1% 2% Copyright 2014, General Dynamics C4 Systems 3% 4% This software may be distributed and modified according to the terms of 5% the GNU General Public License version 2. Note that NO WARRANTY is provided. 6% See "LICENSE_GPLv2.txt" for details. 7% 8% @TAG(GD_GPL) 9% 10 11\chapter{\label{ch:ipc}Message Passing (IPC)} 12 13The seL4 microkernel provides a message-passing IPC mechanism for communication 14between threads. The same mechanism is also used for communication with 15kernel-provided services. Messages are sent by invoking a capability to a 16kernel object. Messages sent to \obj{Endpoint}s are destined for other 17threads, while messages sent to other objects are processed by the kernel. This 18chapter describes the common message format, endpoints, 19and how they can be used for communication between applications. 20 21\section{Message Registers} 22\label{sec:messageinfo} 23 24Each message contains a number of message words and optionally a number of 25capabilities. 26The message words are sent to or received from a thread by placing them in its \emph{message registers}. 27The message registers are numbered and the first few message registers are implemented 28using physical CPU registers, while the rest are backed by a fixed region of 29memory called the \emph{IPC buffer}. 30The reason for this design is efficiency: 31very short messages need not use the memory. 32The IPC buffer is assigned to the calling thread (see \autoref{sec:threads} and \autoref{api:tcb_setipcbuffer}). 33%FIXME: seL4_TCB_SetIPCBuffer is only mentioned in the API reference! 34 35Every IPC message also has a tag (structure \texttt{seL4\_MessageInfo\_t}). The 36tag consists of four fields: the label, message length, number of capabilities 37(the \texttt{extraCaps} field) and the \texttt{capsUnwrapped} field. The 38message length and number of capabilities determine either the number of 39message registers and capabilities that the sending thread wishes to transfer, 40or the number of message registers and capabilities that were actually 41transferred. The label is not interpreted by the 42kernel and is passed unmodified as the first data payload of the message. The 43label may, for example, be used to specify a requested operation. The 44\texttt{capsUnwrapped} field is used only on the receive side, to indicate the 45manner in which capabilities were received. It is described in 46\autoref{sec:cap-transfer}. 47 48% FIXME: a little too low-level, perhaps? 49 50\newcommand{\ipcparam}[4]{\texttt{#1} \emph{#2}&\texttt{#3}\\ } 51\begin{table}[htb] 52 \begin{center} 53 \begin{tabularx}{\textwidth}{p{0.28\textwidth}p{0.18\textwidth}X} 54 \toprule 55 \textbf{Type} & \textbf{Name} & \textbf{Description} \\ 56 \midrule 57 \ipcparam{seL4\_MessageInfo\_t}{}{tag}{Message tag} 58 \ipcparam{seL4\_Word[]}{}{msg}{Message contents} 59 \ipcparam{seL4\_Word}{}{userData}{Base address of the structure, used by 60 supporting user libraries} 61 \ipcparam{seL4\_CPtr[]}{(in)}{caps}{Capabilities to transfer} 62 \ipcparam{seL4\_CapData\_t[]}{(out)}{badges}{Badges for 63 endpoint capabilities received} 64 \ipcparam{seL4\_CPtr}{}{receiveCNode}{CPTR to a CNode from which to 65 find 66 the receive slot} 67 \ipcparam{seL4\_CPtr}{}{receiveIndex}{CPTR to the receive slot 68 relative to \texttt{receiveCNode}} 69 \ipcparam{seL4\_Word}{}{receiveDepth}{Number of bits of 70 \texttt{receiveIndex} to 71 use} 72 \bottomrule 73 \end{tabularx} 74 \caption{\label{tbl:ipcbuffer}Fields of the 75 \texttt{seL4\_IPCBuffer} structure. Note that 76 \texttt{badges} and \texttt{caps} use the same area of memory in 77 the structure.} 78 \end{center} 79\end{table} 80 81The kernel assumes that the IPC buffer contains a structure of type 82\texttt{seL4\_IPCBuffer} as defined in \autoref{tbl:ipcbuffer}. The 83kernel uses as many physical registers as possible to transfer IPC 84messages. When more arguments are transferred than physical message 85registers are available, the kernel begins using the IPC buffer's 86\texttt{msg} field to transfer arguments. However, it leaves room in 87this array for the physical message registers. For example, if an IPC 88transfer or kernel object invocation required 894 message registers (and there are only 2 physical message registers 90available on this architecture) then arguments 1 and 2 would be 91transferred via message registers and arguments 3 and 4 would be in 92\texttt{msg[2]} and \texttt{msg[3]}. 93This allows the user-level object-invocation stubs to copy the arguments passed in physical registers to 94the space left in the \texttt{msg} array if desired. 95The situation is similar for the tag field. 96There is space for this field in the \texttt{seL4\_IPCBuffer} structure, which the kernel ignores. 97User level stubs 98may wish to copy the message tag from its CPU register to this field, although 99the user level stubs provided with the kernel do not do this. 100 101\section{Endpoints} 102 103\obj{Endpoint}s allow a small amount 104of data and capabilities (namely the IPC buffer) to be transferred between two 105threads. \obj{Endpoint} objects are invoked directly using the seL4 system calls 106described in \autoref{sec:syscalls}. 107 108IPC \obj{Endpoints} uses a rendezvous model and as such is 109synchronous and blocking. An \obj{Endpoint} object may queue 110threads either to send or to receive. If no receiver is ready, threads 111performing the \apifunc{seL4\_Send}{sel4_send} or \apifunc{seL4\_Call}{sel4_call} 112system calls will wait in a queue for the first available receiver. Likewise, if 113no sender is ready, threads performing the \apifunc{seL4\_Recv}{sel4_recv} 114system call or the second half of \apifunc{seL4\_ReplyRecv}{sel4_replyrecv} 115will wait for the first available sender. 