1%
2% Copyright 2014, General Dynamics C4 Systems
3%
4% This software may be distributed and modified according to the terms of
5% the GNU General Public License version 2. Note that NO WARRANTY is provided.
6% See "LICENSE_GPLv2.txt" for details.
7%
8% @TAG(GD_GPL)
9%
10
11\chapter{\label{ch:ipc}Message Passing (IPC)}
12
13The seL4 microkernel provides a message-passing IPC mechanism for communication
14between threads. The same mechanism is also used for communication with
15kernel-provided services. Messages are sent by invoking a capability to a
16kernel object. Messages sent to \obj{Endpoint}s are destined for other
17threads, while messages sent to other objects are processed by the kernel. This
18chapter describes the common message format, endpoints,
19and how they can be used for communication between applications.
20
21\section{Message Registers}
22\label{sec:messageinfo}
23
24Each message contains a number of message words and optionally a number of
25capabilities.
26The message words are sent to or received from a thread by placing them in its \emph{message registers}.
27The message registers are numbered and the first few message registers are implemented
28using physical CPU registers, while the rest are backed by a fixed region of
29memory called the \emph{IPC buffer}.
30The reason for this design is efficiency:
31very short messages need not use the memory.
32The IPC buffer is assigned to the calling thread (see \autoref{sec:threads} and \autoref{api:tcb_setipcbuffer}).
33%FIXME: seL4_TCB_SetIPCBuffer is only mentioned in the API reference!
34
35Every IPC message also has a tag (structure \texttt{seL4\_MessageInfo\_t}).  The
36tag consists of four fields: the label, message length, number of capabilities
37(the \texttt{extraCaps} field) and the \texttt{capsUnwrapped} field.  The
38message length and number of capabilities determine either the number of
39message registers and capabilities that the sending thread wishes to transfer,
40or the number of message registers and capabilities that were actually
41transferred. The label is not interpreted by the
42kernel and is passed unmodified as the first data payload of the message. The
43label may, for example, be used to specify a requested operation. The
44\texttt{capsUnwrapped} field is used only on the receive side, to indicate the
45manner in which capabilities were received. It is described in
46\autoref{sec:cap-transfer}.
47
48% FIXME: a little too low-level, perhaps?
49
50\newcommand{\ipcparam}[4]{\texttt{#1} \emph{#2}&\texttt{#3}&#4\\ }
51\begin{table}[htb]
52    \begin{center}
53    \begin{tabularx}{\textwidth}{p{0.28\textwidth}p{0.18\textwidth}X}
54      \toprule
55      \textbf{Type} & \textbf{Name} & \textbf{Description} \\
56      \midrule
57        \ipcparam{seL4\_MessageInfo\_t}{}{tag}{Message tag}
58        \ipcparam{seL4\_Word[]}{}{msg}{Message contents}
59        \ipcparam{seL4\_Word}{}{userData}{Base address of the structure, used by
60        supporting user libraries}
61        \ipcparam{seL4\_CPtr[]}{(in)}{caps}{Capabilities to transfer}
62        \ipcparam{seL4\_CapData\_t[]}{(out)}{badges}{Badges for
63        endpoint capabilities received}
64        \ipcparam{seL4\_CPtr}{}{receiveCNode}{CPTR to a CNode from which to
65        find
66        the receive slot}
67        \ipcparam{seL4\_CPtr}{}{receiveIndex}{CPTR to the receive slot
68        relative to \texttt{receiveCNode}}
69        \ipcparam{seL4\_Word}{}{receiveDepth}{Number of bits of
70        \texttt{receiveIndex} to
71        use}
72        \bottomrule
73      \end{tabularx}
74    \caption{\label{tbl:ipcbuffer}Fields of the
75      \texttt{seL4\_IPCBuffer} structure.  Note that
76      \texttt{badges} and \texttt{caps} use the same area of memory in
77      the structure.}
78    \end{center}
79\end{table}
80
81The kernel assumes that the IPC buffer contains a structure of type
82\texttt{seL4\_IPCBuffer} as defined in \autoref{tbl:ipcbuffer}. The
83kernel uses as many physical registers as possible to transfer IPC
84messages. When more arguments are transferred than physical message
85registers are available, the kernel begins using the IPC buffer's
86\texttt{msg} field to transfer arguments. However, it leaves room in
87this array for the physical message registers. For example, if an IPC
88transfer or kernel object invocation required
894 message registers (and there are only 2 physical message registers
90available on this architecture) then arguments 1 and 2 would be
91transferred via message registers and arguments 3 and 4 would be in
92\texttt{msg[2]} and \texttt{msg[3]}.
93This allows the user-level object-invocation stubs to copy the arguments passed in physical registers to
94the space left in the \texttt{msg} array if desired.
95The situation is similar for the tag field.
96There is space for this field in the \texttt{seL4\_IPCBuffer} structure, which the kernel ignores.
97User level stubs
98may wish to copy the message tag from its CPU register to this field, although
99the user level stubs provided with the kernel do not do this.
100
101\section{Endpoints}
102
103\obj{Endpoint}s allow a small amount
104of data and capabilities (namely the IPC buffer) to be transferred between two
105threads. \obj{Endpoint} objects are invoked directly using the seL4 system calls
106described in \autoref{sec:syscalls}. 
