ARM CPUs are used in smaller applications than x86 CPUs, although the line is blurring. Due to the number of different ARM architectures, details of which can differ significantly, this page is aimed at ARMv7-A and ARMv8. ARMv7-M does not have the same concept of virtual memory - it does not have an MMU. The author understands that paging on ARMv5 and ARMv6 is similar to ARMv7, but ARMv4 is somewhat different.
ARMv7-A supports two different paging modes. These are the short descriptor format and long descriptor format described in B3.5 and B3.6 respectively of the ARMv7 reference manual. The long descriptor format is an ARM equivalent of the X86 PAE system. However, even the short descriptor format allows access to a 1TB physical address space, but only with a 16MB granularity. As is described in the ARM:
Detecting paging support is done by consulting the "coprocessor" registers. It is represented in ID_MMFR0
mcr p15, 0, <Rt>, c0, c1, 4
The structure of the register is as follows:
|Innermost Shareability||FCSE Support||Auxillary Registers||TCM Support||Shareability levels||Outermost Shareability||PMSA Support||VMSA Support|
- VMSA support - the gold.
- 0b0000 - not supported (no paging)
- 0b0001 - implementation defined. Weird MMU somewhere
- 0b0010 - VMSAv6, with cache and TLB type registers. ARMv6 paging.
- 0b0011 - VMSAv7, with support for remapping and access flag. ARMv7-A, as described in the following section.
- 0b0100 - VMSAv7 with PXN bit supported.
- 0b0101 - VMSAv7, PXN and long format descriptors. EPAE is supported.
- Up to two levels of address lookup
- 32 bit input addresses
- Output addresses up to 40 bits
- Supports >32 bit Physical Addresses with supersections
- Support for No access, Client and Manager domains
- 32 bit table entries
- Up to three levels of address lookup
- Input addresses of up to 40 bits, when used for stage 2 translations
- Output addresses of up to 40 bits
- 4KB assignment granularity across the entire PA range
- No support for domains, all memory regions are treated as in a Client domain
- 64-bit table entries
- Fixed 4KB table size, unless truncated by the size of the input address space
Note that the Large Physicsl Address Extension is an optional feature. Furthermore, if an implementation supports LPAE, it also supports the ARM multiprocessing extensions. The paging mode is controlled with the TTBCR (Translation Table Base Control Register).
- EAE - Extended Address Enable. SBZP if LPAE is not supported
Following fields are SBZP if EAE=0
- IDF - Implementation Defined
- SH1 - Shareability attribute for memory associated with translation table walks using TTBR1.
|non-shareable||unpredictable||outer shareable||inner shareable|
- ORGN1 - Outer cacheability using TTBR1
|outer non-cacheable||outer write-back write-allocate cacheable||outer write-through cacheable||outer write-back no write-allocate cacheable|
- IRGN1 - Inner cacheablility using TTBR1
|inner non-cacheable||inner write-back write-allocate cacheable||inner write-through cacheable||inner write-back no write-allocate cacheable|
- EPD1 - Disable Page walks with TTBR1. If 0, table walks are performed. Otherwise, a translation fault is generated.
- A1 - defines whether TTBR0 or TTBR1 defines the ASID, for 0 and 1 respectively. The ASID is the Address Space Identifier.
- SBZP - Should Be Zero or Preserved. This is more commonly called RES0.
- T1SZ - The size of the memory region addressed by TTBR1. 2^(32-T1SZ) is the size.
- SH0 - like SH1, but for TTBR0.
- ORGN0 - ""
- IRGN0 - ""
- EPD0 - ""
The following fields only apply when EAE is 0
- PD1 - like EPD1.
- PD0 - like EPD0.
This field can take different meanings
- T0SZ - like T1SZ. If EAE=0, this is field N.
- N - Indicated the width of the base address in TTBR0. The base address is bits [31:14-N]. If N=0, the format is compatible with ARMv5 and ARMv6. This field also determines whether TTBR0 or TTBR1 is used for the page walk.
Accessing the TTBCR
To access TTBCR, software reads or writes the CP15 registers with <opc1> set to 0, <CRn> set to c2, <CRm> set to c0, and <opc2> set to 2. For example:
MRC p15, 0, <Rt>, c2, c0, 2 ; Read TTBCR into Rt MCR p15, 0, <Rt>, c2, c0, 2 ; Write RT to TTBCR
(ARMv7-A ARM, Section B4.1, page 1728)
Here RT denotes a register of your choice.
- TTB0A - Bits [31:x] of the TTB0 table base address. Must be 2^x aligned, as determined in the TTBCR.
- IRGN - SBZP if Multiprocessor extensions are not present. Otherwise, bit zero of IRGN
- NOS - Not Outer Shareable. If 1, region is only inner shareable. Ignored when TTBR0.S == 0, SBZP if no distinction between outer or inner shareable.
- RGN - region bits. Outer cacheability attributes, see TTBCR.ORGN0.
- IMP - Implementation Defined
- S - Shareable. 0 - non-shareable, 1 - shareable.
- C - Cacheable. 0 - inner non-cacheable, 1 - inner cacheable. If Multiprocessor extensions are present, this is bit 1 of IRGN
- IRGN - inner region attributes. See TTBCR.IRGN0
EAE = 1
- ASID - Address Space Identifier
- BADDR - Bits [39:x] of base address of table. Must be 2^x aligned.
See #TTBR0, except x is fixed to 14 when EAE=0.
