

## **Project 7: Hypervisory (4%)**

ENEE 447: Operating Systems — Spring 2016

Assigned: Monday, Mar 28; Due: Friday, Apr 8

## Purpose

In this project you will figure out how to use three levels of privileges via three different levels of virtual memory. We still will not run separate application and kernel/ukernel binaries (we need SD card access for that), but we can run each piece of code in its own separate domain, translated through its own page table. This is how datacenters operate, for example: the "guest" operating system runs within a virtual memory session, unaware that it is in fact running in virtual memory. This allows the hypervisor -- the operating system for operating systems — to protect itself and keep the system secure. So, for example, a hypervisor could juggle several different instances of Windows, plus several instances of Linux, plus instances of MacOSX as well, all on the same machine, all at the same time, all completely unaware of each other.

## Your Task

Your code will build on the last project's code: you will use both TTBR0 and TTBR1 to translate references, so that the ukernel's references are translated whenever the machine is in privileged mode (e.g., whenever the ukernel on core1 is handling interrupts), and the "user" code's references are also translated. The following page of ARM documentation shows what needs to happen:



There are two page tables: one for the bottom portion of the address space (where the ukernel will live), and one for the top portion of the address space. What this documentation says is that the smallest bottom portion ends at 0x02000000 ... meaning a 32MB space.

The ARM architecture defines three levels of access privilege:

```
A3 Application Level Memory Mode
A3.6 Access rights
A3.6
              Access rights
                      ARMv7 defines additional memory region attributes, that define access permissions that can:
                             Restrict data accesses, based on the privilege level of the access. See Privilege level access controls for data
                             accesses on page A3-143
                             Restrict instruction fetches, based on the privilege level of the process or thread making the fetch. See
                             Privilege level access controls for instruction accesses on page A3-143.
                             On a system that implements the Security Extensions, restrict accesses so that only memory accesses with
                             the Secure memory attribute are permitted. See Memory region security status on page A3-144.
                      These attributes are defined:
                             In a VMSA implementation, in the MMU, see Memory access control on page B3-1356, Memory region
                             attributes on page B3-1366, and The effects of disabling MMUs on VMSA behavior on page B3-1314
                             In a PMSA implementation, in the MPU, see Memory access control on page B5-1761 and Memory region
                             attributes on page B5-1762.
A3.6.1
               Processor privilege levels, execution privilege, and access privilege
                      As introduced in About the Application level programmers' model on page A2-38, within a security state, the
                      ARMv7 architecture defines different levels of execution privilege
                             in Secure state, the privilege levels are PL1 and PL0
                             in Non-secure state, the privilege levels are PL2, PL1, and PL0
                      PL0 indicates unprivileged execution in the current security state
                      The current processor mode determines the execution privilege level, and therefore the execution privilege level can
                      be described as the processor privilege level.
                      Every memory access has an access privilege, that is either unprivileged or privileged.
                      The characteristics of the privilege levels are:
                      PL0
                                       The privilege level of application software, that executes in User mode. Therefore, software
                                       executed in User mode is described as unprivileged software. This software cannot access some features of the architecture. In particular, it cannot change many of the configuration settings.
                                       Software executing at PL0 makes only unprivileged memory accesses.
                      PL1
                                       Software execution in all modes other than User mode and Hyp mode is at PL1. Normally, operating
                                       system software executes at PL1. Software executing at PL1 can access all features of the
                                      architecture, and can change the configuration settings for those features, except for some features 
added by the Virtualization Extensions that are only accessible at PL2.
                                               - Note
                                       In many implementation models, system software is unaware of the PL2 level of privilege, and of
                                       whether the implementation includes the Virtualization Extensions
                                       The PL1 modes refers to all the modes other than User mode and Hyp mode.
                                       Software executing at PL1 makes privileged memory accesses by default, but can also make
                                       unprivileged accesses
                      PL2
                                       Software executing in Hyp mode executes at PL2.
                                       Software executing at PL2 can perform all of the operations accessible at PL1, and can access some
                                       additional functionality.
                                       Hyp mode is normally used by a hypervisor, that controls, and can switch between, Guest OSs, that
                                       execute at PL1
A3-142
                                Copyright © 1996-1998, 2000, 2004-2012, 2014 ARM. All rights reserved.
                                                                                                                        ARM DDI 0406C.c
                                                                                                                                  ID051414
                                                             Non-Confident
```

User-level code runs in PL0, which your boot code invokes as USR mode; guest operating system code (our "ukernel") runs in PL1, typically in SVC, SYS, IRQ, and FIQ modes; the main kernel runs in HYP mode which is PL2.

Note that ARM doesn't actually restrict the ability of code running in PL1 to take over the machine. So their differentiation between PL1 and PL2 is kind of a fake security thing. But whatever. Presumably

whatever real machine you use out in industry to build your systems will have multiple priority levels that actually work. We will fake it by translating the middle-level OS's references through the TLB. The following pages describe a bit about this:



There is a new version of the "memmap" linker script, which looks like this:

```
MEMORY
{
    ram : ORIGIN = 0x0000, LENGTH = __SIZE__
}
SECTIONS
{
    .text : { *(.text*) } > ram
    .rodata : { *(.rodata*) } > ram
    .bss : { *(.bss*) } > ram
    .data : { *(.data*) } > ram
    .usercode 0x02000000 : { *(.usercode* ) }
}
```

The "usercode" portion is new and tells the linker to put the code in that section way up into the region of (virtual) memory starting at 32MB, which happens to be covered by TTBR1.

So you will have two page tables: one to cover the ukernel, and another to cover user space. This will be enabled on cores other than core0, which will run the kernel in physical space.

## Build It, Load It, Run It

Once you have it working, show us.