---
title: Arm ETM/PMU
author: Yiming Zhang, Yuxin Hu, Haonan Li, Wenxuan Shi, Xueying Zhang
institute: COMPASS
urlcolor: blue
colortheme: beaver
date: Jun 8, 2021
theme: Heverlee
aspectratio: 43
lang: en-US
marp: true
---
- Prepare for baccalaureate defense (Jun. 3)
- Try to conduct a demo for auto code generation... (GuGuGu)
- Learn something about library fuzzing (...)
x86 processors provide a hardware performance counter that can be configured to compute the number of branches that have executed since the last interrupt [Int01] \newline
\footnotesize [Int01] \textit{The IA-32 Intel Architecture Software Developer’s Manual, Volume 3: System Programming Guide. Technical report, Intel Corporation, 2001.}
Challenge:
- Impractical to neglect the library, due to the tremendous size of the ETM result
- Preloading every function is ugly (but might be acceptable for specific functions)
- Need to distinguish deterministic functions (e.g., `sqrt` 100M times needs less than 1s)
- Some challenges in watchpoints...
- A function can write a memory region many times...
- How to handle `void*****`
- But the watchpoint still didn't run successfully
Some other thoughts:
- Need further study on libraries
- Multi-layer structure: complicated optimization only for most common cases
- I was assigned to the RISCV-TEE group
- I am a person focused on Arm, why was I suddenly appointed to RISCV?
- But Zhenyu told me: the boss has studied and decided
- Schedule for the next period:
- Work with Mingde, deploy their work on our new board
- Migrate the Berkeley boot loader to OpenSBI + U-Boot
Following our meeting, I have two main targets:
- Use PMI to help collect the ETM log periodically.
- Implement a replay machine for the online tracing stage.
Much easier than registering an interrupt handler in ATF.
```c
#include <linux/interrupt.h>

/* PMI handler: runs on the CPU whose PMU counter overflowed. */
static irqreturn_t pmu_irq_handler(int irq, void *dev_id);

unsigned long irq_flags = IRQF_PERCPU
                        | IRQF_NOBALANCING
                        | IRQF_NO_THREAD
                        | IRQF_SHARED;
/* IRQF_SHARED requires a non-NULL dev_id; the handler address serves as the cookie. */
request_irq(irq_id, pmu_irq_handler,
            irq_flags, "pmi_handler",
            (void *)pmu_irq_handler);
```
- The interrupt ID in the kernel (logical interrupt ID) is different from the hardware interrupt ID.
- The logical interrupt ID is not always the hardware ID plus a simple offset.
- The Linux kernel reserves logical interrupt IDs 36, 37, 38, 39, 40, 41 for the PMU on the Juno r2 board.
- Normally an interrupt can have only one handler.
- Unless the irq_flags contain `IRQF_SHARED`.
After everything is set up, our kernel module successfully handles PMI.
- Interrupt Controller => IRQ Chip => Multi-level Interrupt Controller
- Multiple IRQ domains (where the IRQ handler takes effect)
- Linear mapping: `irq_domain_add_linear()`, maps similar interrupts together (e.g. our Arm PMI)
- Radix tree mapping: `irq_domain_add_tree()`, uses the hardware ID as the lookup key in the radix tree (e.g. MIPS hardware)
Since we got a ridiculous score from the professor ...
Replay a simple binary with no non-deterministic factors.
This is the control flow we reconstructed before.
- disassemble
- use ETM output to locate code blocks
- collect "waterfall" control flow
We consider the "waterfall" control flow unacceptably large. We are going to construct a block dynamically.
::: columns
:::: column
::::
:::: column
. . .
Segmentation fault.
- The initial state of the registers is different.
  - Store and restore registers (user-space context switch).
- The original data and bss memory sections are not copied.
  - Copy static memory sections such as .data and .bss.
::::
:::
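Handling the second failure mode listed above (the original .data/.bss not being copied), as an added example that is not from the original slides or the group's replay machine: a checkpoint/restore of the executable's own writable static image, located through the linker-provided symbols `__data_start` and `_end` (assumed Linux/glibc layout); `g_counter`, `g_buffer` and `replay_once` are constructed stand-ins for the replayed binary's state.

```c
#include <stdlib.h>
#include <string.h>

/* Linker/CRT-provided bounds of the executable's own writable static image
 * (assumption: Linux/glibc): .data begins at __data_start, .bss ends at _end. */
extern char __data_start[];
extern char _end[];

/* The snapshot buffer lives on the heap, i.e. outside the region being restored. */
static char  *g_snapshot     = NULL;
static size_t g_snapshot_len = 0;

/* Constructed stand-ins for the replayed binary's static state. */
int  g_counter = 7;   /* initialised      -> .data */
char g_buffer[64];    /* zero-initialised -> .bss  */

/* Capture .data and .bss before the first replay run. Returns bytes saved, 0 on failure. */
size_t snapshot_static_sections(void)
{
    size_t len = (size_t)(_end - __data_start);
    char *buf = malloc(len);
    if (buf == NULL)
        return 0;
    /* Publish the bookkeeping first, so the snapshot records the same pointer
     * and length; a later restore then rewrites them with identical values. */
    g_snapshot     = buf;
    g_snapshot_len = len;
    memcpy(buf, __data_start, len);
    return len;
}

/* Reset .data/.bss to the snapshot so the next replay starts from the same
 * static memory the traced process had. Returns 0 on success, -1 if no snapshot. */
int restore_static_sections(void)
{
    if (g_snapshot == NULL)
        return -1;
    memcpy(__data_start, g_snapshot, g_snapshot_len);
    return 0;
}

/* One replay run that dirties static memory, as the replayed code block would. */
void replay_once(void)
{
    g_counter += 100;
    strcpy(g_buffer, "dirty");
}
```

Each replay run begins with `restore_static_sections()`; register state still needs the separate user-space context save/restore from the first fix.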
- Store and restore registers
- Final Exam :(
Replay machine takes final exams.
Replay machine