1 ================================
2 Application Data Integrity (ADI)
3 ================================
4
5 SPARC M7 processor adds the Application Data I
6 ADI allows a task to set version tags on any s
7 space. Once ADI is enabled and version tags ar
8 address space of a task, the processor will co
9 to memory in these ranges to the version set b
10 previously. Access to memory is granted only i
11 matches the tag set by the application. In cas
12 raises an exception.
13
14 Following steps must be taken by a task to ena
15
16 1. Set the user mode PSTATE.mcde bit. This act
17 the task's entire address space to enable/d
18
19 2. Set TTE.mcd bit on any TLB entries that cor
20 addresses ADI is being enabled on. MMU chec
21 on the pages that have TTE.mcd bit set.
22
23 3. Set the version tag for virtual addresses u
24 and one of the MCD specific ASIs. Each stxa
25 given tag for one ADI block size number of
26 be repeated for entire page to set tags for
27
28 ADI block size for the platform is provided by
29 in machine description tables. Hypervisor also
30 top bits in the virtual address that specify t
31 version tag has been set for a memory location
32 physical memory and the same tag must be prese
33 bits of the virtual address being presented to
34 SPARC M7 processor, MMU uses bits 63-60 for ve
35 size is same as cacheline size which is 64 byt
36 version to, say 10, on a range of memory, must
37 virtual addresses that contain 0xa in bits 63-
38
39 ADI is enabled on a set of pages using mprotec
40 When ADI is enabled on a set of pages by a tas
41 kernel sets the PSTATE.mcde bit for the task.
42 addresses are set with an stxa instruction on
43 ASI_MCD_PRIMARY or ASI_MCD_ST_BLKINIT_PRIMARY.
44 provided by the hypervisor to the kernel. Ker
45 ADI block size to userspace using auxiliary ve
46 info. Following auxiliary vectors are provided
47
48 ============ ======================
49 AT_ADI_BLKSZ ADI block size. This i
50 alignment, in bytes, o
51 AT_ADI_NBITS Number of ADI version
52 ============ ======================
53
54
55 IMPORTANT NOTES
56 ===============
57
58 - Version tag values of 0x0 and 0xf are reserv
59 tag in virtual address and never generate a
60
61 - Version tags are set on virtual addresses fr
62 tags are stored in physical memory. Tags are
63 after it has been allocated to a task and a
64 it.
65
66 - When a task frees a memory page it had set v
67 goes back to free page pool. When this page
68 kernel clears the page using block initializ
69 version tags as well for the page. If a page
70 freed and allocated back to the same task, o
71 task on that page will no longer be present.
72
73 - ADI tag mismatches are not detected for non-
74
75 - Kernel does not set any tags for user pages
76 task's responsibility to set any version tag
77 version tags are preserved if a page is swap
78 swapped back in. It also preserves that vers
79 migrated.
80
81 - ADI works for any size pages. A userspace ta
82 page size when using ADI. It can simply sele
83 range, enable ADI on the range using mprotec
84 for the entire range. mprotect() ensures ran
85 and is a multiple of page size.
86
87 - ADI tags can only be set on writable memory.
88 not be set on read-only mappings.
89
90
91
92 ADI related traps
93 =================
94
95 With ADI enabled, following new traps may occu
96
97 Disrupting memory corruption
98 ----------------------------
99
100 When a store accesses a memory locatio
101 the task is running with ADI enabled (
102 tag in the address used (bits 63:60) d
103 the corresponding cacheline, a memory
104 default, it is a disrupting trap and i
105 first. Hypervisor creates a sun4v erro
106 resumable error (TT=0x7e) trap to the
107 a SIGSEGV to the task that resulted in
108 info::
109
110 siginfo.si_signo = SIGSEGV;
111 siginfo.errno = 0;
112 siginfo.si_code = SEGV_ADIDERR
113 siginfo.si_addr = addr; /* PC
114 siginfo.si_trapno = 0;
115
116
117 Precise memory corruption
