The exec spec typically requires that invocations have a decode phase
that can fail followed by an invoke phase that can not fail.
A switch block is not required when there is only a single valid
invocation label.
Signed-off-by: Kent McLeod <kent@kry10.com>
Provide seL4_BootInfoFrameSize (and seL4_BootInfoFrameBits) for
userland, so there is no longer a need to hard-code the 4 KiByte
assumption.
Signed-off-by: Axel Heider <axelheider@gmx.de>
C parser has issues with `return f(...)` when f's return type is void.
Rephrase `vcpu_hw_write_reg` to look like its AArch32 equivalent, using
`break` in the switch statement.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Verification infrastructure can only handle word-sized variable access
in __asm__ statements. The following functions use 32-bit access on a
64-bit arch and are now marked DONT_TRANSLATE:
* readCIDR
* writeCIDR
* readAFSR0
* writeAFSR0
* readAFSR1
* writeAFSR1
* readESR
* writeESR
* readISR
* vcpu_init_vtcr
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
C parser and verification don't handle taking addresses of local
variables. Use direct `_cap_set_*` and pass by value instead of
pointer-based `_cap_ptr_set_*`.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Latest AArch64 only uses pte_C which is already declared in common
setup, so pde_C only needs to be declared on AArch32.
Affects bitfield generator and verification.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- print period and budget with units
- print tick value also
- use proper format specifiers and avoid casting
Signed-off-by: Axel Heider <axel.heider@hensoldt.net>
Add helper functions to get kernel image location. This removes any
dependencies from the rest of the code on symbols and defines. It
also avoids passing a parameter through various functions.
Signed-off-by: Axel Heider <axelheider@gmx.de>
Currently getting the timestamp for RISC-V platforms uses the
`rdtime` pseudo-instruction which ends up invoking OpenSBI
and then accessing the CLINT memory-mapped `mtime` register.
This patch eliminates the use of `rdtime` in favour of
directly getting the timestamp for performance.
Signed-off-by: Ivan-Velickovic <i.velickovic@unsw.edu.au>
Additional header files may now be included in non-C contexts and so we
need to guard some C definitions with the __ASSEMBLER__ guards
convention.
Signed-off-by: Kent McLeod <kent@kry10.com>
Using branch instructions only allows -+4 KiB offsetting range
from the current PC. If the C code is placed (depending on
linkers and address layout) far more than -+4 KiB, linking
will fail (e.g., R_RISCV_BRANCH out of range: 4735 is not in
[-2048, 2047]; references c_handle_fastpath_call).
This commit accounts for this case and uses jumps when jumping
to C code that should give enough offset range (-+ 1 MiB) and
make the assembly code more portable.
Signed-off-by: Hesham Almatary <hesham.almatary@cl.cam.ac.uk>
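The reach limits behind the commit above, as an added example that is not seL4 code: a range check and encoder for the RISC-V B-type (13-bit, +-4 KiB) and J-type (21-bit, +-1 MiB) immediates. Offsets here are byte distances from the instruction's PC; the quoted linker error appears to count halfwords (an assumption), so its 4735 corresponds to about 9470 bytes, which only jal can reach.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not seL4 code). Offsets are byte distances from the
 * instruction's own PC and must be even (2-byte aligned).
 *   B-type (beq/bne/...): 13-bit signed immediate, +-4 KiB
 *   J-type (jal):         21-bit signed immediate, +-1 MiB
 *   anything further:     auipc + jalr pair (+-2 GiB) */
enum reach { REACH_BRANCH, REACH_JAL, REACH_FAR };

static bool fits_signed(int64_t off, unsigned bits)
{
    int64_t lim = (int64_t)1 << (bits - 1);
    return (off & 1) == 0 && off >= -lim && off < lim;
}

/* Which instruction form can reach `target` from `pc`? */
enum reach classify_reach(uint64_t pc, uint64_t target)
{
    int64_t off = (int64_t)(target - pc);
    if (fits_signed(off, 13)) return REACH_BRANCH;
    if (fits_signed(off, 21)) return REACH_JAL;
    return REACH_FAR;
}

/* Encode `beq rs1, rs2, off`; false if off is out of B-type reach.
 * Immediate layout: imm[12|10:5] in bits 31:25, imm[4:1|11] in bits 11:7. */
bool encode_beq(unsigned rs1, unsigned rs2, int64_t off, uint32_t *insn)
{
    if (!fits_signed(off, 13)) return false;
    uint32_t i = (uint32_t)off;            /* two's-complement bits of off */
    *insn = 0x63                           /* opcode BRANCH, funct3 000 */
          | ((i >> 12) & 1) << 31 | ((i >> 5) & 0x3f) << 25
          | (rs2 & 0x1f) << 20 | (rs1 & 0x1f) << 15
          | ((i >> 1) & 0xf) << 8 | ((i >> 11) & 1) << 7;
    return true;
}

/* Encode `jal rd, off`; false if off is out of J-type reach.
 * Immediate layout: imm[20|10:1|11|19:12] in bits 31:12. */
bool encode_jal(unsigned rd, int64_t off, uint32_t *insn)
{
    if (!fits_signed(off, 21)) return false;
    uint32_t i = (uint32_t)off;
    *insn = 0x6f                           /* opcode JAL */
          | ((i >> 20) & 1) << 31 | ((i >> 1) & 0x3ff) << 21
          | ((i >> 11) & 1) << 20 | ((i >> 12) & 0xff) << 12
          | (rd & 0x1f) << 7;
    return true;
}
```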
Some slot positions in the rootnode would depend on configuration.
However that makes it difficult to add new root caps, especially if
multiple caps only exist based on configuration. Make all caps always
there, but null if not configured.
Signed-off-by: Robbie VanVossen <robert.vanvossen@dornerworks.com>
Now the vspace_cap is used for all vspace roots and all other page
tables are referred to by page table caps.
Signed-off-by: Kent McLeod <kent@kry10.com>
Remove the pde_t type and replace all usages with pte_t.
This doesn't remove the page directory cap type yet. Now the page
directory cap refers to a table of pte_t entries and is treated the same
as the object that a page table cap refers to.
Signed-off-by: Kent McLeod <kent@kry10.com>
This first commit only handles 4k pages.
4k pages are mapped using level 3 descriptor formats which annoyingly
have an opposite type definition (bit[1]) from all other levels. At all
other levels, a bit value of 0 is page and 1 is table. At level 3, a bit
value of 1 is page (and there is no bit value for a table).
This prevents us from using a single tagged-union type definition for
all page table descriptor definitions. For now we treat 4k pages as
special and try and push on ahead with the single type definition
anyway.
Signed-off-by: Kent McLeod <kent@kry10.com>
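The bit[1] inversion described above, as an added example that is not seL4 code: a level-aware classifier for VMSAv8-64 descriptors, with a constructed check showing that a level 3 page descriptor read through a level-agnostic tag (the single tagged-union definition the commit wants) looks like a table.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example (not seL4 code). bit[0] is the valid bit at every level.
 * bit[1] is the type bit and its meaning flips at level 3:
 *   levels 0-2: 0 = block (page mapping), 1 = table
 *   level 3:    1 = page, 0 = reserved (treated as invalid) */
enum desc_kind { DESC_INVALID, DESC_TABLE, DESC_LEAF };

enum desc_kind classify_desc(unsigned level, uint64_t desc)
{
    if (level > 3 || !(desc & 1)) return DESC_INVALID;
    bool type_bit = (desc >> 1) & 1;
    if (level == 3) return type_bit ? DESC_LEAF : DESC_INVALID;
    return type_bit ? DESC_TABLE : DESC_LEAF;
}

/* Build a leaf (block or page) descriptor for `level`, setting bit[1]
 * the way that level expects.  `oa_with_attrs` is the output address
 * plus attribute bits, assumed already aligned for the level. */
uint64_t make_leaf(unsigned level, uint64_t oa_with_attrs)
{
    uint64_t d = (oa_with_attrs & ~(uint64_t)3) | 1;
    if (level == 3) d |= 2;        /* only level 3 marks a leaf with bit[1]=1 */
    return d;
}

/* Build a table descriptor pointing at a 4 KiB-aligned next-level table. */
uint64_t make_table(uint64_t next_table_pa)
{
    return (next_table_pa & ~(uint64_t)0xfff) | 3;
}
```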
Commit f4c41f39 removed a check that dereferenced tcbSchedContext. It
should have removed this assert() also then.
Signed-off-by: Axel Heider <axelheider@gmx.de>
Without this patch, user-level programs have the ability to
map in the core-local interrupt controller on RISC-V platforms
which contains the memory-mapped registers for the core-local
timer the kernel uses. This is a level of privilege that
user-level programs should not have. Writing to the `mtime`
register is possible which can then affect how the timer interrupts
are delivered to the kernel.
Signed-off-by: Ivan-Velickovic <i.velickovic@unsw.edu.au>
These are only called when CONFIG_DEBUG_BUILD is on, which *usually*
means that CONFIG_PRINTING is also enabled, but it's not necessarily
the case.
Signed-off-by: Ivan-Velickovic <i.velickovic@unsw.edu.au>
Guard the new implementation of 64-bit x86 guests behind a config
option. This is done so that existing projects that use x86_64 hosts
with ia32-bit guests can continue to be supported until either the old
feature is preferred to be deprecated, or support can be added to
support both simultaneously.
Signed-off-by: Kent McLeod <kent@kry10.com>
This commit combines a number of smaller commits which do the following:
* Enter IA-32e mode when running a 64-bit host
* Handle additional general purpose registers in 64-bit mode
* Handle 64-bit specific MSR events
* Properly save and restore FS, GS, and Shadow GS registers
CCDC-GVSC DISTRIBUTION A. Approved for public release; distribution
unlimited. OPSEC#4481.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
CCDC-GVSC DISTRIBUTION A. Approved for public release; distribution
unlimited. OPSEC#4481.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
The verification C parser is failing to translate this function, but it
does not actually need to since this is behind the machine interface
anyway. Mark the function as dont-translate to avoid the problem.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Use `ARM_HYP_verified.cmake` from branch exynos5-ver as
`ARM_HYP_exynos5_verified.cmake` on master, so both can be used by
verification CI without switching branches.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>