The purpose of an Operating System is to run user applications. But the OS cannot provide user applications full control due to security reasons. So to do some privileged operations applications should ask OS to do the job on behalf of themselves. The primary interaction mechanism in Linux and similar Operating Systems is System Call. In this article we are going to see the anatomy of Linux System Calls in ARM64 architecture. Most people working with applications doesn't require it. It is only for those who have a printed copy of Hitchhiker's guide to the galaxy. DON'T PANIC!
ARMv8 has four exception levels - EL0 to EL3. EL0 has lowest privilege where user applications run. EL3 has the highest privilege for Secure Monitor firmware (usually proprietary). Hypervisor runs in EL2 for virtualisation platforms. And our beloved Linux kernel runs in EL1. Elevation from one exception level to next exception level are achieved by setting exceptions. These exceptions will be set by one level and the next level will handle it. Explaining all types of exceptions is out of the scope of this article.
The instruction used to set a synchronous exception [used for system call mechanism] to elevate from EL0 to EL1 is svc - supervisor call. Thus an application runs in Linux should issue svc with registers set with appropriate values. To know what are those appropriate values, Lets see how kernel handles svc.
NOTE: All the code references given in this post are from Linux-4.9.57.
As I have mentioned already, there are multiple exceptions can be set by applications [EL0] which will be taken by Kernel [EL1]. The handlers for these exceptions are stored in a vector table. In ARMv8 the register that mentions the base address of that vector table is VBAR_EL1 [Vector Base Address Register for EL1].
{% blockquote ARM infocenter %}
When an exception occurs, the processor must execute handler code which corresponds to the exception. The location in memory where the handler is stored is called the exception vector. In the ARM architecture, exception vectors are stored in a table, called the exception vector table. Each Exception level has its own vector table, that is, there is one for each of EL3, EL2 and EL1. The table contains instructions to be executed, rather than a set of addresses. Vectors for individual exceptions are located at fixed offsets from the beginning of the table. The virtual address of each table base is set by the Vector Based Address Registers VBAR_EL3, VBAR_EL2 and VBAR_EL1.
As explained above the exception-handlers reside in a continuous memory and each vector spans up to 32 instructions long. Based on type of the exception, the execution will start from an instruction in a particular offset from the base address VBAR_EL1. Below is the ARM64 vector table. For example when an synchronous exception is set from EL0 is set, the handler at VBAR_EL1 +0x400 will execute to handle the exception.
| Offset from VBAR_EL1 |
Exception type |
Exception set level |
| +0x000 |
Synchronous |
Current EL with SP0 |
| +0x080 |
IRQ/vIRQ |
" |
| +0x100 |
FIQ/vFIQ |
" |
| +0x180 |
SError/vSError |
" |
| +0x200 |
Synchronous |
Current EL with SPx |
| +0x280 |
IRQ/vIRQ |
" |
| +0x300 |
FIQ/vFIQ |
" |
| +0x380 |
SError/vSError |
" |
| +0x400 |
Synchronous |
Lower EL using ARM64 |
| +0x480 |
IRQ/vIRQ |
" |
| +0x500 |
FIQ/vFIQ |
" |
| +0x580 |
SError/vSError |
" |
| +0x600 |
Synchronous |
Lower EL with ARM32 |
| +0x680 |
IRQ/vIRQ |
" |
| +0x700 |
FIQ/vFIQ |
" |
| +0x780 |
SError/vSError |
" |
Linux defines the vector table at arch/arm64/kernel/entry.S +259. Each ventry is 32 instructions long. As an instruction in ARMv8 is 4 bytes long, next ventry will start at +0x80 of current ventry.
