Merge pull request #645 from betrusted-io/pddb-baosec-bringup

Pddb baosec bringup

Author: bunnie

Cargo.lock

@@ -65,6 +65,9 @@ fn translate_flags(req_flags: MemoryFlags) -> MMUFlags {
     if req_flags & xous_kernel::MemoryFlags::X == xous_kernel::MemoryFlags::X {
         flags |= MMUFlags::X;
     }
+    if req_flags & xous_kernel::MemoryFlags::P == xous_kernel::MemoryFlags::P {
+        flags |= MMUFlags::P;
+    }
     flags
 }
 
@@ -80,6 +83,9 @@ fn untranslate_flags(req_flags: usize) -> MemoryFlags {
     if req_flags & MMUFlags::X == MMUFlags::X {
         flags |= xous_kernel::MemoryFlags::X;
     }
+    if req_flags & MMUFlags::P == MMUFlags::P {
+        flags |= xous_kernel::MemoryFlags::P;
+    }
     flags
 }
 

kernel/src/arch/riscv/mem.rs

@@ -6,7 +6,10 @@ use core::fmt;
 use xous_kernel::{MemoryFlags, MemoryRange, PID, arch::*};
 
 pub use crate::arch::mem::MemoryMapping;
-use crate::arch::process::Process;
+use crate::arch::{
+    mem::{MMUFlags, flush_mmu, pagetable_entry},
+    process::Process,
+};
 #[cfg(feature = "swap")]
 use crate::swap::SwapAlloc;
 
@@ -628,13 +631,17 @@ impl MemoryManager {
             // round up to the nearest page boundary
             let end = (virt_ptr as usize + size + PAGE_SIZE - 1) & !(PAGE_SIZE - 1);
             for virt in (start..end).step_by(PAGE_SIZE) {
-                // read/write is provisionally allowed - this allows us to cache writeable
-                // data using the swap mechanism and only do built write-outs when the page is
-                // retired. However this is somewhat dangerous because it means we could lose
-                // data on power-down or if we screw up the tracking of dirty pages (dirty bit is
-                // not automatically set on write/update). Valid is not set, because it's not
+                // Pages are read-only. Writes take a special call to ensure atomicity of write
+                // updates (and subsequent page unmap). Valid is not set, because it's not
                 // wired into memory, and "P" (swap) is set to indicate this is a swapper managed page.
-                mm.reserve_address(self, virt, MemoryFlags::R | MemoryFlags::W | MemoryFlags::P)?;
+                mm.reserve_address(self, virt, MemoryFlags::R | MemoryFlags::P)?;
+
+                // now mark the page as USER
+                let pte = pagetable_entry(virt)?;
+                unsafe {
+                    pte.write_volatile(pte.read_volatile() | MMUFlags::USER.bits());
+                    flush_mmu();
+                }
             }
             // note that the region returned is snapped to the nearest page boundary, even if
             // the use called us with unaligned addresses.

kernel/src/mem.rs

@@ -3,10 +3,11 @@
 
 use core::cmp::Ordering;
 
+use loader::SWAP_FLG_WIRED;
 use xous_kernel::SWAPPER_PID;
 use xous_kernel::arch::EXCEPTION_STACK_TOP;
+use xous_kernel::arch::MMAP_VIRT_BASE;
 use xous_kernel::arch::PAGE_SIZE;
-use xous_kernel::arch::SWAP_FLG_WIRED;
 use xous_kernel::arch::SWAP_RPT_VADDR;
 use xous_kernel::{PID, SysCallResult, TID};
 
