1 /*- 2 *********************************************************************** 3 * * 4 * Copyright (c) David L. Mills 1993-2001 * 5 * * 6 * Permission to use, copy, modify, and distribute this software and * 7 * its documentation for any purpose and without fee is hereby * 8 * granted, provided that the above copyright notice appears in all * 9 * copies and that both the copyright notice and this permission * 10 * notice appear in supporting documentation, and that the name * 11 * University of Delaware not be used in advertising or publicity * 12 * pertaining to distribution of the software without specific, * 13 * written prior permission. The University of Delaware makes no * 14 * representations about the suitability this software for any * 15 * purpose. It is provided "as is" without express or implied * 16 * warranty. * 17 * * 18 **********************************************************************/ 19 20 /* 21 * Adapted from the original sources for FreeBSD and timecounters by: 22 * Poul-Henning Kamp <phk@FreeBSD.org>. 23 * 24 * The 32bit version of the "LP" macros seems a bit past its "sell by" 25 * date so I have retained only the 64bit version and included it directly 26 * in this file. 27 * 28 * Only minor changes done to interface with the timecounters over in 29 * sys/kern/kern_clock.c. Some of the comments below may be (even more) 30 * confusing and/or plain wrong in that context. 31 */ 32 33 #include <sys/cdefs.h> 34 __FBSDID("$FreeBSD$"); 35 36 #include "opt_ntp.h" 37 38 #include <sys/param.h> 39 #include <sys/systm.h> 40 #include <sys/sysproto.h> 41 #include <sys/eventhandler.h> 42 #include <sys/kernel.h> 43 #include <sys/priv.h> 44 #include <sys/proc.h> 45 #include <sys/lock.h> 46 #include <sys/mutex.h> 47 #include <sys/time.h> 48 #include <sys/timex.h> 49 #include <sys/timetc.h> 50 #include <sys/timepps.h> 51 #include <sys/syscallsubr.h> 52 #include <sys/sysctl.h> 53 54 #ifdef PPS_SYNC 55 FEATURE(pps_sync, "Support usage of external PPS signal by kernel PLL"); 56 #endif 57 58 /* 59 * Single-precision macros for 64-bit machines 60 */ 61 typedef int64_t l_fp; 62 #define L_ADD(v, u) ((v) += (u)) 63 #define L_SUB(v, u) ((v) -= (u)) 64 #define L_ADDHI(v, a) ((v) += (int64_t)(a) << 32) 65 #define L_NEG(v) ((v) = -(v)) 66 #define L_RSHIFT(v, n) \ 67 do { \ 68 if ((v) < 0) \ 69 (v) = -(-(v) >> (n)); \ 70 else \ 71 (v) = (v) >> (n); \ 72 } while (0) 73 #define L_MPY(v, a) ((v) *= (a)) 74 #define L_CLR(v) ((v) = 0) 75 #define L_ISNEG(v) ((v) < 0) 76 #define L_LINT(v, a) \ 77 do { \ 78 if ((a) < 0) \ 79 ((v) = -((int64_t)(-(a)) << 32)); \ 80 else \ 81 ((v) = (int64_t)(a) << 32); \ 82 } while (0) 83 #define L_GINT(v) ((v) < 0 ? -(-(v) >> 32) : (v) >> 32) 84 85 /* 86 * Generic NTP kernel interface 87 * 88 * These routines constitute the Network Time Protocol (NTP) interfaces 89 * for user and daemon application programs. The ntp_gettime() routine 90 * provides the time, maximum error (synch distance) and estimated error 91 * (dispersion) to client user application programs. The ntp_adjtime() 92 * routine is used by the NTP daemon to adjust the system clock to an 93 * externally derived time. The time offset and related variables set by 94 * this routine are used by other routines in this module to adjust the 95 * phase and frequency of the clock discipline loop which controls the 96 * system clock. 97 * 98 * When the kernel time is reckoned directly in nanoseconds (NTP_NANO 99 * defined), the time at each tick interrupt is derived directly from 100 * the kernel time variable. When the kernel time is reckoned in 101 * microseconds, (NTP_NANO undefined), the time is derived from the 102 * kernel time variable together with a variable representing the 103 * leftover nanoseconds at the last tick interrupt. In either case, the 104 * current nanosecond time is reckoned from these values plus an 105 * interpolated value derived by the clock routines in another 106 * architecture-specific module. The interpolation can use either a 107 * dedicated counter or a processor cycle counter (PCC) implemented in 108 * some architectures. 109 * 110 * Note that all routines must run at priority splclock or higher. 