ENTRY(vectors)
ventry el1_sync_invalid // Synchronous EL1t
ventry el1_irq_invalid // IRQ EL1t
ventry el1_fiq_invalid // FIQ EL1t
ventry el1_error_invalid // Error EL1t
ventry el1_sync // Synchronous EL1h
ventry el1_irq // IRQ EL1h
ventry el1_fiq_invalid // FIQ EL1h
ventry el1_error_invalid // Error EL1h
ventry el0_sync // Synchronous 64-bit EL0
ventry el0_irq // IRQ 64-bit EL0
ventry el0_fiq_invalid // FIQ 64-bit EL0
ventry el0_error_invalid // Error 64-bit EL0
#ifdef CONFIG_COMPAT
ventry el0_sync_compat // Synchronous 32-bit EL0
ventry el0_irq_compat // IRQ 32-bit EL0
ventry el0_fiq_invalid_compat // FIQ 32-bit EL0
ventry el0_error_invalid_compat // Error 32-bit EL0
#else
ventry el0_sync_invalid // Synchronous 32-bit EL0
ventry el0_irq_invalid // IRQ 32-bit EL0
ventry el0_fiq_invalid // FIQ 32-bit EL0
ventry el0_error_invalid // Error 32-bit EL0
#endif
END(vectors)
And loads the vector table into
VBAR_EL1 at
arch/arm64/kernel/head.S +433.
adr_l x8, vectors // load VBAR_EL1 with virtual
msr vbar_el1, x8 // vector table address
isb
VBAR_EL1 is an system register. So it cannot be accessed directly. Special system instructions
msr and
mrs should be used manipulate system registers.
| Instruction |
Description |
adr_l x8, vector |
loads the address of vector table into general purpose register X8 |
msr vbar_el1, x8 |
moves value in X8 to system register VBAR_EL1 |
isb |
instruction sync barrier |
Now lets see what happens when an application issues the instruction svc. From the table, we can see for AArch64 synchronous exception from lower level, the offset is +0x400. In the Linux vector definition VBAR_EL1+0x400 is el0_sync. Lets go to the el0_sync definition at arch/arm64/kernel/entry.S +458
el0_sync:
kernel_entry 0
mrs x25, esr_el1 // read the syndrome register
lsr x24, x25, #ESR_ELx_EC_SHIFT // exception class
cmp x24, #ESR_ELx_EC_SVC64 // SVC in 64-bit state
b.eq el0_svc
cmp x24, #ESR_ELx_EC_DABT_LOW // data abort in EL0
b.eq el0_da
cmp x24, #ESR_ELx_EC_IABT_LOW // instruction abort in EL0
b.eq el0_ia
cmp x24, #ESR_ELx_EC_FP_ASIMD // FP/ASIMD access
b.eq el0_fpsimd_acc
cmp x24, #ESR_ELx_EC_FP_EXC64 // FP/ASIMD exception
b.eq el0_fpsimd_exc
cmp x24, #ESR_ELx_EC_SYS64 // configurable trap
b.eq el0_sys
cmp x24, #ESR_ELx_EC_SP_ALIGN // stack alignment exception
b.eq el0_sp_pc
cmp x24, #ESR_ELx_EC_PC_ALIGN // pc alignment exception
b.eq el0_sp_pc
cmp x24, #ESR_ELx_EC_UNKNOWN // unknown exception in EL0
b.eq el0_undef
cmp x24, #ESR_ELx_EC_BREAKPT_LOW // debug exception in EL0
b.ge el0_dbg
b el0_inv
The subroutine is nothing but a bunch of
if conditions. The synchronous exception can have multiple reasons which will be stored in the syndrome register
esr_el1. Compare the value in syndrome register with predefined macros and branch to the corresponding subroutine.
| Instruction |
Description |
kernel_entry 0 |
It is a macro defined at
arch/arm64/kernel/entry.S +71. It stores
all the general purpose registers into
CPU stack as the sys_* function
expects its arguments from
CPU stack only |
mrs x25, esr_el1 |
Move system register esr_el1 to general
purpose register X25. esr_el1 is the exception
syndrome register. It will have the syndrome code
that caused the exception. |
lsr x24, x25, #ESR_ELx_EC_SHIFT |
Left shift X25 by ESR_ELx_EC_SHIFT bits
and store the result in X24 |
cmp x24, #ESR_ELx_EC_SVC64 |
Compare the value in X24 with ESR_ELx_EC_SVC64.
