1#!/usr/bin/env python3
2#
3# Copyright (c) 2017 Intel Corporation
4#
5# SPDX-License-Identifier: Apache-2.0
6
7"""Generate a Global Descriptor Table (GDT) for x86 CPUs.
8
9For additional detail on GDT and x86 memory management, please
10consult the IA Architecture SW Developer Manual, vol. 3.
11
12This script accepts as input the zephyr_prebuilt.elf binary,
13which is a link of the Zephyr kernel without various build-time
14generated data structures (such as the GDT) inserted into it.
15This kernel image has been properly padded such that inserting
16these data structures will not disturb the memory addresses of
17other symbols.
18
19The input kernel ELF binary is used to obtain the following
20information:
21
22- Memory addresses of the Main and Double Fault TSS structures
23  so GDT descriptors can be created for them
24- Memory addresses of where the GDT lives in memory, so that this
25  address can be populated in the GDT pseudo descriptor
26- whether userspace or HW stack protection are enabled in Kconfig
27
28The output is a GDT whose contents depend on the kernel
29configuration. With no memory protection features enabled,
30we generate flat 32-bit code and data segments. If hardware-
31based stack overflow protection or userspace is enabled,
32we additionally create descriptors for the main and double-
33fault IA tasks, needed for userspace privilege elevation and
34double-fault handling. If userspace is enabled, we also create
35flat code/data segments for ring 3 execution.
36"""
37
38import argparse
39import sys
40import struct
41import os
42
43from packaging import version
44
45import elftools
46from elftools.elf.elffile import ELFFile
47from elftools.elf.sections import SymbolTableSection
48
49
50if version.parse(elftools.__version__) < version.parse('0.24'):
51    sys.exit("pyelftools is out of date, need version 0.24 or later")
52
53
54def debug(text):
55    """Display debug message if --verbose"""
56    if args.verbose:
57        sys.stdout.write(os.path.basename(sys.argv[0]) + ": " + text + "\n")
58
59
60def error(text):
61    """Exit program with an error message"""
62    sys.exit(os.path.basename(sys.argv[0]) + ": " + text)
63
64
65GDT_PD_FMT = "<HIH"
66
67FLAGS_GRAN = 1 << 7  # page granularity
68ACCESS_EX = 1 << 3  # executable
69ACCESS_DC = 1 << 2  # direction/conforming
70ACCESS_RW = 1 << 1  # read or write permission
71
72# 6 byte pseudo descriptor, but we're going to actually use this as the
73# zero descriptor and return 8 bytes
74
75
76def create_gdt_pseudo_desc(addr, size):
77    """Create pseudo GDT descriptor"""
78    debug("create pseudo descriptor: %x %x" % (addr, size))
79    # ...and take back one byte for the Intel god whose Ark this is...
80    size = size - 1
81    return struct.pack(GDT_PD_FMT, size, addr, 0)
82
83
84def chop_base_limit(base, limit):
85    """Limit argument always in bytes"""
86    base_lo = base & 0xFFFF
87    base_mid = (base >> 16) & 0xFF
88    base_hi = (base >> 24) & 0xFF
89
90    limit_lo = limit & 0xFFFF
91    limit_hi = (limit >> 16) & 0xF
92
93    return (base_lo, base_mid, base_hi, limit_lo, limit_hi)
94
95
96GDT_ENT_FMT = "<HHBBBB"
97
98
99def create_code_data_entry(base, limit, dpl, flags, access):
100    """Create GDT entry for code or data"""
101    debug("create code or data entry: %x %x %x %x %x" %
102          (base, limit, dpl, flags, access))
103
104    base_lo, base_mid, base_hi, limit_lo, limit_hi = chop_base_limit(base,
105                                                                     limit)
106
107    # This is a valid descriptor
108    present = 1
109
110    # 32-bit protected mode
111    size = 1
112
113    # 1 = code or data, 0 = system type
114    desc_type = 1
115
116    # Just set accessed to 1 already so the CPU doesn't need it update it,
117    # prevents freakouts if the GDT is in ROM, we don't care about this
118    # bit in the OS
119    accessed = 1
120
121    access = access | (present << 7) | (dpl << 5) | (desc_type << 4) | accessed
122    flags = flags | (size << 6) | limit_hi
123
124    return struct.pack(GDT_ENT_FMT, limit_lo, base_lo, base_mid,
125                       access, flags, base_hi)
126
127
128def create_tss_entry(base, limit, dpl):
129    """Create GDT TSS entry"""
130    debug("create TSS entry: %x %x %x" % (base, limit, dpl))
131    present = 1
132