111 */ 112 /* 113 * Phase/frequency-lock loop (PLL/FLL) definitions 114 * 115 * The nanosecond clock discipline uses two variable types, time 116 * variables and frequency variables. Both types are represented as 64- 117 * bit fixed-point quantities with the decimal point between two 32-bit 118 * halves. On a 32-bit machine, each half is represented as a single 119 * word and mathematical operations are done using multiple-precision 120 * arithmetic. On a 64-bit machine, ordinary computer arithmetic is 121 * used. 122 * 123 * A time variable is a signed 64-bit fixed-point number in ns and 124 * fraction. It represents the remaining time offset to be amortized 125 * over succeeding tick interrupts. The maximum time offset is about 126 * 0.5 s and the resolution is about 2.3e-10 ns. 127 * 128 * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 129 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 130 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 131 * |s s s| ns | 132 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 133 * | fraction | 134 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 135 * 136 * A frequency variable is a signed 64-bit fixed-point number in ns/s 137 * and fraction. It represents the ns and fraction to be added to the 138 * kernel time variable at each second. The maximum frequency offset is 139 * about +-500000 ns/s and the resolution is about 2.3e-10 ns/s. 140 * 141 * 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 142 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 143 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 144 * |s s s s s s s s s s s s s| ns/s | 145 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 146 * | fraction | 147 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 148 */ 149 /* 150 * The following variables establish the state of the PLL/FLL and the 151 * residual time and frequency offset of the local clock. 152 */ 153 #define SHIFT_PLL 4 /* PLL loop gain (shift) */ 154 #define SHIFT_FLL 2 /* FLL loop gain (shift) */ 155 156 static int time_state = TIME_OK; /* clock state */ 157 int time_status = STA_UNSYNC; /* clock status bits */ 158 static long time_tai; /* TAI offset (s) */ 159 static long time_monitor; /* last time offset scaled (ns) */ 160 static long time_constant; /* poll interval (shift) (s) */ 161 static long time_precision = 1; /* clock precision (ns) */ 162 static long time_maxerror = MAXPHASE / 1000; /* maximum error (us) */ 163 long time_esterror = MAXPHASE / 1000; /* estimated error (us) */ 164 static long time_reftime; /* uptime at last adjustment (s) */ 165 static l_fp time_offset; /* time offset (ns) */ 166 static l_fp time_freq; /* frequency offset (ns/s) */ 167 static l_fp time_adj; /* tick adjust (ns/s) */ 168 169 static int64_t time_adjtime; /* correction from adjtime(2) (usec) */ 170 171 static struct mtx ntp_lock; 172 MTX_SYSINIT(ntp, &ntp_lock, "ntp", MTX_SPIN); 173 174 #define NTP_LOCK() mtx_lock_spin(&ntp_lock) 175 #define NTP_UNLOCK() mtx_unlock_spin(&ntp_lock) 176 #define NTP_ASSERT_LOCKED() mtx_assert(&ntp_lock, MA_OWNED) 177 178 #ifdef PPS_SYNC 179 /* 180 * The following variables are used when a pulse-per-second (PPS) signal 181 * is available and connected via a modem control lead. They establish 182 * the engineering parameters of the clock discipline loop when 183 * controlled by the PPS signal. 184 */ 185 #define PPS_FAVG 2 /* min freq avg interval (s) (shift) */ 186 #define PPS_FAVGDEF 8 /* default freq avg int (s) (shift) */ 187 #define PPS_FAVGMAX 15 /* max freq avg interval (s) (shift) */ 188 #define PPS_PAVG 4 /* phase avg interval (s) (shift) */ 189 #define PPS_VALID 120 /* PPS signal watchdog max (s) */ 190 #define PPS_MAXWANDER 100000 /* max PPS wander (ns/s) */ 191 #define PPS_POPCORN 2 /* popcorn spike threshold (shift) */ 192 193 static struct timespec pps_tf[3]; /* phase median filter */ 194 static l_fp pps_freq; /* scaled frequency offset (ns/s) */ 195 static long pps_fcount; /* frequency accumulator */ 196 static long pps_jitter; /* nominal jitter (ns) */ 197 static long pps_stabil; /* nominal stability (scaled ns/s) */ 198 static long pps_lastsec; /* time at last calibration (s) */ 199 static int pps_valid; /* signal watchdog counter */ 200 static int pps_shift = PPS_FAVG; /* interval duration (s) (shift) */ 201 static int pps_shiftmax = PPS_FAVGDEF; /* max interval duration (s) (shift) */ 202 static int pps_intcnt; /* wander