Memory System: Difference between revisions
(Initial draft) |
m (→Bus Error handling: Fix incorrect intr_code for BusErrorSecure) |
||
Line 57: | Line 57: | ||
== Bus Error handling == | == Bus Error handling == | ||
When a bus error occurs, an interrupt is delivered to ARM Secure (intr_code | When a bus error occurs, an interrupt is delivered to ARM Secure (intr_code 0x21/33) or Non-Secure (intr_code 0x20/32). The OS considers all bus errors to be fatal and installs interrupt handlers that stop the system. | ||
This requires more testing, but it seems that device-initiated bus errors (e.g. DMAC) are routed to Non-Secure interrupt; but there may be other rules to consider. | This requires more testing, but it seems that device-initiated bus errors (e.g. DMAC) are routed to Non-Secure interrupt; but there may be other rules to consider. |
Revision as of 20:20, 1 May 2023
Kermit memory system internals
This is all based on assumptions and may be completely wrong.
Terminology
- Agent
A device connected to the memory system.
- Access
An interface between an Agent and the memory
- TA
Short for Target Access?
- IA
Short for Initiator Access?
- Transaction
A data exchange performed via the memory bus system. Transactions transfer data between an IA and a TA. A transaction from X (an IA) to Y (a TA) is initiated by X and targets Y.
- Bus
Short for time-shared bus. A link between agents on which a single transaction may be in progress at a time.
- XBar
Short for Crossbar. A link between agents on which multiple transactions may be in progress at a time (as long as they do not target the same TA).
- Arbiter
This could be a single physical device of the memory system that allocates access to the bus/XBar to IAs (most plausible hypothesis). However, the PS Vita may instead be using a decentralized bus arbitration system in which there is no single arbiter.
- Bus Master
When a transaction is occurring on a bus, the agent that started the transaction is referred to as the Bus Master.
There are three revisions of the memory system layout: One for Kermit1.0 ES1, one for Kermit1.0 ES2 (not documented but close to ES3) and one for Kermit1.0 ES3, ES4, and Kermit1.5 ES1.
In the following sections, you may see register names such as BEBT
and SBEBT
mentioned.
Unless otherwise specified, a register prefixed with S
is merely the ARM Secure variant of the register (e.g. SBEBT
is BEBT
for ARM Secure).
Everything that applies to a register should apply to its Secure variant, except that the register is updated by Secure bus transactions, instead of Non-Secure bus transactions.
Control registers
There are several MMIO registers available to alter the behavior of the memory system, or query information about the memory system's state.
IA/TA registers
A common register group associated to every IA or TA of the memory system. The register group is 0x1000 bytes sized (but maybe not all room is used).
(List of physical address for all these interfaces can be found on Physical Memory page - names start with SSX_
- will be migrated here at some point)
Name | Offset in group | Size | Usage/Notes |
---|---|---|---|
STATUS | 0x28 | 0x8 | Bit 0x0100_0000 indicates an error |
ERROR_LOG | 0x58 | 0x8 | |
ADDR | 0x60 | 0x8 |
Bus Error handling
When a bus error occurs, an interrupt is delivered to ARM Secure (intr_code 0x21/33) or Non-Secure (intr_code 0x20/32). The OS considers all bus errors to be fatal and installs interrupt handlers that stop the system.
This requires more testing, but it seems that device-initiated bus errors (e.g. DMAC) are routed to Non-Secure interrupt; but there may be other rules to consider.
It is unknown whether or not CMeP can receive bus error interrupts or how CMeP fits in the memory system.
Clear TA error
In old firmwares (e.g. 0.920 - pre-ES3, so this may no longer be valid), there exists a function named BusErrorClearTA
which works the following way.
First, choose a bus/XBar that will serve as start point (MainXBar for ES2).
Second, recursively build a list of all TAs connected to this start point. Repeat the process for all TAs that are busses or XBars.
Third, walk the obtained tree. Check the STATUS
of all TAs. If an error is present, repeat the procedure recursively (if bus/XBar) then clear the error.
To clear the error, simply write 0x0000_0000_01000_0000ull
to STATUS
NOTE: old firmwares do not have informations about IAs, only TAs. This could explain the routine's name, but also means this procedure may also work/be needed on IA side.
Misc
The memory system is able to distinguish if a transaction is originating from ARM Secure state or Non-Secure state because ARM Cortex-A9 processors with Security Extensions have an additional bit indicating whether the access is Secure or Non-Secure added to all memory system transactions.
?All devices on the Kermit bus diagram that have an IA are treated as ARM NS.? (attempting to perform a DMAC memcpy() from Secure to Non-Secure LPDDR0 region results in a NS bus error)
On ES1 hardware, the bus registers are prefixed with SMX
instead of SSX
. The meaning of both these acronyms is unknown.