CHANGES.md
The following is a high-level description of changes to the seL4 kernel project, grouped by release. It is aimed at engineers who desire a summary of changes in more coarse-grained form than the Git commit history. Each release description indicates whether it is SOURCE-COMPATIBLE, BINARY-COMPATIBLE, or BREAKING relative to the previous release.
LibSel4UseThreadLocals).KernelAllowSMCCalls option can now be used for verification buildsseL4_X86_EPT_VMAttributesseL4_VMEnter()field_ptr keyword for reducing the need for
#ifdef in bitfield definitionsVMX_CONTROL_SECONDARY_PROCESSOR_CONTROLS. Previously only writes were allowed.X86_64_VTX_64BIT_GUESTS to enable guests managing their own mode transition, e.g.
for UEFI firmware.VMX_CONTROL_ENTRY_CONTROLS field, e.g. for enabling long mode and loading of
certain MSRs on VM Entry.CR0.PE and CR0.PG to be cleared if "Unrestricted Guest" mode is supported by the host CPU. This mode allows
guest software to run in unpaged protected mode or in real-address mode.If using domains, replace any custom domain_schedule.c file with initialisation code in user space, or use
corresponding features in user-space frameworks such as Microkit and CAmkES. With MCS, the domain duration is now
configured in timer ticks instead of microseconds.
Fixed a kernel-crashing defect on (unverified) x86 configurations with VT-x enabled where the kernel bookkeeping for VCPU objects was incorrect. The kernel crash can be triggered by retyping multiple VCPU objects from the same Untyped capability or by mixing the right deletion and retyping operations. Thanks to Mathieu Mirmont from Neutrality for reporting and fixing this defect.
invocations_all.json file with syscall invocation numbers.--skip-unchanged option to build process to prevent time stamp update for config output files when these
files did not change.seL4_TCB_SetFlags and new flag seL4_TCBFlag_fpuDisabled.
See RFC-18.[a..b)KernelArmVtimerUpdateVOffset and KernelArmDisableWFIWFETraps from the platform
tqma8xqp1gb, since they are project specific settings, not platform settings. Add
set(KernelArmVtimerUpdateVOffset OFF) and
set(KernelArmDisableWFIWFETraps ON)
to your project settings to get the same configuration as before if you are using tqma8xqp1gb.Support SGIs (software generated interrupts) on platforms with GICv2 or GICv3 in non-SMP configurations. SGIs are
intended for signalling other cores when seL4 is used in a multi-kernel setup. On Arm, this is implemented with a new
capability SGISignal, which can be created from IRQControl capabilities with the new IRQ control invocation
ARMIRQIssueSGISignal for a specific IRQ and target core. The resulting SGISignal capability can be invoked like a
notification capability that supports only signal/send. SGIs can be received by IRQ notification objects on the target
core like other IRQs.
See also RFC-17
Added config option for selecting which thread ID register is used for Kernel TLS syscalls and invocations.
KernelArmTLSReg can be used to select either tpidru or tpidruro as the TLS register used for seL4_TCB_SetTLSBase and seL4_SetTLSBase operations.
This config option's default value is tpidru which is what the register that the kernel currently uses for the TLS register for aarch32 and aarch64 platforms.
Fixed: under some circumstances, writes by a VMM to VCPU timer registers could have been reverted by the kernel to their previous state. This was triggered when:
This was found by Alison Felizzi and independently by Ryan Barry during the integrity proofs for AArch64 hyp mode.
Fixed: under some circumstances, seL4_VCPUReg_CPACR is saved twice to the current VCPU. The value of this
register may change between saves, causing the latter save to unintentionally grant EL0/1 access to the FPU.
seL4_VCPUReg_CPACR is saved to the current VCPU.
1.2. enableFpuEL01 updates the register, enabling FPU access in EL0 and EL1.seL4_VCPUReg_TTBR0 to seL4_VCPUReg_SPSR_EL1 are saved. This range includes
seL4_VCPUReg_CPACR, which overwrites the previously saved value and grants FPU access at EL0 and EL1.Fixed: on aarch32 configurations with hypervisor support, CNTKCTL was not saved and restored alongside other virtual
timer registers. seL4_VCPUReg_CNTKCTL has been introduced to mirror seL4_VCPUReg_CNTKCTL_EL1 from aarch64.