counter */ 203 204 /* 205 * PPS signal quality monitors 206 */ 207 static long pps_calcnt; /* calibration intervals */ 208 static long pps_jitcnt; /* jitter limit exceeded */ 209 static long pps_stbcnt; /* stability limit exceeded */ 210 static long pps_errcnt; /* calibration errors */ 211 #endif /* PPS_SYNC */ 212 /* 213 * End of phase/frequency-lock loop (PLL/FLL) definitions 214 */ 215 216 static void hardupdate(long offset); 217 static void ntp_gettime1(struct ntptimeval *ntvp); 218 static bool ntp_is_time_error(int tsl); 219 220 static bool 221 ntp_is_time_error(int tsl) 222 { 223 224 /* 225 * Status word error decode. If any of these conditions occur, 226 * an error is returned, instead of the status word. Most 227 * applications will care only about the fact the system clock 228 * may not be trusted, not about the details. 229 * 230 * Hardware or software error 231 */ 232 if ((tsl & (STA_UNSYNC | STA_CLOCKERR)) || 233 234 /* 235 * PPS signal lost when either time or frequency synchronization 236 * requested 237 */ 238 (tsl & (STA_PPSFREQ | STA_PPSTIME) && 239 !(tsl & STA_PPSSIGNAL)) || 240 241 /* 242 * PPS jitter exceeded when time synchronization requested 243 */ 244 (tsl & STA_PPSTIME && tsl & STA_PPSJITTER) || 245 246 /* 247 * PPS wander exceeded or calibration error when frequency 248 * synchronization requested 249 */ 250 (tsl & STA_PPSFREQ && 251 tsl & (STA_PPSWANDER | STA_PPSERROR))) 252 return (true); 253 254 return (false); 255 } 256 257 static void 258 ntp_gettime1(struct ntptimeval *ntvp) 259 { 260 struct timespec atv; /* nanosecond time */ 261 262 NTP_ASSERT_LOCKED(); 263 264 nanotime(&atv); 265 ntvp->time.tv_sec = atv.tv_sec; 266 ntvp->time.tv_nsec = atv.tv_nsec; 267 ntvp->maxerror = time_maxerror; 268 ntvp->esterror = time_esterror; 269 ntvp->tai = time_tai; 270 ntvp->time_state = time_state; 271 272 if (ntp_is_time_error(time_status)) 273 ntvp->time_state = TIME_ERROR; 274 } 275 276 /* 277 * ntp_gettime() - NTP user application interface 278 * 279 * See the timex.h header file for synopsis and API description. Note that 280 * the TAI offset is returned in the ntvtimeval.tai structure member. 281 */ 282 #ifndef _SYS_SYSPROTO_H_ 283 struct ntp_gettime_args { 284 struct ntptimeval *ntvp; 285 }; 286 #endif 287 /* ARGSUSED */ 288 int 289 sys_ntp_gettime(struct thread *td, struct ntp_gettime_args *uap) 290 { 291 struct ntptimeval ntv; 292 293 memset(&ntv, 0, sizeof(ntv)); 294 295 NTP_LOCK(); 296 ntp_gettime1(&ntv); 297 NTP_UNLOCK(); 298 299 td->td_retval[0] = ntv.time_state; 300 return (copyout(&ntv, uap->ntvp, sizeof(ntv))); 301 } 302 303 static int 304 ntp_sysctl(SYSCTL_HANDLER_ARGS) 305 { 306 struct ntptimeval ntv; /* temporary structure */ 307 308 memset(&ntv, 0, sizeof(ntv)); 309 310 NTP_LOCK(); 311 ntp_gettime1(&ntv); 312 NTP_UNLOCK(); 313 314 return (sysctl_handle_opaque(oidp, &ntv, sizeof(ntv), req)); 315 } 316 317 SYSCTL_NODE(_kern, OID_AUTO, ntp_pll, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, 318 ""); 319 SYSCTL_PROC(_kern_ntp_pll, OID_AUTO, gettime, CTLTYPE_OPAQUE | CTLFLAG_RD | 320 CTLFLAG_MPSAFE, 0, sizeof(struct ntptimeval) , ntp_sysctl, "S,ntptimeval", 321 ""); 322 323 #ifdef PPS_SYNC 324 SYSCTL_INT(_kern_ntp_pll, OID_AUTO, pps_shiftmax, CTLFLAG_RW, 325 &pps_shiftmax, 0, "Max interval duration (sec) (shift)"); 326 SYSCTL_INT(_kern_ntp_pll, OID_AUTO, pps_shift, CTLFLAG_RW, 327 &pps_shift, 0, "Interval duration (sec) (shift)"); 328 SYSCTL_LONG(_kern_ntp_pll, OID_AUTO, time_monitor, CTLFLAG_RD, 329 &time_monitor, 0, "Last time offset scaled (ns)"); 330 331 SYSCTL_S64(_kern_ntp_pll, OID_AUTO, pps_freq, CTLFLAG_RD | CTLFLAG_MPSAFE, 332 &pps_freq, 0, 333 "Scaled frequency offset (ns/sec)"); 334 SYSCTL_S64(_kern_ntp_pll, OID_AUTO, time_freq, CTLFLAG_RD | CTLFLAG_MPSAFE, 335 &time_freq, 0, 336 "Frequency offset (ns/sec)"); 337 #endif 338 339 /* 340 * ntp_adjtime() - NTP daemon application interface 341 * 342 * See the timex.h header file for synopsis and API description. Note that 343 * the timex.constant structure member has a dual purpose to set the time 344 * constant and to set the TAI offset. 