ARMv8 MMU Translation Fault with 4KiB Granules in TTBR0_EL1
The ARMv8 architecture provides a sophisticated Memory Management Unit (MMU) that supports multiple translation table formats, including 4KiB, 16KiB, and 64KiB granule sizes. However, when configuring the MMU for user-space mappings using TTBR0_EL1, a common issue arises when attempting to use 4KiB blocks, resulting in a "translation fault, level 3" error. This fault occurs despite successful mappings using 2MiB blocks in TTBR1_EL1. The root cause of this issue lies in the subtle differences in descriptor encoding and alignment requirements between block and page mappings, as well as potential misconfigurations in the Translation Control Register (TCR_EL1) and Memory Attribute Indirection Register (MAIR_EL1).
Descriptor Encoding and Alignment Mismatch in TTBR0_EL1
The ARMv8 MMU relies on translation tables to map virtual addresses to physical addresses. These tables consist of descriptors that define the properties of the mapped memory regions, including their size, permissions, and attributes. When using 4KiB granules, the descriptors at level 3 of the translation table must adhere to specific encoding rules. Specifically, the two least significant bits (LSBs) of a level-3 page descriptor must be set to 0b11 to indicate a valid page entry. This differs from level-2 block descriptors, which use the same bits to indicate a 2MiB block mapping.
In the provided scenario, the descriptor 0x000000010000e701 is incorrectly encoded for a level-3 page entry. The LSBs are set to 0b01, which is invalid for a 4KiB page descriptor. This misconfiguration causes the MMU to generate a translation fault when attempting to access memory mapped with 4KiB granules. Additionally, the physical address in the descriptor must be aligned to the granule size. For 4KiB mappings, the physical address must be aligned to a 4KiB boundary. Failure to meet this requirement can also result in translation faults.
The issue is further complicated by the fact that TTBR1_EL1 is configured to use 2MiB blocks, which have different alignment and encoding requirements. While the MMU may tolerate misaligned addresses for 2MiB blocks (as observed on the BCM2711), this behavior is not guaranteed and can lead to inconsistencies when switching between TTBR0_EL1 and TTBR1_EL1.
Misconfigured TCR_EL1 and MAIR_EL1 Settings
The Translation Control Register (TCR_EL1) and Memory Attribute Indirection Register (MAIR_EL1) play critical roles in defining the behavior of the MMU. In the provided configuration, several settings in TCR_EL1 and MAIR_EL1 may contribute to the translation fault issue.
The TCR_EL1 configuration includes the following key fields:
TCR_EL1.TG0andTCR_EL1.TG1: These fields define the granule size for TTBR0_EL1 and TTBR1_EL1, respectively. In the provided setup,TCR_EL1.TG0is set to0b00, which corresponds to a 4KiB granule size for TTBR0_EL1. However, theTCR_EL1.TG1setting for TTBR1_EL1 is not explicitly defined, potentially leading to mismatched granule sizes between the two translation tables.TCR_EL1.IPS: This field defines the physical address size. In this case, it is set to 44 bits, which matches the value reported by theID_AA64MMFR0_EL1register. However, if the physical address size is not correctly aligned with the granule size, it can cause translation faults.TCR_EL1.SH0andTCR_EL1.SH1: These fields define the shareability attributes for TTBR0_EL1 and TTBR1_EL1. The provided configuration sets both to inner-shareable, which is generally correct but should be verified against the system’s cache coherency requirements.
The MAIR_EL1 configuration defines memory attributes such as cacheability and shareability. The provided setup uses the following attributes:
MAIR_EL1.Attr0andMAIR_EL1.Attr1: These fields define the memory attributes for normal memory. The configuration sets both to0b00001111, which corresponds to Write-Back, Read-Allocate, Write-Allocate (WBRAWA) cacheability. While this is a common setting, it must align with the system’s memory architecture.
Correcting Descriptor Encoding and Aligning Physical Addresses
To resolve the translation fault issue, the following steps should be taken:
-
Verify Descriptor Encoding: Ensure that level-3 page descriptors have the correct encoding. For 4KiB granules, the two LSBs must be set to
0b11. For example, the descriptor0x000000010000e701should be corrected to0x000000010000e703. -
Align Physical Addresses: Ensure that the physical addresses in the descriptors are aligned to the granule size. For 4KiB mappings, the physical address must be aligned to a 4KiB boundary. This can be achieved by masking the lower 12 bits of the physical address before writing it to the descriptor.
-
Update TCR_EL1 Configuration: Verify that the
TCR_EL1.TG0andTCR_EL1.TG1fields are correctly configured for the desired granule sizes. For 4KiB granules in TTBR0_EL1,TCR_EL1.TG0should be set to0b00. Ensure thatTCR_EL1.IPSmatches the physical address size reported by theID_AA64MMFR0_EL1register. -
Validate MAIR_EL1 Settings: Confirm that the memory attributes defined in MAIR_EL1 align with the system’s memory architecture. For normal memory, the attributes should be set to
0b00001111(WBRAWA) unless specific requirements dictate otherwise. -
Test with a Minimal Setup: Implement a minimal translation table setup in a controlled environment, such as QEMU, to verify the correctness of the descriptors and configurations. This approach allows for iterative testing and debugging without affecting the entire system.
By addressing these issues, the MMU should be able to successfully map user-space memory using 4KiB granules in TTBR0_EL1, eliminating the translation fault and ensuring reliable operation of the ARMv8-based system.
