arm64 虚拟地址物理地址转换

linux5.15

armv8-a arm文档 VMSA章节  D5.2.4 Memory translation granule size

A VMSA provides a Memory Management Unit (MMU) that controls address translation, access permissions, and memory attribute determination and checking, for memory accesses made by the PE. The process of address translation maps the virtual addresses (VAs) used by the PE onto the physical addresses (PAs) of the physical memory system. The mapping of a VA to a PA requires either a single stage of translation, or two sequential stages of translation. 

以aarch64 state non-secure el0&el1的环境，即最常见的arm64 linux最常见的场景

地址转换重要寄存器

armv8 system register有 ttbr0_el1 和ttbr1_el1  tcr_el1寄存器设定mmu的转换过程

ttbr0_el1  进程的用户空间页表位置

ttbr1_el1  内核页表位置

 

  

tcr_el1  控制转换过程bit位简要如下

其中AS bit 控制asid的位数

T0/1SZ 指定了TTBR0/1转换的地址范围，根据T0/1SZ的大小和转换粒度开始进行stage1(VA-->IPA)的地址转换

对于linux的情况地址空间为两部分如下图，T0SZ为16，va_region1_bits=64-T0SZ，T1SZ为16，va_region2_bits=64-T1SZ

如果为single address va_bits = 64-T0SZ ,并且地址空间取64位lower bits

 

TG0/1 bit控制着TTBR0_EL0/1 的转换粒度

地址转换过程

address sapce与granule size

首先armv8的最大地址空间为48bit也可扩展至52bit，以48bit为例userspace地址空间为0x0000 0000 0000 0000 --> 0x0000 ffff ffff ffff ，kernel space 地址空间为0xffff 0000 0000 0000 --> 0xffff ffff ffff ffff 。

 translation granule（粒度）支持4k，16k，64k。

granule size 决定了page size和单个translation table size

每个translation table descripter 有64bit，所以每个translation table 有pagesize bits - 3个descripter如下图所示，12bit的page size，level 1/2/3 的resolve bits 为9bit

translation table walk

虚拟地址到物理地址的转换过程称为Translation table walks

A translation table walk comprises one or more translation table lookups. The translation table walk is the set of lookups that are required to translate the VA to the PA. For the EL1&0, when EL2 is enabled, translation regime, this set includes lookups for both the stage 1 translation and the stage 2 translation, but translation table walk can also be used to refer to either:

The set of lookups required for the stage 1 translation, that translates the VA to the IPA. This is the stage 1 translation table walk.

The set of lookups required for the stage 2 translation, that translates the IPA to the PA. This is the stage 2 translation table walk

The translation table walk starts with a read of the translation table for the initial lookup. The TTBR_ELx for the stage of translation holds the base address of this table. Each translation table lookup returns a descriptor that indicates one of the following:

The entry is the final entry of the walk. In this case, the entry contains the OA, and the permissions and attributes for the access.

An additional level of lookup is required. In this case, the entry contains the translation table base address for that lookup

The descriptor is invalid. In this case, the memory access generates a Translation fault.

 ttbr0/1_el1取页表基址，获取基址后查找到的L-1_table[52:48]entry 的内容为L0_table基址和L-1的IPA，以此类推查到L0/1/2/3的IPA最后直到查到PA，此为一次成功的page table walk

理解initial lookup level

理论上initial lookup level 可以是level -1~2的任一level。如下图4k granule size，TnSZ的值和granule size同时决定了initial lookup level 是哪一个lookup level。其中TnSZ的值可以为Tmin至Tmax之间的任意值，只是linux常用48和52。

 ARM develop上有一段解释如下链接ARMv8 mmu problem - Architectures and Processors forum - Support forums - Arm Community

page与block的区别

看一段来自ARM develop的解释

ARMv8 mmu problem - Architectures and Processors forum - Support forums - Arm Community

block entry直接map了一段物理地址而不是指定了下一level 的lookup table，page table walk的lookup 遇到block_entry也是完成了一次完整的lookup。

以4k granule size为例