Merge pull request #116 from steven-bellock/fix-87
Use IEC 80000-13 conventions
rsahita authored Dec 19, 2024
2 parents 4cab9cc + c9a994e commit 54f21a3
Showing 3 changed files with 28 additions and 29 deletions.
5 changes: 2 additions & 3 deletions src/refarch.adoc
Expand Up @@ -486,9 +486,8 @@ TEE and TVM address spaces are identified by supervisor domain identifiers
address translation caches, e.g., Hart TLB lookup may be extended with the
SDID in addition to the ASID, VMID for workloads in the Confidential supervisor
domain. TVM memory isolation must support sparse memory management
models and architectural page-sizes of 4KB, 64KB (with Svnapot), 2MB, 1GB (and
optionally
512GB).
models and architectural page-sizes of 4 KiB, 64 KiB (with Svnapot), 2 MiB, 1 GiB (and
optionally 512 GiB).
The hardware may implement the MTT as specified in the Smmtt
privileged ISA extension, or other approaches may be used such as a flat
table. The memory tracking table may be enforced at the memory controller,
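
Review bot: The page-size list on the rewritten line ("4 KiB, 64 KiB (with Svnapot), 2 MiB, 1 GiB (and optionally 512 GiB)") does not match the lists this same commit touches in src/swlifecycle.adoc, which read "4 KiB, 2 MiB, 1 GiB and 512 GiB" with no 64 KiB entry and no "optionally" on 512 GiB. Since all of these lines are being edited anyway, either make the lists agree or say why the isolation requirement here is broader than the assignment granularity there. Minor: the first rewritten line is now longer than the wrapped lines around it and should be re-wrapped.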
38 changes: 19 additions & 19 deletions src/sbi_cove.adoc
Expand Up @@ -804,7 +804,7 @@ struct tsm_info {
*/
unsigned long tsm_capabilities;
/*
* The number of 4KB pages which must be donated to the TSM for storing TVM
* The number of 4 KiB pages which must be donated to the TSM for storing TVM
* state in sbi_covh_create_tvm_vcpu(). `0` if the TSM does not support the
* dynamic memory allocation capability.
*/
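
Review bot: In the first comment of this hunk, "storing TVM state in sbi_covh_create_tvm_vcpu()" names the vCPU-creation call, while the next field's comment is the one that covers "creating a new vCPU". Please confirm which call consumes these pages and correct the function name if this is a copy-paste slip; a VMM author sizing a donation from this comment would otherwise be pointed at the wrong call.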
Expand All @@ -814,7 +814,7 @@ struct tsm_info {
*/
unsigned long tvm_max_vcpus;
/*
* The number of 4KB pages which must be donated to the TSM when creating
* The number of 4 KiB pages which must be donated to the TSM when creating
* a new vCPU. `0` if the TSM does not support the dynamic memory allocation
* capability.
*/
Expand Down Expand Up @@ -893,7 +893,7 @@ Begins the process of converting `num_pages` of non-confidential memory starting
at `base_page_address` to confidential-memory. On success, pages can be assigned
to TVMs only following subsequent calls to `sbi_covh_global_fence()` and
`sbi_covh_local_fence()` that complete the conversion process. The implied
page size is 4KB.
page size is 4 KiB.

The `base_page_address` must be page-aligned.

Expand Down Expand Up @@ -921,7 +921,7 @@ struct sbiret sbi_covh_reclaim_pages(unsigned long base_page_address,
-------
Reclaims `num_pages` of confidential memory starting at `base_page_address`.
The pages must not be currently assigned to an active TVM. The implied page
size is 4KB.
size is 4 KiB.

The possible error codes returned in `sbiret.error` are shown below.

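Review bot: The reclaim description gives the implied page size ("size is 4 KiB") but, unlike sbi_covh_convert_pages() in the previous hunk ("The `base_page_address` must be page-aligned."), the visible text states no alignment requirement for `base_page_address`. Add the same sentence here, or point to the error code that covers a misaligned address, so the two calls are specified symmetrically.
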
Expand Down Expand Up @@ -1004,8 +1004,8 @@ information about the parameters that should be used to populate
----
struct tvm_create_params {
/*
* The base physical address of the 16KB confidential memory region
* that should be used for the TVM's page directory. Must be 16KB-aligned.
* The base physical address of the 16 KiB confidential memory region
* that should be used for the TVM's page directory. Must be 16 KiB-aligned.
*/
unsigned long tvm_page_directory_addr;
/*
Expand Down Expand Up @@ -1224,7 +1224,7 @@ Marks the range of TVM physical address space starting at `tvm_gpa_addr` as
reserved for the mapping of confidential memory. The memory region length is
specified by `region_len`.

Both `tvm_gpa_addr` and `region_len` must be 4KB-aligned, and the region must
Both `tvm_gpa_addr` and `region_len` must be 4 KiB-aligned, and the region must
not overlap with a previously defined region. This call must not be made after
calling `sbi_covh_finalize_tvm()`.

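Review bot: "must be 4 KiB-aligned" is applied to `region_len`, which is a length rather than an address; say that `tvm_gpa_addr` must be aligned to 4 KiB and `region_len` must be a multiple of 4 KiB. With the space now inside the unit, the compound "4 KiB-aligned" also attaches the hyphen to "KiB" alone, so "aligned to 4 KiB" reads better. The same wording recurs in the MMIO and share/unshare hunks further down.
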
Expand Down Expand Up @@ -1252,7 +1252,7 @@ struct sbiret sbi_covh_add_tvm_page_table_pages(unsigned long tvm_guest_id,
unsigned long num_pages);
-----
Adds `num_pages` confidential memory starting at `base_page_address` to the
TVM's page-table page-pool. The implied page size is 4KB.
TVM's page-table page-pool. The implied page size is 4 KiB.

Page table pages may be added at any time, and a typical use case is in
response to a TVM page fault.
Expand Down Expand Up @@ -1295,7 +1295,7 @@ This call must not be made after calling `sbi_covh_finalize_tvm()`.

This operation is used to extend the initial measurement for a TVM for added
page contents. The operation performs a SHA384 hash extend to the measurement
register managed by the TSM on a 4KB page. The page must be added to a valid GPA
register managed by the TSM on a 4 KiB page. The page must be added to a valid GPA
mapping. The GPA of the page mapped is part of the measurement operation.

The measurement process is a state machine that must be faithfully reproduced
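
Review bot: "performs a SHA384 hash extend ... on a 4 KiB page" fixes the unit of measurement at 4 KiB, but src/swlifecycle.adoc in this commit says the measured-pages interface can add "a 4 KiB/2 MiB/1 GiB page". Because the following paragraph requires the measurement to be "faithfully reproduced", state how a 2 MiB or 1 GiB page is extended (for example, per 4 KiB chunk in ascending GPA order, or not permitted for measured pages); otherwise a verifier cannot recompute the value. Also consider the standard spelling "SHA-384".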
Expand Down Expand Up @@ -2033,7 +2033,7 @@ Marks the specified range of TVM physical address space starting at
`tvm_gpa_addr` as used for emulated MMIO. Upon return, all accesses by the TVM
within the range are trapped and may be emulated by the host.

Both `tvm_gpa_addr` and `region_len` must be 4KB-aligned, and the region must
Both `tvm_gpa_addr` and `region_len` must be 4 KiB-aligned, and the region must
not overlap with a previously defined region. This call will result in an exit
to the host on success.

Expand All @@ -2060,7 +2060,7 @@ Removes the specified range of TVM physical address space starting at
`tvm_gpa_addr` from the emulated MMIO regions. Upon return, all accesses by the
TVM within the range will result in a page fault.

Both `tvm_gpa_addr` and `region_len` must be 4KB-aligned. The TSM must remove
Both `tvm_gpa_addr` and `region_len` must be 4 KiB-aligned. The TSM must remove
every MMIO region that overlaps with the requested range. This call will result
in an exit to the host on success.

Expand Down Expand Up @@ -2105,10 +2105,10 @@ non-confidential pages to the TVM's address space.
In systems with fragmented memory and lack of dynamic page conversion,
the OS/VMM may fail allocating a single large physical memory region that
spans over contiguous non-confidential pages. The TVM should then retry and
request share of multiple smaller memory regions, for example, at the 4KB page
request share of multiple smaller memory regions, for example, at the 4 KiB page
size granularity.

Both `tvm_gpa_addr` and `region_len` must be 4KB-aligned.
Both `tvm_gpa_addr` and `region_len` must be 4 KiB-aligned.

The possible error codes returned in sbiret.error are:

Expand Down Expand Up @@ -2150,7 +2150,7 @@ with `sbi_covh_run_tvm_vcpu()` will fail. Any guest page faults taken by other
TVM vCPUs in the
invalidated pages continue to be reported to the host.

Both `tvm_gpa_addr` and `region_len` must be 4KB-aligned.
Both `tvm_gpa_addr` and `region_len` must be 4 KiB-aligned.

[#table_sbi_covg_unshare_memory_region_errors]
.COVE Guest Unshare Memory Region
Expand Down Expand Up @@ -2438,10 +2438,10 @@ creation via `sbi_covh_promote_to_tvm()`. Only the TVMs that were correctly
authenticated and authorized during local attestation can receive the secret
embedded in TAP.

`buf_addr` is the 4KB-aligned address in the TVM address space to which the
`buf_addr` is the 4 KiB-aligned address in the TVM address space to which the
TSM will write the secret.
`buf_size` is the length of the buffer. The buffer cannot be larger than the
4KB page size.
4 KiB page size.

This ABI will become part of the `Sealing Interface` planned for the CoVE in
version 2.0.
Expand All @@ -2456,7 +2456,7 @@ The possible error codes are shown below.
| Error code | Description
| SBI_SUCCESS | The operation completed successfully.
| SBI_ERR_INVALID_ADDRESS | `buf_addr_out` is not a valid guest physical address or is not correctly aligned.
| SBI_ERR_INVALID_PARAM | The buffer's size is too small to store the secret or larger than the 4KB page.
| SBI_ERR_INVALID_PARAM | The buffer's size is too small to store the secret or larger than the 4 KiB page.
| SBI_ERR_AUTH | Local attestation failed.
|===

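Review bot: The SBI_ERR_INVALID_ADDRESS row refers to `buf_addr_out`, but the description in the previous hunk names the parameter `buf_addr` ("`buf_addr` is the 4 KiB-aligned address ..."). Use one name in both places. The SBI_ERR_INVALID_PARAM row would also read more precisely as "larger than the 4 KiB page size", matching the description.
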
Expand Down Expand Up @@ -2510,7 +2510,7 @@ allocate per TVM, Size of memory to allocate per TVM Virtual Hart and so on.
| <<sbi_covh_convert_pages, sbi_covh_convert_pages>> | Begins the process
of converting memory
to be used as confidential memory. The region consists of one or more contiguous
4KB memory naturally aligned regions.
4 KiB memory naturally aligned regions.

| <<sbi_covh_reclaim_pages, sbi_covh_reclaim_pages>> | VMM may unassign
memory for TVMs by destroying them. All confidential-unassigned memory may be
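
Review bot: On the rewritten line, "4 KiB memory naturally aligned regions" has its words out of order; since the line is being touched, change it to "naturally aligned 4 KiB memory regions".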
Expand Down Expand Up @@ -2606,7 +2606,7 @@ allows the VMM to assign TEE pages for a virtual hart context structure (VHCS)
for a
specific TVM. This routine also initializes the hart-specific fields of
this structure. Note that a virtual hart context structure may consist of
more than one 4KB page. The number of pages are enumerated via the tsm_info
more than one 4 KiB page. The number of pages are enumerated via the tsm_info
call.

| <<sbi_covh_run_tvm_vcpu, sbi_covh_run_tvm_vcpu>> | Enter or resume a TVM
14 changes: 7 additions & 7 deletions src/swlifecycle.adoc
Expand Up @@ -187,7 +187,7 @@ HFENCE.GVMA for the TVM VMID. This sequence is described in more detail in
=== TVM memory management

The untrusted OS/VMM may assign memory to the TVM at any architecture-supported
page size, i.e., 4KB, 2MB, 1GB and 512GB, according to RISC-V architecture.
page size, i.e., 4 KiB, 2 MiB, 1 GiB and 512 GiB, according to RISC-V architecture.
This assignment is supervised by the TSM-driver and the TSM and enforced using
a specific hardware memory isolation component. Specifically, memory
access-control is enforced at two levels:
Expand Down Expand Up @@ -247,12 +247,12 @@ For implementations that utilize MTT, the Extended Memory Tracking Table (EMTT)
information managed by the TSM
is used to track additional fields of metadata associated with physical
addresses.
The page size is implicit in the MTT and EMTT lookup - 4KB, 2MB, 1GB, 512GB.
The page size is implicit in the MTT and EMTT lookup - 4 KiB, 2 MiB, 1 GiB, 512 GiB.
Actual page sizes supported are implementation-specified.

|===
h| Memory Type h| Confidential or Non-confidential (enforced via MTT)
| Page-Type
| Page-Type
a| Reserved - page that may not be assigned to any TEE entity.

If the Memory Type is Confidential, the following page types may be used:
Expand All @@ -261,7 +261,7 @@ If the Memory Type is Confidential, the following page types may be used:
* TVM - page assigned to a TVM (mapped via G-stage page table)
* TSM - page used by the TSM (for MTT and other control structures)
| Page Owner | If the Memory Type is Confidential and Page-Type is TVM,
this value holds the identifier (e.g., PPN) for the TVM control page (4KB TEE-
this value holds the identifier (e.g., PPN) for the TVM control page (4 KiB TEE-
TSM-TVM page); else it is 0.
| Page sub-type a| Following types apply if Memory Type is Confidential and
Page-Type is TVM:
Expand Down Expand Up @@ -463,7 +463,7 @@ This section refers to CoVE implementations supporting OS/VMM-initiated page
assignment to a TVM.

VMM uses the sbi_covh_add_tvm_zero/measured_pages interfaces to add a
4KB/2MB/1GB page to the TVM. The page assigned to the TVM is identified by its
4 KiB/2 MiB/1 GiB page to the TVM. The page assigned to the TVM is identified by its
PA. A source page (also PA) may be provided to initialize the page contents. In
this case, the TVM initialization must not have been committed by the VMM, and
the contents of the page and the GPA selected by the VMM are measured into the
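
Review bot: With spaces now inside each unit, "4 KiB/2 MiB/1 GiB page" is hard to parse as a list; write "a 4 KiB, 2 MiB or 1 GiB page". The function reference "sbi_covh_add_tvm_zero/measured_pages" on the line above would also be clearer as two full names in backticks.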
Expand Down Expand Up @@ -550,11 +550,11 @@ The AIA supports two mechanisms for tracking of interrupts at VS-level:
IMSIC guest interrupt files, of which there are a fixed number per physical
hart.
These allow delivery of external interrupts directly to VS-level as a Virtual
Supervisor External Interrupt. Guest interrupt files occupy a single 4KB page
Supervisor External Interrupt. Guest interrupt files occupy a single 4 KiB page
of physical address space.

Memory-resident interrupt files (MRIFs), which track pending and enabled
interrupts in a 4KB page of DRAM. While the RISC-V IOMMU supports automatically
interrupts in a 4 KiB page of DRAM. While the RISC-V IOMMU supports automatically
updating an MRIF's pending bits and delivering a notice interrupt to the host
when an MSI is targeted at an MRIF, the hypervisor is still responsible for
injection of the VSIE to the guest. IPI emulation must be provided by the