pdp11_psr: handle pm protection like cm

2026-04-09 23:27:58 +00:00 · 2022-08-29 11:09:43 +02:00
parent 84d3f181bd
commit f09814e847
5 changed files with 72 additions and 7 deletions
--- a/doc/CHANGELOG.md
+++ b/doc/CHANGELOG.md
@@ -71,6 +71,8 @@ The full set of tests is only run for tagged releases.
  - removed designs (drop Atlys)
    - rtl/sys_gen/tst_rlink_cuff/atlys/sys_tst_rlink_cuff_atlys
    - rtl/sys_gen/tst_snhumanio/atlys/sys_tst_snhumanio_atlys
+  - rtl/w11a/pdp11_psr: handle pm protection like cm, for details see
+      [ECO-031](ECO-031-PSW_protection.md)
 - general changes
  - segment -< page rename
    - DEC used in early documents 'segment', later on 'page' for the MMU object
--- a/doc/ECO-027-trap_mmu.md
+++ b/doc/ECO-027-trap_mmu.md
@@ -41,7 +41,7 @@ The later happens due to the logic of state `s_opg_gen_rmw_w`:
 `pdp11_sequencer` was modified to ensure that `R_STATUS.trap_mmu` is only set 
 in `do_memcheck`. Same for `trap_ysv` (which had the same potential bug)

-### Provisos
+### Hindsight
 The issue was found by systematic testing of mmu fault and trap behavior.
 Because known OS don't use mmu traps the issue should not have any impact
 on practical usage with OS like rsx or 211bsd.
--- a/doc/ECO-030-EI_ACK-misroute.md
+++ b/doc/ECO-030-EI_ACK-misroute.md
@@ -52,6 +52,6 @@ clock cycle.
   `EI_REQ` line from last cycle, and use this value to route `EI_ACKM` to the
   `EI_ACK` lines.

-### Provisos
+### Hindsight
 That 12 year old code worked with no apparent problems doesn't prove that
 it is free of fundamental bugs.
--- a/doc/ECO-031-PSW_protection.md
+++ b/doc/ECO-031-PSW_protection.md
@@ -0,0 +1,63 @@
+# ECO-031:  `PSW` privilege escalation protection overzealous (2022-08-27)
+
+### Scope
+- Was in w11a from the very beginning (2007)
+- Affects: all w11a systems
+
+### Symptom summary
+No Symptoms. Was discovered in a code review.
+
+### Background
+The privilege escalation protection for RTT/RTI ensures that a lower
+privileged code can't increase the mode. In non-kernel mode, this is done
+by or'ing' the new pm,cm,rset values to the existing value. With
+```
+  kernel 00
+  super  01
+  user   11
+```
+this fulfills the objective.
+
+### Analysis
+A code review showed a discrepancy between SimH and w11a handling
+In SimH this is done in in pdp11_cpu.c in put_PSW()
+```
+  if (prot) {                                       /* protected? */
+      cm = cm | ((val >> PSW_V_CM) & 03);           /* or to cm,pm,rs */
+      pm = pm | ((val >> PSW_V_PM) & 03);           /* can't change ipl */
+      rs = rs | ((val >> PSW_V_RS) & 01);
+      }
+  else {
+      cm = (val >> PSW_V_CM) & 03;                  /* write cm,pm,rs,ipl */
+      pm = (val >> PSW_V_PM) & 03;
+      rs = (val >> PSW_V_RS) & 01;
+      ipl = (val >> PSW_V_IPL) & 07;
+      }
+```
+In w11a in pdp11_psr.vhd the handling was
+```
+      R_PSW.cmode <= R_PSW.cmode or DIN(psw_ibf_cmode);
+      R_PSW.pmode <= R_PSW.pmode or DIN(psw_ibf_pmode) or
+                     R_PSW.cmode or DIN(psw_ibf_cmode);
+      R_PSW.rset  <= R_PSW.rset or DIN(psw_ibf_rset);
+```
+Unclear why for `pmode` the `cmode` bits where or'ed in too.
+Further analysis
+- a scan through documentation did not find a hint
+- EK-KB11C-TM-001_1170procMan.pdf page 132 states
+  _prev mode protected like curr mode_
+- MP0KB11-C0_1170engDrw_Nov75.pdf
+  - PSW logic in drawing PDRD on page 59.
+  - pm has the logic to set it from cm in vector pushes
+  - but in the RTT/RTI update case, pm is handled like cm and reset
+
+### Fixes
+Simply remove the extra term, now
+```
+      R_PSW.pmode <= R_PSW.pmode or DIN(psw_ibf_pmode);
+```
+
+### Hindsight
+Unclear why it was implemented with this extra term. It is the responsibility
+of the software to ensure previous mode is not more privileged than the
+current mode when a process is started.
--- a/rtl/w11a/pdp11_psr.vhd
+++ b/rtl/w11a/pdp11_psr.vhd
@@ -1,6 +1,6 @@
-- $Id: pdp11_psr.vhd 1181 2019-07-08 17:00:50Z mueller $
+-- $Id: pdp11_psr.vhd 1287 2022-08-27 09:40:43Z mueller $
 -- SPDX-License-Identifier: GPL-3.0-or-later
-- Copyright 2006-2011 by Walter F.J. Mueller <W.F.J.Mueller@gsi.de>
+-- Copyright 2006-2022 by Walter F.J. Mueller <W.F.J.Mueller@gsi.de>
 --
 ------------------------------------------------------------------------------
 -- Module Name:    pdp11_psr - syn
@@ -9,10 +9,11 @@
 -- Dependencies:   ib_sel
 -- Test bench:     tb/tb_pdp11_core (implicit)
 -- Target Devices: generic
-- Tool versions:  ise 8.2-14.7; viv 2014.4; ghdl 0.18-0.31
+-- Tool versions:  ise 8.2-14.7; viv 2022.1; ghdl 0.18-2.0.0
 --
 -- Revision History: 
 -- Date         Rev Version  Comment
+-- 2022-08-27  1287   1.2.3  handle pm protection like cm, remove or'ing cm
 -- 2011-11-18   427   1.2.2  now numeric_std clean
 -- 2010-10-23   335   1.2.1  use ib_sel
 -- 2010-10-17   333   1.2    use ibus V2 interface
@@ -121,8 +122,7 @@ begin
            
            when c_psr_func_wrti =>       -- wrti (rti/rtt in non-kernel mode)
              R_PSW.cmode <= R_PSW.cmode or DIN(psw_ibf_cmode);
-              R_PSW.pmode <= R_PSW.pmode or DIN(psw_ibf_pmode) or
-                             R_PSW.cmode or DIN(psw_ibf_cmode); 
+              R_PSW.pmode <= R_PSW.pmode or DIN(psw_ibf_pmode); 
              R_PSW.rset  <= R_PSW.rset or DIN(psw_ibf_rset);
              R_PSW.tflag <= DIN(psw_ibf_tflag);
              R_PSW.cc    <= DIN(psw_ibf_cc);