Memory management units (MMUs) are
incorporated in, or available for, a wide range of embedded CPUs. Under
some circumstances their use is mandatory; in other situations they
might represent an unwanted overhead. This article looks at what MMUs do
and how they might be applied. Process and thread models for
multi-tasking are compared and contrasted, and an intermediate option is
considered that might provide a compromise between security and
performance requirements.
Physical and logical addresses
When you first start learning how to program, the concept of an address is unimportant, as high level languages insulate the programmer from such nastiness. It is only when a developer wants to understand or write assembly language or really appreciate what is happening with pointers that addresses become a concern.
Every byte of memory has a unique address. Actually that is not quite true, as some processor architectures utilize multiple address spaces, but ultimately every byte may be specified uniquely in some way. Commonly, a system has a single area of memory with a starting address of zero. This is not a firm rule, as the memory architecture could be set up such that the address space starts at some other value. Other systems have multiple areas of memory that may not be contiguous – maybe the program and data memory are separate, for example.
Such addresses are physical addresses and are the values emitted by the CPU and systems immediately around it, and are decoded by the memory system. For many systems, physical addresses correspond directly to logical addresses, which are the ones used by software. In other systems, there is no such matching. A difference between a logical and physical address may occur for a number of reasons.
If a CPU has a paged memory architecture, the software may work with shorter (logical) addresses than would be needed to access the complete (physical) address space. Adjusting the “page” moves a window of addresses through the physical address space. For example, the original x86 architecture used 16-bit logical addresses (giving a 64K range) and 20-bit physical addresses (accessing up to 1M). Setting up the base register enabled the logical address space to be mapped onto a 64K area within the 1M space (on a 16-byte boundary).
Paged addressing is uncommon nowadays. More typically CPUs use 32-bit addresses to access a flat 4G address space. However, there may still be a non-correspondence between logical and physical addresses because a memory management unit (MMU) processes addresses emitted by the CPU. An MMU gives a lot of flexibility to remap physical memory to convenient logical addresses. It can also render parts of the physical address space inaccessible to software, which is a powerful protection mechanism.
Operating systems and multi-tasking
Most modern embedded systems are built using an operating system of some kind. This may be a simple multi-tasking kernel, or it may be a real-time operating system (RTOS) with a wide range of services, or it could be a “full” operating system like Linux. Broadly speaking, any kind of operating system supports a multi-tasking model, which may be “thread model” or “process model”; these two types are essentially characterized by their use or non-use of an MMU.
Multi-tasking – thread model
Most RTOS products on the market are thread model. This means that all the tasks’ (now called threads) code and data occupy the same address space, along with that of the RTOS itself, as illustrated in Figure 1.
Theoretically, but hopefully not in practice, one thread can access and/or corrupt the code and data of another thread or of the RTOS. Obviously, this possibility is only of passing interest if the code is properly debugged and from a trustworthy source. The big benefit of thread model is that the context switch is fast, as only the CPU registers need to be saved and restored.
Physical and logical addresses
When you first start learning how to program, the concept of an address is unimportant, as high level languages insulate the programmer from such nastiness. It is only when a developer wants to understand or write assembly language or really appreciate what is happening with pointers that addresses become a concern.
Every byte of memory has a unique address. Actually that is not quite true, as some processor architectures utilize multiple address spaces, but ultimately every byte may be specified uniquely in some way. Commonly, a system has a single area of memory with a starting address of zero. This is not a firm rule, as the memory architecture could be set up such that the address space starts at some other value. Other systems have multiple areas of memory that may not be contiguous – maybe the program and data memory are separate, for example.
Such addresses are physical addresses and are the values emitted by the CPU and systems immediately around it, and are decoded by the memory system. For many systems, physical addresses correspond directly to logical addresses, which are the ones used by software. In other systems, there is no such matching. A difference between a logical and physical address may occur for a number of reasons.
If a CPU has a paged memory architecture, the software may work with shorter (logical) addresses than would be needed to access the complete (physical) address space. Adjusting the “page” moves a window of addresses through the physical address space. For example, the original x86 architecture used 16-bit logical addresses (giving a 64K range) and 20-bit physical addresses (accessing up to 1M). Setting up the base register enabled the logical address space to be mapped onto a 64K area within the 1M space (on a 16-byte boundary).