Fixed VGIC and VPPI maintenance handling on MCS, which allowed a thread to simultaneously be blocked and in the release queue.
Added port of debug API to AArch64.
Added implementation of Split EOI mode for GICv3 for improved interrupt performance.
Added aarch64-elf- as valid AArch64 toolchain prefix.
riscv-none-elf- as valid RISC-V toolchain prefixSet seL4_TCBFlag_fpuDisabled (with the seL4_TCB_SetFlags invocation of TCB capabilities) for
tasks not using the FPU to retain the old context switch performance. The -mgeneral-regs-only
option may be needed to stop the compiler from issuing SIMD instructions to speed up integer
operations.
Fixed a kernel-crashing NULL pointer dereference when injecting an IRQ for a non-associated VCPU on SMP configurations. This can be triggered from user-level by any thread that has access to or can create non-associated VCPU objects. While HYP+SMP is not a verified configuration and is not thoroughly tested, it is generally assumed to be working. If you are using this configuration, it is strongly recommended to upgrade.
Fixed a kernel-crashing cache maintenance operation on AArch64 (Armv8). On AArch64, when seL4 runs in EL1 the kernel
would fault with a data abort in seL4_ARM_Page_Invalidate_Data and seL4_ARM_VSpace_Invalidate_Data when the user
requested a dc ivac cache maintenance operation on a page that is not mapped writeable. If you are using seL4 in EL1
on AArch64, it is strongly recommended to upgrade.
Fixed a cache issue on Arm where cleared memory was not flushed to RAM, but only to the point of unification. This means that uncached access was able to still see old memory content.
KernelGlobalsFrame and KernelDangerousCodeInjectionOnUndefInstr. This removes the
constant seL4_GlobalsFrame from libsel4 as well as the IPC buffer in GlobalsFrame caveat from CAVEATS.mdEnabled access to seL4_VCPUReg_VMPIDR and seL4_VCPUReg_VMPIDR_EL2 for all hypervisor configurations. Previously
this register was only accessible for SMP kernel configurations. Non-SMP configurations can still require access when
wanting to control the value of MPIDR that the guest reads. Note that the initial value for new seL4_ARM_VCPUs for
this register is 0 which isn't a legal value for MPIDR_EL1 on AArch64. It may be necessary for the register to be
explicitly initialized by user level before launching a thread associated with the new seL4_ARM_VCPU.
Allow changing the VCPU of active thread: call vcpu_switch in associateVCPUTCB. This guarantees that the correct
VCPU will be activated when the kernel finishes execution. Previously, changing the VCPU of the current thread would
result in no VCPU being active.
benchmarking: use write-through kernel log buffer
arm_hyp: Access SPSR via non-banked instructions
generic_timer: force timer to de-assert IRQ.
No special handling for edge-triggered IRQs.
If unnecessary notifications are unwanted, the pending state should be cleared during seL4_IRQHandler_Ack(), as
that covers a much bigger window. However, edge-triggered interrupts are not expected to happen often. Making all
interrupt handling slightly faster and the code simpler is the better trade-off.
Make write-only mapping message consistent. There is a warning when creating a write-only mapping on AArch32/AArch64. This message is now the same in all variants.
KernelArmExportPTMRUser and KernelArmExportVTMRUser options for Arm generic timer use access on AArch32.lockTLBEntry uses the global tlbLockCount as input without checking bounds. This is fine, because the function
is called at most 2 times per core, but this is only apparent when checking the entire possible calling context.
