Convert license tags to SPDX identifiers

This commit also converts our own copyright headers to directly use
SPDX, but leaves all other copyright header intact, only adding the
SPDX ident. As far as possible this commit also merges multiple
Data61 copyright statements/headers into one for consistency.

mcs: tickless driver for x86

Add a tickless timer driver for x86. The driver defaults to using
TSC_DEADLINE mode, but falls back to the apic if that feature is not
available.

style: consistently align pointer with name

Run astyle with align-pointer=name

x86: Introduce IO port control caps

Changes the way IO ports work such that instead of 'minting' IO port caps down into new
IO port caps with smaller ranges new IO port ranges must be allocated centrally from
an IO port control cap. This mechanism acts in a very similar fashion as IRQ handler/control
capabilities and ensures that allocated IO ports do not overlap. Disallowing overlapping
IO ports is necessary to ensure the CDT remains valid as capabilities are deleted.

x64: SKIM window to mitigate Meltdown (CVE-2017-5754) on x86-64

Introduces a kernel option that, when enabled, reduces the kernel window in a user address
space to just be Static Kernel Image and Microstate (SKIM), instead of the full kernel
address space. This isolates the important kernel data from the user preventing a
Meltdown style attack being able to violate secrecy. The kernel text and read only data,
i.e. anything that is static from boot, is not secret and can be allowed in the SKIM window
and potentially read by the user. Additionally to switch to and from the actual kernel
address space a small amount of state needs to also be in the SKIM window.

This is only an implementation for x86-64, although the same design is applicable to ia32

x86: Define per node arch global state

Global state in this context is state/datastructures that need to be available at all times,
both in user and kernel mode, by the hardware for correct operation. The purpose of creating
a separate per-node structure for it is so that there is the option of treating it specially
in the future from other per node state

SELFOUR-1062: Hide all IOMMU related code behind #ifdef guards

The IOMMU implementation is not going to be verified at the moment, and so the code for
it needs to be hidden from verification, which we do by #ifdef'ing it out if the IOMMU
is not enabled. As a result the IOMMU configuration depends on a non verification target

x86: move current active FPU owner to node state

x86: define number of restore since switch as node state

x86: Mechanism for catching GP faults and returning to an error handler

Provides a mechanism where if af GP fault is potentially expected it can be caught
and the calling code returned to. The GP happening can be detected by setting
a specific return to handler and additionally by the return to handler being
cleared if a GP happened.

x86: Handling pending interrupts in kernel mode

This commit allows x86 to completely handle a pending interrupt without switching
out to user mode. To handle an interrupt on x86 the APIC *must* generate an exception,
prior to you being able to acknowledge it. Previously we only allow exceptions (i.e.
interrupts) to be generated outside of kernel mode when we are in user mode.

This change allows us to 'poll' for an interrupt and transition the APIC whilst in kernel
mode by enabling and taking interrupts at carefully defined points. A pending interrupt
will be stored by the exception handler, allowing us to then handle the interrupt and
acknowledge the hardware APIC. Handling is done by waiting until after we have 'left' the
kernel and are about to switch to user mode and then 'entering' the kernel again by jumping
to the interrupt entry point.

Handling interrupts entirely in kernel mode provides two advantages
* It will allow, in the future, the ability to handle kernel interrupts in situations
where we need to handle the interrupt before actually performing the hardware switch
back to user mode. This case happens where the user thread is using vt-x and so
pending interrupts do not generate an interrupt exception, but rather cause an exception
to be generated telling the system that there is a pending interrupt
* Where there are multiple pending interrupts it is more efficient to avoid additional
switches in and out of the user thread

Whilst this change does not enable pre-emption points to handle the interrupt before
returning out of `handleSyscall` it should be easily implementable with what is provided.

x86: Avoid writing the fs/gs base if we don't have to

x86: Switch to NULL FPU state if suspect no one using it

Adds a heuristic to switch to a NULL fpu state if we think the FPU
is not presently in use. A NULL fpu state is more efficient as
we do not have to enable/disable the FPU when switching threads

x86: Initial support for SMP vt-x

Enables vt-x code to compile when CONFIG_MAX_NUM_NODES is set to
greater than 1 and adds code to manage VMCS state on different cores

SELFOUR-287: 32-bit vt-x implementation

This is an implementation of vt-x for x86 kernels running in
ia32 mode.

