Concepts:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Down to the TLP: How PCI express devices talk (Part I)::::::::::::::
:::
1.Foreword:::::::::::
PCI express is not a bus:: The first thing to realize about PCI express (PCIe
henceforth), is that its not PCI-X, or any other PCI version.
The previous PCI versions, PCI-X included, are true
buses: There are parallel rails of copper physically reaching
several slots for peripheral cards. PCIe
is more like a network, with each card connected to a network switch
through a dedicated set of wires.
Exactly like a local Ethernet network, each card has its own physical connection
to the switch fabric. The similarity
goes further: The communication takes the form of packets transmitted over
these dedicated lines, with flow
control, error detection and retransmissions. There are no MAC addresses, but
we have the cards physical
(geographic) position instead to define it, before its allocated with high-level
Gray fields are reserved, which means that the sender has to put zeros there
(and the receiver ignore them).
Some gray fields are marked R which means that the field is always
reserved, and some have a name, meaning that
the field is reserved because of the nature of this specific packet. Green
fields are allowed to have nonzero values,
but they are rarely used by endpoint peripherals (from what Ive seen). The
values of the specific packet are marked in red.
The Fmt field, together with the Type field say this is a Memory Write Request.
The TD bit is zero, indicating that there is no extra CRC on the TLP data (TLP
Digest). This extra CRC has no justification
if we trust our hardware not to corrupt the TLPs, since the Link Layer has
its own CRC to make sure nothing gets wrong on
the way.
The Length field has the value 0x001, indicating that this TLP has one DW (32-
bit word) of data.
The Requester ID field says that the sender of this packet is known by having
ID zero its the Root Complex
(the PCIe port closest to the CPU). While mandatory, this field has no
practical use in a Write Request, except
for reporting back errors.
The Tag is an unused field in this case. The sender can put anything here, and
all other components should ignore it.
We shall get a closer look at it later.
The 1st BE field (1st Double-Word Byte Enable) allows to choose which of the
four bytes in the first data DW are valid,
and should be written. Set as 0xf in our case, it marks that all four bytes
are written to.
The Last BE field must be zero when Length is unity, since the first DW and the
last is the same one.
The Address field is simply the address to which the first data DW is written.
Well, bits 31-2 of this address.
Note that the two LSBs of DW 2 in the TLP are zero, so DW 2 actually reads
the write address itself. Multiply 0x3f6bfc10
by four, and you get 0xfdaff040.
And finally, we have one DW of data. This is a good time to mention that PCIe
runs big Endian, and Intel processors think
little Endian. So if this was a regular PC computer, it was writing
0x78563412 in its software representation.
A Read Request
Now lets see what happens when the CPU wants to read from a peripheral. Read
operations are a bit more tricky, because inevitably there are going to be two
packets involved: One TLP from the CPU to the peripheral, asking the latter to
perform a read operation, and one TLP going back with the data. In PCIe terms we
have a Requester (the CPU in our case) and a Completer (the peripheral).
Well assume that the CPU wants a single a single DW (32-bit word) from address
0xfdaff040 (same as before). As before, its likely that it initiates a read
operation on the bus it shares with its memory controller, which contains the Root
Complex, which in turn generates a TLP to be sent over the PCIe bus. Its a Read
Request TLP, which may look like this:
Example of a Read Request TLP
Its strikingly similar to the Write Request example shown above, so Ill focus on
the differences:
The Fmt/Type fields have changed (actually, only Fmt) to indicate this is a
Read Request.
As before, The Requester ID field says that the sender of this packet has ID
zero. Its the same field as before, but in a Read Request its functionally
crucial, since it tells the Completer where to send its response. Well see more
about this ID below.
The Tag is significant in Read Requests. Its important to realize that it
doesnt mean anything by itself, but that it has the function of a tracking number:
When the Completer responds, it must copy this value to the Completion TLP. This
allows the Requester to match Completion answers with its Request. After all,
multiple requests from a single device on a bus are allowed. This Tag is set by the
Requester for its own needs, and the standard doesnt require a certain enumeration
method, as long as the Tags of all outstanding requests are unique. Despite the 8
bits allocated, only the 5 LSBs are allowed for use, and the rest must be zero by
default. This allows for a maximum of 32 outstanding requests between a pair of bus
entities. For applications that need it, in-standard extensions may allow as many
as 2048.
The Length field indicates that one DW should be read, and the Address field from
which address. The two BE fields retain the same meaning and rules as with a Write
Request, only they pick which bytes to read rather than which bytes to write.
The considerations for applying read requests are discussed on another tutorial.
The Completion
When the peripheral receives a Read Request TLP, it must respond with some sort of
Completion TLP, even if it cant fulfill the action requested. Were going to look
at a successful case: The peripheral read the chunk of data from its internal
resources, and now needs to return the result back to the Requester (the CPU in our
case).
