osd-contiki/cpu/x86/mm/tss-prot-domains.h

/*
 * Copyright (C) 2015-2016, Intel Corporation. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the copyright holder nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef CPU_X86_MM_TSS_PROT_DOMAINS_H_
#define CPU_X86_MM_TSS_PROT_DOMAINS_H_

#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include "ldt-layout.h"
#include "segmentation.h"
#include "tss.h"

struct dom_kern_data {
  /** Task State Segment */
  tss_t tss;
  /** Local Descriptor Table with per-domain descriptors */
  segment_desc_t ldt[LDT_NUM_DESC];
} __attribute__((packed));

/* relies on dom_kern_data: */
#include "multi-segment.h"

/* relies on ATTR_KERN_ADDR_SPACE: */
#include "syscalls.h"

/**
 * Data associated with each protection domain that is owned by clients of that
 * domain and used to identify the domain.
 */
struct dom_client_data {
  dom_id_t dom_id;
  /** The selector is only 16 bits, but it is padded to 32 bits. */
  uint32_t tss_sel;
};

extern uint32_t prot_domains_main_esp;

#define SYSCALLS_STUB_MIDDLE(nm)                                              \
  /* If already in the callee protection domain, skip the protection */       \
  /* domain switch and directly invoke the system call body */                \
  "  je _syscall_" #nm "\n\t"                                                 \
  "  movl $" EXP_STRINGIFY(_syscall_ent_##nm) ", prot_domains_syscall\n\t"    \
  "  mov %esp, prot_domains_main_esp\n\t"

#define SYSCALLS_STUB(nm)                                                     \
  SYSCALLS_ALLOC_ENTRYPOINT(nm);                                              \
  asm (                                                                       \
    ".text\n\t"                                                               \
    ".global " #nm "\n\t"                                                     \
    #nm ":\n\t"                                                               \
    "  str %ax\n\t"                                                           \
    /* Compare current Task Register selector to selector for callee */       \
    /* protection domain, in tss_sel field of dom_client_data */              \
    "  cmpw %ax, 8(%esp)\n\t"                                                 \
    SYSCALLS_STUB_MIDDLE(nm)                                                  \
    /* This will treat the dom_id field as the offset for the call, but */    \
    /* that is ignored when performing a far call to a task */                \
    "  lcall *4(%esp)\n\t"                                                    \
    "  ret\n\t")

#define SYSCALLS_STUB_SINGLETON(nm, dcd)                                      \
  SYSCALLS_ALLOC_ENTRYPOINT(nm);                                              \
  asm (                                                                       \
    ".text\n\t"                                                               \
    ".global " #nm "\n\t"                                                     \
    #nm ":\n\t"                                                               \
    "  str %ax\n\t"                                                           \
    /* Compare current Task Register selector to selector for callee */       \
    /* protection domain, in tss_sel field of dom_client_data */              \
    "  cmpw %ax, %" SEG_KERN "s:(4 + " #dcd ")\n\t"                           \
    SYSCALLS_STUB_MIDDLE(nm)                                                  \
    /* This will treat the dom_id field as the offset for the call, but */    \
    /* that is ignored when performing a far call to a task */                \
    "  lcall *%" SEG_KERN "s:" #dcd "\n\t"                                    \
    "  ret\n\t")

#define PROT_DOMAINS_ENTER_ISR(exc)                                           \
  MULTI_SEGMENT_ENTER_ISR(exc)                                                \
  /* It is possible that the system call dispatcher is being interrupted, */  \
  /* and some interrupt handlers perform system calls.  Thus, it is       */  \
  /* necessary to save and restore the system call dispatcher parameters  */  \
  /* (in callee-saved registers).                                         */  \
  "mov prot_domains_main_esp, %%esi\n\t"                                      \
  "mov prot_domains_syscall, %%edi\n\t"                                       \
  PROT_DOMAINS_ENTER_ISR_COMMON(exc)
#define PROT_DOMAINS_LEAVE_ISR(exc)                                           \
  PROT_DOMAINS_LEAVE_ISR_COMMON(exc)                                          \
  "mov %%edi, prot_domains_syscall\n\t"                                       \
  "mov %%esi, prot_domains_main_esp\n\t"                                      \
  MULTI_SEGMENT_LEAVE_ISR(exc)

