User Mode Drivers
I have a regular discussion about user-mode drivers and Linux. It starts with a customer who maintains a DOS system realizing that at some point--usually sooner than later--he must upgrade his application to run under another OS. Of course I suggest Linux.
In these discussions, the customer will proceed to explain that he or she doesn't know how to write a device driver and doesn't want to spend the time to learn how to do so. The customer's code on the DOS system is console-based and uses simple (x86) I/O ports to read the adaptor card. Typically, he or she also will vent a bit about how operating systems have hardware protection. It only takes me a minute to mention that Linux supports methods of directly accessing the device with a user application. Then there's the customer's problem with the absence of ISA slots in modern PCs; the old adaptor card won't work in a new system. PCI-based cards can replace the ISA-based device, but for his or her code there's a clincher: how do you know the settings of the PCI device?
This is a short article on writing user-mode device drivers to penetrate the abstraction layer from a user application and to determine where a PCI card is located. This information is useful for those concerned with replacing their DOS machines and porting code to Linux. There are many reasons in favor of a user-mode driver. The user-mode method is very useful for validating new hardware. It's also convenient for informal accessing of the device on a register level. But, there are many simple hardware devices that don't implement interrupts, and their operation is hardly worth writing a device driver for.
Historically, x86 peripherals were I/O mapped. The x86 architecture has two memory maps: one for the memory and the other for peripherals. This separate map has unique instructions for accessing it. In Port and Out Port were used to read and write bytes, words or longs (in those days) to the hardware.
The Linux system calls ioperm(2) and iopl(2) (with a level argument of 3) are the silver-bullet commands for penetrating the abstraction layer. These functions are reserved for the root user (UID == 0), and each is slightly different. ioperm() opens up a block of the I/O space to the user application. This function requires the starting I/O base address and the block size (length) of consecutive addresses. ioperm() is useful for accessing ports located from 0x0000 through 0x03ff. On the other hand, iopl() opens up the entire I/O space for accessing. PCI devices that are I/O mapped typically are located above the space ioperm() permits, so iopl() must be used.
Once the abstraction layer is opened, there are six primary system calls for reading and writing to the I/O map. Three are for reading, and three are for writing to the I/O map. The reading triplet is inb(), inw() and inl() (for byte, word and long, respectively). The writing triplet is outb(), outw() and outl() (for byte, word and long, respectively). The header file is <sys/io.h>.
First the application needs only to call the appropriate function (ioperm or iopl), then inspect the error code returned by the system call, if any. Both ioperm and iopl return zero on success. Now you can start reading and writing--it's that simple.
Many devices are memory mapped for two reasons. First, for x86 architectures, the memory map is more expansive than the I/O map. Most other architectures only have a memory-mapped architecture (in other words, you don't get a choice); only the x86 architecture has the second address space for peripherals. Again, there are methods to penetrate the memory protection mechanism to access the hardware. The other reason is that arguably, more powerful addressing modes allow faster and more flexible methods of accessing the memory. The x86 port commands are extremely limited in features.
To access your memory-mapped hardware, the device /dev/mem is the silver bullet, and mmap() is the method to select the memory physical base address and the block size to access. To open the peripheral memory, open /dev/mem. Use the opened file descriptor in mmap(), with the appropriate address and the block size (in bytes) to open. mmap() returns an address that is mapped to the physical base address; cast it to the appropriate data type and use it like any other pointer, array, structure pointer or your favorite method.
Many hardware devices are hard-coded. Usually a good reference will describe where the device is located. For example, my employer manufactures many ISA-based products where the device address is set using jumpers. A device's address is found by comparing its jumpers and a table in a user's guide. That's easy...almost.
- Bruce Nikkel's Practical Forensic Imaging (No Starch Press)
- Transitioning to Python 3
- Progress on Privacy
- Stepping into Science
- Linux Journal December 2016
- Radio Free Linux
- The Tiny Internet Project, Part II
- CORSAIR's Carbide Air 740
- FutureVault Inc.'s FutureVault
- A Better Raspberry Pi Streaming Solution