If both are equal Z bit will be set in NZCV
special purpose register. |
b.eq el0_svc |
If Z flag is set in NZCV, branch to el0_svc.
It is just b not bl. So the control will not come
back to caller. The condition check will happen until
it finds the appropriate reason. If all are wrong el0_inv
will be called. |
In a system call case, control will be branched to el0_svc. It is defined at arm64/kernel/entry.S +742 as follows
/*
* SVC handler.
*/
.align 6
el0_svc:
adrp stbl, sys_call_table // load syscall table pointer
uxtw scno, w8 // syscall number in w8
mov sc_nr, #__NR_syscalls
el0_svc_naked: // compat entry point
stp x0, scno, [sp, #S_ORIG_X0] // save the original x0 and syscall number enable_dbg_and_irq
ct_user_exit 1
ldr x16, [tsk, #TI_FLAGS] // check for syscall hooks
tst x16, #_TIF_SYSCALL_WORK
b.ne __sys_trace
cmp scno, sc_nr // check upper syscall limit
b.hs ni_sys
ldr x16, [stbl, scno, lsl #3] // address in the syscall table
blr x16 // call sys_* routine
b ret_fast_syscall
ni_sys:
mov x0, sp
bl do_ni_syscall
b ret_fast_syscall
ENDPROC(el0_svc)
Before going through the code, let me introduce the aliases
arch/arm64/kernel/entry.S +229
/*
* These are the registers used in the syscall handler, and allow us to
* have in theory up to 7 arguments to a function - x0 to x6.
*
* x7 is reserved for the system call number in 32-bit mode.
*/
sc_nr .req x25 // number of system calls
scno .req x26 // syscall number
stbl .req x27 // syscall table pointer
tsk .req x28 // current thread_info
Now lets walk through function
el0_svc,
| Instruction |
Description |
adrp stbl, sys_call_table |
I'll come to the sys_call_table in next section.
It is the table indexed with syscall number and
corresponding function. It has to be in a
4K aligned memory. Thus this instruction adds the top
22-bits of sys_call_table address with top 52-bit of
PC (program counter) and stores the value at stbl.
Actually it forms the PC-relative address to 4KB page. |
uxtw scno, w8 |
unsigned extract from 32-bit word.
Read 32-bit form of General purpose register X8
and store it in scno |
mov sc_nr, #__NR_syscalls |
Load sc_nr with number of system calls |
stp x0, scno, [sp, #S_ORIG_X0] |
Store a pair of registers X0 and scno
at the memory location stack-pointer + S_ORIG_X0.
Value of S_ORIG_X0 is not really important.
As long as stack-pointer is not modified,
we can access the stored values anytime. |
enable_dbg_and_irq |
it is a macro defined at
arch/arm64/include/asm/assembler.h +88.
It actually enables IRQ and
debugging by setting appropriate
value at special purpose register DAIF. |
ct_user_exit 1 |
another macro not much important
unless you bother about CONFIG_CONTEXT_TRACKING |
ldr x16, [tsk, #TI_FLAGS]
tst x16, #_TIF_SYSCALL_WORK
b.ne __sys_trace |
These instructions are related to syscall hooks.
If syscall hooks are set, call __sys_trace.
For those who got confused about b.ne like me,
.ne only check whether Z flag is non zero.
tst instruction does an bitwise AND of both
operands. If both are equal, Z flag will be non zero. |
cmp scno, sc_nr
b.hs ni_sys |
Just an error check. If the
syscall number is greater than
sc_nr go to ni_sys |
ldr x16, [stbl, scno, lsl #3] |
Load the address of corresponding
sys_* function into X16.
Will explain detail in next section |
blr x16 |
subroutine call to the actual sys_*
function |
b ret_fast_syscall |
Maybe a house-keeping function.