Accessing the TTBRx register
To access TTBR0 in an implementation that does not include the Large Physical Address Extension, or bits[31:0] of TTBR0 in an implementation that includes the Large Physical Address Extension, software reads or writes the CP15 registers with <opc1> set to 0, <CRn> set to c2, <CRm> set to c0, and <opc2> set to 0. For example:
MRC p15, 0, <Rt>, c2, c0, 0 ; Read 32-bit TTBR0 into Rt MCR p15, 0, <Rt>, c2, c0, 0 ; Write Rt to 32-bit TTBR0
In an implementation that includes the Large Physical Address Extension, to access all 64 bits of TTBR0, software performs a 64-bit read or write of the CP15 registers with <CRm> set to c2 and <opc1> set to 0. For example:
MRRC p15, 0, <Rt>, <Rt2>, c2 ; Read 64-bit TTBR0 into Rt (low word) and Rt2 (high word) MCRR p15, 0, <Rt>, <Rt2>, c2 ; Write Rt (low word) and Rt2 (high word) to 64-bit TTBR0
In these MRRC and MCRR instructions, Rt holds the least-significant word of TTBR0, and Rt2 holds the most-significant word.
To access TTBR1 in an implementation that does not include the Large Physical Address Extension, or bits[31:0] of TTBR1 in an implementation that includes the Large Physical Address Extension, software reads or writes the CP15 registers with <opc1> set to 0, <CRn> set to c2, <CRm> set to c0, and <opc2> set to 1. For example:
MRC p15, 0, <Rt>, c2, c0, 1 ; Read 32-bit TTBR1 into Rt MCR p15, 0, <Rt>, c2, c0, 1 ; Write Rt to 32-bit TTBR1
In an implementation that includes the Large Physical Address Extension, to access all 64 bits of TTBR1, software performs a 64-bit read or write of the CP15 registers with <CRm> set to c2 and <opc1> set to 1. For example:
MRRC p15, 1, <Rt>, <Rt2>, c2 ; Read 64-bit TTBR1 into Rt (low word) and Rt2 (high word) MCRR p15, 1, <Rt>, <Rt2>, c2 ; Write Rt (low word) and Rt2 (high word) to 64-bit TTBR1
In these MRRC and MCRR instructions, Rt holds the least-significant word of TTBR1, and Rt2 holds the most-significant word.
OK, so now we know how to set up the control registers, we need to know the in-memory structures. ARM is more flexible than x86 in terms of page size. While x86 supports 4KB and 4MB pages, ARM supports 4KB, 64KB and 1MB pages. It can also support 16MB pages, but this is optional (guaranteed The first level translation table is 16KB in size when N = 0. Generally, it is 2^(14-N).
Short Descriptor: Level 1
- BADDR - Page table base address, bits [31:10]. Must be 1KB aligned.
- IMP - Implementation defined
- Domain - used as a memory protection mechanism. 16 possible domains.
- SBZ - Should be Zero
- NS - Non-secure bit. This is used by the security extensions
- PXN - Privileged Execute Never - SBZ if PXN is not supported
- BADDR - Section Base Address [31:20]. Must be 1MB aligned.
- XN - Execute never. Stops execution of page.
- nG - not global. Determines how this is marked in the TLB.
- BADDR - Supersection Base address [31:24]. 16MB aligned.
- BADDRM - Supersection base address [35:32], if supported.
- BADDRH - Supersection base address [39:36], if supported.
Short Descriptor: Level 2
- BADDR - Large Page Base Address [31:16]
- BADDR - Small Page Base Address [31:12]
Long Descriptor: Level 1/2
- UBAT - Upper Block Attributes
- ADDR - Output Address [39:n]
- LBAT - Lower Block Attributes
- n - 30 for first level, 21 for 2nd level.
Stage 1 attributes, SBZP at stage 2:
- NST - NSTable. For secure memory accesses, determines type of next level. Otherwise ignored.
- APT - APTable. Access permissions limit for next level lookup.
- XNT - XNTable. XN limit for subsequent lookups.
- PXNT - PXNTable. PXN limit for subsequent levels. SBZ for non-secure PL2 (hypervisor) level 1 translation tables.
- ADDR - Next level table address [39:12].
Long Descriptor: Level 3
- UPAT - Upper Page Attributes
- ADDR - Output Address [39:12]
- LPAT - Lower Page Attributes
Stage 1 Attributes
- CONT - Contiguous. 16 adjacent entries point to contiguous memory regions.
- AttrIndex - memory attributes index field
Stage 2 Attributes
|Ignored (system MMU)||Ignored (software)||XN||0||CONT|
- HAP - Stage 2 Access Permissions
- MemAttr - Stage 2 memory attributes
Choice Between TTBR0 and TTBR1
|TTBCR.N||First address translated with TTBR1||Size||Index range|
|0b000||TTBR1 not used||16KB||VA[31:20]|
|TTBCR||Input address range|
|0b000||0b000||All addresses||Not used|
|M||0b000||0 to 2^(32-M)-1||2^(32-M) to maximum address|
|0b000||N||0 to (2^32-2^(32-N)-1)||(2^32-2^(32-N)) to maximum|
|M||N||0 to (2^(32-M)-1)||2^32-2^(32-N) to maximum|
Recursive Table Mapping
If you wish to use a recursive mapping trick, such as is done on x86, use the long format. The short format might be doable with much hastle. The long format has been designed with recursive mapping in mind, supports the full physical address space, and does not suffer from mismatching of the page size to table like the short format does. However, the basic structure is similar to PAE, so if you did this naively, 1GB of the address space would be wasted. Instead, use the support for eliminating the first stage by concatenating the 2nd stage. Then point the last few entries to the appropriate points in the table. This reaps all the benefits of the long format, while eliminating bloat of the recursive mapping.