Make this bound obvious locally by doing nothing if the function is called with values of tlbLockCount of 2 or
greater. This is safe, because TLB lockdown is a performance change only. Also add an assert for debug mode, because
we want to know if calling context ever changes. This potential issue was reported by The UK's National Cyber
Security Centre (NCSC).AARCH64_verified.cmake config for functional correctness on AArch64AARCH64_VSPACE_S2_START_L1 to CONFIG_AARCH64_VSPACE_S2_START_L1 to be namespace
compliant.smc_cap) and SMC forwarding for AArch64 platforms. See
RFC-9.seL4_ARM_PageDirectory and seL4_ARM_PageUpperDirectory. See also the
corresponding RFC. The functionality
previously provided by these types will be provided by the existing seL4_ARM_PageTable object type. This allows for
a simpler API and enables a smaller kernel implementation that will be easier to verify. libsel4 provides a source
compatibility translation that maps the old libsel4 names and constants the new ones in
<sel4/sel4_arch/deprecated.h>. There are some exceptional cases where kernel behavior has changed:
KernelSignalFastpath config option.KernelExceptionFastpath config option.KernelAArch64UserCacheEnable for user cache maintenance.
Enables user level access to DC CVAU, DC CIVAC, DC CVAC, and IC IVAU which are cache maintenance operations
for the data caches and instruction caches underlying Normal memory and also access to the read-only cache-type
register CTR_EL0 that provides cache type information. The ArmV8-A architecture allows access from EL0 as fast
cache maintenance operations improves DMA performance in user-level device drivers.
These instructions are a subset of the available cache maintenance instructions as they can only address lines by virtual address (VA). They also require that the VA provided refers to a valid mapping with at least read permissions. This corresponds to lines that the EL0 could already affect via regular operation and so it's not expected to break any cache-partitioning scheme.
The config option allows this policy to be selected for a particular kernel configuration, but it is default enabled as this has been the existing behavior for current aarch64,hyp configurations and have not been explicitly disabled in non-hyp configurations.
ARMFrameInvocation to stay consistent with the other architectures.KernelArmDisableWFIWFETraps is disabled (trapping of WFI/WFE is
enabled), the kernel traps WFx instructions from both native and vCPU threads. This change brings the code in line
with the config description.KernelRiscvUseClintMtime for faster access of hardware timestamp on RISC-V platforms.
The configuration option is not enabled by default as it requires access to the CLINT which depends on the platform
and whether the M-mode firmware allows S-mode to access the CLINT. For example, newer versions of OpenSBI (1.0 and above)
do not allow direct access of the CLINT.include/interfaces/sel4.xml, arch_include/*/interfaces/sel4arch.xml, and
sel4_arch_include/*/interfaces/sel4arch.xml to include/interfaces/object-api.xml,
arch_include/*/interfaces/object-api-arch.xml, and sel4_arch_include/*/interfaces/object-api-sel4-arch.xml,
respectively.getMaxUsToTicks function tor return time instead of ticks.EPTWriteBack.CONFIG_X86_64_VTX_64BIT_GUESTS for 64-bit VM supportseL4_TimeoutMsg to seL4_Timeout_Msg to make it consistent with the naming of other messages.seL4_MinSchedContextBits.SchedControl_ConfigureFlagsRecv/Wait, which is done by maybeReturnSchedContext().TIMER_OVERHEAD_TICKS. For ARM currently TIMER_PRECISION exists, but that is in microseconds and
not fine-grained enough. TIMER_OVERHEAD_TICKS is needed to make periodic tasks synchronous with the system clock. If
this value is non-zero every period will be extended with the overhead of taking an interrupt and reading the system
clock. To avoid this drift, the configured value should be set to at least the average overhead.ksCurTime assuming they are in sync (which they are not), instead use
NODE_STATE(ksCurTime).seL4_BootInfoFrameSize and seL4_BootInfoFrameBits for user land so there is no longer a need to
hard-code a 4 KiByte assumption. Remove BI_FRAME_SIZE_BITS.PageGetAddress, ASIDControlInvocation, ARMCBInvocation,
A32PageDirectoryGetStatusBits, X86PortIn, WriteVMCS, ReadVMCS, ConfigureSingleStepping, and GetBreakpoint.libsel4: Make bootinfo consistent. Some slot positions in the rootnode would depend on configuration. However that
