FIG. 1 is an explanatory diagram for describing an example of a translation system from a virtual address to a physical address in related art.
As illustrated in the same drawing, a translation from the virtual address to the physical address is realized by using a page table. The page table is data in which mapping information between a virtual address of a corresponding process and a physical address in, for example, a main storage device is stored in units of pages. That is, one entry of the page table corresponds to one page. The respective entries store an access right and the like for each privilege level (for example, a privilege mode, a non-privilege mode) with respect to the corresponding page. Depending on an architecture, a block of some pages may also be represented by one entry. In FIG. 1, the example has been described in which a translation into a physical memory is performed only by the entry of the page table, but typically, the page table is used hierarchically to carry out a translation from the virtual address to the physical address.
An address translation using the page table is performed by an MMU (Memory Management Unit). That is, when a context switch occurs, the address of the page table corresponding to the currently executed process is set in the MMU. The MMU refers to the page table at the relevant address and executes the address translation. It is noted that the page table is stored in the main storage device or the like, and the cost of accessing it is high. In view of the above, in general, a TLB (Translation Look-aside Buffer) is used, and the effective speed of access to the page table is increased.
FIG. 2 is an explanatory diagram for describing an example of a translation system using the TLB from the virtual address to the physical address. The TLB is a cache of the entry of the page table. As the TLB is mounted in the MMU, if an entry corresponding to an address of a translation target exists in the TLB, speeding-up of the address translation is carried out.
It is noted that addresses of the respective virtual spaces may be duplicated. Therefore, the entries that may be cached in the TLB at the same time are limited to entries of the page table of the process currently in execution. In view of the above, in accordance with the occurrence of the context switch, the content of the TLB is flushed.
To avoid the flush of the TLB and realize a further improvement in the performance, an architecture using the address space ID (ASID (Address Space Identifier)) also exists. The ASID refers to an identifier with respect to a virtual address space of the respective processes.
FIG. 3 is an explanatory diagram for describing an example of a translation system using the ASID from the virtual address to the physical address. In the same drawing, the ASID of one virtual address is set as “0”, and the ASID of the other virtual address is set as “1”. In the architecture where the ASID is valid, in the TLB, the respective entries are assigned with the ASIDs to be managed. Therefore, in the TLB, coexistence of the entries of the page tables corresponding to different processes may be realized. As a result, it is possible to avoid the flush of the TLB in accordance with the occurrence of the context switch.
Thus far, the example of the scheme of the address translation system in related art has been described which becomes a presupposition in the following description.
In the meantime, in recent years, the performance of CPUs used in embedded devices (for example, a mobile phone) has been improving. As a result, it is becoming possible to operate a plurality of OSs on such a CPU through virtualization. It is noted that the embedded device uses a CPU specialized for the embedded device instead of a CPU supporting the virtualization like a CPU for a PC or a server. To elaborate, the CPU in the embedded device may realize the virtualization in terms of performance but requires supplementation by software in terms of function.
For example, an operation mode of the CPU in the embedded device has only a distinction between the privilege mode and the non-privilege mode. The privilege mode is used as a mode at the time of an operation of a kernel in the OS, and the non-privilege mode is used as a mode at the time of an operation of a user task. However, in a case where the virtualization is carried out, the privilege mode is used by a hypervisor. Therefore, the access right with respect to the virtual address space needs to be distinguished in the non-privilege mode between the time of the operation of the kernels in the respective guest OSs (hereinafter referred to as “kernel mode”) and the time of the operation of the user task (hereinafter referred to as “user mode”). This is because a memory access protection in accordance with the kernel mode and the user mode is to be realized. It is noted that the hypervisor refers to a program for realizing a virtual machine where a physical computer is virtualized. The guest OS refers to an OS operating on the virtual machine realized by the hypervisor.
As a scheme for distinguishing the kernel mode and the user mode in the non-privilege mode, the following methods have been discussed up to now.
According to a first method, two page tables are prepared for one process. One of the two page tables is set as a page table at the time when the guest OS operates in the kernel mode. That is, in the respective entries of the relevant page table, as the access right in the non-privilege mode, the access right with respect to the kernel mode is set. The other one of the two page tables is set as a page table at the time when the guest OS operates in the user mode. That is, in the respective entries of the relevant page table, as the access right in the non-privilege mode, the access right with respect to the user mode is set. The hypervisor detects a switch of the operation mode of the guest OS (the kernel mode/the user mode) and sets the address of the page table corresponding to the switch destination mode in the MMU. As a result, with respect to the non-privilege mode, the two operation modes including the kernel mode and the user mode may be substantially realized.
However, according to the first method, the TLB must be flushed each time the switch between the kernel mode and the user mode is performed. This is because, in the TLB, the entry of the page table for the kernel mode and the entry of the page table for the user mode cannot be distinguished from each other.
According to a second method, pages are sorted through a concept of domains, and by setting access rights in units of domains, the distinction between the kernel mode and the user mode of the guest OS in the non-privilege mode of the CPU is realized.
FIG. 4 is an explanatory diagram for describing a scheme of a setting on an access right utilizing a domain. In the page table in the same drawing, with regard to items of three entries e1 to e3 (a physical address, a domain, and a flag), specific values are exemplified. The physical address is a physical address with respect to a virtual address related to the entry. The domain is a number of the domain to which the page belongs. In the same drawing, the domain numbers have values of 0 to n. The flag is a flag indicating an access right with respect to the page in the non-privilege mode.
In the same drawing, for a setting of the access right with respect to the domain (domain setting), an example is illustrated in which “access permitted”, “access not permitted”, “flag”, and “access permitted” are respectively set to domains 0, 1, 2, and n.
In this case, with regard to the page related to the entry e1 belonging to the domain 0, irrespectively of a value of the flag for the entry e1, the access is permitted. With regard to the page related to the entry e2 belonging to the domain 1, irrespectively of a value of the flag for the entry e2, the access is forbidden. With regard to the page related to the entry e3 belonging to the domain 2, the access right is determined while following a value of the flag.
By utilizing the domain setting, which may override the access rights of the page table in this manner, it is possible to change the access rights with respect to the respective pages while the same page table is used. That is, by changing the domain setting between the kernel mode and the user mode, it is possible to realize the access protection of the memory in accordance with the respective operation modes without flushing the TLB. It is noted that the ARM architecture is an example of an architecture adopting the domain.
U.S. Laid-open Patent Publication No. 2008/0244206, Japanese Laid-open Patent Publication No. 2007-122305, and “Jun Nakajima, Asit Mallick, Ian Pratt, Keir Fraser, “X86-64 XenLinux: Architecture, Implementation, and Optimizations”, in Proceedings of the Linux Symposium, July 2006” are examples of related art.
However, according to the second method, not all the combinations of the access rights for the kernel mode and the user mode can be realized in one domain, and a problem of a lack of flexibility occurs.
FIG. 5A and FIG. 5B are explanatory diagrams for describing the problem of the second method. FIG. 5A illustrates two patterns to be realized in one domain with regard to combinations of the user mode and the kernel mode with the access rights. In a pattern 1, the access right of the user mode is “access forbidden”, and the access right of the kernel mode is “read write permitted”. In a pattern 2, the access right of the user mode and the access right of the kernel mode are both “read permitted”. It is noted that a state in which the pattern 1 and the pattern 2 are realized in one domain means that the pattern 1 is realized for a certain page belonging to the same domain and the pattern 2 is realized for any of the other pages.
FIG. 5B illustrates contents of the setting on the access rights with respect to the non-privilege mode of the page table and the domain setting for realizing the respective patterns of FIG. 5A. It is noted that as the domain setting is switched between the user mode and the kernel mode, the setting contents are respectively illustrated.
In FIG. 5B, the setting for the pattern 1 is a setting content for realizing the pattern 1. In the setting for the pattern 1, a value that may be set as the access right of the page table is “access forbidden”, “any”, or “read write permitted”. It is noted that “any” means any access right may be adopted.
In a case where “access forbidden” is set in the page table, to realize the pattern 1, the domain setting of the user mode must be “flag” and the domain setting of the kernel mode must be “access permitted”. In this case, the access right of the user mode becomes “access forbidden”, which is the access right of the page table, and for the kernel mode the access right of the page table is overwritten by the domain setting to become “access permitted (=read write permitted)”. Therefore, the pattern 1 is realized.
In a similar concept, in a case where the access right of the page table is “any”, it is requested that the domain setting of the user mode is “access not permitted” and the domain setting of the kernel mode is “access permitted”. Also, in a case where the access right of the page table is “read write permitted”, it is requested that the domain setting of the user mode is “access not permitted” and the domain setting of the kernel mode is “flag” or “access permitted”.
In FIG. 5B, the setting for the pattern 2 is a setting content for realizing the pattern 2. In the setting for the pattern 2, a value that may be set as the access right of the page table is limited to “read permitted”. In this case, to realize the pattern 2, it is requested that the domain settings on both the user mode and the kernel mode are “flag”.
At this time, when the content of the domain setting in the setting for the pattern 1 and the content of the domain setting in the setting for the pattern 2 are compared with each other, no setting contents common to both settings exist. Therefore, the content of FIG. 5A cannot be realized in one domain.
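The domain override described with FIG. 4 and the conflict derived from FIG. 5A and FIG. 5B can be checked by enumeration. The following C program is an added example and not part of the original text; its enum and function names are hypothetical, and it assumes three page-table flag values (access forbidden, read permitted, read write permitted) with “access permitted” treated as read write, as stated above.

```c
#include <stdio.h>

/* Added illustration; all enum and function names are hypothetical. */
/* Access right stored in a page-table entry for the non-privilege mode. */
enum right { FORBIDDEN, READ, READ_WRITE, N_RIGHTS };
/* Per-domain setting: two overrides, or defer to the entry's flag. */
enum dset { D_PERMIT, D_DENY, D_FLAG, N_DSETS };

/* Effective right of a page: the domain setting overrides the flag
 * unless it is D_FLAG ("access permitted" is treated as read write). */
static enum right effective(enum dset d, enum right flag)
{
    if (d == D_PERMIT) return READ_WRITE;
    if (d == D_DENY)   return FORBIDDEN;
    return flag;
}

/* 1 if some page flag yields (user_want, kernel_want) under the given
 * user-mode and kernel-mode domain settings of one domain. */
static int realizable(enum dset u, enum dset k,
                      enum right user_want, enum right kernel_want)
{
    for (int f = 0; f < N_RIGHTS; f++)
        if (effective(u, (enum right)f) == user_want &&
            effective(k, (enum right)f) == kernel_want)
            return 1;
    return 0;
}

/* Count (user, kernel) domain-setting pairs that realize pattern 1
 * (which & 1) and/or pattern 2 (which & 2) of FIG. 5A. */
int count_pairs(int which)
{
    int n = 0;
    for (int u = 0; u < N_DSETS; u++)
        for (int k = 0; k < N_DSETS; k++) {
            int p1 = realizable((enum dset)u, (enum dset)k, FORBIDDEN, READ_WRITE);
            int p2 = realizable((enum dset)u, (enum dset)k, READ, READ);
            if ((!(which & 1) || p1) && (!(which & 2) || p2))
                n++;
        }
    return n;
}

int main(void)
{
    printf("pattern 1: %d pairs, pattern 2: %d pairs, both: %d pairs\n",
           count_pairs(1), count_pairs(2), count_pairs(3));
    return 0;
}
```

The enumeration finds three domain-setting pairs for the pattern 1, one for the pattern 2, and none common to both.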
It is noted that the Patent Documents propose that the page table and the ASID are allocated with respect to the operation mode of the guest OS, and that, in accordance with a switch instruction of the operation mode from the guest OS, the TLB flush at the time of the mode switch is avoided by switching the page table and the ASID.
However, as the operation mode of the guest OS does not presuppose a pair such as the user mode and the kernel mode, the hypervisor cannot forcibly perform the switch to the kernel mode in place of the instruction from the guest OS.