Paged addressing is uncommon nowadays. More typically CPUs use 32-bit addresses to access a flat 4G address space. However, there may still be a non-correspondence between logical and physical addresses because a memory management unit (MMU) processes addresses emitted by the CPU. An MMU gives a lot of flexibility to remap physical memory to convenient logical addresses. It can also render parts of the physical address space inaccessible to software, which is a powerful protection mechanism.
Operating systems and multi-tasking
Most modern embedded systems are built using an operating system of some kind. This may be a simple multi-tasking kernel, or it may be a real-time operating system (RTOS) with a wide range of services, or it could be a “full” operating system like Linux. Broadly speaking, any kind of operating system supports a multi-tasking model, which may be “thread model” or “process model”; these two types are essentially characterized by their use or non-use of an MMU.
Multi-tasking – thread model
Most RTOS products on the market are thread model. This means that all the tasks’ (now called threads) code and data occupy the same address space, along with that of the RTOS itself, as illustrated in Figure 1.
Theoretically, but hopefully not in practice, one thread can access and/or corrupt the code and data of another thread or of the RTOS. Obviously, this possibility is only of passing interest if the code is properly debugged and from a trustworthy source. The big benefit of thread model is that the context switch is fast, as only the CPU registers need to be saved and restored.
Multi-tasking – process model
Higher end operating systems like Linux and Windows, along with a few RTOS products, use process model. By using the MMU, each task (now called a process) occupies its own private address space, starting at address 0, as illustrated in Figure 2. In effect, a process is given the impression that it has exclusive access to the entire machine.
This model has the great benefit that each process has no access to, or even awareness of, other processes’ memory or that of the OS itself. This permits the construction of more secure systems, where a badly behaved or seriously buggy process should have no effect on the rest of the system. The downside is that a context switch is significantly slower than with thread model, as apart from the save and restore of the CPU registers, the memory needs to be remapped using the MMU.
Thread protected mode
Some RTOS products offer an interesting compromise by making limited use of an MMU, while still using thread mode. This is commonly called “thread protected mode”. This facility is implemented such that, on a context switch, only memory which the current thread has authorization to access (i.e. its own along with any shared or specific RTOS memory areas) is rendered visible. This slightly increases the context switch time, as the MMU needs to be set up, but this is a lower overhead than a full remapping required for process model. Figure 3 shows a system where Task 2 is in control while Figure 4 illustrates the result of adjusting the MMU when Task 4 gains control.
Figure 3: Memory management using a thread protected mode with Task 2 in control
Figure 4: Memory management using a thread protected mode with Task 4 gaining control
Summary
Modern embedded CPUs commonly incorporate an MMU, or one may be available as an option. To use high-end operating systems like Linux, an MMU is essential. For most RTOS products, an MMU is not required, but in many cases it may be used to provide some additional security.
Higher end operating systems like Linux and Windows, along with a few RTOS products, use process model. By using the MMU, each task (now called a process) occupies its own private address space, starting at address 0, as illustrated in Figure 2. In effect, a process is given the impression that it has exclusive access to the entire machine.
Figure 2: Multitasking using a process model
This model has the great benefit that each process has no access to, or even awareness of, other processes’ memory or that of the OS itself. This permits the construction of more secure systems, where a badly behaved or seriously buggy process should have no effect on the rest of the system. The downside is that a context switch is significantly slower than with thread model, as apart from the save and restore of the CPU registers, the memory needs to be remapped using the MMU.
Thread protected mode
Some RTOS products offer an interesting compromise by making limited use of an MMU, while still using thread mode. This is commonly called “thread protected mode”. This facility is implemented such that, on a context switch, only memory which the current thread has authorization to access (i.e. its own along with any shared or specific RTOS memory areas) is rendered visible. This slightly increases the context switch time, as the MMU needs to be set up, but this is a lower overhead than a full remapping required for process model. Figure 3 shows a system where Task 2 is in control while Figure 4 illustrates the result of adjusting the MMU when Task 4 gains control.
Figure 3: Memory management using a thread protected mode with Task 2 in control
Figure 4: Memory management using a thread protected mode with Task 4 gaining control
Summary
Modern embedded CPUs commonly incorporate an MMU, or one may be available as an option. To use high-end operating systems like Linux, an MMU is essential. For most RTOS products, an MMU is not required, but in many cases it may be used to provide some additional security.
No comments:
Post a Comment