Add new APIs for generating SGIs #1222
Conversation
|
@kent-mcleod could you please add the sign-off to your commit? |
Allow SGIs to be generated from non-SMP kernels. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
- introduce arch interface for IRQControlCap dependencies as well as for isMDBParentOf (Arch_isIRQControlDescendant, Arch_isMDBParentOf). This mirrors the corresponding interface in the proofs and Haskell and avoids #ifdef proliferation in generic code. - Arch_isIRQControlDescendant is currently only used for SGISignalCaps - Arch_isMDBParentOf is used for SGISignalCaps and SMCCaps - fix argument checking in Arch_decodeIRQControlInvocation (+ style tweak) - Arch_sameObjectAs must return false for SGISignalCaps to align with finality definition of caps, i.e. SGISignalCaps are always final. This has no behaviour change, because finality doesn't matter for behaviour for SGISignalCaps, but we require for the proofs that the concept of finality aligns with the spec. - simplify checks for IRQControlCap in sameObjectAs: sameObjectAs can never be true for IRQControlCap. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
lsf37
added
verification
There was a problem hiding this comment.
I can't think of any useful use case where the user would want to send IPIs to multiple cores and knows which those are beforehand, with the only exception being all other cores.
I don't think supporting sending multiple IPIs at once is necessary or worth the added complexity. But if it is added, it should fully expose the hardware in a useful way. The current implementation is limited to systems with one cluster of at most 16 cores.
With that in mind, I propose the API is changed to either allowing only one target core, or:
- Add a mask parameter to the call which is ANDed with the configured mask.
- Configure
Aff1,Aff2andAff3at creation time (but good luck to user space figuring out what they need to fill in though). - Give an option to send to all other cores (
IRM = 1). - Expose
RS.
Then at least the API is future proof for a while, till ARM comes with a new interface for sending multiple IPIs. Mind that with the above changes it probably doesn't make any sense to share ipi_send_target().
| } | ||
| } | ||
|
|
||
| SYSTEM_WRITE_64(ICC_SGI1R_EL1, sgi1r_base | cpuTargetList); |
There was a problem hiding this comment.
This seems to assume zero aff1, aff2 and aff3? Probably true for currently supported platforms, but it doesn't seem future proof.
| @@ -77,6 +90,54 @@ exception_t Arch_decodeIRQControlInvocation(word_t invLabel, word_t length, | |||
|
|
|||
| setThreadState(NODE_STATE(ksCurThread), ThreadState_Restart); | |||
| return Arch_invokeIRQControl(irq, destSlot, srcSlot, trigger); | |||
| #if CONFIG_MAX_NUM_NODES == 1 | |||
| } else if (invLabel == ARMIRQIssueSGISignal) { | |||
There was a problem hiding this comment.
I would add this to the end of the function, after ARMIRQIssueIRQHandlerTriggerCore, perhaps as an #else for ENABLE_SMP_SUPPORT?
There was a problem hiding this comment.
I like it slightly better here. The case is very close in content (which checks it does) to ARMIRQIssueIRQHandlerTrigger. Moving it further away will mean they will diverge more easily.
There was a problem hiding this comment.
Fair enough.
Having both ENABLE_SMP_SUPPORT and CONFIG_MAX_NUM_NODES == 1 next to each other is very weird though. What about #ifnde ENABLE_SMP_SUPPORT and then an else?
Also, wouldn't it make more sense to test for #ifndef ENABLE_SMP_SUPPORT everywhere? CONFIG_MAX_NUM_NODES == 1 is used nowhere else.
| <method id="ARMIRQIssueSGISignal" name="IssueSGISignal" manual_name="IssueSGISignal" | ||
| manual_label="irq_controlissuesgisignal" condition="CONFIG_MAX_NUM_NODES == 1"> | ||
| <brief> | ||
| Create an SGI signal capability. |
There was a problem hiding this comment.
| Create an SGI signal capability. | |
| Create a software generated interrupt (SGI) signal capability. |
| <param dir="in" name="root" type="seL4_CNode" description="CPTR to the CNode that forms the root of the destination CSpace. Must be at a depth equivalent to the wordsize."/> | ||
| <param dir="in" name="index" type="seL4_Word" description="CPTR to the destination slot. Resolved from the root of the destination CSpace."/> |
There was a problem hiding this comment.
| <param dir="in" name="root" type="seL4_CNode" description="CPTR to the CNode that forms the root of the destination CSpace. Must be at a depth equivalent to the wordsize."/> | |
| <param dir="in" name="index" type="seL4_Word" description="CPTR to the destination slot. Resolved from the root of the destination CSpace."/> | |
| <param dir="in" name="root" type="seL4_CNode" description="CPtr to the CNode that forms the root of the destination CSpace. Must be at a depth equivalent to the wordsize."/> | |
| <param dir="in" name="index" type="seL4_Word" description="CPtr to the destination slot. Resolved from the root of the destination CSpace."/> |
Fix condition syntax; comparison operators are currently not supported in the XML description conditions. Use `!CONFIG_ENABLE_SMP_SUPPORT` instead, which equivalent to `CONFIG_MAX_NUM_NODES == 1`. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
When evaluating XML condition expressions, properly treat undefined values as undefined, not as False. Otherwise, the negation of an undefined value may make an entire expression true and incorrectly label some methods as MCS methods. Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
|
It's a bit early to review the PR (should have left it on draft). We should sort out the API in the RFC discussion first. |
|
@kent-mcleod there are a few Arm platforms that don't use |
The RFC is higher level and doesn't propose a specific API though, it actually says:
|
Fair enough, the code actually has slightly more than the RFC proposes. We should update the RFC then, the API decisions need to be there. |
This was in the earliest iteration of the design, but was taken out in favor of having 0 arguments to the call so that the capability could be interchanged with a regular Notification capability with send rights.
In principle, the capabilities of the hardware should be exposed, so I agree that higher order affinities and IRM could be configured at cap creation time, and equivalent for GICv2 (which doesn't support affinity routing but does support broadcast). There's also potentially a future need to select a different interrupt group or security state, which is encoded by which SGIR is used. There's enough spare bits in the capability to encode all of these options, but we don't have an easy setup to test the different combinations.
I'm not sure what |
| @@ -102,6 +102,22 @@ block vcpu_cap { | |||
| } | |||
| #endif | |||
|
|
|||
| #if CONFIG_MAX_NUM_NODES == 1 | |||
There was a problem hiding this comment.
Why don't we check CONFIG_SMP_ENABLED here and in the other places? Or add a dedicated feature define for this, so using CONFIG_MAX_NUM_NODES directly is avoided. On RISC-V I have been running into some use cases now where having certain multi core feature available even with just one seL4 core comes handy and the checks for CONFIG_MAX_NUM_NODES are a pain then.
I'm happy to move the discussion to the RFC.
It enables range selector, in case max 256 cores at The only future proof way is to store the full 64 bits, then the API doesn't need to change if ARM uses one of the reserved bits in the future. 32-bit ARM should be stable enough by now. |
Ah, I've only been working off of the gicv3.0 manual because we don't have any plans for platforms with the higher revisions at this stage. |
This is work by @kent-mcleod, with an additional commit on top from myself with verification tweaks for this new API.
For design rationale and background on the API in this PR see RFC-17.
Edit: this also fixes a bug in the evaluation of XML condition expressions for the manual, which gets triggered by this PR.