On Tue, May 12, 2020 at 10:58 AM Utkarsh Rai <utkarsh.ra...@gmail.com> wrote: > > > > On Tue, May 12, 2020 at 9:27 AM Gedare Bloom <ged...@rtems.org> wrote: >> >> On Thu, May 7, 2020 at 9:59 PM Hesham Almatary >> <hesham.almat...@cl.cam.ac.uk> wrote: >> > >> > Hello Utkarsh, >> > >> > I'd suggest you don't spend too much efforts on setting up BBB >> > hardware if you haven't already. Debugging on QEMU with GDB is way >> > easier, and you can consider either qemu-xilinx-zynq-a9 or rpi2 BSPs. >> > Later, you can move your code to BBB if you want, since both are based >> > on ARMv7. >> +1 >> >> Past work has also used psim successfully I thought? Or am I mistaken there. >> >> > >> > On Thu, 7 May 2020 at 18:26, Utkarsh Rai <utkarsh.ra...@gmail.com> wrote: >> > > >> > > Hello, >> > > This is to ensure that all the interested parties are on the same page >> > > before I start my project and can give their invaluable feedback. >> Excellent, thank you for getting the initiative. >> >> I'll be taking on the primary mentorship for your project, with >> support from the co-mentors (Peter, Hesham, Sebastian). For now, I >> prefer you to continue to make your presence on the mailing list. We >> will establish other forms of communication as needed and will take on >> IRC meetings once coding begins in earnest. >> >> > > My GSoC project, providing user-configurable thread stack protection, >> > > requires adding architecture-specific low-level support as well as >> > > high-level API support. I will be starting my project with ARMv7-A (on >> > > BBB) based MMU since RTEMS already has quite mature support for it. As >> > > already mentioned in my proposal I will be focusing more on the >> > > High-level interface and let it drive whatever further low-level support >> > > is needed. >> > > Once the application uses MMU for thread stack address generation each >> > > thread will be automatically protected as the page tables other than >> > > that of the executing thread would be made dormant. When the user has to >> > > share thread stacks they will have to obtain the stack attributes of the >> > > threads to be shared by pthread_attr_getstack() and then get a file >> > > descriptor of the memory to be mapped by a call to shm_open() and >> > > finally map this to the stack of the other thread through >> > > mmap(), this is the POSIX compliant way I could think of. Now at the low >> > > level, it means mapping the page table of the thread to be shared into >> > > the address space of the executing thread. This is an area where the >> > > low-level support has to be provided. At the high-level, this means >> > > providing support to mmap and shared-memory interface as mmap provides >> > > support for a file by simply >> > > copying the memory from the file to the destination. For shared memory >> > > objects it can >> > > provide read/write access but cannot provide restriction of write/read >> > > access. One of the areas that I have to look into more detail is thread >> > > context-switch, as after every context switch the TLBs need to be >> > > flushed and reinitialized lest we get an invalid address for the >> > > executing thread. Since context-switch is low-level >> > > architecture-specific, this also has to be provided with more support. >> >> This is really dense text. Try to break apart your writing a little >> bit to help clarify your thoughts. You should also translate some of >> your proposal into a wiki page if you haven't started that yet, and a >> blog post. Both of those will help to focus your thoughts into words. >> >> "mapping the page table" is not meaningful to me. I think you mean >> something like "mapping a page from the page table"? >> >> Will the design >> support sharing task stacks using MPUs with 4 regions? 8? (It seems >> challenging to me, but might be possible in some limited >> configurations. Having support for those kinds of targets might still >> be useful, with the caveat that sharing stacks is not possible.) > > > I will have to look into this in a bit more detail before I can give you a > comprehensive answer. > >> >> The first step is to get a BSP running that has sufficient >> capabilities for you to test out memory protection with. Do a little >> bit of digging, but definitely simulation is the way to go. > > > As suggested by Hesham, I have been able to run the qemu-Xilinx-zynq-a9 BSP > on qemu and I have learned how to debug it through GDB. > The BSP supports memory protection and as pointed out once I get it done on > this, I can move my code for other BSP with ARMv7 (RPI, BBB ). > >> >> The second step from my perspective is to determine how to introduce >> strict isolation between task stacks. Don't worry about sharing at >> this stage, but rather can you completely isolate tasks? Then you can >> start to poke holes in the isolation. > > > My understanding of this is that to completely isolate the tasks and page > tables of the task will be placed in two separate regions (user and system > mode respectively), the page tables will be accessed only by the kernel code > and not by the application. This will prevent dormant tasks from interfering > with the current task through the application code. >