345 */ 346 int 347 kern_ntp_adjtime(struct thread *td, struct timex *ntv, int *retvalp) 348 { 349 long freq; /* frequency ns/s) */ 350 int modes; /* mode bits from structure */ 351 int error, retval; 352 353 /* 354 * Update selected clock variables - only the superuser can 355 * change anything. Note that there is no error checking here on 356 * the assumption the superuser should know what it is doing. 357 * Note that either the time constant or TAI offset are loaded 358 * from the ntv.constant member, depending on the mode bits. If 359 * the STA_PLL bit in the status word is cleared, the state and 360 * status words are reset to the initial values at boot. 361 */ 362 modes = ntv->modes; 363 error = 0; 364 if (modes) 365 error = priv_check(td, PRIV_NTP_ADJTIME); 366 if (error != 0) 367 return (error); 368 NTP_LOCK(); 369 if (modes & MOD_MAXERROR) 370 time_maxerror = ntv->maxerror; 371 if (modes & MOD_ESTERROR) 372 time_esterror = ntv->esterror; 373 if (modes & MOD_STATUS) { 374 if (time_status & STA_PLL && !(ntv->status & STA_PLL)) { 375 time_state = TIME_OK; 376 time_status = STA_UNSYNC; 377 #ifdef PPS_SYNC 378 pps_shift = PPS_FAVG; 379 #endif /* PPS_SYNC */ 380 } 381 time_status &= STA_RONLY; 382 time_status |= ntv->status & ~STA_RONLY; 383 } 384 if (modes & MOD_TIMECONST) { 385 if (ntv->constant < 0) 386 time_constant = 0; 387 else if (ntv->constant > MAXTC) 388 time_constant = MAXTC; 389 else 390 time_constant = ntv->constant; 391 } 392 if (modes & MOD_TAI) { 393 if (ntv->constant > 0) /* XXX zero & negative numbers ? */ 394 time_tai = ntv->constant; 395 } 396 #ifdef PPS_SYNC 397 if (modes & MOD_PPSMAX) { 398 if (ntv->shift < PPS_FAVG) 399 pps_shiftmax = PPS_FAVG; 400 else if (ntv->shift > PPS_FAVGMAX) 401 pps_shiftmax = PPS_FAVGMAX; 402 else 403 pps_shiftmax = ntv->shift; 404 } 405 #endif /* PPS_SYNC */ 406 if (modes & MOD_NANO) 407 time_status |= STA_NANO; 408 if (modes & MOD_MICRO) 409 time_status &= ~STA_NANO; 410 if (modes & MOD_CLKB) 411 time_status |= STA_CLK; 412 if (modes & MOD_CLKA) 413 time_status &= ~STA_CLK; 414 if (modes & MOD_FREQUENCY) { 415 freq = (ntv->freq * 1000LL) >> 16; 416 if (freq > MAXFREQ) 417 L_LINT(time_freq, MAXFREQ); 418 else if (freq < -MAXFREQ) 419 L_LINT(time_freq, -MAXFREQ); 420 else { 421 /* 422 * ntv->freq is [PPM * 2^16] = [us/s * 2^16] 423 * time_freq is [ns/s * 2^32] 424 */ 425 time_freq = ntv->freq * 1000LL * 65536LL; 426 } 427 #ifdef PPS_SYNC 428 pps_freq = time_freq; 429 #endif /* PPS_SYNC */ 430 } 431 if (modes & MOD_OFFSET) { 432 if (time_status & STA_NANO) 433 hardupdate(ntv->offset); 434 else 435 hardupdate(ntv->offset * 1000); 436 } 437 438 /* 439 * Retrieve all clock variables. Note that the TAI offset is 440 * returned only by ntp_gettime(); 441 */ 442 if (time_status & STA_NANO) 443 ntv->offset = L_GINT(time_offset); 444 else 445 ntv->offset = L_GINT(time_offset) / 1000; /* XXX rounding ? */ 446 ntv->freq = L_GINT((time_freq / 1000LL) << 16); 447 ntv->maxerror = time_maxerror; 448 ntv->esterror = time_esterror; 449 ntv->status = time_status; 450 ntv->constant = time_constant; 451 if (time_status & STA_NANO) 452 ntv->precision = time_precision; 453 else 454 ntv->precision = time_precision / 1000; 455 ntv->tolerance = MAXFREQ * SCALE_PPM; 456 #ifdef PPS_SYNC 457 ntv->shift = pps_shift; 458 ntv->ppsfreq = L_GINT((pps_freq / 1000LL) << 16); 459 if (time_status & STA_NANO) 460 ntv->jitter = pps_jitter; 461 else 462 ntv->jitter = pps_jitter / 1000; 463 ntv->stabil = pps_stabil; 464 ntv->calcnt = pps_calcnt; 465 ntv->errcnt = pps_errcnt; 466 ntv->jitcnt = pps_jitcnt; 467 ntv->stbcnt = pps_stbcnt; 468 #endif /* PPS_SYNC */ 469 retval = ntp_is_time_error(time_status) ? TIME_ERROR : time_state; 470 NTP_UNLOCK(); 471 472 *retvalp = retval; 473 return (0); 474 } 475 476 #ifndef _SYS_SYSPROTO_H_ 477 struct ntp_adjtime_args { 478 struct timex *tp; 479 }; 480 #endif 481 482 int 483 sys_ntp_adjtime(struct thread *td, struct ntp_adjtime_args *uap) 484 { 485 struct timex ntv; 486 int error, retval; 487 488 error = copyin(uap->tp, &ntv, sizeof(ntv)); 489 if (error == 0) { 490 error = kern_ntp_adjtime(td, &ntv, &retval); 491 if (error == 0) { 492 error = copyout(&ntv, uap->tp, sizeof(ntv)); 493 if (error == 0) 494 td->td_retval[0] = retval; 495 } 496 } 497 return (error); 498 } 499 500 /* 501 * second_overflow() - called after ntp_tick_adjust() 502 * 503 * This routine is ordinarily called immediately following the above 504 * routine ntp_tick_adjust(). While these two routines are normally 505 * combined, they are separated here only for the purposes of 506 * simulation. 