@@ -39,6 +40,7 @@ pub enum SwapAbi {
     HardOom = 4,
     StealPage = 5,
     ReleaseMemory = 6,
+    WritePage = 7,
 }
 /// SYNC WITH `xous-swapper/src/main.rs`
 impl SwapAbi {
@@ -51,6 +53,7 @@ impl SwapAbi {
             4 => HardOom,
             5 => StealPage,
             6 => ReleaseMemory,
+            7 => WritePage,
             _ => Invalid,
         }
     }
@@ -64,6 +67,9 @@ pub enum BlockingSwapOp {
     /// PID of the target block, current paddr of block, original vaddr in the space of target block PID,
     /// physical address of block. Returns to PID of the target block.
     ReadFromSwap(PID, TID, usize, usize, usize),
+    /// PID of the target block, current paddr of block, original vaddr in the space of target block PID,
+    /// physical address of block. Returns to PID of the target block.
+    WriteToFlash(PID, TID, PID, usize, usize),
     /// Immediate OOM. Drop everything and try to recover; from here until exit, everything runs in
     /// an un-interruptable context, no progress allowed. This currently can only originate from one
     /// location, if we need multi-location origin then we have to also track the re-entry point in the
@@ -644,7 +650,7 @@ impl Swap {
     /// evict_page)
     ///
     /// This call diverges into the userspace swapper.
-    /// Divergent calls must turn of IRQs before memory spaces are changed.
+    /// Divergent calls must turn off IRQs before memory spaces are changed.
     pub fn retrieve_page_syscall(&mut self, target_vaddr_in_pid: usize, paddr: usize) -> ! {
         let target_pid = crate::arch::process::current_pid();
         let target_tid = crate::arch::process::current_tid();
@@ -670,6 +676,34 @@ impl Swap {
         }
     }
 
+    pub fn write_page_syscall(
+        &mut self,
+        src_pid: PID,
+        flash_offset: usize,
+        page_vaddr_in_swapper: usize,
+    ) -> ! {
+        let target_pid = crate::arch::process::current_pid();
+        let target_tid = crate::arch::process::current_tid();
+
+        #[cfg(feature = "debug-swap-verbose")]
+        println!(
+            "write_page - userspace activate for pid{:?}/tid{:?} for vaddr {:x?} -> offset {:x?}",
+            target_pid, target_tid, page_vaddr_in_swapper, flash_offset
+        );
+        // prevent context switching to avoid re-entrant calls while handling a call
+        self.swap_stop_irq();
+        // this is safe because the syscall pre-amble checks that we're in the swapper context
+        unsafe {
+            self.blocking_activate_swapper(BlockingSwapOp::WriteToFlash(
+                target_pid,
+                target_tid,
+                src_pid,
+                page_vaddr_in_swapper,
+                flash_offset,
+            ));
+        }
+    }
+
     /// Safety:
     ///   - the current page table mapping context must be PID 2 (the swapper's PID) for this to work
     ///   - interrupts must have been disabled prior to setting the context to PID 2
@@ -685,6 +719,12 @@ impl Swap {
                 self.swapper_args[3] = vaddr_in_pid;
                 self.swapper_args[4] = vaddr_in_swap;
             }
+            BlockingSwapOp::WriteToFlash(_pid, _tid, _src_pid, vaddr_in_swap, flash_offset) => {
+                self.swapper_args[0] = self.swapper_state;
+                self.swapper_args[1] = 4; // WriteToFlash
+                self.swapper_args[2] = vaddr_in_swap;
+                self.swapper_args[3] = flash_offset;
+            }
             BlockingSwapOp::HardOomSyscall(_tid, _pid) => {
                 self.swapper_args[0] = self.swapper_state;
                 self.swapper_args[1] = 3; // HardOom
@@ -751,6 +791,33 @@ impl Swap {
                 });
                 (pid, tid)
             }
+            // Called from any process. Clear the dirty bit on the RPT when exiting. No pages are unmapped
+            // by this routine, that would be handled by the OOMer, if at all.
+            Some(BlockingSwapOp::WriteToFlash(pid, tid, src_pid, _vpage_addr_in_swapper, flash_offset)) => {
+                // this works because the V:P mapping for the flash memory is 1:1 for the LSBs
+                let flash_vaddr = MMAP_VIRT_BASE + flash_offset;
+                // evict_page_inner marks the page as swapped/invalid in src_pid, but also maps the page
+                // into the swapper's address space
+                let swap_vaddr = crate::arch::mem::evict_page_inner(src_pid, flash_vaddr).unwrap();
+
+                // release the page from the swapper's address space
+                MemoryManager::with_mut(|mm| {
+                    let paddr = crate::arch::mem::virt_to_phys(swap_vaddr).unwrap() as usize;
+                    #[cfg(feature = "debug-swap-verbose")]
+                    println!("Release flash backing page - paddr {:x}", paddr);
+                    // this call unmaps the virtual page from the page table
+                    crate::arch::mem::unmap_page_inner(mm, swap_vaddr).expect("couldn't unmap page");
+                    // This call releases the physical page from the RPT - the pid has to match that of
+                    // the original owner. This is the "pointy end" of the stick;
+                    // after this call, the memory is now back into the free pool.
+                    mm.release_page_swap(paddr as *mut usize, src_pid)
+                        .expect("couldn't free page that was swapped out");
+                });
+
+                // Unhalt IRQs
+                self.swap_restore_irq();
+                (pid, tid)
+            }
             Some(BlockingSwapOp::HardOomSyscall(tid, pid)) => {
                 // We enter this from the swapper's memory space
                 assert!(

