The ARM (previously, the Advanced RISC Machine, and prior to that the Acorn RISC Machine) processor architecture is a 32-bit RISC processor architecture developed by ARM Holdings PLC, Maidenhead, United Kingdom, that is widely used in a number of embedded designs. Because of their power saving features, ARM processors are used in mobile electronic devices where low power consumption is a design goal. As such, ARM processors are found in nearly all consumer electronics, from portable devices (personal digital assistants (PDAs), mobile phones, media players, handheld gaming units, and calculators) to computer peripherals (hard drives, and desktop routers).
Machine virtualization is well known in the art. As is known, a virtual machine (VM) is a software abstraction—a “virtualization”—of an actual or an abstract physical computer system. As is also well known, the VM runs as a “guest” on an underlying “host” hardware platform, and guest software, such as a guest OS and guest applications, may be loaded onto the VM for execution. Because of the ubiquitous use of the ARM processor architecture in mobile devices, efforts addressed to virtualization of mobile devices have been addressed to virtualization of the ARM processor architecture, for example, by providing a mobile virtualization platform (MVP) hypervisor.
As is well known, a memory protection mechanism for ARM processor architectures versions 4-7 entails use of: (a) memory protection attributes expressed in page table descriptors; and (b) domains. Because hardware assistance does not exist today, virtualizing a memory management unit (MMU) for use in a mobile virtualization platform (MVP) hypervisor typically entails use of shadowing techniques.
The following describes various features of the ARM processor architecture that need to addressed when virtualizing memory protection.
In particular, the ARM virtual memory system architecture (“VMSA”) is present on all ARM processors with an application profile in versions 4-7 of the ARM processor architecture. While there have been changes between such versions of the ARM processor architecture in the expression of memory protection attributes (for example, by introduction of a no-execute bit and semantic changes to attribute representation), all such versions share the following features: (a) two rings; and (b) a two-level tree-structured page table. In particular, there are two rings of protection on an ARM processor where a user mode is less privileged than any privileged mode which shares the same ring. Although there exists a set of security extensions intended to enable features such as secure boot loaders, these introduce a further, more privileged ring, which is ignored herein. The current privilege level is maintained in the CPSR register on an ARM processor. In further particular, a two-level tree-structured page table enables a 32-bit virtual address space to be translated to a 32-bit physical address space (40-bit in ARM processor architecture versions 6-7) by a hardware page table walker and translation lookaside buffer (TLB). The page table entries are referred to as page table descriptors, and the first and second levels of the page table are referred to as L1 and L2, respectively, herein. As is well known, L1 descriptors may either be links to L2 page tables or superpage mappings, which L1 descriptors cover 1 MB regions of address space in both cases—such a 1 MB region is referred to as a section herein. As is also well known, L2 descriptors cover 4 KB of address space.
As is well known, prior to ARM processor architecture version 6, the ARM processor architecture used a single translation table base which was stored in a register known as the TTBR (i.e., the translation table base register). However, since ARM processor architecture version 6, the ARM processor architecture has used two TTBRs, referred to as TTBR0 and TTBR1, respectively. In accordance with this usage, address space is partitioned with a configurable pivot, i.e., all virtual addresses lower than the pivot are translated using TTBR0, and virtual addresses greater than or equal to the pivot are translated using TTBR1. In the rest of this specification, TTBR refers to: (a) TTBR for ARM processor architectures prior to version 6; and (b) TTBR0/TTBR1 for ARM processor architectures version 6 and above.
As is well known, L1 descriptors contain a 4-bit domain value. In addition, L1 and L2 descriptors contain memory type information and access permissions (i.e., memory protection information) that take into account (a) the fact that user and privileged modes may have distinct read and write permissions, and (b) a no-execute bit that applies irrespective of privilege level.
In accordance with the ARM processor architecture, domain-based protection is used in addition to access permissions configured in L1 or L2 descriptors. As is known, the ARM processor architecture uses a domain access control register (DACR) which maps each domain to the following domain access values: No Access, Manager or Client. Domain-based protection only applies when paging is enabled (i.e. only on the virtual address space) and enables fine-grain protection for each 1 MB memory region in the virtual address space. For example, a domain access value of No Access on one 1 MB memory region, a domain access value of Manager on another 1 MB memory region, and a domain access value of Client on yet another 1 MB memory region. Specifically: (a) for a domain access value of No Access, any access (data or instruction) to a 1 MB section of address space that is tagged in the page table with a domain that maps to No Access results in an abort, i.e., access permissions in a corresponding L1 or L2 descriptor are ignored and no access permissions are conveyed; (b) for a domain access value of Manager, any access to a section marked Manager also ignores access permissions present in a corresponding L1 or L2 descriptor, i.e., as long as a valid descriptor exists, read, write and execute access permissions are conveyed in both user and privileged modes; and (c) for a domain access value of Client, any access to a section marked Client respects access permissions present in a corresponding L1 or L2 descriptor.
The DACR may be used by operating systems to switch access control treatment of potentially large and non-contiguous regions of the address space. In addition, it can be used to enable a kernel to enable/disable regions quickly, to enable the kernel to access its own memory when issuing load/store-as-user instructions (for example, as done by Linux), or to implement fast address space switching optimizations on ARM processor architecture versions 4-5.
Lastly, since ARM processor architecture version 6, TLBs, and in some cases instruction caches, have been tagged with address space identifiers (ASIDs) where the 8-bit ASID is specified in a register referred to as the Context ID Register (CONTEXTIDR).
In order to virtualize the ARM processor architecture, there is a need to virtualize ARM memory protection that takes into account the above-described features of the ARM processor architecture.