step 5. Otherwise, the _mpte_ is a pointer to the next +`MTT_L1_DIR`), go to step 6. Otherwise, the _mpte_ is a pointer to the next level of the `MTT`. Let _i_ = _i_-1. Let _a_ = _mpte.ppn_ x PAGESIZE and go to -step 2. Note that when _mpte.type_ = `MTT_L1_DIR`, the _mpte.ppn_ is the value +step 3. Note that when _mpte.type_ = `MTT_L1_DIR`, the _mpte.ppn_ is the value of the _mpte.info_ field. 6. A leaf _mpte_ has been found. If any bits or encodings within _mpte.type_ From 3e00c39f854ed427f4f747d9bb01e8dacb8e6504 Mon Sep 17 00:00:00 2001 From: Ravi Sahita Date: Mon, 7 Oct 2024 16:14:37 -0700 Subject: [PATCH 4/4] Addressing pr review comments on max-addressable pa checks Signed-off-by: Ravi Sahita --- chapter4.adoc | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/chapter4.adoc b/chapter4.adoc index 3f4b86e..6f9a346 100644 --- a/chapter4.adoc +++ b/chapter4.adoc 
@@ -233,20 +233,16 @@ supervisor domain are ascertained as follows: is 2^12^; MTT_PTE_SIZE = 8 bytes (for RV32, MTT_PTE_SIZE = 4 bytes). The `mttp` register must be active, i.e., the effective privilege mode must not be M-mode. -2. If _pa_ is greater than maximum physical address mappable under the current -MTT mode, or is greater than a platform-defined maximum physical address for -the hart, then stop and raise an access-fault exception corresponding to the -original access type. +2. If _pa_ is greater than maximum-addressable physical address under the +current MTT mode, or is greater than a platform-defined maximum-addressable +physical address for the hart, then stop and raise an access-fault exception +corresponding to the original access type. [NOTE] ==== -Restricting the _pa_ to the maximum accessible PA width supported by a platform allows -for optimizing memory requirements of the MTT structures such as the MTTL2 and MTTL3 -entry tables, when the PA width is not exactly 34, 46 or 56 bits. Also note that the intent -of using the maximum _accessible_ physical address space versus the maximum -_implemented_ physical address width also allows for the case where an Smmtt -mode is used that is lower width than what is implemented by the platform, -for example, Smmtt46 used with a platform maximum PA of say 56 bits. +Restricting the _pa_ to the maximum-addressable PA width supported by a platform +allows for optimizing memory requirements of the MTT structures such as the +MTTL2 and MTTL3 entry tables, when the PA width is not 34, 46, or 56 bits. ==== 3. Let _mpte_ be the value of the `MTT` table entry at address _a_ + _pa.pn[i]_ 
@@ -273,14 +269,14 @@ physical address per the steps described below: * if _i_=2, and the _mpte.type_ field directly specifies the access-permissions for 1 GiB page regions (via 32 MTTL2 entries with identical _mpte.type_ values - -see <>); go to step 7, else +see <>); go to step 8, else * if _i_=2, and for XLEN = 64 and the _mpte.type_ field value `2M_PAGES`, the _mpte.info_[31:0] field contains 16 entries of 2-bit access-permission encodings for 16 2 MiB address regions; For XLEN=32 and _mpte.type_ field value of `4M_PAGES`, the _mpte.info_[16:0] field contains 8 entries of 2-bit access-permission encodings for 8 4 MiB regions - see <>; -go to step 7, else +go to step 8, else * if _i_=1, the _mpte_ contains XLEN/4 4-bit entries that hold access-permission encodings for 4 KiB pages. The entry is selected by _pa.pn[0]_. The least
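Review bot: The renumbered step 5 in [PATCH 1/4] (hunk at -233,26) still says "go to step 5" and "go to step 2", so the leaf case now jumps to itself and the directory case jumps back to the new PA check instead of the MTT entry fetch. With the new step 2 inserted these should read "go to step 6" and "go to step 3". The series only corrects them in [PATCH 3/4], and the "go to step 7" references in the step 7 bullets only in [PATCH 4/4]. Fold those fixes into this patch so the algorithm is self-consistent at every commit.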
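Review bot: The last hunk of [PATCH 1/4] (at -302,7) removes and re-adds the line "or U are subject to MTT checks. MTT checker accesses to MTT structures are to be" with no visible difference, so it appears to be a whitespace-only change. It is unrelated to "add check for pa width during MTT walk"; drop it from this patch or send it as a separate cleanup so the normative change is easier to review.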
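Review bot: In [PATCH 2/4], the reworded step 2 replaces only its first line, so the sentence now reads "maximum accessible physical address space of the platform by the hart, then stop", with "by the hart" left dangling from the old wording. Either delete "by the hart" or rephrase to name one subject (platform or hart). The step also speaks of an "address space" while the NOTE below it speaks of a "PA width"; pick one term for the limit. The NOTE sentence "the intent of using ... also allows" would read better as "Using the maximum _accessible_ ... allows for the case where ...".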
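Review bot: Step 2 in [PATCH 3/4] (hunk at -233,8) introduces "a platform-defined maximum physical address for the hart" as a second fault condition, but nothing in the hunk says where that limit is defined or how software learns it. Since exceeding it raises an access fault, add a cross-reference or one sentence stating where the value comes from. Minor: "greater than maximum physical address mappable" is missing "the".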
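Review bot: The NOTE in the first hunk of [PATCH 4/4] no longer explains the first condition of step 2. The step still faults when _pa_ exceeds the limit "under the current MTT mode", but the removed text was the only place that motivated it (the Smmtt46 on a 56-bit platform example), and the remaining sentence covers only the platform limit. Keep a one-sentence rationale for the MTT-mode limit. The note also says "maximum-addressable PA width" while step 2 compares against a "maximum-addressable physical address"; use the same term in both, and add "the" before "maximum-addressable physical address" in step 2.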
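Review bot: In the second hunk of [PATCH 4/4], the unchanged XLEN=32 text in the second bullet says "_mpte.info_[16:0] field contains 8 entries of 2-bit access-permission encodings", which is 17 bits for 16 bits of data. The XLEN=64 case in the same bullet is consistent (16 entries of 2 bits in [31:0]), so this should presumably be [15:0]. Worth fixing while these bullets are being touched. The "go to step 8" updates match the renumbered step 8 ("Determine if the requested physical memory access is allowed"). The _i_=1 bullet is cut off in the hunk context, so check separately that it carries no stale step reference.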