507 */ 508 void 509 ntp_update_second(int64_t *adjustment, time_t *newsec) 510 { 511 int tickrate; 512 l_fp ftemp; /* 32/64-bit temporary */ 513 514 NTP_LOCK(); 515 516 /* 517 * On rollover of the second both the nanosecond and microsecond 518 * clocks are updated and the state machine cranked as 519 * necessary. The phase adjustment to be used for the next 520 * second is calculated and the maximum error is increased by 521 * the tolerance. 522 */ 523 time_maxerror += MAXFREQ / 1000; 524 525 /* 526 * Leap second processing. If in leap-insert state at 527 * the end of the day, the system clock is set back one 528 * second; if in leap-delete state, the system clock is 529 * set ahead one second. The nano_time() routine or 530 * external clock driver will insure that reported time 531 * is always monotonic. 532 */ 533 switch (time_state) { 534 /* 535 * No warning. 536 */ 537 case TIME_OK: 538 if (time_status & STA_INS) 539 time_state = TIME_INS; 540 else if (time_status & STA_DEL) 541 time_state = TIME_DEL; 542 break; 543 544 /* 545 * Insert second 23:59:60 following second 546 * 23:59:59. 547 */ 548 case TIME_INS: 549 if (!(time_status & STA_INS)) 550 time_state = TIME_OK; 551 else if ((*newsec) % 86400 == 0) { 552 (*newsec)--; 553 time_state = TIME_OOP; 554 time_tai++; 555 } 556 break; 557 558 /* 559 * Delete second 23:59:59. 560 */ 561 case TIME_DEL: 562 if (!(time_status & STA_DEL)) 563 time_state = TIME_OK; 564 else if (((*newsec) + 1) % 86400 == 0) { 565 (*newsec)++; 566 time_tai--; 567 time_state = TIME_WAIT; 568 } 569 break; 570 571 /* 572 * Insert second in progress. 573 */ 574 case TIME_OOP: 575 time_state = TIME_WAIT; 576 break; 577 578 /* 579 * Wait for status bits to clear. 580 */ 581 case TIME_WAIT: 582 if (!(time_status & (STA_INS | STA_DEL))) 583 time_state = TIME_OK; 584 } 585 586 /* 587 * Compute the total time adjustment for the next second 588 * in ns. The offset is reduced by a factor depending on 589 * whether the PPS signal is operating. Note that the 590 * value is in effect scaled by the clock frequency, 591 * since the adjustment is added at each tick interrupt. 592 */ 593 ftemp = time_offset; 594 #ifdef PPS_SYNC 595 /* XXX even if PPS signal dies we should finish adjustment ? */ 596 if (time_status & STA_PPSTIME && time_status & 597 STA_PPSSIGNAL) 598 L_RSHIFT(ftemp, pps_shift); 599 else 600 L_RSHIFT(ftemp, SHIFT_PLL + time_constant); 601 #else 602 L_RSHIFT(ftemp, SHIFT_PLL + time_constant); 603 #endif /* PPS_SYNC */ 604 time_adj = ftemp; 605 L_SUB(time_offset, ftemp); 606 L_ADD(time_adj, time_freq); 607 608 /* 609 * Apply any correction from adjtime(2). If more than one second 610 * off we slew at a rate of 5ms/s (5000 PPM) else 500us/s (500 PPM) 611 * until the last second is slewed the final < 500 usecs. 612 */ 613 if (time_adjtime != 0) { 614 if (time_adjtime > 1000000) 615 tickrate = 5000; 616 else if (time_adjtime < -1000000) 617 tickrate = -5000; 618 else if (time_adjtime > 500) 619 tickrate = 500; 620 else if (time_adjtime < -500) 621 tickrate = -500; 622 else 623 tickrate = time_adjtime; 624 time_adjtime -= tickrate; 625 L_LINT(ftemp, tickrate * 1000); 626 L_ADD(time_adj, ftemp); 627 } 628 *adjustment = time_adj; 629 630 #ifdef PPS_SYNC 631 if (pps_valid > 0) 632 pps_valid--; 633 else 634 time_status &= ~STA_PPSSIGNAL; 635 #endif /* PPS_SYNC */ 636 637 NTP_UNLOCK(); 638 } 639 640 /* 641 * hardupdate() - local clock update 642 * 643 * This routine is called by ntp_adjtime() to update the local clock 644 * phase and frequency. The implementation is of an adaptive-parameter, 645 * hybrid phase/frequency-lock loop (PLL/FLL). The routine computes new 646 * time and frequency offset estimates for each call. If the kernel PPS 647 * discipline code is configured (PPS_SYNC), the PPS signal itself 648 * determines the new time offset, instead of the calling argument. 