e0aefd11d9
This patch extends the protection domain framework with a third plugin that is a hybrid of the previous two. The hardware task switching mechanism has a strictly-defined format for TSS data structures that causes more space to be consumed than would otherwise be required. This patch defines a smaller data structure that is allocated for each protection domain, only requiring 32 bytes instead of 128 bytes. It uses the same multi-segment memory layout as the TSS-based plugin and leaves paging disabled. However, it uses a similar mechanism as the paging plugin to perform system call dispatches and returns. For additional information, please refer to cpu/x86/mm/README.md.
87 lines
3.8 KiB
C
87 lines
3.8 KiB
C
/*
|
|
* Copyright (C) 2015, Intel Corporation. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* 3. Neither the name of the copyright holder nor the names of its
|
|
* contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
|
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
|
* COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef CPU_X86_MM_SWSEG_PROT_DOMAINS_H_
|
|
#define CPU_X86_MM_SWSEG_PROT_DOMAINS_H_
|
|
|
|
#include <stdint.h>
|
|
#include <stdlib.h>
|
|
#include <stdbool.h>
|
|
#include "ldt-layout.h"
|
|
#include "paging.h"
|
|
#include "segmentation.h"
|
|
#include "syscalls-int.h"
|
|
|
|
struct dom_kern_data {
|
|
/** Local Descriptor Table with per-domain descriptors */
|
|
segment_desc_t ldt[LDT_NUM_DESC];
|
|
/** Flags are defined with the prefix PROT_DOMAINS_FLAG in prot-domains.h */
|
|
uint32_t flags;
|
|
/**
|
|
* Original return address from call stack when this protection domain
|
|
* invoked some other protection domain. This serves to control the return
|
|
* entrypoint. The callee is not permitted to modify this value (unless the
|
|
* callee is the kernel protection domain).
|
|
*/
|
|
uintptr_t orig_ret_addr;
|
|
|
|
/* This structure is precisely 32 bytes in length, a power of 2. If its size
|
|
* changes, add an alignment attribute to keep it aligned at a power of 2 so
|
|
* that dereferencing arrays of these structures uses shift instructions
|
|
* instead of multiplication. Shifting is faster than multiplication.
|
|
*/
|
|
};
|
|
|
|
/* relies on dom_kern_data: */
|
|
#include "multi-segment.h"
|
|
|
|
#define PROT_DOMAINS_ENTER_ISR(exc) \
|
|
MULTI_SEGMENT_ENTER_ISR(exc) \
|
|
PROT_DOMAINS_ENTER_ISR_COMMON(exc)
|
|
#define PROT_DOMAINS_LEAVE_ISR(exc) \
|
|
PROT_DOMAINS_LEAVE_ISR_COMMON(exc) \
|
|
MULTI_SEGMENT_LEAVE_ISR(exc)
|
|
|
|
#define prot_domains_impl_init syscalls_int_init
|
|
|
|
#define prot_domains_set_wp(en)
|
|
|
|
/* Allocate one additional GDT entry for each protection domain. Note that
|
|
* the particular storage allocated by this statement may actually be used for
|
|
* some other protection domain, depending on how the linker happens to arrange
|
|
* all of the GDT storage. The GDT_IDX_LDT macro in gdt-layout.h determine
|
|
* which storage is used for each protection domain. Thus, this storage should
|
|
* not be referenced directly by its variable name.
|
|
*/
|
|
#define PROT_DOMAINS_ALLOC_IMPL(nm) \
|
|
static segment_desc_t ATTR_BSS_GDT_MID _gdt_storage_##nm
|
|
|
|
#endif /* CPU_X86_MM_SWSEG_PROT_DOMAINS_H_ */
|