118 -------------------------
119
120 When a store accesses a memory locatio
121 the task is running with ADI enabled (
122 tag in the address used (bits 63:60) d
123 the corresponding cacheline, a memory
124 MCD precise exception is enabled (MCDP
125 exception is sent to the kernel with T
126 a SIGSEGV to the task that resulted in
127 info::
128
129 siginfo.si_signo = SIGSEGV;
130 siginfo.errno = 0;
131 siginfo.si_code = SEGV_ADIPERR
132 siginfo.si_addr = addr; /* add
133 siginfo.si_trapno = 0;
134
135 NOTE:
136 ADI tag mismatch on a load alw
137
138
139 MCD disabled
140 ------------
141
142 When a task has not enabled ADI and at
143 on a memory address, processor sends a
144 trap is handled by hypervisor first an
145 trap through to the kernel as Data Acc
146 fault type set to 0xa (invalid ASI). W
147 sends the task SIGSEGV signal with fol
148
149 siginfo.si_signo = SIGSEGV;
150 siginfo.errno = 0;
151 siginfo.si_code = SEGV_ACCADI;
152 siginfo.si_addr = addr; /* add
153 siginfo.si_trapno = 0;
154
155
156 Sample program to use ADI
157 -------------------------
158
159 Following sample program is meant to illustrat
160 functionality::
161
162 #include <unistd.h>
163 #include <stdio.h>
164 #include <stdlib.h>
165 #include <elf.h>
166 #include <sys/ipc.h>
167 #include <sys/shm.h>
168 #include <sys/mman.h>
169 #include <asm/asi.h>
170
171 #ifndef AT_ADI_BLKSZ
172 #define AT_ADI_BLKSZ 48
173 #endif
174 #ifndef AT_ADI_NBITS
175 #define AT_ADI_NBITS 49
176 #endif
177
178 #ifndef PROT_ADI
179 #define PROT_ADI 0x10
180 #endif
181
182 #define BUFFER_SIZE 32*1024*1024UL
183
184 main(int argc, char* argv[], char* envp[])
185 {
186 unsigned long i, mcde, adi_blksz, ad
187 char *shmaddr, *tmp_addr, *end, *ver
188 int shmid, version;
189 Elf64_auxv_t *auxv;
190
191 adi_blksz = 0;
192
193 while(*envp++ != NULL);
194 for (auxv = (Elf64_auxv_t *)envp; auxv
195 switch (auxv->a_type) {
196 case AT_ADI_BLKSZ:
197 adi_blksz = auxv->a_un
198 break;
199 case AT_ADI_NBITS:
200 adi_nbits = auxv->a_un
201 break;
202 }
203 }
204 if (adi_blksz == 0) {
205 fprintf(stderr, "Oops! ADI is
206 exit(1);
207 }
208
209 printf("ADI capabilities:\n");
210 printf("\tBlock size = %ld\n", adi_blk
211 printf("\tNumber of bits = %ld\n", adi
212
213 if ((shmid = shmget(2, BUFFER_SIZE,
214 IPC_CREAT |
215 perror("shmget failed");
216 exit(1);
217 }
218
219 shmaddr = shmat(shmid, NULL, 0);
220 if (shmaddr == (char *)-1) {
221 perror("shm attach failed");
222 shmctl(shmid, IPC_RMID, NULL
223 exit(1);
224 }
225
226 if (mprotect(shmaddr, BUFFER_SIZE, PRO
227 perror("mprotect failed");
228 goto err_out;
229 }
230
231 /* Set the ADI version tag on the sh
232 */
233 version = 10;
234 tmp_addr = shmaddr;
235 end = shmaddr + BUFFER_SIZE;
236 while (tmp_addr < end) {
237 asm volatile(
238 "stxa %1, [%0]0x90\n
239 :
240 : "r" (tmp_addr), "r
241 tmp_addr += adi_blksz;
242 }
243 asm volatile("membar #Sync\n\t");
244
245 /* Create a versioned address from t
246 * version tag in the upper adi_nbits
247 */
248 tmp_addr = (void *) ((unsigned long)
249 tmp_addr = (void *) ((unsigned long)
250 veraddr = (void *) (((unsigned long)
251 | (unsigned long)tmp
252
253 printf("Starting the writes:\n");
254 for (i = 0; i < BUFFER_SIZE; i++) {
255 veraddr[i] = (char)(i);
256 if (!(i % (1024 * 1024)))
257 printf(".");
258 }
259 printf("\n");
260
261 printf("Verifying data...");
262 fflush(stdout);
263 for (i = 0; i < BUFFER_SIZE; i++)
264 if (veraddr[i] != (char)i)
265 printf("\nIndex %lu
266 printf("Done.\n");
267
268 /* Disable ADI and clean up
269 */
270 if (mprotect(shmaddr, BUFFER_SIZE, PRO
271 perror("mprotect failed");
272 goto err_out;
273 }
274
275 if (shmdt((const void *)shmaddr) !=
276 perror("Detach failure");
277 shmctl(shmid, IPC_RMID, NULL);
278
279 exit(0);
280
281 err_out:
282 if (shmdt((const void *)shmaddr) !=
283 perror("Detach failure");
284 shmctl(shmid, IPC_RMID, NULL);
285 exit(1);
286 }
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.