Control will not flow further down. |
It is nothing but an array of function pointer indexed with the system call number. It has to be placed in an 4K aligned memory. For ARM64 sys_call_table is defined at arch/arm64/kernel/sys.c +55.
#undef __SYSCALL
#define __SYSCALL(nr, sym) [nr] = sym,
/*
* The sys_call_table array must be 4K aligned to be accessible from
* kernel/entry.S.
*/
void * const sys_call_table[__NR_syscalls] __aligned(4096) = {
[0 ... __NR_syscalls - 1] = sys_ni_syscall,
#include <asm/unistd.h>
};
*
__NR_syscalls defines the number of system call. This varies from architecture to architecture.
* Initially all the system call numbers were set
sys_ni_syscall - not implemented system call. If a system call is removed, its system call number will not be reused. Instead it will be assigned with
sys_ni_syscall function.
* And the include goes like this
arch/arm64/include/asm/unistd.h ->
arch/arm64/include/uapi/asm/unistd.h ->
include/asm-generic/unistd.h ->
include/uapi/asm-generic/unistd.h. The last file has the definition of all system calls. For example the
write system call is defined here as
#define __NR_write 64
__SYSCALL(__NR_write, sys_write)
* The
sys_call_table is an array of function pointers. As in ARM64 a function pointer is 8 bytes long, to calculate the address of actual system call, system call number
scno is left shifted by 3 and added with system call table address
stbl in the
el0_svc subroutine -
ldr x16, [stbl, scno, lsl #3]
Each system call is defined with a macro SYSCALL_DEFINEn macro. n is corresponding to the number of arguments the system call accepts. For example the write is implemented at fs/read_write.c +599
SYSCALL_DEFINE3(write, unsigned int, fd, const char __user *, buf,
size_t, count)
{
struct fd f = fdget_pos(fd);
ssize_t ret = -EBADF;
if (f.file) {
loff_t pos = file_pos_read(f.file);
ret = vfs_write(f.file, buf, count, &pos);
if (ret >= 0)
file_pos_write(f.file, pos);
fdput_pos(f);
}
return ret;
}
This macro will expand into
sys_write function definition and other aliases functions as mentioned in this
LWN article. The expanded function will have the compiler directive
asmlinkage set. It instructs the compiler to look for arguments in CPU stack instead of registers. This is to implement system calls architecture independent. That's why
kernel_entry macro in
el0_sync pushed all general purpose registers into stack. In ARM64 case registers
X0 to
X7 will have the arguments.
An user application should do following steps to make a system call
* Set the lower 32-bit of general purpose register X8 with appropriate system call number - el0_svc loads the system call number from W0
* And then issue the svc instruction
* Now kernel implemented sys_* function will run on behalf of the application
Normally all the heavy lifting will be done by the glibc library. Dependency on glibc also makes the application portable across platforms having glibc support. Each platform will have different system call number and glibc takes care of that while compiling.
In this section we'll see how glibc implements the printf system call. Going deep into all glibc macro expansion is out of scope of this post. End of the day printf has to be a write towards the stdout file. Lets see that.
Wrote a simple hello world program.
kaba@kaba-Vostro-1550:~/Desktop/workbench/code
$ cat syscall.c
#include <stdio.h>
int main()
{
printf("Hello world!\n");
return 0;
}
kaba@kaba-Vostro-1550:~/Desktop/workbench/code
$
Compile it with symbols and export it to an ARM64 target [Raspberry Pi 3 in my case]. Run it in the target with
gdbserver and connect remote GDB as mentioned in previous
post.
The last function in glibc that issues svc is __GI___libc_write. I got this with the help of GDB. If you really want to go through glibc code to trace this function all the way from printf, prepare yourself. Here is the GDB backtrace output.
