So after sceKernelSetDdrMemoryProtection(...) how is it enforced? In detail :)
What prevents an app from dynamically creating a pointer to kernel memory address and reading from it? Hardware memory protection registers I assume. Could someone explain exactly?
How does Memory Protection work on the PSP?
The MIPS CPU doesn't allow user mode code to access supervisor or kernel mode memory, whether sceKernelSetDdrMemoryProtection() has been used or not. That's a hardware memory protection built into MIPS.
The user mode memory segment has the most significant address bit (bit 31) clear; the supervisor/kernel memory segment has it set, namely:
User memory: 0x00000000 - 0x7fffffff
Kernel memory: 0x80000000 - 0xffffffff
2 GB each mode. But not all memory addresses are valid in PSP, of course.
I think that function should do something else.
The Incredible Bill Gates wrote:The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers.
I knew about that, but I didn't think that "user programs and data are stored in the first 2GB for MIPS32" literally meant User Mode of the OS.
If you call that function to disable protection then you CAN jump to kernel memory space code from user mode.
Can you give a detailed explanation how it works, preferably in logical sequence from the boot process, and while running programs.
Torch wrote:If you call that function to disable protection then you CAN jump to kernel memory space code from user mode.
Really? You can call that from user mode directly? Well, then kernel exploits wouldn't make any sense, would they?
Torch wrote:Can you give a detailed explanation how it works
Well, MIPS boots in kernel mode, then the kernel runs user mode apps in user mode threads. When a user mode thread needs kernel mode access, it has to go through syscalls, and the kernel takes care of any kernel mode access.
Details just involve thread context switching, and setting some flags in CP0 registers. If you need more details about which registers & flags are used in CP0, let me know. About context switching, that's PSP kernel thread manager specific, and out of my knowledge. But you can disassemble the kernel PRXs used at boot to check how it is done. BTW, that would be an interesting investigation ;)
m0skit0 wrote: Really? You can call that from user mode directly? Well, then kernel exploits wouldn't make any sense, would they?
No, it must be called from kernel mode first, but then after that you can access kernel memory from user mode. Like if you want to hook a user mode function or something from your kernel PRX.
I want to know exactly what registers to set and stuff to enable/disable the protection.
And I wonder if sceKernelSetDdrMemoryProtection can enable protection of memory even below 0x80000000. In that case how will a user mode app be prevented from accessing that protected memory if it is protected?
Torch wrote:And I wonder if sceKernelSetDdrMemoryProtection can enable protection of memory even below 0x80000000
I don't think so, 'cause there's no hardware protection for that. How would the kernel detect a memory access? It can't do that, unless it monitors every memory access, and I don't know how a kernel can do that without hardware assistance.
Torch wrote:I want to know exactly what registers to set and stuff to enable/disable the protection.
I don't know how to disable that protection, as it is MIPS built-in. Maybe the Allegrex has some functionality for that, I really don't know. Maybe you can check that function's disassembly, I can help you if you wish.
What I can tell you is how the mode's protection works: that's on Status register, KSU, EXL, ERL bit fields.
User mode: KSU = 10b, EXL = 0, ERL = 0
Kernel mode: KSU = 00b, EXL = 1, ERL = 1
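Added example (not code from this thread, from Sony's kernel, or from any PSP SDK): the two checks described above, the useg/kseg split of the 32-bit address space and the mode bits in CP0 Status, written out as plain C so you can see exactly which bits decide whether a load or store is architecturally allowed. Bit positions are the MIPS32 ones (Status.IE=0, EXL=1, ERL=2, KSU=4:3), and the architectural rule is that the CPU is in kernel mode whenever EXL or ERL is set, whatever KSU holds. The segment boundaries are the standard MIPS32 fixed map; how the Allegrex treats ksseg/kseg3 and whatever sceKernelSetDdrMemoryProtection does on the DDR side is not established by this thread and is not modelled here (assumption).

```c
/* Added example: MIPS32 privilege check from CP0 Status + virtual address.
 * Bit positions and segment map are architectural MIPS32; PSP-specific
 * behaviour (Allegrex quirks, DDR-side protection) is assumed absent. */
#include <stdint.h>
#include <stdio.h>

#define ST_EXL       (1u << 1)          /* exception level */
#define ST_ERL       (1u << 2)          /* error level */
#define ST_KSU_SHIFT 3
#define ST_KSU_MASK  (3u << ST_KSU_SHIFT)

enum cpu_mode { MODE_KERNEL, MODE_SUPERVISOR, MODE_USER, MODE_INVALID };
enum segment  { SEG_USEG, SEG_KSEG0, SEG_KSEG1, SEG_KSSEG, SEG_KSEG3 };

/* Kernel mode wins whenever EXL or ERL is set, regardless of KSU: that is
 * why a user thread is in kernel mode the moment a syscall/exception fires. */
enum cpu_mode mode_from_status(uint32_t status)
{
    if (status & (ST_EXL | ST_ERL))
        return MODE_KERNEL;
    switch ((status & ST_KSU_MASK) >> ST_KSU_SHIFT) {
    case 0:  return MODE_KERNEL;
    case 1:  return MODE_SUPERVISOR;
    case 2:  return MODE_USER;
    default: return MODE_INVALID;        /* KSU = 11b is reserved */
    }
}

/* Fixed MIPS32 segment map: bit 31 clear is useg (2 GB), everything above
 * is kernel-owned, split only by cacheability and supervisor access. */
enum segment segment_of(uint32_t vaddr)
{
    if (vaddr < 0x80000000u) return SEG_USEG;
    if (vaddr < 0xA0000000u) return SEG_KSEG0;   /* unmapped, cached   */
    if (vaddr < 0xC0000000u) return SEG_KSEG1;   /* unmapped, uncached */
    if (vaddr < 0xE0000000u) return SEG_KSSEG;   /* supervisor-visible */
    return SEG_KSEG3;
}

/* 1 = access proceeds, 0 = Address Error exception. Note that the pointer's
 * origin is irrelevant: a user thread that computes 0x88000000 and
 * dereferences it is stopped here, before any software is involved. */
int access_allowed(uint32_t status, uint32_t vaddr)
{
    enum segment seg = segment_of(vaddr);
    switch (mode_from_status(status)) {
    case MODE_KERNEL:     return 1;
    case MODE_SUPERVISOR: return seg == SEG_USEG || seg == SEG_KSSEG;
    case MODE_USER:       return seg == SEG_USEG;
    default:              return 0;
    }
}

int main(void)
{
    /* Constructed Status values: user thread, kernel, user thread in syscall */
    uint32_t user_st   = (2u << ST_KSU_SHIFT) | 1u;      /* KSU=10b, IE=1 */
    uint32_t kernel_st = 0u;                             /* KSU=00b       */
    uint32_t syscall_st = (2u << ST_KSU_SHIFT) | ST_EXL; /* KSU=10b, EXL=1 */

    printf("user  -> 0x08800000: %d\n", access_allowed(user_st,    0x08800000u));
    printf("user  -> 0x88000000: %d\n", access_allowed(user_st,    0x88000000u));
    printf("kern  -> 0x88000000: %d\n", access_allowed(kernel_st,  0x88000000u));
    printf("sysc  -> 0xBFC00000: %d\n", access_allowed(syscall_st, 0xBFC00000u));
    return 0;
}
```

The point of the block is the last case: the same thread, with the same KSU=10b, becomes kernel-privileged purely because EXL got set by the syscall entry, which is how the kernel services user requests without ever changing KSU itself. Whatever sceKernelSetDdrMemoryProtection changes has to live somewhere other than these bits, since nothing here is per-address-range.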
The function allows you to specify an address range for protection. So I guess it implies you can protect a specific part of memory above 0x80000000. The hardware will have to be configured for this, as the kernel cannot monitor all memory accesses like you said.
So it must be a custom design for the CPU. Anyone have info on it?
I'm a bit hazy on the details, but I do remember reading a post here about how, whilst not having a fully fledged MMU, there is some form of hw-based MPU.
There were a couple of registers, and each two bits (or each nibble maybe?) corresponded to permissions on a chunk of memory, and between all the 'chunks' represented in the control registers, the first XXX kb of memory could be protected a little more fine grained than KSEG, etc.
Unfortunately, my search-fu fails me and I cannot find the post explaining all this, and don't recall any of the interesting details :(
Hope this helps at least enough to get started on the rest!
Damn, I need a decent signature!
Afaik, the Allegrex has a very limited Memory Management Unit (no Translation Lookaside Buffer, or at least not a configurable one), so that function should use another piece of hardware, maybe the DDR I/F.