116 117\subsection{Endpoint Badges\label{s:ep-badge}} 118\label{sec:ep-badges} 119 120Endpoint capabilities may be \emph{minted} to 121create a new endpoint capability with a \emph{badge} attached to it, a data 122word chosen by the invoker of the \emph{mint} operation. When a message is sent to an endpoint using a badged 123capability, the badge is transferred to the receiving thread's 124\texttt{badge} register. 125 126An endpoint capability with a zero badge is said to be \emph{unbadged}. 127Such a capability can be badged with the \apifunc{seL4\_CNode\_Mutate}{cnode_mutate} or \apifunc{seL4\_CNode\_Mint}{cnode_mint} 128invocations on the \obj{CNode} containing the capability. Endpoint 129capabilities with badges cannot be unbadged, rebadged or used to create 130child capabilities with different badges. 131 132Only the low 28 bits of the badge are available for use. The kernel will 133silently ignore any usage of the high 4 bits. 134 135\subsection{Capability Transfer} 136\label{sec:cap-transfer} 137 138Messages may contain capabilities, which will be transferred to the 139receiver, provided that the endpoint capability 140invoked by the sending thread has Grant rights. An attempt to send 141capabilities using an endpoint capability without the Grant right will 142result in transfer of the raw message, without any capability transfer. 143 144Capabilities to be sent in a message are specified in the sending thread's 145IPC buffer in the \texttt{caps} field. Each entry in that array is interpreted 146as a CPTR in the sending thread's capability space. The number of capabilities 147to send is specified in the \texttt{extraCaps} field of the message tag. 148 149The receiver specifies the slot 150in which it is willing to receive a capability, with three fields within the IPC buffer: \texttt{receiveCNode}, \texttt{receiveIndex} and \texttt{receiveDepth}. 151These fields specify the root CNode, capability address and number of bits to resolve, respectively, to find 152the slot in which to put the capability. Capability 153addressing is described in \autoref{sec:cap_addressing}. 154 155A received capability has the same rights as the original, except if 156the \emph{receiving} endpoint capability lacks the Write right. 157In this case, the rights on the sent capability are \emph{diminished}, by 158stripping the Write right from the received copy of the capability. 159 160Note that receiving threads may specify only one receive slot, whereas a 161sending thread may include multiple capabilities in the message. Messages 162containing more than one capability may be interpreted by kernel objects. They 163may also be sent to receiving threads in the case where some of the extra 164capabilities in the message can be \emph{unwrapped}. 165 166If the n-th capability in the message refers to the endpoint through 167which the message is sent, the capability is \emph{unwrapped}: its badge is placed into 168the n-th 169position of the receiver's badges array, and the kernel sets the n-th bit (counting from the 170least significant) in the \texttt{capsUnwrapped} field of the message 171tag. The capability itself is not transferred, so the receive slot may be used 172for another capability. 173 174If a receiver gets a message whose tag has an \texttt{extraCaps} of 2 and a 175\texttt{capsUnwrapped} of 2, then the first capability in the message was 176transferred to the specified receive slot and the second capability was 177unwrapped, placing its badge in \texttt{badges[1]}. There may have been a 178third capability in the sender's message which could not be unwrapped. 179 180\subsection{Errors} 181 182Errors in capability transfers can occur at two places: in the send 183phase or in the receive phase. In the send phase, all capabilities that 184the caller is attempting to send are looked up to ensure that they exist 185before the send is initiated in the kernel. If the lookup fails for any 186reason, \apifunc{seL4\_Send}{sel4_send} and \apifunc{seL4\_Call}{sel4_call} system calls immediately abort and 187no IPC or capability transfer takes place. The system call will return 188a lookup failure error as described in \autoref{sec:errors}. 189 190In the receive phase, seL4 transfers capabilities in the order that they 191are found in the sending thread's IPC buffer \texttt{caps} array 192and terminates as soon as an error is encountered. Possible error 193conditions are: 194 195\begin{itemize} 196 \item A source capability cannot be looked up. Although the presence 197 of the source capabilities is checked when the sending thread 198 performs the send system call, this error may still occur. The sending 199 thread may have been blocked on the endpoint for some time before it 200 was paired with a receiving thread. During this time, its 201 CSpace may have changed and the source capability pointers may 202 no longer be valid. 203 204 \item The destination slot cannot be looked up. Unlike the send 205 system call, the \apifunc{seL4\_Recv}{sel4_recv} system call does not check that the 206 destination slot exists and is empty before it initiates the receive. 207 Hence, the \apifunc{seL4\_Recv}{sel4_recv} system call will not fail with an error if the 208 destination slot is invalid and will instead transfer badged 209 capabilities until an attempt to save a capability to the 210 destination slot is made. 211 212 \item The capability being transferred cannot be derived. See 213 \autoref{sec:cap_derivation} for details. 214\end{itemize} 215 216An error will not void the entire transfer, it will just end it 217prematurely. The capabilities processed before the failure are still 218transferred and the \texttt{extraCaps} field in the receiver's IPC 219buffer is set to the number of capabilities transferred up to failure. 220No error message will be returned to the receiving thread in any of the 221above cases. 222 223