We don't have a privilege separation in rtems, and we don't want to add one in this project. When an application calls into rtems there should not need to be a page table switch. The only time the protection hw should be manipulated is a context switch. And that should be configurable. The way I see it, a page/region should be allocated for each task stack, and that should be the only entry that changes during a context switch. The goal is to prevent accidental (non-malicious) task stack interference. The shm/mmap interface will be used to allow sharing that entry with other tasks. In the future we may be able to move toward more comprehensive memory protection, but I suspect if we try to get it all in one go the scope will be way too big for you to attempt over the summer. >> As you say, you'll also need to start to understand the context switch >> code. Start looking into it to determine where you might think to >> implement changing the address space of the executing thread. Another >> challenge is that RTEMS can dispatch to a new task from the interrupt >> handler, which may cause some problems for you as well to handle. > > > The above way of page-table and task separation should handle the interrupt > case as most of the interrupts are executed in the system mode. > No. There is a subtle problem when you dispatch to a new task while handling an interrupt for a prior task. You need to be prepared to return to a new address space context. Dispatching from an ISR is different from context switching, and I think there will be some problems to deal with there. Further, it is a common design pattern to share memory between interrupt handlers and application tasks (e.g., an event queue) so we need to be careful what we assume is/isn't available in the interrupt context. >> Have you figured out where in the code thread stacks are allocated? >> How do you plan to make the thread stacks known to other threads? > > > If I understand your question correctly this would be useful during stack > sharing. Stack sharing, as I described earlier would be through explicit > calls to mmap(), shm_open(). For obtaining the thread stack size and address > the user will first have to make a call to pthread_attr_getstack*(). Now, > this can return the attributes the user explicitly sets during > pthread_create(), or as the RTEMS docs describe the memory will be allocated > from the RTEMS workspace area as described here. I will have to look into it > more detail as this is BSP specific and any stack configuration will have to > be done after the initialization of the MPU. > >> >> TLB shootdown can be extremely expensive. Try to find ways to optimize >> that cost earlier rather than later. (One of those cases where >> premature optimization will be acceptable.) Tagged TLB architectures >> or those with "superpages" may incur less overhead if you can >> selectively shoot-down the entry (entries) used for task stacks. > > > Added to my TO-DO list. >> >> >> A final thought is that the method to configure this support is >> necessary. Configuration is undergoing some heavy changes lately, and >> application-level configuration is going to be completely different in >> rtems6. You may want to consider raising a new thread with CC to >> Sebastian to get his input on how the best way to configure something >> like this might look, now and in the future. I would have leaned >> toward a high-level configure switch (--enable-task-protection) in the >> past, but now I don't know. This capability is however something that >> should be considered disabled by default due to the extra overhead. >> >> >> Gedare >> >> > > Kindly provide your feedback if I have missed something or I have a >> > > wrong idea about it. >> > > >> > > Regards, >> > > Utkarsh Rai. >> > > >> > > _______________________________________________ >> > > devel mailing list >> > > devel@rtems.org >> > > http://lists.rtems.org/mailman/listinfo/devel >> > _______________________________________________ >> > devel mailing list >> > devel@rtems.org >> > http://lists.rtems.org/mailman/listinfo/devel _______________________________________________ devel mailing list devel@rtems.org http://lists.rtems.org/mailman/listinfo/devel