For ARM currently TIMER_PRECISION exists, but that is in microseconds
and not fine-grained enough.
This is needed to make periodic tasks synchronous with the system clock.
If this value is zero every period will be extended with the overhead of
taking an interrupt and reading the system clock. To avoid this drift,
the configured value should be set to at least the average overhead.
See also issue #844.
Signed-off-by: Indan Zupancic <Indan.Zupancic@mep-info.com>
The seL4 CMake build currently uses the `stat` utility to determine the
size of the flattened device tree file. The `stat` utilities in macOS
and GNU coreutils have different interfaces, the CMake build needs to
determine which one it's using.
This change supports building on macOS with GNU coreutils in the PATH,
by only using the macOS `stat` interface with `/usr/bin/stat` on a macOS
host, and otherwise assuming GNU coreutils.
In future, we might be able to avoid the `stat` utility altogether, by
using the built-in `file (SIZE ...)` command that became available in
CMake version 3.14. For now, we avoid updating our build dependencies.
Signed-off-by: Matthew Brecknell <matt@kry10.com>
MacOS X has a BSD-style `stat`, this commit selects the `stat` command
line arguments based on the host OS.
As a small step towards enabling building the kernel on MacOS X, at
least to the degree that kernel.elf can be produced as needed in
verification.
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Add KernelCustomDTSOverlay option to append user provided DTS overlay
files. This way users do not need to modify the seL4 kernel sources
just because they use a hardware module differently. Also useful for
defining VM memory regions.
Signed-off-by: Indan Zupancic <Indan.Zupancic@mep-info.com>
Check the return value from execute_process calls and fail
with an appropriate message.
This makes debugging of cmake failures much easier.
Signed-off-by: Ben Leslie <benno@brkawy.com>
Define CONFIG_KERNEL_LOG_BUFFER in the same way as all other kernel
config options so that it is present in autoconf.h
Signed-off-by: Kent McLeod <kent@kry10.com>
seL4Config.cmake is responsible for generating a valid
CMAKE_TOOLCHAIN_FILE and setting up platform config options at the start
of the build. The CMAKE_TOOLCHAIN_FILE variable has to be set before the
first cmake `project()` function is processed to take effect.
Previously this file was required to be imported in a CMake script
before the kernel's CMakeLists.txt could be processed. This prevented
the main CMakeLists.txt file from being used without an additional
configuration file:
cmake -G Ninja -C ../configs/ARM_verified.cmake ../
Now it is possible to do:
cmake -G Ninja -DKernelPlatform=imx6 -DKernelARMPlatform=sabre ../
This should make it easier to invoke CMake for building kernel
configurations from other build environments.
Because this file is now imported in the Kernel's CMakeLists.txt
context, there is no longer a requirement to save all the intermediate
settings into the cache and then read them out again.
Signed-off-by: Kent McLeod <kent@kry10.com>
According to the CMake documentation, this is intended for file
redirection. Since we don't redirect to files, but basically enforce
std channels, this conflicts with any existing redirection set up when
CMake is invoked. As a result the messages are lost.
Signed-off-by: Axel Heider <axel.heider@hensoldt-cyber.de>
As this variable bounds both the period and the budget and the period
itself bounds the budget, the name for this variable would be more
appropriately named 'MAX_PERIOD'
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
We need to check if the name of the variable has been defined, not if
its value as a variable name has been defined, when determining whether
to set a default value.
Signed-off-by: Curtis Millar <curtis.millar@data61.csiro.au>
A previous commit (9ec5df5f) to provide more efficient CLZ (count
leading zeros) and CTZ (count trailing zeros) removed the `__clzsi2` and
`__ctzsi2` symbols, due to a misunderstanding of the types of these and
other library functions expected by GCC's intrinsics. 9ec5df5f broke the
riscv32 build.
This commit corrects the misunderstanding:
- `__clzsi2` and `__ctzsi2` are reinstated with correct types.
- The types of `__clzdi2` and `__ctzdi2` are corrected.
- `__clzti2` and `__ctzti2` are removed, since seL4 contains no compiler
intrinsics that would require them.
- `clzl` and `ctzl` dispatch to the appropriate library functions based
on the size of `unsigned long`.
- Configuration options are updated to ensure that the library functions
are included in the kernel binary only when needed.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
For RISC-V platforms that do not provide machine instructions to count
leading and trailing zeros, this commit includes more efficient library
functions. For verification, we expose the bodies of the functions to
the proofs.
Kernel config options `CLZ_BUILTIN` and `CTZ_BUILTIN` allow selection of
whether compiler builtin functions should be used. These are only
supported on platforms where the builtin compiles to inline assembly. By
default, the options are on for all platforms except RISC-V.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
This removes the explicit CMake configuration for the kernel log buffer
and replaces it with a #define that is enabled for the required
configurations.
Signed-off-by: Curtis Millar <curtis@curtism.me>
We need to bound the time the user provides to configure scheduling
contexts to avoid malicious or erraneous overflows of the scheduling
math. Make the max period/budget 1 hour.
1 hour is sufficiently small that it will fit in a 32-bit error message.
1 week is sufficiently small for 64-bit platforms.
Signed-off-by: Kent McLeod <Kent.Mcleod@data61.csiro.au>
Introduced a new config flag to enable
userError format strings to be written to the IPC buffer.
Another config bool has been introduced to toggle
printing the error out and this can also be set at runtime.
Signed-off-by: Saer Debel <saer.debel@data61.csiro.au>
This commit also converts our own copyright headers to directly use
SPDX, but leaves all other copyright header intact, only adding the
SPDX ident. As far as possible this commit also merges multiple
Data61 copyright statements/headers into one for consistency.
