-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCHANGES
275 lines (237 loc) · 15.5 KB
/
CHANGES
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
# Revision History for seL4
<!--
Document maintainers: Wrap lines in this file at 120 characters.
Kernel engineers: When making changes to code (rather than documentation or comments) in the kernel repository,
include a change item entry here, at the end of the list for the upcoming release, describing the change, and
evaluate whether the compatibility breakage level must be promoted as a consequence. As some rules of thumb:
* If the change affects only the sources of the kernel (`src/`, `/include`), it is a BINARY-COMPATIBLE change.
* If the change adds visible C preprocessor or language symbols in `libsel4/`, it is a BINARY-COMPATIBLE change.
* If the change alters existing symbol definitions, types, or implementations in `libsel4/`, it is a
SOURCE-COMPATIBLE change.
* Otherwise, it is BREAKING.
-->
The following is a high-level description of changes to the seL4 kernel project, grouped by release. It is aimed at
engineers who desire a summary of changes in more coarse-grained form than the Git commit history. Each release
description indicates whether it is SOURCE-COMPATIBLE, BINARY-COMPATIBLE, or BREAKING relative to the previous release.
Further information about [seL4 releases](https://docs.sel4.systems/sel4_release/) is available.
---
Upcoming release: BINARY COMPATIBLE
## Changes
## Upgrade Notes
---
11.0.0 2019-11-19: BREAKING
## Changes
* Add GrantReply access right for endpoint capabilities.
- seL4_Call is permitted on endpoints with either the Grant or the GrantReply access rights.
- Capabilities can only be transferred in a reply message if receiver's endpoint capability has the Grant right.
* `seL4_CapRights_new` now takes 4 parameters
* seL4_CapRightsBits added to libsel4. seL4_CapRightsBits is the number of bits
to encode seL4_CapRights.
* `seL4_UserTop` added
- a new constant in libsel4 that contains the first virtual address unavailable to
user level.
* Add Kernel log buffer to aarch64
* Support added for Aarch64 hypervisor mode (EL2) for Nvidia TX1 and TX2. This is not verified.
* Support for generating ARM machine header files (memory regions and interrupts) based on a device tree.
* Support added for ARM kernel serial driver to be linked in at build time based on the device tree compatibility string.
* Support added for compiling verified configurations of the kernel with Clang 7.
* RISC-V: handle all faults
- Pass all non-VM faults as user exceptions.
* arm-hyp: pass ESR in handleUserLevelFault
* aarch64: return ESR as part of user level fault
* Created new seL4_nbASIDPoolsBits constant to keep track of max nb of ASID pools.
* Support added for Hardkernel ODROID-C2.
* Added extended bootinfo header for device tree (SEL4_BOOTINFO_HEADER_FDT).
* Support added for passing a device tree from the bootloader to the root task on ARM.
* Add seL4_VSpaceBits, the size of the top level page table.
* The root cnode size is now a minimum of 4K.
* Hifive board support and RISC-V external interrupt support via a PLIC driver.
* Update seL4_FaultType size to 4bits.
* Fix seL4_MappingFailedLookupLevel() for EPTs on x86.
- add SEL4_MAPING_LOOKUP_NO_[EPTPDPT, EPTPD, EPTPT] which now correspond to
the value returned by seL4_MappingFailedLookupLevel on X86 EPT mapping calls.
* BeagleBone Black renamed from am335x to am335x-boneblack.
* Supported added for BeagleBone Blue (am335x-boneblue).
* Remove IPC Buffer register in user space on all platforms
* Add managed TLS register for all platforms
* Add configurable system call allowing userspace to set TLS register without capability on all platforms.
* Non-hyp support added for Arm GICv3 interrupt controller.
* Add initial support for i.MX8M boards.
- Support for i.MX8M Quad evk AArch64 EL2 and EL1, AArch32 smode only is accessible via the imx8mq-evk platform.
- Support for i.MX8M Mini evk AArch64 EL2 and EL1, AArch32 smode only is accessible via the imx8mm-evk platform.
* Add FVP platform with fixed configuration. This currently assumes A57 configuration described in tools/dts/fvp.dts.
* Arm SMP invocation IRQControl_GetTriggerCore added
- Used to route a specify which core an IRQ should be delivered on.
* Kernel log buffer: Specify on which core an IRQ was delivered.
* Add new seL4_DebugSendIPI syscall to send arbitrary SGIs on ARM when SMP and DEBUG_BUILD are activated.
* Support for aarch64-hyp configurations with 40-bit physical addresses (PA) added.
- The aarch64 api now refers to VSpaces rather than PageGlobalDirectories,
as depending on the PA the top level translation structure can change.
- all `seL4_ARM_PageGlobalDirectory` invocations are now `seL4_ARM_VSpace` invocations.
- new constants 'seL4_ARM_VSpaceObject` and `seL4_VSpaceIndexBits`.
* Merged MCS kernel feature.
- this is not verified and is under active verification.
- The goals of the MCS kernel is to provide strong temporal isolation and a basis for reasoning about time.
