GitLab

Detail:
* Make greater use of shared makefiles for export rules
!NoTag

If lazy task swapping is disabled, and appspace is an AMB node, it was
possible to map out the page at &7000 and trigger an abort by attempting
to shrink application space to a negative size, e.g. by using
"*ChangeDyn -RamFSSize" to create a RAM disc larger than the amount of
available RAM.

Fix it by sanity checking the DA/AMBNode size within AMBDAHandler before
passing on the request to the lower-level growpages/shrinkpages calls
(shrinkpages requires the input to be valid and will break if given a
negative size).

Version 6.63. Tagged as 'Kernel-6_63'

Needed for BCM2835 builds, at least. Guess I should have checked that
things built correctly after all the rebasing & cherry-picking that went
into preparing the MR.

Version 6.62. Tagged as 'Kernel-6_62'

Add an implementation of RISCOS Ltd's OS_TaskControl 0. In addition to
the documented Select behaviour of resetting the IRQ and SVC stacks,
under RISC OS 5 it resets ABT+UND, and some other important kernel
variables (IRQsema + CDASemaphore)

Will be useful for HALs that want to use LDREXD/STREXD to workspace
locations

SyncLib use is still disabled by default, but this ensures that when we
do enable it we'll be using the right version of the library.

To match BuildSys 7.76

Version 6.61. Tagged as 'Kernel-6_61'

Deleting a non-existent system variable resulted in the error
message: System variable '%0' not found.

Version 6.60. Tagged as 'Kernel-6_60'

These are the 4 common access privilege values in bits 0-3 of OS_DynamicArea 0
and word 3 of the entries used with OS_Read/SetMemMapEntries. They are
equivalent to the kernel's internal OSAP_* symbols.

Version 6.59. Not tagged

When AP1 memory is being emulated (long descriptor page tables are in
use), the AbortTrap machinery is used to emulate usermode read access.
This provides coverage for all read instructions except those that
AbortTrap handles via MemMap requests - LDREX, LDA, LDAEX, LDF & LFM.

LDREX & LDAEX request both read & write access, so are fine (the MemMap
request will get passed through to the registered AbortTrap handlers).

LDF & LFM are irrelevant, since they only exist on ARM7500FE (on other
machines FPEmulator will translate them to regular LDR/LDM, which are
handled correctly)

LDA however, will generate a plain "memmap with usermode read" request.
When AbortTrap looks at the permissions of emulated AP1 it doesn't take
into account the fact that the usermode read permission is being
emulated, so it thinks that everything is fine and claims the memmap
was successful, causing the abort handler to retry the instruction
without making any changes, resulting in an infinite abort loop.

Deal with this by detecting the above situation and also requesting
usermode execute access. This will avoid the kernel (and hopefully the
registered AbortTrap handlers) from thinking that the emulated AP1 is
acceptable, without adversely affecting the behaviour of other
instructions or access privileges. If no handler is present or the
memmap request is denied, the abort will get passed on to the next stage
of the abort handler (i.e. you'll get a standard data abort from trying
to LDA from arbitrary emulated AP1 memory)

The new test program (Dev/AbortTrap/attest_ap1) will check that this
edge case is dealt with correctly.

Tested on Pi 4, for both long & short page tables

Version 6.59. Tagged as 'Kernel-6_59'

To avoid CallASWI's CPUFeatures implementation getting dangerously out
of sync with the kernel, add extra asserts to both sets of sources to
check try and make sure both sets of sources get updated when new flags
are added.

Pyromaniac doesn't allow low-level control or examination of the memory
map; allocate an OS_PlatformFeatures bit to allow software to directly
detect this limitation instead of having to rely on the affected SWIs
erroring.

https://www.riscosopen.org/forum/forums/3/topics/16609

Version 6.58. Tagged as 'Kernel-6_58'

The long descriptor page table format doesn't support RISC OS access
privilege 1 (user RX, privileged RWX). Previously we were downgrading
this to AP 0 (user RWX, privielged RWX), which obviously weakens the
security of the memory. However now that we have an AbortTrap
implementation, we can map the memory as "user none, privileged RWX" and
provide user read support via AbortTrap's instruction decode & execute
logic.

There's no support for executing usermode code from the memory, but the
compatibility issues caused by that are likely to be minimal.

Also make lazy task swapping aborts to use IFAR where possible, to
ensure any Thumb-2/Jazelle instructions which cross page boundaries are
handled correctly.