Currently on x86 device untypeds are generated by passing the entire
address space minus any parts that are reserved by the kernel or that
are "real" memory (e.g. kernel image, physical RAM).
On ARM and RISC-V, device untypeds were generated at compile-time from
a device tree. This patch moves ARM and RISC-V to use the same approach
as x86, and moves the code from x86 into a common location that's
shared between the three architectures.
Co-Authored-By: Anna Lyons <anna@gh.st>
This is almost a complete rewrite from the old hardware_gen.py.
It separates the 'parse DT' stage from the 'generate output'
devices more strictly, and is hopefully easier to understand and
easier to extend.
We also no longer generate the 'devices' list (in YAML)
or the dev_p_regs array (in C), as the kernel will implicitly
expose all non-RAM untypeds as devices.
There are platforms/archs that don't support the Kernel Hardware Debug
API and they can now advertise that by setting
KernelHardwareDebugAPIUnsupported.
This prevents accidental declaration of properties or configurations
that are for the incorrect architecture selected. This was previously
required as the variables KernelWordSize and KernelArch were defined in
each arch specific cmake.config file. Now that they are defined in
advance it is possible to exclude the other imports.
This does not implement the timers for any platforms, but
provides the generic arm arch, and aarch32/aarch64 infrastructure for
tickless timer drivers.
This changes the budget/remaining fields in scheduling contexts
to contain timer ticks, not number of abstract sel4ticks.
seL4_SchedControl_Configure now takes microseconds, not ticks.
This commit is plat-independant - the platform and arch specific
timer code follows in later commits.
This is the first part of the seL4 MCS. This commit:
* adds a scheduling context object. Threads without scheduling
context objects cannot be scheduled.
* replaces tcbTimeSlice with the scheduling context object
* adds seL4_SchedControl caps for each core
* adds seL4_SchedControl_Configure which allows users to configure
amount of ticks a scheduling context has, and set a core for the
scheduling context.
* adds seL4_SchedContext_Bind, Unbind and UnbindObject, which allows
a tcb to be bound to a scheduling context.
This switches between master and mcs configurations.
This also adds a build system variable KernelPlatformSupportsMCS that
can be used to error on platforms that don't support MCS due to
unimplemented functionality.
Update all scripts and build system to call python3, given python2's
upcoming doom. Use sys.maxsize instead of sys.maxint in one script
(maxint does not exist in python3).
Correctly defined the macros to translate between virtual and hardware
IRQs such that PPIs can be properly handled on gic_v2. It is now
possible to create a per-core handler for PPIs on platforms using this
GIC.
Allow projects that use the kernel as a subproject to configure the
kernel in -C scripts.
CMake supports providing a script via -C upon first initialisation of a
build directory. This script is expected to populate the configuration
cache for the rest of the build to depend on. This is how standalone
kernel builds are currently configured. However in buildsystems that add
the kernel as a subproject, it was up to the application to modify
configuration properties before or after the kernel was imported. This
lead to circular dependencies where properties were changed by a module
later in the build, but this then invalidated properties that were set
based on the first property's original value. This lead to running CMake
multiple times in order for settings to reach a stable state.
We now assume that most shared system configuration occurs in initial -C
settings evaluation. seL4Config.cmake is a configuration module that the
kernel exports that allows a configuration script to set kernel platform
and architecture settings in a way that doesn't introduce circular
dependencies.
seL4Config can be imported into other configuration files. This should
make it easier for a full system configuration script to query and
configure kernel configuration values without introducing circular
dependencies on configuration properties.
Some platforms and configurations do not allow user code to change the
value of the register used for TLS. On these architectures a syscall can
be used to allow the kernel to update the register on their behalf.
This does not immediately update the value in the user context on many
configurations as the values are only stored in the user context on a
context switch.
Instead of processing each platform CMake file during the arch's
config.cmake file, we process all of the platform CMake files first.
This is primarily motivated by wanting to move platform configuration
into a config file that is processed via a -C argument to the initial
build initialisation command.
Now a platform config is responsible for setting the kernel architecture
and it's own platform/arch specific config settings. Where previously a
platform was chosen in an arch specific way via either setting
KernelARMPlatform or KernelX86Sel4Arch or KernelRiscVPlatform, a
platform can now be set by KernelPlatform. In cases where a platform may
further parameterise its configuration it is free to choose its own
config options to query. Platforms that support multiple seL4
architectures should use KernelSel4Arch to query this. Platforms that
provide sub platforms such as exynos5 and subplatforms exynos5250,
exynos5410 and exynos5422 can be selected by specifying
KernelPlatform=exynos5, KernelARMPlatform=exynos5410 for example.
The DTS compilation was arm platforms only. Moving it to the top level
config file, making it available to RISCV platforms. The generated files
are almost identical with minor differences. A new argument(--arch) is
added to the hardware_gen.py for the differences.
The previous minimum (4) was actually too small to fit more than 1
capability, which would not allow the kernel to boot. A 4K minimum means
on 32-bit, an 8 size is the minimum (256 slots) and on 64-bit, 7 (128
slots).
In addition to being a more practical minimum, this also allows for
simplification of the boot code for future commits.
Introduces a kernel option that, when enabled, reduces the kernel window in a user address
space to just be Static Kernel Image and Microstate (SKIM), instead of the full kernel
address space. This isolates the important kernel data from the user preventing a
Meltdown style attack being able to violate secrecy. The kernel text and read only data,
i.e. anything that is static from boot, is not secret and can be allowed in the SKIM window
and potentially read by the user. Additionally to switch to and from the actual kernel
address space a small amount of state needs to also be in the SKIM window.
This is only an implementation for x86-64, although the same design is applicable to ia32
