The MMU insinuate analysis of ARM v7-a series CPU

The MMU insinuate analysis of ARM v7-a series CPU

Summary : The ARM v7-a series CPUs include many extensions, such as multicore processor extensions, large physical address extensions, Trustzone extensions, and virtualization extensions. If large physical addresses are supported, multi-core processors must be supported, and if virtualization is supported, large physical addresses, multicore processors, and TrustZone must be supported. After adding these extensions, the corresponding MMU (virtual address to physical address of the insinuate function) structure also changed a lot. In this paper, we first analyze the whole structure of the added MMU, then introduce the short description format (32-bit) and long description format (64-bit) in the address translation, and how to implement the virtual address to Physical address query, and finally the two-level insinuate problem, give an example to verify.

keywords : cortex-a MMU; large physical Address extension; TrustZone; virtualization; second-level insinuate

1 ARM v7-a MMU Overall Structure Introduction 1.1 overall structure

The overall structure is made up of four parts, as shown in.

HYP (Super Management) mode in Pl2:ns (non-secure mode)

Pl1:s (Safe mode) or NS (non-secure mode) other modes (except user mode)

User mode under PL0:S or NS

Note: Each CPU (support Trustzone extension) can be in safe mode or non-secure mode, in any mode (secure or non-secure) CPU has 8 modes (support Trustzone, virtualization).

These four parts are divided into:

pl1&0 of Safe Mode insinuate , page Table control register TTBCR, page table base Register TTBR0/TTBR1, these registers need the PL1 setting in S mode;

PL2 of non-secure mode insinuate , page Table control register HTCR, page table base register HTTBR, need PL2 set in NS;

pl1&0 of non-secure mode The first level mapping , page Table control register TTBCR, page table base Address register TTBR0/TTBR1, need PL1 setting in NS mode;

pl1&0 of non-secure mode the Level Two mapping , page Table control register VTCR, page table base Address register VTTBR, need to be set in NS PL2 ;

1.2 Problems brought by

Due to the many extensions, the following issues have been brought:

1, in a safe mode of the CPU, with the MMU access to the corresponding physical unit, the same virtual address, can access to a secure physical address, may also access to a non-secure physical address, how to determine the physical address of access is safe, non-secure?

A CPU that is in non-secure mode does not have this capability and can only access non-secure physical addresses.

Answer: for a short descriptor , if the first-level descriptor is a segment or super-segment, then the 19-bit NS means that the s/ns is accessed;

If the first-level descriptor is a page table, the 3rd-digit NS means that the access is s/ns,

Is that the level two descriptor is no longer differentiated, that is, the s/ns is in 1MB.

for long descriptive format , Level Two mapping is only used in NS mode, and S/ns is only used in S mode, so only a one-level mapping is available for this function.

If the first-level descriptor is block, the 5th-bit NS means that the access is s/ns, which is only useful when the final physical address is queried.

If the first-level descriptor is a table, then the 63-bit NS Table represents the S/ns,

If 1, then the subsequent level two and three are non-safe ;

If 0, if level two is block, then NS is determined;

If level two is also table, continue to Judge NS table

If 1, the rear is non-secure.

If 0, the 5th-digit NS of level three is determined.

2, NS pl1&0 whether to enable level two mapping, can not adopt?

Answer: The VM bit of the HCR register, which determines whether the two-level mapping of the NS PL1&0 enables

3, Short/Long descriptor format How to choose, S Pl1&0,ns pl1&0 of the first-level mapping How to decide to use short description format, long descriptor formats?

A : referring to the above description, the Eae bit of the ttbcr is shorter or longer, while the two-level mapping of the NS Pl2,ns pl1&0 must be in long -descriptive format.

2 address translation of short Descriptor Table 2.1 Correlation register and concept description

The virtual address entered is 32 bits, and the physical address of the output is 32 bits/40 bits.

+ bit of ttbcr The format:

+ bit of TTBR0 format:

+ bit of TTBR1 format:

Insinuate classification:

Super Segment: bit, 16MB, whether it is supported by the implementation decision (CORTEX-A7,A9 are different implementations). Physical address can be up to 40 bits maximum

section: bit, 1MB

Big page: bit, 64KB

Small page: bit, 4KB

The short descriptor may have a total of two levels, as described below.

First-level descriptor content:

00: invalid

01: Page table,[31:10] bit is the base address of Level two page table

1 x: De Yin shot, X is PXN (privileged execute never) bit.

18 Bits is 0 is paragraph, 1 is super segment.

, the 12 bits of the physical address are represented by [31:20], and the lower 20 bits of the virtual address are also the physical addresses ;

Super Segment ,[39:36 (8:5) 35:32 (23:20) 31:24] A total of 16 bits , the high 16 bits that make up the physical address, and the low 24 bits of the virtual address are also the physical addresses

PXN: This bit is optional (defined or undefined) when large physical address extensions are not implemented;

If this is done, the bit must be defined.

Second-level descriptor content:

00: invalid

01: Large page,31:16 indicates the high of the physical address, the low 16 bits of the virtual address is also the physical address ,

1 x: Small page,31:12 indicates the high of the physical address, the lower 12 bits of the virtual address is also the physical address .

X is xn (execute never) bit, can execute bit

TTBR0 or TTBR1 . Selection of:

TTBCR 2:0 of these 3 bits of content, is N.