OS_ReadSysInfo 7 is meant to record the details of the last data or
prefetch abort that was passed to the environment handlers. This was
implemented in Ursula, but the code for recording the prefetch abort
details got lost somewhere during the 32 bit conversion process. Restore
it.

This implementation should be compatible with RISCOS Ltd's
implementation.

Sadly we need one file per combination of action files, but by adding
these pre-generated cache files to git we can speed up building the
kernel from clean by a significant amount.

This supports all the load/store instructions, including FPA & VFP/NEON.
Most instructions are handled directly via the base version of the
AbortTrap API that was first implemented in RISC OS Select. However, to
properly cope with LDREX/STREX, and future support for prefetch aborts,
the API has been extended to allow the kernel to request that a block of
memory is mapped in with certain permissions. For LDREX/STREX the kernel
will then rewind the PC so that the instruction can be retried directly.

Test code in Dev/AbortTrap exists in order to allow checking of all
major functionality, along with code for building the code in a
softloadable module for easier/quicker testing.

Report whether:
* DFAR & DFSR are writable
* IFAR, IFSR, AIFSR, ADFSR are implemented

More data & prefetch abort registers

If lazy task swapping is active, but it isn't a lazy task swapping
abort, AMB_LazyFixUp will force all of application space to be mapped
in, in order to protect the data/prefetech abort environment handlers
from triggering unexpected recursive aborts (which could easily happen
if the handlers make use of application space in any way). Recursive
aborts generally aren't tolerated by these handlers because they're
entered in ABT32 mode and may rely on the DFSR/DFAR registers being
correct.

To allow for more stages to be added to the abort handler inbetween lazy
task swapping fixup & invoking the abort environment handler,
AMB_LazyFixUp has now been split in two so that the code which maps in
all of application space can be excuted at a more suitable time.

Add kalloc (malloc with an error pointer), free, _kernel_irqs_disabled,
_kernel_irqs_off, _kernel_irqs_on, and a simple memcpy implementation.

Export the symbols so they're actually usable from other object files.

Needed to resolve some literal pool range issues when long descriptor
page table support is enabled

There was some redundant code needlessly pushing & popping various
registers to the stack, left behind from when we removed the code that
dealt with 26-bit processor vector reads on StrongARM & processed the
proto-OS_AbortTrap "abort indirection nodes".

* Instruct the linker to place any RW/ZI data sections in the last ~16MB
of the memory map, starting from &ff000000 (with the current toolchain,
giving it a fixed base address is much easier than giving it a variable
base address)
* The RW/ZI section is mapped as completely inaccessible to user mode
* The initial content of the RW section is copied over shortly after MMU
startup (in Continue_after_HALInit)
* Since link's -bin option produces a file containing a copy of the
(zero-initialised) ZI section, the kernel binary is now produced from a
"binary with AIF header" AIF with the help of the new 'kstrip' tool.
kstrip extracts just the RO and RW sections, ensuring the ROM doesn't
contain a redundant block of zeros for the ZI section.

This should make it easier to use C code & arbitrary libraries within
the kernel, providing they're compiled with suitable settings (e.g.
non-module, no FP, no stack checking, like HALs typically use)

* Add KernelBaseA absolute symbol.
* Use KernelBase - KernelBaseA to convert some expressions
  to/from AREA relative form.
* Link to correct address.
* Remove ORG directive
* Move EndOfKernel to separate AREA

When PhysRamTable was updated to store addresses in page units instead
of byte units (commit df4efb68), the code which allocates the ROM
decompression workspace didn't get updated, causing it to break. Add a
few extra shifts to the code in order to account for the changes.

Fixes issue reported on forums with (compressed) OMAP3 ROM failing to
boot: https://www.riscosopen.org/forum/forums/5/topics/16446

Version 6.57. Tagged as 'Kernel-6_57'

* RISCOS_LogToPhys upgraded to allow it to cope with all page types
(added support for 64KB "large" pages and lazily-mapped pages)

* Added OS_Memory 65, which calls through to RISCOS_LogToPhys, to allow
regular software to do logical-to-physical conversions for all page
types (other calls, like OS_Memory 0/64, typically only work with 4KB
pages)

* LoadAndDecodeL2Entry updated to always return a page/entry size, like
LoadAndDecodeL1Entry

Version 6.56. Tagged as 'Kernel-6_56'