133    base_lo, base_mid, base_hi, limit_lo, limit_hi, = chop_base_limit(base,
134                                                                      limit)
135
136    type_code = 0x9  # non-busy 32-bit TSS descriptor
137    gran = 0
138
139    flags = (gran << 7) | limit_hi
140    type_byte = (present << 7) | (dpl << 5) | type_code
141
142    return struct.pack(GDT_ENT_FMT, limit_lo, base_lo, base_mid,
143                       type_byte, flags, base_hi)
144
145
146def get_symbols(obj):
147    """Extract all symbols from ELF file object"""
148    for section in obj.iter_sections():
149        if isinstance(section, SymbolTableSection):
150            return {sym.name: sym.entry.st_value
151                    for sym in section.iter_symbols()}
152
153    raise LookupError("Could not find symbol table")
154
155
156def parse_args():
157    """Parse command line arguments"""
158    global args
159    parser = argparse.ArgumentParser(
160        description=__doc__,
161        formatter_class=argparse.RawDescriptionHelpFormatter, allow_abbrev=False)
162
163    parser.add_argument("-k", "--kernel", required=True,
164                        help="Zephyr kernel image")
165    parser.add_argument("-v", "--verbose", action="store_true",
166                        help="Print extra debugging information")
167    parser.add_argument("-o", "--output-gdt", required=True,
168                        help="output GDT binary")
169    args = parser.parse_args()
170    if "VERBOSE" in os.environ:
171        args.verbose = 1
172
173
174def main():
175    """Main Program"""
176    parse_args()
177
178    with open(args.kernel, "rb") as elf_fp:
179        kernel = ELFFile(elf_fp)
180        syms = get_symbols(kernel)
181
182    # NOTE: use-cases are extremely limited; we always have a basic flat
183    # code/data segments. If we are doing stack protection, we are going to
184    # have two TSS to manage the main task and the special task for double
185    # fault exception handling
186    if "CONFIG_USERSPACE" in syms:
187        num_entries = 7
188    elif "CONFIG_X86_STACK_PROTECTION" in syms:
189        num_entries = 5
190    else:
191        num_entries = 3
192
193    use_tls = False
194    if ("CONFIG_THREAD_LOCAL_STORAGE" in syms) and ("CONFIG_X86_64" not in syms):
195        use_tls = True
196
197        # x86_64 does not use descriptor for thread local storage
198        num_entries += 1
199
200    gdt_base = syms["_gdt"]
201
202    with open(args.output_gdt, "wb") as output_fp:
203        # The pseudo descriptor is stuffed into the NULL descriptor
204        # since the CPU never looks at it
205        output_fp.write(create_gdt_pseudo_desc(gdt_base, num_entries * 8))
206
207        # Selector 0x08: code descriptor
208        output_fp.write(create_code_data_entry(0, 0xFFFFF, 0,
209                                        FLAGS_GRAN, ACCESS_EX | ACCESS_RW))
210
211        # Selector 0x10: data descriptor
212        output_fp.write(create_code_data_entry(0, 0xFFFFF, 0,
213                                        FLAGS_GRAN, ACCESS_RW))
214
215        if num_entries >= 5:
216            main_tss = syms["_main_tss"]
217            df_tss = syms["_df_tss"]
218
219            # Selector 0x18: main TSS
220            output_fp.write(create_tss_entry(main_tss, 0x67, 0))
221
222            # Selector 0x20: double-fault TSS
223            output_fp.write(create_tss_entry(df_tss, 0x67, 0))
224
225        if num_entries >= 7:
226            # Selector 0x28: code descriptor, dpl = 3
227            output_fp.write(create_code_data_entry(0, 0xFFFFF, 3,
228                                            FLAGS_GRAN, ACCESS_EX | ACCESS_RW))
229
230            # Selector 0x30: data descriptor, dpl = 3
231            output_fp.write(create_code_data_entry(0, 0xFFFFF, 3,
232                                            FLAGS_GRAN, ACCESS_RW))
233
234        if use_tls:
235            # Selector 0x18, 0x28 or 0x38 (depending on entries above):
236            # data descriptor, dpl = 3
237            #
238            # for use with thread local storage while this will be
239            # modified at runtime.
240            output_fp.write(create_code_data_entry(0, 0xFFFFF, 3,
241                                            FLAGS_GRAN, ACCESS_RW))
242
243
244if __name__ == "__main__":
245    main()
246