* Moved aarch64 kernel window
- aarch64 kernel window is now placed at 0, meaning the kernel can access memory
below where the kernel image is mapped.
* aarch64: Moved TPIDRRO_EL0 (EL0 Read-Only Thread ID register) to TCB register context from VCPU registers. This means
changes to this register from user level have to go via seL4_TCB_Write Registers instead of seL4_ARM_VCPU_WriteRegs.
* Merge ARCH_Page_Remap functionality into ARCH_Page_Map. Remap was used for updating the mapping attributes of a page
without changing its virtual address. Now ARCH_Page_Map can be performed on an existing mapping to achieve the same
result. The ARCH_Page_Remap invocation has been removed from all configurations.
* riscv64: Experimental SMP support for RISCV64 on HiFive.
* Support added for QEMU ARM virt platform, with 3 CPUs: cortex-a15, cortex-a53 and cortex-a57
- PLATFORM=qemu-arm-virt
- ARM_CPU={cortex-a15, cortex-a53, cortex-a57}
- QEMU_MEMORY=1024 (default)
* Support added for rockpro64.
* RISCV: Add support for Ariane SoC
* Unify device untyped initialisation across x86, Arm and RISC-V
- Access to the entire physical address range is made available via untypes.
- The kernel reserves regions that user level is not able to access and doesn't hand out untypeds for it.
- Ram memory is part of this reservation and is instead handed out as regular Untypeds.
- Memory reserved for use by the kernel or other reserved regions are not accessible via any untypeds.
- Devices used by the kernel are also not accessible via any untypeds.
## Upgrade Notes
* Usages of Endpoints can now use seL4_Call without providing Grant rights by downgrading the Grant to GrantReply
* The kernel no longer reserves a register for holding the address of a thread's IPC buffer. It is now expected that the
location of the IPC buffer is stored in a __thread local variable and a thread register is used to refer to each
thread's thread local variables. The sel4runtime is an seL4 runtime that provides program entry points that setup
the IPC buffer address and serves as a reference for how the IPC buffer is expected to be accessed.
* All `seL4_ARM_PageGlobalDirectory` invocations need to be replaced with `seL4_ARM_VSpace`.
* Usages of ARCH_Page_Remap can be replaced with ARCH_Page_Map and require the original mapping address to be provided.
* Device untypeds are provided to user level in different sizes which may require more initial processing to break them
down for each device they refer to.
---
10.1.1 2018-11-12: BINARY COMPATIBLE
## Changes
* Remove theoretical uninitialised variable use in infer_cpu_gic_id for binary translation validation
## Upgrade Notes
* 10.1.0 has a known broken test in the proofs. 10.1.1 fixes this test.
---
10.1.0 2018-11-07: SOURCE COMPATIBLE
## Changes
* structures in the boot info are not declared 'packed'
- these were previously packed (in the GCC attribute sense)
- some field lengths are tweaked to avoid padding
- this is a source-compatible change
* ARM platforms can now set the trigger of an IRQ Handler capability
- seL4_IRQControl_GetTrigger allows users to obtain an IRQ Handler capability
and set the trigger (edge or level) in the interrupt controller.
* Initial support for NVIDIA Jetson TX2 (ARMv8a, Cortex A57)
* AARCH64 support added for raspberry pi 3 platform.
* Code generation now use jinja2 instead of tempita.
* AARCH32 HYP support added for running multiple ARM VMs
* AARCH32 HYP VCPU registers updated.
* A new invocation for setting TLSBase on all platforms.
- seL4_TCB_SetTLSBase
* Kbuild/Kconfig/Makefile build system removed.
---
10.0.0 2018-05-28: BREAKING
- Final version of the kernel which supports integration with Kbuild based projects
- Future versions, including this one, provide a CMake based build system
For more information see https://docs.sel4.systems/Developing/Building.
## Changes
* x86 IO ports now have an explicit IOPortControl capability to gate their creation. IOPort capabilities may now only
be created through the IOPortControl capability that is passed to the rootserver. Additionally IOPort capabilities
may not be derived to have smaller ranges and the IOPortControl will not issue overlapping IOPorts
* 32-bit support added for the initial prototype RISC-V architecture port
## Upgrade Notes
* A rootserver must now create IOPort capabilities from the provided IOPortControl capability. As IOPorts can not
have their ranges further restricted after creation it must create capabilities with the final desired granularity,
remembering that since ranges cannot overlap you cannot issue a larger and smaller range that have any IO ports
in common.
---
9.0.1 2018-04-18: BINARY COMPATIBLE
## Changes
* On 64-bit architectures, the `label` field of `seL4_MessageInfo` is now 52 bits wide. User-level programs
which use any of the following functions may break, if the program relies on these functions to mask the
`label` field to the previous width of 20 bits.
- `seL4_MessageInfo_new`
- `seL4_MessageInfo_get_label`
- `seL4_MessageInfo_set_label`
* Initial prototype RISC-V architecture port. This port currently only supports running in 64-bit mode without FPU or
or multicore support on the Spike simulation platform. There is *no verification* for this platform.