kernel/src/swap.rs

@@ -1114,6 +1114,20 @@ pub fn handle_inner(pid: PID, tid: TID, in_irq: bool, call: SysCall) -> SysCallR
                         Err(xous_kernel::Error::AccessDenied)
                     }
                 }
+                SwapAbi::WritePage => {
+                    if pid.get() != xous_kernel::SWAPPER_PID {
+                        return Err(xous_kernel::Error::AccessDenied);
+                    }
+                    let src_pid = PID::new(a1 as u8).unwrap();
+                    // strip off the virtual addres prefix: by definition this region is 1:1 mapped in the
+                    // LSBs
+                    let flash_offset = a2 & 0x0FFF_FFFF;
+                    let page_vaddr_in_swapper = a3;
+                    Swap::with_mut(|swap| {
+                        swap.write_page_syscall(src_pid, flash_offset, page_vaddr_in_swapper);
+                    });
+                    Ok(xous_kernel::Result::Ok)
+                }
                 SwapAbi::Invalid => {
                     println!(
                         "Invalid SwapOp: {:x} {:x} {:x} {:x} {:x} {:x} {:x}",

kernel/src/syscall.rs

@@ -30,8 +30,7 @@ pub const APP_UART_IFRAM_ADDR: usize = utralib::HW_IFRAM0_MEM + utralib::HW_IFRA
 // display buffer: 1 page for double-buffering, rounded up to 1 page for commands
 pub const DISPLAY_IFRAM_ADDR: usize = utralib::HW_IFRAM0_MEM + utralib::HW_IFRAM0_MEM_LEN - 5 * 4096;
 
-// Flash needs 4096 bytes for Rx, and 0 bytes for Tx + 16 bytes for cmd for 2 pages total. This is released
-// after boot.
+// Flash needs 4096 bytes for Rx, and 0 or 256 bytes for Tx + 16 bytes for cmd for 2 pages total.
 pub const SPIM_FLASH_IFRAM_ADDR: usize = utralib::HW_IFRAM0_MEM + utralib::HW_IFRAM0_MEM_LEN - 7 * 4096;
 
 // one page for the I2C driver

libs/cramium-hal/src/board/baosec.rs

@@ -584,8 +584,8 @@ impl Spim {
             // last iteration falls through without waiting...
             if words_sent < total_words {
                 while self.udma_busy(Bank::Tx) {
-                    #[cfg(feature = "std")]
-                    xous::yield_slice();
+                    // #[cfg(feature = "std")]
+                    // xous::yield_slice();
                 }
             }
         }
@@ -842,8 +842,8 @@ impl Spim {
         let cmd_list = [SpimCmd::SendCmd(self.mode, 8, cmd as u16)];
         self.send_cmd_list(&cmd_list);
         while self.udma_busy(Bank::Custom) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
     }
 