/* Allocate two additional GDT entries for each protection domain.  Note that
 * the particular storage allocated by this statement may actually be used for
 * some other protection domain, depending on how the linker happens to arrange
 * all of the GDT storage.  The GDT_IDX_TSS and GDT_IDX_LDT macros in
 * gdt-layout.h determine which storage is used for each protection domain.
 * Thus, this storage should not be referenced directly by its variable name.
 */
#define PROT_DOMAINS_ALLOC_IMPL(nm)                                           \
  static segment_desc_t ATTR_BSS_GDT_MID _gdt_storage_##nm[2]

#endif /* CPU_X86_MM_TSS_PROT_DOMAINS_H_ */
x86: Add TSS-based protection domain support This patch extends the protection domain framework with an additional plugin to use Task-State Segment (TSS) structures to offload much of the work of switching protection domains to the CPU. This can save space compared to paging, since paging requires two 4KiB page tables and one 32-byte page table plus one whole-system TSS and an additional 32-byte data structure for each protection domain, whereas the approach implemented by this patch just requires a 128-byte data structure for each protection domain. Only a small number of protection domains will typically be used, so n * 128 < 8328 + (n * 32). For additional information, please refer to cpu/x86/mm/README.md. GCC 6 is introducing named address spaces for the FS and GS segments [1]. LLVM Clang also provides address spaces for the FS and GS segments [2]. This patch also adds support to the multi-segment X86 memory management subsystem for using these features instead of inline assembly blocks, which enables type checking to detect some address space mismatches. [1] https://gcc.gnu.org/onlinedocs/gcc/Named-Address-Spaces.html [2] http://llvm.org/releases/3.3/tools/clang/docs/LanguageExtensions.html#target-specific-extensions 2015-08-08 00:43:10 +02:00			`/*`
			`* Copyright (C) 2015-2016, Intel Corporation. All rights reserved.`
			`*`
			`* Redistribution and use in source and binary forms, with or without`
			`* modification, are permitted provided that the following conditions`
			`* are met:`
			`* 1. Redistributions of source code must retain the above copyright`
			`* notice, this list of conditions and the following disclaimer.`
			`* 2. Redistributions in binary form must reproduce the above copyright`
			`* notice, this list of conditions and the following disclaimer in the`
			`* documentation and/or other materials provided with the distribution.`
			`*`
			`* 3. Neither the name of the copyright holder nor the names of its`
			`* contributors may be used to endorse or promote products derived`
			`* from this software without specific prior written permission.`
			`*`
			`* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS`
			* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
			`* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS`
			`* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE`
			`* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,`
			`* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES`
			`* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR`
			`* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,`
			`* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)`
			`* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED`
			`* OF THE POSSIBILITY OF SUCH DAMAGE.`
			`*/`

			`#ifndef CPU_X86_MM_TSS_PROT_DOMAINS_H_`
			`#define CPU_X86_MM_TSS_PROT_DOMAINS_H_`

			`#include <stdbool.h>`
			`#include <stdint.h>`
			`#include <stdlib.h>`
			`#include "ldt-layout.h"`
			`#include "segmentation.h"`
			`#include "tss.h"`

			`struct dom_kern_data {`
			`/** Task State Segment */`
			`tss_t tss;`
			`/** Local Descriptor Table with per-domain descriptors */`
			`segment_desc_t ldt[LDT_NUM_DESC];`
			`} __attribute__((packed));`

			`/* relies on dom_kern_data: */`
			`#include "multi-segment.h"`

			`/* relies on ATTR_KERN_ADDR_SPACE: */`
			`#include "syscalls.h"`

			`/**`
			`* Data associated with each protection domain that is owned by clients of that`
			`* domain and used to identify the domain.`
			`*/`
			`struct dom_client_data {`
			`dom_id_t dom_id;`
			`/** The selector is only 16 bits, but it is padded to 32 bits. */`
			`uint32_t tss_sel;`
			`};`

