RTOS/seL4
1
0
Fork 0
forked from Imagelibrary/seL4
Code Pull Requests Activity

Mark CLINT as reserved device on RISC-V platforms

Browse Source 
Without this patch, user-level programs have the ability to
map in the core-local interrupt controller on RISC-V platforms
which contains the memory-mapped registers for the core-local
timer the kernel uses. This is a level of privilege that
user-level programs should not have. Writing to the `mtime`
register is possible which can then affect the timer interrupts
are delivered to the kernel.

Signed-off-by: Ivan-Velickovic <i.velickovic@unsw.edu.au>
This commit is contained in:
Ivan-Velickovic
2023-06-09 22:13:42 +10:00
committed by Gerwin Klein
parent 625fb14e9b
commit 2730e65796
11 changed files with 126 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -49,6 +49,9 @@ Upcoming release: BREAKING
* Changed how `gen_config.h` files are generated. Previously, they were generated at CMake configure time. Now, they
are generated at build time as a dependency of the `${prefix}_Gen` target. To manually build the kernel
`gen_config.h` file after running `cmake`, run `ninja gen_config/kernel/gen_config.h`.
* Remove the ability for user-space on RISC-V platforms to access the core-local interrupt controller (CLINT). The
CLINT contains memory-mapped registers that the kernel depends on for timer interrupts and hence should not be
accessible by user-space.
## Upgrade Notes

13
src/plat/ariane/overlay-ariane.dts
View File

@@ -7,6 +7,19 @@
/ {
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/interrupt-controller@c000000};
};
/*
* The size and address of the CLINT is from the memory map listed in the
* CVA6 documentation. It can be found here:
* https://docs.openhwgroup.org/projects/cva6-user-manual/05_cva6_apu/cva6_apu.html#memory-map
*/
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x00000000 0x2000000 0x00000000 0x0000c0000>;
};
};
};

20
src/plat/hifive/overlay-hifive.dts
View File

@@ -5,8 +5,20 @@
*/
/ {
chosen {
seL4,kernel-devices =
&{/soc/interrupt-controller@c000000};
};
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/interrupt-controller@c000000};
};
/*
* According to the SiFive "FU540-C000 Manual" (version v1p4)
* the CLINT is mapped from 0x0200_0000 to 0x0200_FFFF.
*/
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x00000000 0x2000000 0x00000000 0x000010000>;
};
};
};

12
src/plat/polarfire/overlay-polarfire.dts
View File

@@ -7,6 +7,18 @@
/ {
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/interrupt-controller@c000000};
};
/*
* According to the "PolarFire SoC MSS Technical Reference Manual"
* (revision H), the CLINT is mapped from 0x0200_0000 to 0x0200_FFFF.
*/
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x00000000 0x2000000 0x00000000 0x000010000>;
};
};
};

9
src/plat/qemu-riscv-virt/overlay-qemu-riscv-virt.dts
View File

@@ -15,6 +15,15 @@
*
*/
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/plic@c000000};
};
/* The size and address of the CLINT is derived from QEMU source code. */
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x00000000 0x2000000 0x00000000 0x000010000>;
};
};
};

1
src/plat/rocketchip/config.cmake
View File

@@ -50,6 +50,7 @@ if(KernelPlatformRocketchip)
INTERRUPT_CONTROLLER drivers/irq/riscv_plic0.h
)
else()
list(APPEND KernelDTSList "src/plat/rocketchip/overlay-rocketchip-base.dts")
config_set(KernelOpenSBIPlatform OPENSBI_PLATFORM "generic")
# This is an experimental platform that supports accessing peripherals, but
# the status of support for external interrupts via a PLIC is unclear and

21
src/plat/rocketchip/overlay-rocketchip-base.dts Normal file
View File

@@ -0,0 +1,21 @@
/*
* Copyright 2023, UNSW
*
* SPDX-License-Identifier: GPL-2.0-only
*/
/ {
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/interrupt-controller@c000000};
};
/* The size and address of the CLINT is derived from the Rocketchip source code. */
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x2000000 0x10000>;
};
};
};

17
src/plat/rocketchip/overlay-rocketchip-zcu102.dts
View File

@@ -5,10 +5,19 @@
*/
/ {
chosen {
seL4,kernel-devices =
&{/soc/interrupt-controller@c000000};
};
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000},
&{/soc/interrupt-controller@c000000};
};
/* The size and address of the CLINT is derived from the Rocketchip source code. */
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x2000000 0x10000>;
};
};
/delete-node/ memory@80000000;

1
src/plat/spike/config.cmake
View File

@@ -26,6 +26,7 @@ if(KernelPlatformSpike)
else()
list(APPEND KernelDTSList "tools/dts/spike.dts")
endif()
list(APPEND KernelDTSList "src/plat/spike/overlay-spike.dts")
declare_default_headers(
TIMER_FREQUENCY 10000000 PLIC_MAX_NUM_INT 0
INTERRUPT_CONTROLLER drivers/irq/riscv_plic_dummy.h

26
src/plat/spike/overlay-spike.dts Normal file
View File

@@ -0,0 +1,26 @@
/*
* Copyright 2023, UNSW
*
* SPDX-License-Identifier: GPL-2.0-only
*/
/ {
chosen {
seL4,kernel-devices =
&{/soc/clint@2000000};
};
/*
* The size and address of the CLINT is derived from the source code
* of QEMU (which supports the Spike as a platform) and the Spike RISC-V
* ISA simulator. At the time of writing the two simulators do not agree
* on the size of the CLINT. We take the larger of the two sizes (0xc0000)
* in order to be safe.
*/
soc {
clint@2000000 {
compatible = "riscv,cpu-intc";
reg = <0x00000000 0x2000000 0x00000000 0x0000c0000>;
};
};
};

11
tools/hardware.yml
View File

@@ -208,6 +208,17 @@ devices:
kernel: PLIC_PPTR
kernel_size: 0x04000000
# SiFive CLINT (HiFive, Polarfire, Ariane, QEMU RISC-V virt, Spike)
# Note that not all CLINTs with this compatible string are of the same size.
# However, omitting the kernel_size field works as each kernel device frame
# is of size 0x200000, which is currently larger than the CLINT's of all
# supported platforms.
- compatible:
- riscv,cpu-intc
regions:
- index: 0
kernel: CLINT_PPTR
# elfloader rules
- compatible:
- arm,psci-0.2