PCR 16764 - SAS: PowerPC Book-E Processor May Perform Instruction Prefetches From Uncached and Write-through cached addresses, e.g, platform resources.
Summary: SAS: PowerPC Book-E Processor May Perform Instruction Prefetches From Uncache...
Status: ASSIGNED
Alias: None
Product: Kernel
Classification: Deos
Component: Kernel (show other PCRs)
Version: 7.10.6
Hardware: PPC Deos
: By Cert
: Limitation
Target Milestone: 7.10.6
Assignee: .Kernel
URL:
Whiteboard:
Depends on: 16759
Blocks:
  Show dependency treegraph
 
Reported: 2025-09-19 13:20 MST by rroffelsen
Modified: 2025-12-22 12:40 MST (History)
3 users (show)

See Also:
Impact Assessment: Light
Organization: DDC-I, Inc.
rroffelsen: Requirements-
rroffelsen: Code-
rroffelsen: TestCases-
rroffelsen: TestProcedures-
rroffelsen: Other? (rroffelsen)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this PCR.
Description rroffelsen 2025-09-19 13:20:32 MST 
+++ This PCR was initially created as a clone of PCR #16759 +++

Description:

On PowerPC processors the kernel maps all addresses that are uncached or
write-through as "Guarded" to prevent processor speculative accesses.  One way
such addresses arise is from calling attachPlatformResource() on platform
resources that are "Cache Disabled" or "Write-Through Cached".  Such platform
resources are typically used for Memory Mapped Devices.  Note: "Guarded" refers
to the G in the PowerPC WIMG virtual address attributes.

On PowerPC processors with Book-E based cores the guarded attribute prevents
speculative data accesses, but does not prevent speculative instruction fetches.
Preventing speculative instruction fetches from a page requires that the page is
mapped as "no-execute", which the kernel does not do.

For addresses mapped as executable, the PowerPC Book-E specification does not
constrain when instruction prefetches may occur or from what addresses.  Since
the kernel maps all virtual addresses as executable, theoretically the processor
may perform an instruction prefetch from any memory mapped address.  Speculative
instruction fetches are naturally aligned 32-bit word reads.

A read from an address that has a side effect, e.g., clearing a device status,
or causing an exception could, theoretically, occur at any time in a process
with such virtual addresses mapped.

Note: As of the writing of this PCR, this limitation has not been reported
in any fielded systems.  It was discovered by analysis based on processor
specifications.

Some examples of the effects of a read:
 1. read completes normally with no side-effect, 
 2. read completes normally but cause a device state change, e.g. reading from
    a serial device’s receive register,
 3. read does not complete normally and causes an exception, e.g., machine
    check.

Memory can be mapped uncached or write-through cached by:

    - At hyperstart image creation time using the -memoryRegionswitch with the attribute set to writethrough or cacheOff.
    - During kernel cold start by a PAL or PRL calling mapPhysicalAddress[64]() with caching set to  cachingWriteThrough or cachingOff.
    - At runtime by application software calling attachPlatformResource[AtAddress](), readFromPlatformResource(), mapViewOfPlatformResource(), or computeCrc32PlatformResource() with resourceName set to the name of a memoryMappedResource configured in the registry with cacheMode set to writeThru or off.

Workaround:

None.

This limitation affects The following verified Kernel versions: 7.6.1, 7.6.2, 7.10.6, 8.3.2, 8.4.2, 10.8.0
 
Note: 
- 7.6.1 is the first kernel SAS that supports a book-e processor
- 9.2.3 SAS only lists arm
Comment 1 rroffelsen 2025-09-30 15:05:22 MST 
Committed SVNRevision 100535.

Update the SAS and SCI for Limitation 16759.
Comment 2 deosbugs.ccb 2025-12-19 11:14:45 MST 
CCB visited this PCR on 2025-12-19-65317
Comment 3 kleonard 2025-12-21 13:30:39 MST 
Review feedback on SAS: The new limitation 7.1.12 added to the SAS incorrectly references PCR 16764.  The correct PCR that documents the limitation is 16759.
Note: the open PCR list includes the correct PCR (16759).
Comment 4 rroffelsen 2025-12-22 12:40:36 MST 
Committed SVNRevision 101792.

Updates per review feedback in comment #3.