X86 Lightweight Protection Domain Support for Contiki
=====================================================
Introduction
------------
The X86 port of Contiki implements a simple, lightweight form of
protection domains using a pluggable framework. Currently, there are
three plugins available:
- Flat memory model with paging.
- Multi-segment memory model with software-switched segments.
- Multi-segment memory model with hardware-switched segments, based
on Task-State Segment (TSS) structures.
For an introduction to paging and TSS and possible ways in which they
can be used, refer to the following resources:
- Intel Combined Manual (Intel 64 and IA-32 Architectures Software
Developer's Manual), Vol. 3, Chapter 4
- Programming the 80386, by John H. Crawford and Patrick
P. Gelsinger, Chapter 5
The overall goal of a protection domain implementation within this
framework is to define a set of resources that should be accessible to
each protection domain and to prevent that protection domain from
accessing other resources. The details of each implementation of
protection domains may differ substantially, but they should all be
guided by the principle of least privilege [1]. However, that
idealized principle is balanced against the practical objectives of
limiting the number of relatively time-consuming context switches and
minimizing changes to existing code. In fact, no changes were made to
code outside of the CPU- and platform-specific code directories for
the initial plugins.
Each protection domain can optionally be associated with a metadata
and/or MMIO region. The hardware can support additional regions per
protection domain, but that would increase complexity and is unneeded
for the existing protection domains.
After boot, all code runs in the context of some protection domain.
Two default protection domains are implemented:
- kern: Kernel protection domain that is more privileged than any
other protection domain. As little code as possible should be placed
in this protection domain.
- app: Application protection domain used whenever special privileges
are not required.
Additional protection domains are defined as needed. For example,
each driver may reside in a separate protection domain, although not
all drivers require additional privileges beyond those available in
the relevant scheduling context in the app protection domain. The
Ethernet and UART drivers are assigned separate protection domains.
Other drivers only require access to programmed IO ports accessible
via the IN* and OUT* instructions, and such drivers do not require
separate protection domains. They run in the Contiki preemptive
scheduling context and the kernel protection domain, both of which
are granted access to all IO ports. Non-driver protection domains can
also be defined.
Each protection domain may have associated system calls. A system
call transfers control from a client protection domain to a defined
entrypoint in a server protection domain. As their name suggests,
system calls adhere to a synchronous call-return model (rather than
some alternative such as an asynchronous message-passing model). To
invoke a system call, the client provides two identifiers to the
system call dispatcher. The first identifies the server domain and
the second identifies the system call to be invoked. The protection
domain implementation should associate allowable system calls with
particular server protection domains and reject any system call
requests that are not within that set of allowable system calls. The
system call implementations do not restrict the clients that are
permitted to invoke each system call. No modifications that the
client can make to the server domain and system call identifiers can
open up new entrypoints into the server domain. The entrypoints are
fixed at boot time.
However, if the identifiers were stored in shared memory, it may be
possible for a protection domain to influence the system calls issued
by some other protection domain, which may be undesirable. Thus, the
server domain identifiers are stored in memory that can only be
written by the kernel protection domain and the system call
identifiers are embedded in the code.
The system call dispatcher is responsible for reconfiguring the system
to enforce the appropriate resource access controls for the server
protection domain. It should then transfer control to the approved
entrypoint for the requested system call.
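The dispatch and validation rules described above, as an added example that is not code from the Contiki X86 port: the client names a server domain and a system call, the dispatcher accepts only (server, call) pairs that were registered before the entrypoint table was sealed at boot, switches the active domain for the duration of the call, and restores the client's domain afterwards. The system call identifiers are enum constants, standing in for immediates embedded in the calling code, and the entrypoint table stands in for the kernel-only writable memory the text describes. The domain names, the `entrypoints` table, `syscall_register`, `syscall_seal`, `syscall_dispatch`, `prot_domain_current` and `model_boot` are all assumptions of this model; the real port reconfigures paging or segment state where this model only changes a variable.

```c
/* Model of a protection-domain system call dispatcher (added example, not
 * the Contiki X86 port's own code). Names and table layout are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { DOM_KERN = 0, DOM_APP, DOM_ETH, DOM_UART, DOM_COUNT } dom_id_t;

/* System call identifiers are immediates in the calling code (an enum here),
 * so no other domain can rewrite them through shared memory. */
enum { SYS_UART_PUTC = 0, SYS_ETH_SEND = 1, SYS_MAX = 4 };

typedef int (*syscall_fn_t)(int arg);

/* One entrypoint table per server domain. In the real system this memory is
 * writable only by the kernel domain; the `sealed` flag models the
 * "entrypoints are fixed at boot time" property. */
static syscall_fn_t entrypoints[DOM_COUNT][SYS_MAX];
static bool sealed;

static dom_id_t current_dom = DOM_KERN;

dom_id_t prot_domain_current(void) { return current_dom; }

/* Boot-time registration; refused once the table is sealed. */
bool syscall_register(dom_id_t server, unsigned id, syscall_fn_t fn)
{
    if (sealed || server >= DOM_COUNT || id >= (unsigned)SYS_MAX || fn == NULL)
        return false;
    entrypoints[server][id] = fn;
    return true;
}

void syscall_seal(void) { sealed = true; }

/* Dispatcher: validates the request, enters the server domain, runs the
 * approved entrypoint and returns to the client's domain. As in the text,
 * nothing here restricts which client may issue the call. */
bool syscall_dispatch(dom_id_t server, unsigned id, int arg, int *result)
{
    if (!sealed)                       /* no dispatch before the set is fixed */
        return false;
    if (server >= DOM_COUNT || id >= (unsigned)SYS_MAX)
        return false;
    syscall_fn_t fn = entrypoints[server][id];
    if (fn == NULL)                    /* not allowable for this server domain */
        return false;

    dom_id_t client = current_dom;
    current_dom = server;              /* hardware: reload paging/segment state */
    *result = fn(arg);
    current_dom = client;              /* return to the client's domain */
    return true;
}

/* Constructed stand-ins for driver entrypoints; each checks that it really
 * runs inside its own domain. */
static int uart_putc(int c) { return (current_dom == DOM_UART) ? (c & 0xFF) : -1; }
static int eth_send(int len) { return (current_dom == DOM_ETH) ? len : -1; }

/* Boot sequence for the model: clear, register, seal, then drop to app. */
void model_boot(void)
{
    sealed = false;
    for (size_t d = 0; d < DOM_COUNT; d++)
        for (size_t i = 0; i < SYS_MAX; i++)
            entrypoints[d][i] = NULL;
    syscall_register(DOM_UART, SYS_UART_PUTC, uart_putc);
    syscall_register(DOM_ETH, SYS_ETH_SEND, eth_send);
    syscall_seal();
    current_dom = DOM_APP;
}

int main(void)
{
    int r = 0;
    model_boot();
    bool ok = syscall_dispatch(DOM_UART, SYS_UART_PUTC, 'A', &r);
    printf("uart putc: %s, result %d, back in domain %d\n",
           ok ? "ok" : "rejected", r, (int)prot_domain_current());
    ok = syscall_dispatch(DOM_ETH, SYS_UART_PUTC, 'A', &r);
    printf("putc via eth table: %s\n", ok ? "ok" : "rejected");
    printf("late registration: %s\n",
           syscall_register(DOM_ETH, 2, uart_putc) ? "accepted" : "refused");
    return 0;
}
```

The rejection paths are the point: an identifier outside the table, a call that the named server domain never registered, and any registration attempted after sealing all fail closed, while a successful call runs with the server domain active and leaves the client's domain restored.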
Contiki defines a process concept that is orthogonal to protection
domains [2]. A single Contiki process may run code in multiple
protection domains at various points in time. Contiki processes run
in a cooperative scheduling context. Contiki also defines a
preemptive scheduling context for interrupt handlers and real-time
timers. When protection domain support is enabled, interrupts are
only enabled when the application protection domain is active and is
running code in the cooperative scheduling context. Code running in
the preemptive context may also invoke multiple protection domains.
Contiki can also support preemptive multithreading, but support for
that has not yet been added to the X86 port so we do not discuss it
further.
A single stack is shared by all code that runs in the cooperative
scheduling context in all protection domains, and separate stacks are
defined for short interrupt dispatchers in the preemptive scheduling
context and for exception handlers and software system call
dispatchers. Except for the interrupt dispatchers, code in the
preemptive scheduling context also shares the same stack with the
cooperative scheduling context. All protection domains also share a
main data section, so the same considerations apply to it.
Introducing multi-core support would complicate things further, since
another core running a protection domain that the first core never
invoked could access data from the protection domain on the first
core. It may be possible to adequately address such concerns by
allocating per-core stacks.
Note that this stack arrangement means that a given protection domain
may read and write data written to the stack by some other protection
domain. For example, a protection domain B may push data onto the
stack and later pop that data off of the stack, but a protection
domain A that invoked protection domain B may still be able to read
the data that was pushed and popped to and from the stack, since
popping the data off of the stack does not automatically erase that
stack memory location. Another possibility is that protection domain
B may modify a stack entry pushed by protection domain A before it
invoked protection domain B, and protection domain A may later use the
modified value. Permitting legitimate accesses to callers' stacks is
in fact the primary motivation for this stack arrangement, in that it
makes it simple for A to pass data to and from B (on the shared stack)
when requesting services from B. A system call invocation is nearly
transparent to the developer, appearing almost identical to an
ordinary function call. However, B can access any data on the stack.
The third case is that A can read data placed on the stack by B after
B returns, unless B wipes that data from the stack before returning.
A related sub-case is that if an interrupt handler is invoked, it
pushes the current contents of the general-purpose registers onto the
stack, which may then be revealed to other protection domains besides
the one that was interrupted. However, interrupts are only actually
enabled in the application protection domain.
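To make the stack cases above concrete, the following added example (not the port's own code) models the shared cooperative stack as an array so the leftover data can be inspected deterministically; on real hardware the same data sits in memory below ESP. It shows the residue left by a plain pop versus a scrubbing pop, a server overwriting a caller's stack entry and the caller detecting it by keeping a private copy, and the register words an interrupt handler leaves behind. `STACK_WORDS`, `push`, `pop`, `pop_scrub`, `residue_words` and the scenario functions are all constructed for the model.

```c
/* Model of the shared cooperative stack (added example, not the Contiki X86
 * port's own code). The stack is a plain array so residue can be counted. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WORDS 16
static uint32_t stack[STACK_WORDS];
static size_t sp = STACK_WORDS;          /* grows downward, as on x86 */

static void stack_reset(void) { memset(stack, 0, sizeof stack); sp = STACK_WORDS; }
static void push(uint32_t v) { stack[--sp] = v; }

/* Plain pop: the value stays in memory, exactly as on real hardware. */
static uint32_t pop(void) { return stack[sp++]; }

/* Scrubbing pop: volatile store so the compiler cannot elide the wipe. */
static uint32_t pop_scrub(void)
{
    uint32_t v = stack[sp];
    ((volatile uint32_t *)stack)[sp] = 0;
    sp++;
    return v;
}

/* Words below the live stack pointer that still hold data. */
size_t residue_words(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sp; i++)
        if (stack[i] != 0) n++;
    return n;
}

/* Case: server B keeps a transient secret on the stack and returns. Without
 * scrubbing, the caller A can read it afterwards. */
static uint32_t server_b(bool scrub)
{
    push(0xC0FFEE42u);                   /* constructed secret */
    push(0x00000007u);                   /* scratch value */
    uint32_t scratch = scrub ? pop_scrub() : pop();
    uint32_t secret = scrub ? pop_scrub() : pop();
    return secret ^ scratch;
}

size_t residue_after_call(bool scrub)
{
    stack_reset();
    (void)server_b(scrub);
    return residue_words();
}

/* Case: A pushes a value it relies on, B overwrites it in place. */
static void server_b_tampers(void) { stack[sp] += 1; }

uint32_t caller_a_trusts_stack(void)
{
    stack_reset();
    push(100);                           /* A's saved value */
    server_b_tampers();
    return pop();                        /* A reads back 101, not 100 */
}

/* Mitigation: A keeps its own copy outside the shared stack (a register or
 * private data) and re-checks after B returns. */
bool caller_a_detects_tamper(void)
{
    stack_reset();
    uint32_t saved = 100;
    push(saved);
    server_b_tampers();
    return pop() != saved;
}

/* Case: an interrupt saves registers on the same stack (pushad-style);
 * once the handler returns, the register contents remain as residue. */
size_t residue_after_interrupt(void)
{
    stack_reset();
    uint32_t regs[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed register values */
    for (int i = 0; i < 8; i++) push(regs[i]);
    for (int i = 0; i < 8; i++) (void)pop();
    return residue_words();
}

int main(void)
{
    printf("residue after B returns: plain=%zu scrubbed=%zu\n",
           residue_after_call(false), residue_after_call(true));
    printf("A reads back %u after B tampered\n", (unsigned)caller_a_trusts_stack());
    printf("A detects tamper: %s\n", caller_a_detects_tamper() ? "yes" : "no");
    printf("register words left after interrupt: %zu\n", residue_after_interrupt());
    return 0;
}
```

The scrubbing pop uses a volatile store for the same reason real wipe routines do: an ordinary store to a location that is never read again is dead code from the compiler's point of view and may be removed.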
Similarly, register contents may be accessed and modified across
protection domain boundaries in some protection domain
implementations. The TSS task switching mechanism automatically saves
and restores many registers to and from TSS data structures when
switching tasks, but the other protection domain implementations do
not perform analogous operations.
For the reasons