If n is 0, it is always used TTBR0;

If n>0, follow the table below to infer the content.

n the maximum is 7, if n is 7, then 0x0200 0000 ~ 0x03ff FFFF The beginning of the virtual address using TTBR0, this total 0x20, each 4 bytes, so TTBR0 just 128 bytes can be;

And for TTBR1, because the address is not contiguous, it needs 16KB size, 16KB/4=4KB,4*1024*1MB=4GB, covering the entire range.

2.2 Virtual address to Physical Address conversion 2.2.1 Super Segment Lookup

2.2.2 section of the search

2.2.3 Large pages of search

2.2.4 Small Page Search

3 address translation format for long descriptors

There may be a total of three levels, respectively, described below.

3.1 First level query

The first-level query is shown in the diagram.

3.1.1 Stage 1 insinuate

for Stage 1 insinuate : Input 32-bit, output 40-bit

HYP mode , the 64-bit HTTBR is defined as follows.

The value of X is determined based on Htcr.t0sz (that is, the value of HTCR low 3 bits).

If Htcr.t0sz > 1, it is 14-htcr.t0sz; otherwise it is 5 -HTCR. T0sz.

The 32-bit HTCR is defined as follows.

In other modes , the 64-bit TTBR0/TTBR1 is defined as follows.

Where the value of x is determined by TTBCR.T0SZ/T1SZ, the formula is the same as above.

TTBCR's 22nd A1, decided to use TTBR0 or TTBR1 ASID (address space ID)

The 32-bit TTBCR is defined as follows.

TTBR0 or TTBR1 . Selection of:

Refer to the following table formula, there may be a segment of the virtual address space, can not find the page table base address, cannot be accessed.

3.1.2 Stage 2 insinuate

For Stage 2 insinuate: Enter 40 bits, output 40 bits.

The 64-bit VTTBR definition is as follows.

Where the value of x is determined by the Vtcr.t0sz, the calculation method is the same as above.

The 32-bit VTCR is defined as follows.

The first-level query and the descriptor format for level Two queries are shown in.

according to, if the first level of the query comes block , remove the 39:30 as the address of the high, virtual address of the 30:0 as low, the size is in 1GB as a unit.

If the first level of the query comes out of the page table, according to take out 39:12 as the high address, the virtual address of the 29:21 Act as 11:3 Low , continue to query.

3.2 Level Two query

According to, if the query is block, then take out 39:21 as the physical address of the high, virtual 20:0 as the low, the size is 2MB for the unit.

If the query is still a page table, take 39:12 as the high address, again the virtual address of the 20:12 as the 11:3 bit , continue to query.

3.3 Level Three Query

First-level mapping, a complete three-level query is shown.

According to, level three query results must be a page table , will be taken out of 39:12 as the physical high address, the virtual address of 11:0 as the low address, this is the final physical address.

Two-level insinuate function verification in 4 NS mode

Verify the Platform:

Memory size 2gb:0x0000 0000 ~ 0x8000 0000

Cpu:cortex-a7

In Uboot, the memory address size passed to the kernel is 1024-16m and the address range is 0x0000 0000 ~ 0x4000 0000-16MB.

Turn on the two-level insinuate function under NS. Set the VTTBR address to table_base_stage_2, level two insinuate the page table contents as follows.

. Globl table_base_stage_2

Table_base_stage_2:

. Quad 0X00000000000007FD//Mapping guest ' s IPA 0x0000,0000-0x3fff,ffff to PA 0x0000,0000-0x3fff,ffff (RAM space)

. Quad 0x0000000000000000

. Quad 0x00400000800004c9//Mapping guest ' s IPA 0x8000,0000-0xbfff,ffff to PA 0x8000,0000-0xbfff,ffff (Device space)

. Quad 0x00400000800004c9//Mapping guest ' s IPA 0xc000,0000-0xffff,ffff to PA 0xc000,0000-0xffff,ffff (Device space)

. Quad 0x0000000000000000//Mark everything else as aborting

. Quad 0x0000000000000000

Each descriptor content is 64 bits, 8 bytes.

The first 0x0000 0000 0000 07fd,[39:30] is [0000 0000 00] and the lowest bit is 1 1 0 1, which indicates a block mapping. That is, the IPA 0xXX 0000 0000 ~ 0xXX 3FFF FFFF This address space corresponds to the

The physical address is a block, and the corresponding physical address range is 0x00 0000 0000 ~ 0x00 3FFF FFFF.

For the second, 0x0000000000000000, the lowest bit is 0 0 0 0, according to the following description,

That is, the IPA 0x4000 0000 ~ 0x7FFF FFFF corresponding PA is indeterminate and will produce conversion invalidation.

Kernel, create a 16M short descriptor of De Yin, Insinuate described as:

Virtual address 0xfd00 0000 ~ FE00 0000 Corresponding IPA intermediate address is 0x 4000 0000 ~ 0x4100 0000.

Then the kernel accesses the 0xfd00 0004 virtual address space, according to the first insinuate, the corresponding IPA is 0x4000 0004;

in the two-level stealth, this IPA address can not find the corresponding physical address, will be wrong , but will not panic, observed that the thread occupies more than 90% of the CPU.

Reference : ddi0406c_arm_architecture_reference_manual.pdf

The MMU insinuate analysis of ARM v7-a series CPU