By the way, the Completer may return the data sliced up into several packets. The
last packet in the completion can then be detected by checking for
So much for these two examples. Now some more general speaking.
Posted and non-Posted operations
If we compare the life cycle of a bus write operation with the one of a read,
theres an evident difference: A write TLP operation is fire-and-forget. Once the
packet has been formed and handed over to the Data Link Layer, theres no need to
worry about it anymore. A read operation, on the other hand, requires the Requester
to wait for a Completion. Until the Completion packet arrives, the Requester must
retain information about what the Request was, and sometimes even hold the CPUs
bus: If the CPUs bus started a read cycle, it must be held in wait states until
the value of the desired read operation is available at the bus data lines. This
can be a horrible slowdown of the bus, which is rightfully avoided in recent
systems.
As mentioned above, the address given in read and write requests can be either 32
or 64 bits wide, making the header either 3 or 4 DWs long. However section 2.2.4.1
in the PCIe spec states that the 4 DW header format must be used only when
necessary:
For Addresses below 4 GB, Requesters must use the 32-bit format. The behavior
of the receiver is not specified if a 64-bit format request addressing below 4 GB
(i.e., with the upper 32 bits of address all 0) is received.
In reality, it's extremely rare that any peripheral's register is mapped over the 4
GB range, and quite rare that DMA buffers are mapped over the lower 1 GB. As a
result, read and write TLPs with 64 bit addressing are practically unused.
Almost all real-life root complexes accept TLPs with 64 bit addressing even if it
points below 4 GB. This allows testing outgoing 64-bit addressing packets when
designing a peripheral. As for testing ingoing packets of the same sort, there's
probably no simple way.
I/O Requests
The PCIe bus supports I/O operations only for the sake of backward compatibility,
and strongly recommends not to use I/O TLPs in new designs. One of the reasons is
that both read and write requests in I/O space are non-Posted, so the Requester is
forced to wait for a completion on write operations as well. Another issue is that
I/O operations only take 32-bit addresses, while the PCIe spec endorses 64-bit
support in general.
Identification and routing
Since PCIe is essentially a packet network, with the possibility of switches on the
way, these switches need to know where to send each TLP. There are three routing
methods: By address, by ID and implicit. By address routing is applied for Memory
and I/O Requests (read and write). Implicit routing is used only for certain
message TLPs, such as broadcasts from Root Complex and messages that always go to
the Root Complex. All other TLPs are routed by ID.
The ID is a 16-bit word formed in terms of the well known triplet: Bus number,
Device number and Function number. Their meaning is exactly like in legacy PCI
buses. The ID is formed as follows:
Formation of PCIe ID
Formation of PCIe ID
If youre running Linux, I suggest trying the lspci utility with its numerous flags
to get friends with the bus structure.
Bus Mastering (DMA)
This issue used to be a bit spooky until PCIe. After all, theres something
intrusive about telling the CPU to step aside from the bus, now Im running the
show.
On PCIe, its significantly less exotic. It boils down to the simple notion, that
anyone on the bus can send read and write TLPs on the bus, exactly like the Root
Complex. This allows the peripheral to access the CPUs memory directly (DMA) or
exchange TLPs with peer peripherals (to the extent that the switching entities
support that).
Well, there are two things that need to happen first, as with any PCI device: The
peripheral needs to be granted bus mastering by setting the Bus Master Enable bit
in one of the standard configuration registers. The second thing is that the driver
software needs to inform the peripheral about the relevant buffers physical
address, most probably by writing to a BAR-mapped register.
Interrupts
INTx interrupts are supported for the sake of compatibility with legacy software,
and also in order to allow bridging between classic PCI buses and PCIe. Since INTx
interrupts are level triggered (i.e. the interrupt request is active as long as the
physical INTx wire is at low voltage), theres a TLP packet for saying that the
line has been asserted, and another that it has been deasserted. Not only is this a
quirky in itself, but the old problems with INTx interrupts retain, such as
interrupt sharing and the need for each interrupt handling routine to check who the
interrupt is really for.
It was because of these issues, that a new form of interrupt, MSI, was introduced
in (conventional) PCI 2.2. The idea was, that since virtually all PCI peripherals
have bus master capabilities, why not let the peripheral signal an interrupt by
writing to a certain address?
PCIe does exactly the same to generate an MSI: Signaling an interrupt merely
consists of sending a TLP over the bus, which is simply a posted Write Request,
with a special address, which the host has written into the peripherals
configuration space during initialization. Any modern operating system (Linux
included, of course) can then call the correct interrupt routine, without the need
to guess who generated the interrupt. Neither is it really necessary to clear the
interrupt, if the peripheral doesnt need the acknowledgment.