makes it difficult to add new root caps, especially if multiple caps only exist based on configuration. Make all caps
always there, but null if not configured.libsel4: Eliminate unnamed enumsbitfield_gen: allow non-contiguous tag fields. A tagged union can now optionally use multiple fields to indicate the
tag. These are called "sliced" tags in the code. The tag fields have to be at the same position and width in each
block of the tagged unions, and all tag fields have to be within the same word. See the manual for details.CONFIG_PRINTING and CONFIG_DEBUG_BUILD usable independently from each otherENABLE_SMP_SUPPORT to CONFIG_ENABLE_SMP_SUPPORT to be namespace compliant.HAVE_AUTOCONFseL4_ReplyRecv path, because it too often incorrectly warns about legitimate operationscmake --install <dir> for final build and config artefactscmake: support supplying custom device trees overridescmake: provide gen_config.json with kernel config settingsplatform_gen.json in addition to platform_gen.yamlbinutils >= 2.38cmake: detect x86 cross-compiler for Arm host (e.g. on Apple M1)/usr/bin/env for bash/sh invocationsseL4_MinSchedContextBits can lead to failure where code previously created
scheduling contexts with size seL4_MinSchedContextBits and expected more than the 2 minimum
refills to be available for that size. Either use a larger size (the previous value 8 of
seL4_MinSchedContextBits) in retyping, or request fewer refills.#pragma once to the autoconf headers.HAVE_AUTOCONF guards in sel4/config.h.HAVE_AUTOCONF header guards in libsel4.macros.h #include in libsel4.macros.h in libsel4._Static_assert() in libsel4 if it is available.simple_types.h in libsel4.printf format specifier PRI_sel4_word for printing word types.printf formatting for seL4_Word.BOOT_BSS instead of BOOT_DATA to save space in the ELF file.capDL() function with a generic debug_capDL function that is intended to be implemented by all
architectures.printfs stack usage.ksnprintf() corner case handling.printf output wrapper handling.printf output channel.PRIu64 and SEL4_PRIu_word in the kernel.printf conversion specifiers to use SEL4_PRIx_word specifiers.seL4_SchedControl_Configure which allows the option to create a sporadic
scheduling context.KernelStaticMaxBudgetUs to KernelStaticMaxPeriodUs.ksDomainTime in updateTimestamp.updateTimestamp in a preemption point.seL4_X86DangerousRDMSR in ia32.#define for the i.MX6 Nitrogen6_SoloX.extra_caps_t by value for binary verification purposes.slot_range_t for binary verification purposes.DONT_TRANSLATE tag on 'read_sip' for binary verification purposes.traps.S so that syscalls and fastpath checks were done after interrupts and exceptions checks to avoid
exceptions being interpreted as null-syscalls.riscv64-elf- toolchain.PRIx and SEL4_PRIx printf conversion specifiers that can now be used inside the kernel.RetypeMaxObjects in <sel4/types.h>. This ensures that the definition stays consistent
with what the kernel is configured with.KERNEL_TIMER_IRQ definition. Previously, MCS preemption point handling would check the wrong interrupt on
x86 platforms.replyGrant for fault handlers. The MCS kernel so far insisted on full grant rights for fault handler caps,
but replyGrant is sufficient and consistent with the default kernel config.vcpu_t. This register tracks timer delegation to EL0 from EL1 and
needs to be switched for different VCPUs.apic_init.c_nested_interrupt. This fixes an issue where ia32 kernels
would crash if receiving a nested interrupt.seL4_CapRights_new now takes 4 parametersseL4_UserTop added
seL4_ARM_PageGlobalDirectory invocations are now seL4_ARM_VSpace invocations.andseL4_VSpaceIndexBits`.seL4_ARM_PageGlobalDirectory invocations need to be replaced with seL4_ARM_VSpace.For more information see https://docs.sel4.systems/Developing/Building.
label field of seL4_MessageInfo is now 52 bits wide. User-level programs
which use any of the following functions may break, if the program relies on these functions to mask the
label field to the previous width of 20 bits.
seL4_MessageInfo_newseL4_MessageInfo_get_labelseL4_MessageInfo_set_labelarchInfo is no longer a member of the bootinfo struct. Its only use was for TSC frequency on x86, which
can now be retrieved through the extended bootinfoauthauth capability.x instead of
seL4_CapData_Badge_new(x) and guards should be seL4_CNode_CapData_new(x, y) instead of
seL4_CapData_Guard_new(x, y)For previous releases see https://docs.sel4.systems/releases/seL4.html