@@ -868,8 +868,8 @@ impl Spim {
         };
         self.send_cmd_list(&cmd_list);
         while self.udma_busy(Bank::Rx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
 
         let ret = u32::from_le_bytes([self.rx_buf()[0], self.rx_buf()[1], self.rx_buf()[2], 0x0]);
@@ -899,8 +899,8 @@ impl Spim {
         };
         self.send_cmd_list(&cmd_list);
         while self.udma_busy(Bank::Rx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
 
         let ret =
@@ -947,8 +947,8 @@ impl Spim {
         self.send_cmd_list(&cmd_list);
 
         while self.udma_busy(Bank::Tx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         self.mem_cs(false);
     }
@@ -1140,8 +1140,8 @@ impl Spim {
         };
         self.send_cmd_list(&cmd_list);
         while self.udma_busy(Bank::Rx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         let ret = self.rx_buf()[0];
 
@@ -1163,8 +1163,8 @@ impl Spim {
         };
         self.send_cmd_list(&cmd_list);
         while self.udma_busy(Bank::Rx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         let ret = self.rx_buf()[0];
 
@@ -1183,8 +1183,8 @@ impl Spim {
         self.send_cmd_list(&cmd_list);
 
         while self.udma_busy(Bank::Tx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         self.mem_cs(false);
     }
@@ -1237,8 +1237,8 @@ impl Spim {
         self.send_cmd_list(&cmd_list);
 
         while self.udma_busy(Bank::Tx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         self.mem_cs(false);
     }
@@ -1290,7 +1290,7 @@ impl Spim {
         true
     }
 
-    /// This routine can data that is strictly a multiple of a page length (256 bytes)
+    /// This routine can write data that is strictly a multiple of a page length (256 bytes)
     pub fn mem_flash_write_page(&mut self, addr: u32, buf: &[u8; FLASH_PAGE_LEN]) -> bool {
         // crate::println!("write_page: {:x}, {:x?}", addr, &buf[..8]);
         // enable writes: set wren mode
@@ -1321,8 +1321,8 @@ impl Spim {
         self.send_cmd_list(&cmd_list);
 
         while self.udma_busy(Bank::Tx) {
-            #[cfg(feature = "std")]
-            xous::yield_slice();
+            // #[cfg(feature = "std")]
+            // xous::yield_slice();
         }
         self.mem_cs(false);
 

libs/cramium-hal/src/udma/spim.rs

@@ -22,6 +22,11 @@ pub const FLG_D: usize = 0x80;
 pub const FLG_P: usize = 0x200;
 
 pub const SWAP_FLG_WIRED: u32 = 0x1_00;
+// Note: this flag is currently not used. It was an aborted attempt to do
+// auto-write on dirty page but due to lack of hw synchronization we couldn't
+// guarantee atomicity. Flag can be removed or re-used in the future if another
+// attempt is tried on a system that has hardware dirty page updating.
+pub const SWAP_FLG_DIRTY: u32 = 0x2_00;
 pub const FLG_SWAP_USED: u32 = 0x8000_0000;
 
 // Locate the hard-wired IFRAM allocations for UDMA

loader/src/lib.rs

@@ -512,6 +512,9 @@ fn clear_ram(cfg: &mut BootConfig) {
     // stay there forever, if not explicitly cleared. This clear adds a couple seconds
     // to a cold boot, but it's probably worth it. Note that it doesn't happen on a suspend/resume.
     let ram: *mut u32 = cfg.sram_start as *mut u32;
+    #[cfg(feature = "swap")]
+    let clear_limit = ((2 * 4096 + core::mem::size_of::<BootConfig>()) + 4095) & !4095;
+    #[cfg(not(feature = "swap"))]
     let clear_limit = ((4096 + core::mem::size_of::<BootConfig>()) + 4095) & !4095;
     if VDBG {
         println!("Stack clearing limit: {:x}", clear_limit);