649 * Presumably, calls to ntp_adjtime() occur only when the caller 650 * believes the local clock is valid within some bound (+-128 ms with 651 * NTP). If the caller's time is far different than the PPS time, an 652 * argument will ensue, and it's not clear who will lose. 653 * 654 * For uncompensated quartz crystal oscillators and nominal update 655 * intervals less than 256 s, operation should be in phase-lock mode, 656 * where the loop is disciplined to phase. For update intervals greater 657 * than 1024 s, operation should be in frequency-lock mode, where the 658 * loop is disciplined to frequency. Between 256 s and 1024 s, the mode 659 * is selected by the STA_MODE status bit. 660 */ 661 static void 662 hardupdate(long offset /* clock offset (ns) */) 663 { 664 long mtemp; 665 l_fp ftemp; 666 667 NTP_ASSERT_LOCKED(); 668 669 /* 670 * Select how the phase is to be controlled and from which 671 * source. If the PPS signal is present and enabled to 672 * discipline the time, the PPS offset is used; otherwise, the 673 * argument offset is used. 674 */ 675 if (!(time_status & STA_PLL)) 676 return; 677 if (!(time_status & STA_PPSTIME && time_status & 678 STA_PPSSIGNAL)) { 679 if (offset > MAXPHASE) 680 time_monitor = MAXPHASE; 681 else if (offset < -MAXPHASE) 682 time_monitor = -MAXPHASE; 683 else 684 time_monitor = offset; 685 L_LINT(time_offset, time_monitor); 686 } 687 688 /* 689 * Select how the frequency is to be controlled and in which 690 * mode (PLL or FLL). If the PPS signal is present and enabled 691 * to discipline the frequency, the PPS frequency is used; 692 * otherwise, the argument offset is used to compute it. 693 */ 694 if (time_status & STA_PPSFREQ && time_status & STA_PPSSIGNAL) { 695 time_reftime = time_uptime; 696 return; 697 } 698 if (time_status & STA_FREQHOLD || time_reftime == 0) 699 time_reftime = time_uptime; 700 mtemp = time_uptime - time_reftime; 701 L_LINT(ftemp, time_monitor); 702 L_RSHIFT(ftemp, (SHIFT_PLL + 2 + time_constant) << 1); 703 L_MPY(ftemp, mtemp); 704 L_ADD(time_freq, ftemp); 705 time_status &= ~STA_MODE; 706 if (mtemp >= MINSEC && (time_status & STA_FLL || mtemp > 707 MAXSEC)) { 708 L_LINT(ftemp, (time_monitor << 4) / mtemp); 709 L_RSHIFT(ftemp, SHIFT_FLL + 4); 710 L_ADD(time_freq, ftemp); 711 time_status |= STA_MODE; 712 } 713 time_reftime = time_uptime; 714 if (L_GINT(time_freq) > MAXFREQ) 715 L_LINT(time_freq, MAXFREQ); 716 else if (L_GINT(time_freq) < -MAXFREQ) 717 L_LINT(time_freq, -MAXFREQ); 718 } 719 720 #ifdef PPS_SYNC 721 /* 722 * hardpps() - discipline CPU clock oscillator to external PPS signal 723 * 724 * This routine is called at each PPS interrupt in order to discipline 725 * the CPU clock oscillator to the PPS signal. There are two independent 726 * first-order feedback loops, one for the phase, the other for the 727 * frequency. The phase loop measures and grooms the PPS phase offset 728 * and leaves it in a handy spot for the seconds overflow routine. The 729 * frequency loop averages successive PPS phase differences and 730 * calculates the PPS frequency offset, which is also processed by the 731 * seconds overflow routine. The code requires the caller to capture the 732 * time and architecture-dependent hardware counter values in 733 * nanoseconds at the on-time PPS signal transition. 734 * 735 * Note that, on some Unix systems this routine runs at an interrupt 736 * priority level higher than the timer interrupt routine hardclock(). 737 * Therefore, the variables used are distinct from the hardclock() 738 * variables, except for the actual time and frequency variables, which 739 * are determined by this routine and updated atomically. 740 * 741 * tsp - time at current PPS event 742 * delta_nsec - time elapsed between the previous and current PPS event 743 */ 744 void 745 hardpps(struct timespec *tsp, long delta_nsec) 746 { 747 long u_sec, u_nsec, v_nsec; /* temps */ 748 l_fp ftemp; 749 750 NTP_LOCK(); 751 752 /* 753 * The signal is first processed by a range gate and frequency 754 * discriminator. The range gate rejects noise spikes outside 755 * the range +-500 us. The frequency discriminator rejects input 756 * signals with apparent frequency outside the range 1 +-500 757 * PPM. If two hits occur in the same second, we ignore the 758 * later hit; if not and a hit occurs outside the range gate, 759 * keep the later hit for later comparison, but do not process 760 * it. 761 */ 762 time_status |= STA_PPSSIGNAL | STA_PPSJITTER; 763 time_status &= ~(STA_PPSWANDER | STA_PPSERROR); 764 pps_valid = PPS_VALID; 765 u_sec = tsp->tv_sec; 766 u_nsec = tsp->tv_nsec; 767 if (u_nsec >= (NANOSECOND >> 1)) { 768 u_nsec -= NANOSECOND; 769 u_sec++; 770 } 771 v_nsec = u_nsec - pps_tf[0].tv_nsec; 772 if (u_sec == pps_tf[0].tv_sec && v_nsec < NANOSECOND - MAXFREQ) 773 goto out; 774 pps_tf[2] = pps_tf[1]; 775 pps_tf[1] = pps_tf[0]; 776 pps_tf[0].tv_sec = u_sec; 777 pps_tf[0].tv_nsec = u_nsec; 778 779 /* 780 * Update the frequency accumulator using the difference between the 781 * current and previous PPS event measured directly by the timecounter. 