## Upgrade Notes
---
9.0.0 2018-04-11: BREAKING
= Changes =
* Debugging option on x86 for syscall interface to read/write MSRs (this is an, equally dangerous, alternative to
dangerous code injection)
* Mitigation for Meltdown (https://meltdownattack.com) on x86-64 implemented. Mitigation is via a form of kernel
page table isolation through the use of a Static Kernel Image with Microstate (SKIM) window that is used for
trapping to and from the kernel address space. This can be enabled/disabled through the build configuration
depending on whether you are running on vulnerable hardware or not.
* Mitigation for Spectre (https://spectreattack.com) on x86 against the kernel implemented. Default is software
mitigation and is the best performing so users need to do nothing. This does *not* prevent user processes from
exploiting each other.
* x86 configuration option for performing branch prediction barrier on context switch to prevent Spectre style
attacks between user processes using the indirect branch predictor
* x86 configuration option for flushing the RSB on context switch to prevent Spectre style attacks between user
processes using the RSB
* Define extended bootinfo header for the x86 TSC frequency
* x86 TSC frequency exported in extended bootinfo header
* `archInfo` is no longer a member of the bootinfo struct. Its only use was for TSC frequency on x86, which
can now be retrieved through the extended bootinfo
* Invocations to set thread priority and maximum control priority (MCP) have changed.
- For both invocations, users must now provide a TCB capability `auth`
- The requested MCP/priority is checked against the MCP of the `auth` capability.
- Previous behavior checked against the invoked TCB, which could be subject to the confused deputy
problem.
* seL4_TCB_Configure no longer takes prio, mcp as an argument. Instead these fields must be set separately
with seL4_TCB_SetPriority and seL4_TCB_SetMCPriority.
* seL4_TCB_SetPriority and seL4_TCB_SetMCPriority now take seL4_Word instead of seL4_Uint8.
- seL4_MaxPrio remains at 255.
* seL4_TCB_SetSchedParams is a new method where MCP and priority can be set in the same sytsem call.
* Size of the TCB object is increased for some build configurations
= Upgrade notes =
* seL4_TCB_Configure calls that set priority should be changed to explicitly call seL4_TCB_SetSchedParams
or SetPriority
* seL4_TCB_Configure calls that set MCP should be changed to explicitly call seL4_TCB_SetSchedParams
or seL4_TCB_SetMCPriority
---
8.0.0 2018-01-17
= Changes =
* Support for additional zynq platform Zynq UltraScale+ MPSoC (Xilinx ZCU102, ARMv8a, Cortex A53)
* Support for multiboot2 bootloaders on x86 (contributed change from Genode Labs)
* Deprecate seL4_CapData_t type and functions related to it
* A fastpath improvement means that when there are two runnable threads and the target thread is the highest priority
in the scheduler, the fastpath will be hit. Previously the fastpath would not be used on IPC from a high priority
thread to a low priority thread.
* As a consequence of the above change, scheduling behaviour has changed in the case where a non-blocking IPC is sent
between two same priority threads: the sender will be scheduled, rather than the destination.
* Benchmarking support for armv8/aarch64 is now available.
* Additional x86 extra bootinfo type for retrieving frame buffer information from multiboot 2
* Debugging option to export x86 Performance-Monitoring Counters to user level
= Upgrade notes =
* seL4_CapData_t should be replaced with just seL4_Word. Construction of badges should just be `x` instead of
`seL4_CapData_Badge_new(x)` and guards should be `seL4_CNode_CapData_new(x, y)` instead of
`seL4_CapData_Guard_new(x, y)`
* Code that relied on non-blocking IPC to switch between threads of the same priority may break.
---
7.0.0 2017-09-05
= Changes =
* Support for building standalone ia32 kernel added
* ia32: Set sensible defaults for FS and GS selectors
* aarch64: Use tpidrro_el0 for IPC buffer instead of tpidr_el0
* More seL4 manual documentation added for aarch64 object invocations
* Default NUM_DOMAINS set to 16 for x86-64 standalone builds
* libsel4: Return seL4_Error in invocation stubs in 8fb06eecff9 ''' This is a source code level breaking change '''
* Add a CMake based build system
* x86: Increase TCB size for debug builds
* libsel4: x86: Remove nested struct declarations ''' This is a source code level breaking change '''
* Bugfix: x86: Unmap pages when delete non final frame caps
= Upgrade notes =
* This release is not source compatible with previous releases.
* seL4 invocations that previously returned long now return seL4_Error which is an enum. Our libraries have already
been updated to reflect this change, but in other places where seL4 invocations are used directly, the return types
will need to be updated to reflect this change.
* On x86 some structs in the Bootinfo have been rearranged. This only affects seL4_VBEModeInfoBlock_t which is used if
VESA BIOS Extensions (VBE) information is being used.
= Known issues =
* One of our tests is non-deterministicly becoming unresponsive on the SMP release build on the Sabre IMX.6 platform,
which is a non verified configuration of the kernel. We are working on fixing this problem, and will likely do a
point release once it is fixed.
---
For previous releases see https://docs.sel4.systems/sel4_release/