(gdb) bt
#0 __GI___libc_write (fd=1, buf=0x412260, nbytes=13) at /usr/src/debug/glibc/2.26-r0/git/sysdeps/unix/sysv/linux/write.c:26
#1 0x0000007fb7eeddcc in _IO_new_file_write (f=0x7fb7fcd540 <_IO_2_1_stdout_>, data=0x412260, n=13) at /usr/src/debug/glibc/2.26-r0/git/libio/fileops.c:1255
#2 0x0000007fb7eed160 in new_do_write (fp=0x7fb7fcd540 <_IO_2_1_stdout_>, data=0x412260 "Hello world!\n", to_do=to_do@entry=13) at /usr/src/debug/glibc/2.26-r0/git/libio/fileops.c:510
#3 0x0000007fb7eeefc4 in _IO_new_do_write (fp=fp@entry=0x7fb7fcd540 <_IO_2_1_stdout_>, data=<optimized out>, to_do=13) at /usr/src/debug/glibc/2.26-r0/git/libio/fileops.c:486
#4 0x0000007fb7eef3f0 in _IO_new_file_overflow (f=0x7fb7fcd540 <_IO_2_1_stdout_>, ch=10) at /usr/src/debug/glibc/2.26-r0/git/libio/fileops.c:851
#5 0x0000007fb7ee3d78 in _IO_puts (str=0x400638 "Hello world!") at /usr/src/debug/glibc/2.26-r0/git/libio/ioputs.c:41
#6 0x0000000000400578 in main () at syscall.c:5
Lets us see the assembly instructions of
__GI_libc_write function in GDB TUI.
|0x7fb7f407a8 <__GI___libc_write> stp x29, x30, [sp, #-48]!
>│0x7fb7f407ac <__GI___libc_write+4> adrp x3, 0x7fb7fd1000 <__libc_pthread_functions+184>
│0x7fb7f407b0 <__GI___libc_write+8> mov x29, sp
│0x7fb7f407b4 <__GI___libc_write+12> str x19, [sp, #16]
│0x7fb7f407b8 <__GI___libc_write+16> sxtw x19, w0
│0x7fb7f407bc <__GI___libc_write+20> ldr w0, [x3, #264]
│0x7fb7f407c0 <__GI___libc_write+24> cbnz w0, 0x7fb7f407f0 <__GI___libc_write+72>
│0x7fb7f407c4 <__GI___libc_write+28> mov x0, x19
│0x7fb7f407c8 <__GI___libc_write+32> mov x8, #0x40 // #64
│0x7fb7f407cc <__GI___libc_write+36> svc #0x0
.
.
.
| Instruction |
Description |
| stp x29, x30, [sp, #-48]! |
Increment stack pointer and back-up
frame-pointer and link-register |
| adrp x3, 0x7fb7fd1000 |
Load the PC related address
of SINGLE_THREAD_P |
| mov x29, sp |
Move current stack-pointer
into frame-pointer |
| str x19, [sp, #16] |
Backup X19 in stack |
| sxtw x19, w0 |
Backup W0 into X19
the first parameter
This function has 3 parameters
So they will be in X0, X1
andX2. Thus they have to be
backed-up before using |
| ldr w0, [x3, #264] |
Load the global into W0
This global tells whether
it is a multi-threaded
program |
| cbnz w0, 0x7fb7f407f0 |
Conditional branch if W0
is non zero
Actually a jump in case of
multi-threaded program.
Our case is single threaded.
So fall through |
| mov x0, x19 |
Restore X19 into X0.
The first argument.
Here the fd |
| mov x8, #0x40 |
Load X8 with the value 0x40.
Kernel will look
for the system call number
at X8. So we load it with 64
which is the system call
number of write |
| svc #0x0 |
All set. Now
supervisor call |
From this point the almighty Linux kernel takes control. Pretty long article ahh!. At last the improbable drive comes to equilibrium as you complete this.
- http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch09s01s01.html
- http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/CHDEEDDC.html
- https://lwn.net/Articles/604287/
- https://courses.cs.washington.edu/courses/cse469/18wi/Materials/arm64.pdf
- http://www.osteras.info/personal/2013/10/11/hello-world-analysis.html
- And the Linux kernel source. Thanks to https://elixir.bootlin.com