Hello
Recently we made an attempt to get Genode-on-OKL4 (v2.1.1.patch9) running on ARM11 (core ARM1136jf-s). The outcome was that the system stalled during initialization, because core waited endlessly for init to get started. OKL4's KDB showed that init's code section was set to read-only but not read-execute, with the outcome that the OKL4 scheduler refused to pass control to init.
Interestingly this was not observed on an ARM9 platform, and we think that this just happened by chance, because the main reason of the problem seems to be how the class Dataspace_component maintains properties.
In the OKL4 environment the protection domains are packed into the ELF file as modules, being themselves ELF objects which are unpacked by function _setup_elf() of file base/src/base/process/process.cc. The function receives from core the capability of the ELF object (init is the first one) and parses the included segments to set up the pager. It checks whether any segment has the writable flag set. For such segments RAM is allocated and initialized, and the associated Dataspace_component gets the boolean attribute _writable set. For all other segments a Dataspace_component with the boolean attribute _writable unset is created, making no distinction between read-only and read-execute segments.
The first attempt to start init leads to a page fault, and the method Rm_client::pager() in file base/src/core/rm_session_component.cc is invoked. The method retrieves the Dataspace_component from the page fault parameters. With that a Mapping object is created to set up the response for the Ipc_pager. The constructor Mapping::Mapping() in file base-okl4/src/base/ipc/pager.cc receives the attribute _writable from the Dataspace_component. If it is set, the page attribute is set to L4_FullyAccessible, otherwise to L4_Readable. The outcome is that the code section is mapped with the X flag unset, and it is not executed, while the DATA and BSS sections get the X flag set although this makes little sense.
We could solve the problem by setting the page attribute to L4_Readable | L4_eXecutable, but we still keep wondering why the problem only appears on ARM11 but on neither ARM9 nor IA32, although the constructor code is always the same. Finally we think that the implementation of Dataspace_component is a bit short-handed regarding the handling of page attributes: there should be a distinction between read-only and read-execute (and DATA/BSS sections should not have the execute attribute set). At least both the ELF format and OKL4's MapControl interface maintain the full set of RWX flags.
Regards
Frank Kaiser
OpenSynergy GmbH
Rotherstr. 9
10245 Berlin
Tel.: +49 (30) 20 18 18 35 28
Fax: +49 (30) 20 18 18 35 02
Email: Frank.Kaiser@...24... mailto:andre.hergenhan@...24...
www.opensynergy.com http://www.open-synergy.com
Handelsregister: Amtsgericht Charlottenburg, HRB 108616B
Geschäftsführer: Frank-Peter Böhm, Dr. Stefaan Sonck Thiebaut, Rolf Morich
Hi Frank,
good to hear that you are further experimenting with Genode.
Your observation is not surprising because both ARM9 and IA32 (w/o PAE) lack the No-Execute (NX) bit in the page table. By default, data on these platforms is always executable. On ARM1139 however, the execute permission must be explicitly granted. When extending the support for newer ARM platforms, we will revisit the page-table attributes of dataspaces. We haven't done so yet because we have not settled on an API-level design for managing those bits (things like a feature for downgrading permissions of dataspaces come to mind). Until we support the NX bit, your suggestion comes as a useful interim solution.
Best regards
Norman
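Added example, not part of either message and not Genode or OKL4 code: a small C++ model of the two mappings discussed in this thread (a single writable boolean versus the full ELF RWX flags) and of why an MMU without an NX bit hides the difference. The function names and the `RIGHT_*` constants are hypothetical and defined locally for this sketch; the segments are constructed sample values.

```cpp
#include <cstdint>
#include <cstdio>

// ELF program-header permission flags (p_flags) as defined by the ELF format.
enum : uint32_t { PF_X = 1, PF_W = 2, PF_R = 4 };

// Page rights modelled on the R/W/X set the thread mentions; the values are
// local to this sketch (assumption), not taken from OKL4 headers.
enum : unsigned { RIGHT_X = 1, RIGHT_W = 2, RIGHT_R = 4,
                  RIGHT_FULL = RIGHT_R | RIGHT_W | RIGHT_X };

// Behaviour described in the thread: only a "writable" boolean survives, so
// writable segments become fully accessible and everything else read-only.
unsigned rights_from_writable(uint32_t p_flags)
{
    bool writable = (p_flags & PF_W) != 0;
    return writable ? RIGHT_FULL : RIGHT_R;
}

// Proposed behaviour: carry all three ELF flags through to the mapping.
unsigned rights_from_elf(uint32_t p_flags)
{
    unsigned r = 0;
    if (p_flags & PF_R) r |= RIGHT_R;
    if (p_flags & PF_W) r |= RIGHT_W;
    if (p_flags & PF_X) r |= RIGHT_X;
    return r;
}

// What the MMU enforces: without an NX bit, readable pages are executable.
unsigned effective_rights(unsigned rights, bool mmu_has_nx)
{
    if (!mmu_has_nx && (rights & RIGHT_R)) rights |= RIGHT_X;
    return rights;
}

bool can_execute(unsigned rights, bool mmu_has_nx)
{
    return (effective_rights(rights, mmu_has_nx) & RIGHT_X) != 0;
}

int main()
{
    const uint32_t text = PF_R | PF_X, data = PF_R | PF_W; // constructed segments
    std::printf("text old/NX=%d old/noNX=%d new/NX=%d\n",
                can_execute(rights_from_writable(text), true),
                can_execute(rights_from_writable(text), false),
                can_execute(rights_from_elf(text), true));
    std::printf("data old/NX=%d new/NX=%d\n",
                can_execute(rights_from_writable(data), true),
                can_execute(rights_from_elf(data), true));
}
```

With the writable-only mapping the text segment is executable only where the MMU ignores execute permission, and the data segment is executable wherever it is mapped; the flag-preserving mapping gives executable text and non-executable data on an NX-capable MMU.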