SELFOUR-630:preliminary booting application processors
- update core detection code and Kconfig file
- update kernel stack managment so that BSP does not use boot stack before IPI APs
- move arch dependant data to a single structure
- add cache line size to Kconfig
- add cpu indexing and apic id mapping
- boot APs to halting state
- add guard for kernel stack if there is only one core

Revert "Merge pull request #358 in SEL4/sel4 from ~AZARRABI/sel4:multicore to master"

This reverts commit ce2f666bb811c5e4c779829fcb09d5a189ebcdbb, reversing
changes made to dc183f96b81f2344d7d0d910fc430f924eaae940.

SELFOUR-630:preliminary booting application processors
- update core detection code and Kconfig file
- update kernel stack managment so that BSP does not use boot stack before IPI APs
- move arch dependant data to a single structure
- add cache line size to Kconfig
- add cpu indexing and apic id mapping
- boot APs to halting state
- add guard for kernel stack if there is only one core

Correct separation of printing and debug builds

Fixes some build issues with 541289a32603cee8242b5360b05e8f0c52795433
as well as further allowing debugging (via the capdl interface) to
happen when printing is turned off.

Further separate 'release' and 'verification' builds

Originally building the kernel was largely considered to be done in
one of two ways
1. Release build with no assertions, no debug symbols and no printing.
This was generally considered to be a 'verified' build
2. Debug build with assertions, debug symbols and printing

Since then various options were added, such as the 'code injection'
option, which we wanted on builds that did not have assertions or
other options that affected performance. As such it did not depend
upon a debug build and had large warning signs saying that enabling
this in a release build would not give you a verified or trusted
kernel.

Most recently the ability to print from the kernel in release mode
was added. For the same reason that tying the ability to print with
the performance reduction of various debugging was not always desireable.

This change attempts to unify the current state and have a single top
level option to enable a 'verification friendly' build. All other
options (assertions, printing, code injection) then depend upon
this configuration not being set.

x86: More portable user mode IO port restriction

For x86-64, to disable IO instructions in user mode requires a
IO permission map being set up properly in TSS. Setting the
IO map base field of TSS larger than the TSS works for 32-bit, but
not 64-bit. This commit sets up a IO permission map usable for both
32-bit and 64-bit kernel and changes the TSS to use the mapping.
The IO permission bitmap is appened to the bitfield generated tss_t,
resulting the tss_io_t structure.

x86: Rename ia32->x86

This is a stylistic commit to make names of variables/constants and
functions in the kernel more consistent. That is, things that are
not IA32 specific, but are generic x86, get renamed to having an
x86 name

x86: IOAPIC/MSI syscalls

Restructure the x86 interrupt handling to allow for a more flexible
method of using IOAPIC and MSI interrupts. The essence of this change
is to allow for the user to pick, for both IOAPIC and MSIs, which
CPU vector to use. Additionally there is future support, in the API,
for seL4 to eventually protect MSI interrupts with the vt-d interrupt
routing tables.

API behaviour for legacy systems using the PIC is preserved

Part of SELFOUR-281

x86: Use an unsigned value for IO domain state

Verification prefers not to deal with signed numbers, and there is
no reason for these to be signed

x86: Rename ia32KScurInterrupt -> x86KScurInterrupt

x86: Extract 32-bit specific vspace functions in mode/vspace.c

x86: Create 32-bit specific statedata

x86: Port some of the IOMMU changes on the experimental branch

This changes the IOMMU from using passthrough devices and instead
directly mapping in the reserved regions that are needed for each
device.

x86: With multi-kernel support removed make the kernel PDs etc global instead of passing them around

x86: Do not conditionally compile IOMMU code, use build/run time checks

Guarding code with #ifdef's makes even cursor testing of 'does this code compile'
difficult due to code being hidden by the pre-processor. Using config_set in
regular C if statements is performant as the compiler can trivially detect
dead code at compile time, and at -O1 and above will not even link in symbols
referenced by dead code in these blocks, so this will not bloat image size

xIntroduce RELEASE_PRINTF, which allows a renamed printf (release_printf) to be used in a release build of the kernel - userful for debugging tests that only fail on a release build of the kernel

x86: Make x86 the name of the architecture instead of IA32

IA32 is 32bit version of the x86 architecture. Whilst only IA32
is supported, much of the code is generic x86. Using a generic
x86 architecture will aid in future 64bit support