Multiple Address Spaces
Two Stage Translations
ARMv8-A virtualization introduces a second stage of translation. When a hypervisor is present in the system, it can host one or more guest operating systems. These continue to use TTBRn_EL1 as previously described, and MMU operation appears unchanged to them.
In a two-stage process, the hypervisor must perform some extra translation steps to share the physical memory system between the different guest operating systems. In the first stage, the VA is translated to an Intermediate Physical Address (IPA). This is usually under OS control. A second stage, which is controlled by the hypervisor, translates the IPA to the final physical address (PA).
The following figure summarizes this two-stage translation process.
The hypervisor and Secure monitor also have their own sets of stage 1 translation tables for their own code and data, which map directly from VA to PA.
Stage 2 translations, which convert an intermediate physical address into a physical address, use an extra set of tables under control of the hypervisor. For Non-secure EL1/0 accesses, these must be explicitly enabled by writing to the Hypervisor Configuration Register HCR_EL2.
The base address of the Stage 2 translation table is specified in the Virtualization Translation Table Base Register (VTTBR0_EL2). It specifies a single contiguous address space at the bottom of memory. The size of the supported address space is specified in the T0SZ[5:0] field of the Virtualization Translation Control Register, VTCR_EL2.
The TG0 field of TCR_EL2 specifies the granule size while the SL0 field controls the first level of table lookup. Any access outside the defined address range causes a translation fault.
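The following is an added example, not code from the original guide, that models how the two stages compose and why a guest cannot reach physical memory the hypervisor has not mapped. It assumes a simplified flat page map per stage instead of real multi-level tables; the names translate, walk, guest_s1 and hyp_s2 and all addresses are hypothetical, constructed values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model: each stage is a flat list of 4KB page mappings, not real tables. */
#define PAGE_SHIFT 12
enum xlate { XLATE_OK, S1_FAULT, S2_RANGE_FAULT, S2_FAULT };
struct map { uint64_t in_page, out_page; };

/* Constructed sample tables (all values are illustrative). */
static const struct map guest_s1[] = {      /* stage 1: VA -> IPA, guest OS */
    { 0x00400, 0x0000010 },  /* IPA the hypervisor has backed */
    { 0x00401, 0x0000099 },  /* IPA with no stage 2 mapping */
    { 0x00402, 0x1000000 },  /* IPA 2^36, beyond a 32-bit IPA space */
};
static const struct map hyp_s2[] = {        /* stage 2: IPA -> PA, hypervisor */
    { 0x0000010, 0x80010 },
};

/* Look up one stage; returns 1 and writes *out on a hit, 0 on a miss. */
static int walk(const struct map *m, size_t n, uint64_t in, uint64_t *out)
{
    for (size_t i = 0; i < n; i++)
        if (m[i].in_page == (in >> PAGE_SHIFT)) {
            *out = (m[i].out_page << PAGE_SHIFT) | (in & ((1ULL << PAGE_SHIFT) - 1));
            return 1;
        }
    return 0;
}

/* Translate a guest VA; t0sz models VTCR_EL2.T0SZ (IPA space = 2^(64-T0SZ)). */
enum xlate translate(uint64_t va, unsigned t0sz, uint64_t *pa)
{
    uint64_t ipa;
    unsigned ipa_bits = 64 - (t0sz & 0x3f);
    if (!walk(guest_s1, 3, va, &ipa))
        return S1_FAULT;
    if (ipa_bits < 64 && (ipa >> ipa_bits) != 0)
        return S2_RANGE_FAULT;              /* outside the defined IPA range */
    return walk(hyp_s2, 1, ipa, pa) ? XLATE_OK : S2_FAULT;
}

int main(void)
{
    uint64_t pa = 0;
    const uint64_t vas[] = { 0x400123, 0x401000, 0x402000, 0x500000 };
    for (size_t i = 0; i < 4; i++)
        printf("VA 0x%llx -> status %d\n", (unsigned long long)vas[i], (int)translate(vas[i], 32, &pa));
}
```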
EL2 and EL3 Address Spaces
The hypervisor EL2 and Secure monitor EL3 have their own level 1 tables, which map directly from virtual to physical address space. The table base address is specified in TTBR0_EL2 and TTBR0_EL3 respectively, enabling a single contiguous address space of variable size at the bottom of memory. The TG field specifies the granule size and the SL0 field controls the first level of table lookup. Any access outside the defined address range causes a translation fault.
The Secure monitor EL3 also has its own dedicated translation tables. The table base address is specified in TTBR0_EL3 and configured via TCR_EL3. Translation tables are capable of accessing both Secure and Non-secure physical addresses. TTBR0_EL3 is used only in Secure monitor EL3 mode, not by the trusted kernel itself.
When the transition to Secure world has completed, the trusted kernel uses the EL1 translations, that is, the translation tables pointed to by TTBR0_EL1 and TTBR1_EL1. As these registers are not banked in AArch64, Secure monitor code must configure new tables for the Secure world and save and restore copies of TTBR0_EL1 or TTBR1_EL1.
The EL1 translation regime behaves differently in Secure state, compared to its normal operation in Non-secure state. The second stage of translation is disabled and the EL1 translation regime now points to both Secure and Non-secure physical addresses. There is no virtualization in the Secure world, so the IPA is always the same as the final PA.
Entries in the TLB are tagged as Secure or Non-secure, so that no TLB maintenance is ever required when moving between Secure and Normal worlds.