782 */ 783 pps_fcount += delta_nsec - NANOSECOND; 784 if (v_nsec > MAXFREQ || v_nsec < -MAXFREQ) 785 goto out; 786 time_status &= ~STA_PPSJITTER; 787 788 /* 789 * A three-stage median filter is used to help denoise the PPS 790 * time. The median sample becomes the time offset estimate; the 791 * difference between the other two samples becomes the time 792 * dispersion (jitter) estimate. 793 */ 794 if (pps_tf[0].tv_nsec > pps_tf[1].tv_nsec) { 795 if (pps_tf[1].tv_nsec > pps_tf[2].tv_nsec) { 796 v_nsec = pps_tf[1].tv_nsec; /* 0 1 2 */ 797 u_nsec = pps_tf[0].tv_nsec - pps_tf[2].tv_nsec; 798 } else if (pps_tf[2].tv_nsec > pps_tf[0].tv_nsec) { 799 v_nsec = pps_tf[0].tv_nsec; /* 2 0 1 */ 800 u_nsec = pps_tf[2].tv_nsec - pps_tf[1].tv_nsec; 801 } else { 802 v_nsec = pps_tf[2].tv_nsec; /* 0 2 1 */ 803 u_nsec = pps_tf[0].tv_nsec - pps_tf[1].tv_nsec; 804 } 805 } else { 806 if (pps_tf[1].tv_nsec < pps_tf[2].tv_nsec) { 807 v_nsec = pps_tf[1].tv_nsec; /* 2 1 0 */ 808 u_nsec = pps_tf[2].tv_nsec - pps_tf[0].tv_nsec; 809 } else if (pps_tf[2].tv_nsec < pps_tf[0].tv_nsec) { 810 v_nsec = pps_tf[0].tv_nsec; /* 1 0 2 */ 811 u_nsec = pps_tf[1].tv_nsec - pps_tf[2].tv_nsec; 812 } else { 813 v_nsec = pps_tf[2].tv_nsec; /* 1 2 0 */ 814 u_nsec = pps_tf[1].tv_nsec - pps_tf[0].tv_nsec; 815 } 816 } 817 818 /* 819 * Nominal jitter is due to PPS signal noise and interrupt 820 * latency. If it exceeds the popcorn threshold, the sample is 821 * discarded. otherwise, if so enabled, the time offset is 822 * updated. We can tolerate a modest loss of data here without 823 * much degrading time accuracy. 824 * 825 * The measurements being checked here were made with the system 826 * timecounter, so the popcorn threshold is not allowed to fall below 827 * the number of nanoseconds in two ticks of the timecounter. For a 828 * timecounter running faster than 1 GHz the lower bound is 2ns, just 829 * to avoid a nonsensical threshold of zero. 830 */ 831 if (u_nsec > lmax(pps_jitter << PPS_POPCORN, 832 2 * (NANOSECOND / (long)qmin(NANOSECOND, tc_getfrequency())))) { 833 time_status |= STA_PPSJITTER; 834 pps_jitcnt++; 835 } else if (time_status & STA_PPSTIME) { 836 time_monitor = -v_nsec; 837 L_LINT(time_offset, time_monitor); 838 } 839 pps_jitter += (u_nsec - pps_jitter) >> PPS_FAVG; 840 u_sec = pps_tf[0].tv_sec - pps_lastsec; 841 if (u_sec < (1 << pps_shift)) 842 goto out; 843 844 /* 845 * At the end of the calibration interval the difference between 846 * the first and last counter values becomes the scaled 847 * frequency. It will later be divided by the length of the 848 * interval to determine the frequency update. If the frequency 849 * exceeds a sanity threshold, or if the actual calibration 850 * interval is not equal to the expected length, the data are 851 * discarded. We can tolerate a modest loss of data here without 852 * much degrading frequency accuracy. 853 */ 854 pps_calcnt++; 855 v_nsec = -pps_fcount; 856 pps_lastsec = pps_tf[0].tv_sec; 857 pps_fcount = 0; 858 u_nsec = MAXFREQ << pps_shift; 859 if (v_nsec > u_nsec || v_nsec < -u_nsec || u_sec != (1 << pps_shift)) { 860 time_status |= STA_PPSERROR; 861 pps_errcnt++; 862 goto out; 863 } 864 865 /* 866 * Here the raw frequency offset and wander (stability) is 867 * calculated. If the wander is less than the wander threshold 868 * for four consecutive averaging intervals, the interval is 869 * doubled; if it is greater than the threshold for four 870 * consecutive intervals, the interval is halved. The scaled 871 * frequency offset is converted to frequency offset. The 872 * stability metric is calculated as the average of recent 873 * frequency changes, but is used only for performance 874 * monitoring. 