107
108IPC \obj{Endpoints} uses a rendezvous model and as such is
109synchronous and blocking. An \obj{Endpoint} object  may queue
110threads either to send or to receive. If no receiver is ready, threads
111performing the \apifunc{seL4\_Send}{sel4_send} or \apifunc{seL4\_Call}{sel4_call}
112system calls will wait in a queue for the first available receiver. Likewise, if
113no sender is ready, threads performing the \apifunc{seL4\_Recv}{sel4_recv}
114system call or the second half of \apifunc{seL4\_ReplyRecv}{sel4_replyrecv}
115will wait for the first available sender.
116
117\subsection{Endpoint Badges\label{s:ep-badge}}
118\label{sec:ep-badges}
119
120Endpoint capabilities may be \emph{minted} to
121create a new endpoint capability with a \emph{badge} attached to it, a data
122word chosen by the invoker of the \emph{mint} operation. When a message is sent to an endpoint using a badged
123capability, the badge is transferred to the receiving thread's
124\texttt{badge} register.
125
126An endpoint capability with a zero badge is said to be \emph{unbadged}.
127Such a capability can be badged with the \apifunc{seL4\_CNode\_Mutate}{cnode_mutate} or \apifunc{seL4\_CNode\_Mint}{cnode_mint}
128invocations on the \obj{CNode} containing the capability. Endpoint
129capabilities with badges cannot be unbadged, rebadged or used to create
130child capabilities with different badges.
131
132Only the low 28 bits of the badge are available for use. The kernel will
133silently ignore any usage of the high 4 bits.
134
135\subsection{Capability Transfer}
136\label{sec:cap-transfer}
137
138Messages may contain capabilities, which will be transferred to the
139receiver, provided that the endpoint capability
140invoked by the sending thread has Grant rights. An attempt to send
141capabilities using an endpoint capability without the Grant right will
142result in transfer of the raw message, without any capability transfer.
143
144Capabilities to be sent in a message are specified in the sending thread's
145IPC buffer in the \texttt{caps} field. Each entry in that array is interpreted
146as a CPTR in the sending thread's capability space. The number of capabilities
147to send is specified in the \texttt{extraCaps} field of the message tag.
148
149The receiver specifies the slot
150in which it is willing to receive a capability, with three fields within the IPC buffer: \texttt{receiveCNode}, \texttt{receiveIndex} and \texttt{receiveDepth}.
151These fields specify the root CNode, capability address and number of bits to resolve, respectively, to find
152the slot in which to put the capability. Capability
153addressing is described in \autoref{sec:cap_addressing}.
154
155A received capability has the same rights as the original, except if
156the \emph{receiving} endpoint capability lacks the Write right.
157In this case, the rights on the sent capability are \emph{diminished}, by
158stripping the Write right from the received copy of the capability.
159
160Note that receiving threads may specify only one receive slot, whereas a
161sending thread may include multiple capabilities in the message. Messages
162containing more than one capability may be interpreted by kernel objects. They
163may also be sent to receiving threads in the case where some of the extra
164capabilities in the message can be \emph{unwrapped}.
165
166If the n-th capability in the message refers to the endpoint through
167which the message is sent, the capability is \emph{unwrapped}: its badge is placed into
168the n-th
169position of the receiver's badges array, and the kernel sets the n-th bit (counting from the
170least significant) in the \texttt{capsUnwrapped} field of the message
171tag. The capability itself is not transferred, so the receive slot may be used
172for another capability.
173
174If a receiver gets a message whose tag has an \texttt{extraCaps} of 2 and a
175\texttt{capsUnwrapped} of 2, then the first capability in the message was
176transferred to the specified receive slot and the second capability was
177unwrapped, placing its badge in \texttt{badges[1]}. There may have been a
178third capability in the sender's message which could not be unwrapped.
179
180\subsection{Errors}
181
182Errors in capability transfers can occur at two places: in the send
183phase or in the receive phase. In the send phase, all capabilities that
184the caller is attempting to send are looked up to ensure that they exist
185before the send is initiated in the kernel. If the lookup fails for any
186reason, \apifunc{seL4\_Send}{sel4_send} and \apifunc{seL4\_Call}{sel4_call} system calls immediately abort and
187no IPC or capability transfer takes place. The system call will return
188a lookup failure error as described in \autoref{sec:errors}.
189
190In the receive phase, seL4 transfers capabilities in the order that they
191are found in the sending thread's IPC buffer \texttt{caps} array
192and terminates as soon as an error is encountered. Possible error
193conditions are:
194
195\begin{itemize}
196    \item A source capability cannot be looked up. Although the presence
197    of the source capabilities is checked when the sending thread
198    performs the send system call, this error may still occur. The sending
199    thread may have been blocked on the endpoint for some time before it
200    was paired with a receiving thread. During this time, its
201    CSpace may have changed and the source capability pointers may
202    no longer be valid.
203
204    \item The destination slot cannot be looked up. Unlike the send
205    system call, the \apifunc{seL4\_Recv}{sel4_recv} system call does not check that the
206    destination slot exists and is empty before it initiates the receive.
207    Hence, the \apifunc{seL4\_Recv}{sel4_recv} system call will not fail with an error if the
208    destination slot is invalid and will instead transfer badged
209    capabilities until an attempt to save a capability to the
210    destination slot is made.
211
212    \item The capability being transferred cannot be derived. See
213    \autoref{sec:cap_derivation} for details.
214\end{itemize}
215
216An error will not void the entire transfer, it will just end it
217prematurely. The capabilities processed before the failure are still
218transferred and the \texttt{extraCaps} field in the receiver's IPC
219buffer is set to the number of capabilities transferred up to failure.
220No error message will be returned to the receiving thread in any of the
221above cases.
222
223