			`extern uint32_t prot_domains_main_esp;`

			`#define SYSCALLS_STUB_MIDDLE(nm) \`
			`/* If already in the callee protection domain, skip the protection */ \`
			`/* domain switch and directly invoke the system call body */ \`
			`" je _syscall_" #nm "\n\t" \`
			`" movl $" EXP_STRINGIFY(_syscall_ent_##nm) ", prot_domains_syscall\n\t" \`
			`" mov %esp, prot_domains_main_esp\n\t"`

			`#define SYSCALLS_STUB(nm) \`
			`SYSCALLS_ALLOC_ENTRYPOINT(nm); \`
			`asm ( \`
			`".text\n\t" \`
			`".global " #nm "\n\t" \`
			`#nm ":\n\t" \`
			`" str %ax\n\t" \`
			`/* Compare current Task Register selector to selector for callee */ \`
			`/* protection domain, in tss_sel field of dom_client_data */ \`
			`" cmpw %ax, 8(%esp)\n\t" \`
			`SYSCALLS_STUB_MIDDLE(nm) \`
			`/* This will treat the dom_id field as the offset for the call, but */ \`
			`/* that is ignored when performing a far call to a task */ \`
			`" lcall *4(%esp)\n\t" \`
			`" ret\n\t")`

			`#define SYSCALLS_STUB_SINGLETON(nm, dcd) \`
			`SYSCALLS_ALLOC_ENTRYPOINT(nm); \`
			`asm ( \`
			`".text\n\t" \`
			`".global " #nm "\n\t" \`
			`#nm ":\n\t" \`
			`" str %ax\n\t" \`
			`/* Compare current Task Register selector to selector for callee */ \`
			`/* protection domain, in tss_sel field of dom_client_data */ \`
			`" cmpw %ax, %" SEG_KERN "s:(4 + " #dcd ")\n\t" \`
			`SYSCALLS_STUB_MIDDLE(nm) \`
			`/* This will treat the dom_id field as the offset for the call, but */ \`
			`/* that is ignored when performing a far call to a task */ \`
			`" lcall *%" SEG_KERN "s:" #dcd "\n\t" \`
			`" ret\n\t")`

			`#define PROT_DOMAINS_ENTER_ISR(exc) \`
			`MULTI_SEGMENT_ENTER_ISR(exc) \`
			`/* It is possible that the system call dispatcher is being interrupted, */ \`
			`/* and some interrupt handlers perform system calls. Thus, it is */ \`
			`/* necessary to save and restore the system call dispatcher parameters */ \`
			`/* (in callee-saved registers). */ \`
			`"mov prot_domains_main_esp, %%esi\n\t" \`
			`"mov prot_domains_syscall, %%edi\n\t" \`
			`PROT_DOMAINS_ENTER_ISR_COMMON(exc)`
			`#define PROT_DOMAINS_LEAVE_ISR(exc) \`
			`PROT_DOMAINS_LEAVE_ISR_COMMON(exc) \`
			`"mov %%edi, prot_domains_syscall\n\t" \`
			`"mov %%esi, prot_domains_main_esp\n\t" \`
			`MULTI_SEGMENT_LEAVE_ISR(exc)`

			`/* Allocate two additional GDT entries for each protection domain. Note that`
			`* the particular storage allocated by this statement may actually be used for`
			`* some other protection domain, depending on how the linker happens to arrange`
			`* all of the GDT storage. The GDT_IDX_TSS and GDT_IDX_LDT macros in`
			`* gdt-layout.h determine which storage is used for each protection domain.`
			`* Thus, this storage should not be referenced directly by its variable name.`
			`*/`
			`#define PROT_DOMAINS_ALLOC_IMPL(nm) \`
			`static segment_desc_t ATTR_BSS_GDT_MID _gdt_storage_##nm[2]`

			`#endif /* CPU_X86_MM_TSS_PROT_DOMAINS_H_ */`