875 */ 876 L_LINT(ftemp, v_nsec); 877 L_RSHIFT(ftemp, pps_shift); 878 L_SUB(ftemp, pps_freq); 879 u_nsec = L_GINT(ftemp); 880 if (u_nsec > PPS_MAXWANDER) { 881 L_LINT(ftemp, PPS_MAXWANDER); 882 pps_intcnt--; 883 time_status |= STA_PPSWANDER; 884 pps_stbcnt++; 885 } else if (u_nsec < -PPS_MAXWANDER) { 886 L_LINT(ftemp, -PPS_MAXWANDER); 887 pps_intcnt--; 888 time_status |= STA_PPSWANDER; 889 pps_stbcnt++; 890 } else { 891 pps_intcnt++; 892 } 893 if (pps_intcnt >= 4) { 894 pps_intcnt = 4; 895 if (pps_shift < pps_shiftmax) { 896 pps_shift++; 897 pps_intcnt = 0; 898 } 899 } else if (pps_intcnt <= -4 || pps_shift > pps_shiftmax) { 900 pps_intcnt = -4; 901 if (pps_shift > PPS_FAVG) { 902 pps_shift--; 903 pps_intcnt = 0; 904 } 905 } 906 if (u_nsec < 0) 907 u_nsec = -u_nsec; 908 pps_stabil += (u_nsec * SCALE_PPM - pps_stabil) >> PPS_FAVG; 909 910 /* 911 * The PPS frequency is recalculated and clamped to the maximum 912 * MAXFREQ. If enabled, the system clock frequency is updated as 913 * well. 914 */ 915 L_ADD(pps_freq, ftemp); 916 u_nsec = L_GINT(pps_freq); 917 if (u_nsec > MAXFREQ) 918 L_LINT(pps_freq, MAXFREQ); 919 else if (u_nsec < -MAXFREQ) 920 L_LINT(pps_freq, -MAXFREQ); 921 if (time_status & STA_PPSFREQ) 922 time_freq = pps_freq; 923 924 out: 925 NTP_UNLOCK(); 926 } 927 #endif /* PPS_SYNC */ 928 929 #ifndef _SYS_SYSPROTO_H_ 930 struct adjtime_args { 931 struct timeval *delta; 932 struct timeval *olddelta; 933 }; 934 #endif 935 /* ARGSUSED */ 936 int 937 sys_adjtime(struct thread *td, struct adjtime_args *uap) 938 { 939 struct timeval delta, olddelta, *deltap; 940 int error; 941 942 if (uap->delta) { 943 error = copyin(uap->delta, &delta, sizeof(delta)); 944 if (error) 945 return (error); 946 deltap = δ 947 } else 948 deltap = NULL; 949 error = kern_adjtime(td, deltap, &olddelta); 950 if (uap->olddelta && error == 0) 951 error = copyout(&olddelta, uap->olddelta, sizeof(olddelta)); 952 return (error); 953 } 954 955 int 956 kern_adjtime(struct thread *td, struct timeval *delta, struct timeval *olddelta) 957 { 958 struct timeval atv; 959 int64_t ltr, ltw; 960 int error; 961 962 if (delta != NULL) { 963 error = priv_check(td, PRIV_ADJTIME); 964 if (error != 0) 965 return (error); 966 ltw = (int64_t)delta->tv_sec * 1000000 + delta->tv_usec; 967 } 968 NTP_LOCK(); 969 ltr = time_adjtime; 970 if (delta != NULL) 971 time_adjtime = ltw; 972 NTP_UNLOCK(); 973 if (olddelta != NULL) { 974 atv.tv_sec = ltr / 1000000; 975 atv.tv_usec = ltr % 1000000; 976 if (atv.tv_usec < 0) { 977 atv.tv_usec += 1000000; 978 atv.tv_sec--; 979 } 980 *olddelta = atv; 981 } 982 return (0); 983 } 984 985 static struct callout resettodr_callout; 986 static int resettodr_period = 1800; 987 988 static void 989 periodic_resettodr(void *arg __unused) 990 { 991 992 /* 993 * Read of time_status is lock-less, which is fine since 994 * ntp_is_time_error() operates on the consistent read value. 995 */ 996 if (!ntp_is_time_error(time_status)) 997 resettodr(); 998 if (resettodr_period > 0) 999 callout_schedule(&resettodr_callout, resettodr_period * hz); 1000 } 1001 1002 static void 1003 shutdown_resettodr(void *arg __unused, int howto __unused) 1004 { 1005 1006 callout_drain(&resettodr_callout); 1007 /* Another unlocked read of time_status */ 1008 if (resettodr_period > 0 && !ntp_is_time_error(time_status)) 1009 resettodr(); 1010 } 1011 1012 static int 1013 sysctl_resettodr_period(SYSCTL_HANDLER_ARGS) 1014 { 1015 int error; 1016 1017 error = sysctl_handle_int(oidp, oidp->oid_arg1, oidp->oid_arg2, req); 1018 if (error || !req->newptr) 1019 return (error); 1020 if (cold) 1021 goto done; 1022 if (resettodr_period == 0) 1023 callout_stop(&resettodr_callout); 1024 else 1025 callout_reset(&resettodr_callout, resettodr_period * hz, 1026 periodic_resettodr, NULL); 1027 done: 1028 return (0); 1029 } 1030 1031 SYSCTL_PROC(_machdep, OID_AUTO, rtc_save_period, CTLTYPE_INT | CTLFLAG_RWTUN | 1032 CTLFLAG_MPSAFE, &resettodr_period, 1800, sysctl_resettodr_period, "I", 1033 "Save system time to RTC with this period (in seconds)"); 1034 1035 static void 1036 start_periodic_resettodr(void *arg __unused) 1037 { 1038 1039 EVENTHANDLER_REGISTER(shutdown_pre_sync, shutdown_resettodr, NULL, 1040 SHUTDOWN_PRI_FIRST); 1041 callout_init(&resettodr_callout, 1); 1042 if (resettodr_period == 0) 1043 return; 1044 callout_reset(&resettodr_callout, resettodr_period * hz, 1045 periodic_resettodr, NULL); 1046 } 1047 1048 SYSINIT(periodic_resettodr, SI_SUB_LAST, SI_ORDER_MIDDLE, 1049 start_periodic_resettodr, NULL); 1050