mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2025-01-01 00:18:15 +01:00
Precision Time and Frequency Synchronization Using Modified Kernels

1. Introduction

This memo describes replacements for certain SunOS and Ultrix kernel
routines that manage the system clock and timer functions. They provide
improved accuracy and stability through the use of a disciplined clock
interface for use with the Network Time Protocol (NTP) or similar
time-synchronization protocol. In addition, for certain models of the
DECstation 5000 product line, the new routines provide improved
precision to +-1 microsecond (us) (SunOS 4.1.1 already does provide
precision to +-1 us). The current public NTP distribution cooperates
with these kernel routines to provide synchronization in principle to
within a microsecond, but in practice this is limited by the short-term
stability of the oscillator that drives the timer interrupt.

This memo describes the principles behind the design and operation of
the software. There are two versions of the software, one that operates
with the SunOS 4.1.1 kernel and the other that operates with the Ultrix
4.2a kernel (and probably the 4.3 kernel, although this has not been
tested). A detailed description of the variables and algorithms is given
in the hope that similar improvements can be incorporated in Unix
kernels for other machines. The software itself is not included in this
memo, since it involves licensed code. Detailed instructions on where to
obtain it for either SunOS or Ultrix will be given separately.

The principal function added to the SunOS and Ultrix kernels is to
change the way the system clock is controlled, in order to provide
precision time and frequency adjustments. Another function utilizes an
undocumented counter in the DECstation hardware to provide precise time
to the microsecond. This function can be used only with the DECstation
5000/240 and possibly others that use the same input/output chipset.

2. Design Principles

In order to understand how these routines work, it is useful to consider
how most Unix systems maintain the system clock. In the original design
a hardware timer interrupts the kernel at some fixed rate, such as 100
Hz in the SunOS kernel and 256 Hz in the Ultrix kernel. Since 256 does
not evenly divide the second in microseconds, the kernel inserts 64 us
once each second so that the system clock stays in step with real time.
The time returned by the gettimeofday() routine is thus characterized by
255 advances of 3906 us plus one of 3970 us.

Also in the original design it is possible to slew the system clock to a
new offset using the adjtime() system call. To do this the clock
frequency is changed by adding or subtracting a fixed amount (tickadj)
at each timer interrupt (tick) for a calculated number of ticks. Since
this calculation involves dividing the requested offset by tickadj, it
is possible to slew to a new offset with a precision only of tickadj,
which is usually in the neighborhood of 5 us, but sometimes much higher.

In order to maintain the system clock within specified bounds with this
scheme, it is necessary to call adjtime() on a regular basis. For
instance, let the bound be set at 100 us, which is a reasonable value
for NTP-synchronized hosts on a local network, and let the onboard
oscillator tolerance be 100 ppm, which is a reasonably conservative
assumption. This requires that adjtime() be called at intervals not
exceeding 1 second (s), which is in fact what the unmodified NTP
software daemon does.

In the modified kernel routines this scheme is replaced by another that
extends the low-order bits of the system clock to provide very precise
clock adjustments. At each timer interrupt a precisely calibrated time
adjustment is added to the composite time value and overflows are
handled as required. The quantity to add is computed from the adjtime()
call and, in addition, a frequency adjustment, which is automatically
calculated from previous time adjustments. This implementation operates
as an adaptive-parameter, first-order, type-II, phase-lock loop (PLL),
which in principle provides precision control of the system clock phase
to within +-1 us and frequency to within +-5 nanoseconds (ns) per day.

This PLL model is identical to the one implemented in NTP, except that
in NTP the software daemon has to simulate the PLL using only the
original adjtime() system call. The daemon is considerably complicated
by the need to parcel time adjustments at frequent intervals in order to
maintain the accuracy to specified bounds. The kernel routines do this
directly, allowing vast gobs of ugly daemon code to be avoided at the
expense of only a small amount of new code in the kernel. In fact, the
amount of code added to the kernel for the new scheme is about the
amount removed for the old scheme. The new adjtime() routine needs to be
called only as each new time update is determined, which in NTP occurs
at intervals of from 64 s to 1024 s. In addition, doing the frequency
correction in the kernel means that the system time runs true even if
the daemon were to cease operation or the network paths to the primary
reference source fail.

Note that the degree to which the adjtime() adjustment can be made is
limited to a specific maximum value, presently +-128 milliseconds (ms),
in order to achieve microsecond resolution. It is the intent in the
design that settimeofday() be used for changes in system time greater
than +-128 ms. It has been the Internet experience that the need to
change the system time in increments greater than +-128 milliseconds is
extremely rare and is usually associated with a hardware or software
malfunction. Nevertheless, the limit applies to each adjtime() call and
it is possible, but not recommended, that this routine is called at
intervals smaller than 64 seconds, which is the NTP lower limit.

For the most accurate and stable operation, adjtime() should be called
at specified intervals; however, the PLL is quite forgiving and neither
moderate loss of updates nor variations in the length of the interval is
serious. The current engineering parameters have been optimized for
intervals not greater than about 64 s. For larger intervals the PLL time
constant can be adjusted to optimize the dynamic response up to
intervals of 1024 s. Normally, this is automatically done by NTP. In any
case, if updates are suspended, the PLL coasts at the frequency last
determined, which usually results in errors increasing only to a few
tens of milliseconds over a day.

The new code needs to know the initial frequency offset and time
constant for the PLL, and the daemon needs to know the current frequency
offset computed by the kernel for monitoring purposes. This is provided
by a small change in the second argument of the kernel adjtime() calling
sequence, which is documented later in this memo. Ordinarily, only the
daemon will call the adjtime() routine, so the modified calling sequence
is easily accommodated. Other than this change, the operation of
adjtime() is transparent to the original.

In the DECstation 5000/240 and possibly other models there happens to be
an undocumented hardware register that counts system bus cycles at a
rate of 25 MHz. The new kernel routines test for the CPU type and, in
the case of the '240, use this register to interpolate system time
between hardware timer interrupts. This results in a precision of +-1 us
for all time values obtained via the gettimeofday() system call. This
routine calls the kernel routine microtime(), which returns the actual
interpolated value, but does not change the kernel time variable.
Therefore, other kernel routines that access the kernel time variable
directly and do not call either gettimeofday() or microtime() will
continue their present behavior.

The new kernel routines include provisions for error statistics (maximum
error and estimated error), leap seconds and system clock status. These
are intended to support applications that need such things; however,
there are no applications other than the time-synchronization daemon
itself that presently use them. At issue is the manner in which these
data can be provided to application clients, such as new system calls
and data interfaces. While a proposed interface is described later in
this memo, it has not yet been implemented. This is an area for further
study.

While any time-synchronization daemon can in principle be modified to
use the new code, the most likely users are those of the xntp3
distribution of NTP. The code in the xntp3 distribution determines
whether the new kernel code is in use and automatically reconfigures as
required. When the new code is in use, the daemon reads the frequency
offset from a file and provides it and the initial time constant via
adjtime(). In subsequent calls to adjtime(), only the time adjustment
and time constant are affected. The daemon reads the frequency from the
kernel (returned as the second argument of adjtime()) at intervals of
one hour and writes it to the file.

3. Technical Description

Following is a technical description of how the new scheme works in
terms of the variables and algorithms involved. These components are
discussed as a distinct entity and do not involve coding details
specific to the Ultrix kernel. The algorithms involve only minor changes
to the system clock and interval timer routines, but do not in
themselves provide a conduit for application programs to learn the
system clock status or statistics of the time-synchronization process.
In a later section a number of new system calls are proposed to do this,
along with an interface specification.

The new scheme works like the companion simulator called kern.c and
included in this directory. This stand-alone simulator includes code
fragments identical to those in the modified kernel routines and
operates in the same way. The system clock is implemented in the kernel
using a set of variables and algorithms defined below and in the
simulator. The algorithms are driven by explicit calls from the
synchronization protocol as each time update is computed. The clock is
read and set using the gettimeofday() and settimeofday() system calls,
which operate in the same way as the originals, but return a status word
describing the state of the system clock.

Once the system clock has been set, the adjtime() system call is used to
provide periodic updates including the time offset and possibly
frequency offset and time constant. With NTP this occurs at intervals of
from 64 s to 1024 s, depending on the time constant value. The kernel
implements an adaptive-parameter, first-order, type-II, phase-lock loop
(PLL) in order to integrate this offset into the phase and frequency of
the system clock. The kernel keeps track of the time of the last update
and adjusts the maximum error to grow by an amount equal to the
oscillator frequency tolerance times the elapsed time since the last
update.

Occasionally, it is necessary to adjust the PLL parameters in response
to environmental conditions, such as leap-second warning and oscillator
stability observations. While the interface to do this has not yet been
implemented, proposals to do that are included in a later section. A
system call (setloop()) is used on such occasions to communicate these
data. In addition, a system call (getloop()) is used to extract these
data from the kernel for monitoring purposes.

All programs utilize the system clock status variable time_status, which
records whether the clock is synchronized, waiting for a leap second,
etc. The value of this variable is returned by each system call. It can
be set explicitly by the setloop() system call and implicitly by the
settimeofday() system call and in the timer-interrupt routine. Values
presently defined in the header file timex.h are as follows:

    int time_status = TIME_BAD;     /* clock synchronization status */

    #define TIME_UNS 0      /* unspecified or unknown */
    #define TIME_OK 1       /* operation succeeded */
    #define TIME_INS 1      /* insert leap second at end of current day */
    #define TIME_DEL 2      /* delete leap second at end of current day */
    #define TIME_OOP 3      /* leap second in progress */
    #define TIME_BAD 4      /* system clock is not synchronized */
    #define TIME_ADR -1     /* operation failed: invalid address */
    #define TIME_VAL -2     /* operation failed: invalid argument */
    #define TIME_PRV -3     /* operation failed: privileged operation */

In case of a negative result code, the operation has failed; however,
some variables may have been modified before the error was detected.
Note that the new system calls never return a value of zero, so it is
possible to determine whether the old routines or the new ones are in
use. The syntax of the modified adjtime() is as follows:

    /*
     * adjtime - adjust system time
     */
    #include <sys/timex.h>

    int adjtime(tp, fiddle)

    struct timeval *tp;             /* system time adjustment */
    struct timeval *fiddle;         /* sneak path */

On entry the "timeval" sneak path is coded:

    struct timeval {
        long tv_sec = time_constant;    /* time constant */
        long tv_usec = time_freq;       /* new frequency offset */
    }

However, the sneak is ignored if fiddle is the null pointer and the new
frequency offset is ignored if zero.

The value returned on exit is the system clock status defined above. The
"timeval" sneak path is modified as follows:

    struct timeval {
        long tv_sec = time_precision;   /* system clock precision */
        long tv_usec = time_freq;       /* current frequency offset */
    }

3.1. Kernel Variables

The following variables are used by the new code:

    long time_offset = 0;           /* time adjustment (us) */

This variable is used by the PLL to adjust the system time in small
increments. It is scaled by (1 << SHIFT_UPDATE) in binary microseconds.
The maximum value that can be represented is about +-130 ms and the
minimum value or precision is about one nanosecond.

    long time_constant = SHIFT_TAU; /* pll time constant */

This variable determines the bandwidth or "stiffness" of the PLL. It is
used as a shift, with the effective value in positive powers of two. The
optimum value for this variable is equal to 1/64 times the update
interval. The default value SHIFT_TAU (0) corresponds to a PLL time
constant of about one hour or an update interval of about one minute,
which is appropriate for typical uncompensated quartz oscillators used
in most computing equipment. Values larger than four are not useful,
unless the local clock timebase is derived from a precision oscillator.

    long time_tolerance = MAXFREQ;  /* frequency tolerance (ppm) */

This variable represents the maximum frequency error or tolerance of the
particular platform and is a property of the architecture. It is
expressed as a positive number greater than zero in parts-per-million
(ppm). The default MAXFREQ (100) is appropriate for conventional
workstations.

    long time_precision = 1000000 / HZ; /* clock precision (us) */

This variable represents the maximum error in reading the system clock.
It is expressed as a positive number greater than zero in microseconds
and is usually based on the number of microseconds between timer
interrupts, in the case of the Ultrix kernel, 3906. However, in cases
where the time can be interpolated between timer interrupts with
microsecond resolution, the precision is specified as 1. This variable
is computed by the kernel for use by the time-synchronization daemon,
but is otherwise not used by the kernel.

    struct timeval time_maxerror;   /* maximum error */

This variable represents the maximum error, expressed as a Unix timeval,
of the system clock. For NTP, it is computed as the synchronization
distance, which is equal to one-half the root delay plus the root
dispersion. It is increased by a small amount (time_tolerance) each
second to reflect the clock frequency tolerance. This variable is
computed by the time-synchronization daemon and the kernel for use by
the application program, but is otherwise not used by the kernel.

    struct timeval time_esterror;   /* estimated error */

This variable represents the best estimate of the actual error,
expressed as a Unix timeval, of the system clock based on its past
behavior, together with observations of multiple clocks within the peer
group. This variable is computed by the time-synchronization daemon for
use by the application program, but is otherwise not used by the kernel.

The PLL itself is controlled by the following variables:

    long time_phase = 0;            /* phase offset (scaled us) */
    long time_freq = 0;             /* frequency offset (scaled ppm) */
    long time_adj = 0;              /* tick adjust (scaled 1 / HZ) */

These variables control the phase increment and the frequency increment
of the system clock at each tick of the clock. The time_phase variable
is scaled by (1 << SHIFT_SCALE) in binary microseconds, giving a minimum
value (time resolution) of 9.3e-10 us. The time_freq variable is scaled
by (1 << SHIFT_KF) in parts-per-million (ppm), giving it a maximum value
of about +-130 ppm and a minimum value (frequency resolution) of 6e-8
ppm. The time_adj variable is the actual phase increment in scaled
microseconds to add to time_phase once each tick. It is computed from
time_phase and time_freq once per second.

    long time_reftime = 0;          /* time at last adjustment (s) */

This variable is the seconds portion of the system time on the last
call to adjtime(). It is used to adjust the time_freq variable as the
time since the last update increases.

The HZ define establishes the timer interrupt frequency, 256 Hz for the
Ultrix kernel and 100 Hz for the SunOS kernel. The SHIFT_HZ define
expresses the same value as the nearest power of two in order to avoid
hardware multiply operations. These are the only parameters that need to
be changed for different timer interrupt rates.

    #define HZ 256          /* timer interrupt frequency (Hz) */
    #define SHIFT_HZ 8      /* log2(HZ) */

The following defines establish the engineering parameters of the PLL
model. They are chosen for an initial convergence time of about an hour,
an overshoot of about seven percent and a final convergence time of
several hours, depending on initial frequency error.

    #define SHIFT_KG 10     /* shift for phase increment */
    #define SHIFT_KF 24     /* shift for frequency increment */
    #define SHIFT_TAU 0     /* default time constant (shift) */

The SHIFT_SCALE define establishes the decimal point on the time_phase
variable, which serves as an extension to the low-order bits of the
system clock variable. The SHIFT_UPDATE define establishes the decimal
point of the phase portion of the adjtime() update. The FINEUSEC define
represents 1 us in scaled units.

    #define SHIFT_SCALE 28  /* shift for scale factor */
    #define SHIFT_UPDATE 14 /* shift for offset scale factor */
    #define FINEUSEC (1 << SHIFT_SCALE) /* 1 us in scaled units */

The FINETUNE define represents the residual, in ppm, to be added to the
system clock variable in addition to the integral 1-us value given by
tick. This allows a systematic frequency offset in cases where the timer
interrupt frequency does not exactly divide the second in microseconds.

    #define FINETUNE (1000000 - (1000000 / HZ) * HZ) /* frequency adjustment
                             * for non-isochronous HZ (ppm) */

The following four defines establish the performance envelope of the
PLL, one to bound the maximum phase error, another to bound the maximum
frequency error and the last two to bound the minimum and maximum time
between updates. The intent of these bounds is to force the PLL to
operate within predefined limits in order to conform to the correctness
models assumed by time-synchronization protocols like NTP and DTSS. An
excursion which exceeds these bounds is clamped to the bound and
operation proceeds accordingly. In practice, this can occur only if
something has failed or is operating out of tolerance, but otherwise the
PLL continues to operate in a stable mode. Note that the MAXPHASE define
conforms to the maximum offset allowed in NTP before the system time is
reset, rather than incrementally adjusted.

    #define MAXPHASE 128000 /* max phase error (us) */
    #define MINSEC 64       /* min interval between updates (s) */
    #define MAXFREQ 100     /* max frequency error (ppm) */
    #define MAXSEC 1024     /* max interval between updates (s) */

3.2. Code Segments

The code segments illustrated in the simulator should make clear the
operations at various points in the code. These segments are not derived
from any licensed code. The hardupdate() fragment is called by adjtime()
to update the system clock phase and frequency. This is an
implementation of an adaptive-parameter, first-order, type-II phase-lock
loop. Note that the time constant is in units of powers of two, so that
multiplies can be done by simple shifts. The phase variable is computed
as the offset multiplied by the time constant. Then, the time since the
last update is computed and clamped to a maximum (for robustness) and to
zero if initializing. The offset is multiplied (sorry about the ugly
multiply) by the result and by the square of the time constant and then
added to the frequency variable. Finally, the frequency variable is
clamped not to exceed the tolerance. Note that all shifts are assumed to
be positive and that a shift of a signed quantity to the right requires
a little dance.

With the defines given, the maximum time offset is determined by the
size in bits of the long type (32) less the SHIFT_UPDATE (14) scale
factor or 18 bits (signed). The scale factor is chosen so that there is
no loss of significance in later steps, which may involve a right shift
up to 14 bits. This results in a maximum offset of about +-130 ms. Since
the time_constant must be greater than or equal to zero, the maximum
frequency offset is determined by the SHIFT_KF (24) scale factor, or
about +-130 ppm. In the addition step the value of offset * mtemp is
represented in 18 + 10 = 28 bits, which will not overflow a long add.
There could be a loss of precision due to the right shift of up to eight
bits, since time_constant is bounded at four. This results in a net
worst-case frequency error of about 2^-16 us or well down into the
oscillator phase noise. While the time_offset value is assumed checked
before entry, the time_phase variable is an accumulator, so is clamped
to the tolerance on every call. This helps to damp transients before the
oscillator frequency has been determined, as well as to satisfy the
correctness assertions if the time-synchronization protocol comes
unstuck.

The hardclock() fragment is inserted in the hardware timer interrupt
routine at the point the system clock is to be incremented. The phase
adjustment (time_adj) is added to the clock phase (time_phase) and
tested for overflow of the microsecond. If an overflow occurs, the
microsecond (tick) is incremented or decremented.

The second_overflow() fragment is inserted at the point where the
microseconds field of the system time variable is being checked for
overflow. On rollover of the second the maximum error is increased by
the tolerance. The time offset is divided by the phase weight (SHIFT_KG)
and time constant. The time offset is then reduced by the result and the
result is scaled and becomes the value of the phase adjustment. The
phase adjustment is then corrected for the calculated frequency offset
and a fixed offset FINETUNE which is a property of the architecture. On
rollover of the day the leap-warning indicator is checked and the
apparent time adjusted +-1 s accordingly. The gettimeofday() routine
ensures that the reported time is always monotonically increasing.

The simulator can be used to check the loop operation over the design
range of +-128 ms in time error and +-100 ppm in frequency error. This
confirms that no overflows occur and that the loop initially converges
in about 50-60 minutes for timer interrupt rates from 50 Hz to 1024 Hz.
The loop has a normal overshoot of about seven percent and a final
convergence time of several hours, depending on the initial frequency
error.

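The three fragments described in this section, as an added example in
user-space C; it is not the memo's kern.c and not the modified kernel
code. It assumes 64-bit integers in place of the memo's 32-bit long,
keeps the time constant at SHIFT_TAU (0), and drives the loop with a
constructed scenario (oscillator 50 ppm fast, offset reported every 64
s); run_pll(), sshr(), clock_us and last_freq_ppm are names made up for
the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Defines as given in the memo; HZ = 256 is the Ultrix value. */
#define HZ           256
#define SHIFT_HZ     8
#define SHIFT_KG     10
#define SHIFT_KF     24
#define SHIFT_SCALE  28
#define SHIFT_UPDATE 14
#define FINEUSEC     ((int64_t)1 << SHIFT_SCALE)
#define FINETUNE     (1000000 - (1000000 / HZ) * HZ)
#define MAXPHASE     128000
#define MINSEC       64
#define MAXFREQ      100
#define MAXSEC       1024

/* Assumption: int64_t instead of a 32-bit long; time_constant stays at 0. */
static int64_t time_offset, time_freq, time_phase, time_adj, time_reftime;
static int64_t time_constant;   /* SHIFT_TAU */
static int64_t clock_us;        /* simulated local clock, whole us */
static int pll_started;
double last_freq_ppm;           /* time_freq after the last run, in ppm */

/* Right shift of a signed value, done on the magnitude. */
static int64_t sshr(int64_t v, int n) { return v < 0 ? -((-v) >> n) : v >> n; }

/* New offset measurement (us): load the phase, integrate the frequency. */
static void hardupdate(int64_t offset, int64_t now)
{
    int64_t mtemp, limit = (int64_t)MAXFREQ << SHIFT_KF;

    if (offset > MAXPHASE) offset = MAXPHASE;
    if (offset < -MAXPHASE) offset = -MAXPHASE;
    time_offset = offset * ((int64_t)1 << SHIFT_UPDATE);
    mtemp = pll_started ? now - time_reftime : 0;   /* zero if initializing */
    if (mtemp > MAXSEC) mtemp = MAXSEC;
    time_reftime = now;
    pll_started = 1;
    time_freq += offset * mtemp;    /* time-constant scaling drops out at 0 */
    if (time_freq > limit) time_freq = limit;
    if (time_freq < -limit) time_freq = -limit;
}

/* Timer interrupt: add the tick plus whole us carried out of time_phase. */
static void hardclock(void)
{
    int64_t whole;

    time_phase += time_adj;
    whole = sshr(time_phase, SHIFT_SCALE);
    time_phase -= whole * FINEUSEC;
    clock_us += 1000000 / HZ + whole;
}

/* Once per second: offset, frequency and FINETUNE become a per-tick step. */
static void second_overflow(void)
{
    int64_t ltemp = sshr(time_offset, SHIFT_KG + (int)time_constant);

    time_offset -= ltemp;
    time_adj = ltemp * ((int64_t)1 << (SHIFT_SCALE - SHIFT_HZ - SHIFT_UPDATE));
    time_adj += sshr(time_freq, SHIFT_KF + SHIFT_HZ - SHIFT_SCALE);
    time_adj += (int64_t)FINETUNE << (SHIFT_SCALE - SHIFT_HZ);
}

/*
 * Constructed scenario: the oscillator runs drift_ppm fast; the offset is
 * reported every MINSEC seconds for disciplined_s seconds, then updates stop
 * and the clock coasts for coast_s. Returns reference minus local time (us).
 */
int64_t run_pll(int drift_ppm, long disciplined_s, long coast_s)
{
    int64_t true_us = 0;
    long sec, tick;

    time_offset = time_freq = time_phase = time_adj = time_reftime = 0;
    time_constant = clock_us = pll_started = 0;
    second_overflow();              /* prime time_adj with FINETUNE */
    for (sec = 1; sec <= disciplined_s + coast_s; sec++) {
        for (tick = 0; tick < HZ; tick++)
            hardclock();
        true_us += 1000000 - drift_ppm;
        second_overflow();
        if (sec <= disciplined_s && sec % MINSEC == 0)
            hardupdate(true_us - clock_us, sec);
    }
    last_freq_ppm = (double)time_freq / (double)((int64_t)1 << SHIFT_KF);
    return true_us - clock_us;
}

int main(void)
{
    printf("48 h disciplined: |offset| = %lld us\n", llabs(run_pll(50, 172800, 0)));
    printf("frequency estimate: %.4f ppm\n", last_freq_ppm);
    printf("plus 24 h coasting: %lld us\n", (long long)run_pll(50, 172800, 86400));
    return 0;
}
```
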
3.3. Leap Seconds

The leap-warning condition is determined by the synchronization protocol
(if remotely synchronized), by the timecode receiver (if available), or
by the operator (if awake). The time_status value must be set on the day
the leap event is to occur (30 June or 31 December) and is automatically
reset after the event. If the value is TIME_DEL, the kernel adds one
second to the system time immediately following second 23:59:58 and
resets time_status to TIME_OK. If the value is TIME_INS, the kernel
subtracts one second from the system time immediately following second
23:59:59 and resets time_status to TIME_OOP, in effect causing system
time to repeat second 59. Immediately following the repeated second, the
kernel resets time_status to TIME_OK.

Depending upon the system call implementation, the reported time during
a leap second may repeat (with a return code set to advertise that fact)
or be monotonically adjusted until system time "catches up" to reported
time. With the latter scheme the reported time will be correct before
and after the leap second, but freeze or slowly advance during the leap
second itself. However, most programs will probably use the ctime()
library routine to convert from timeval (seconds, microseconds) format
to tm format (seconds, minutes,...). If this routine is modified to
inspect the return code of the gettimeofday() routine, it could simply
report the leap second as second 60.

To determine local midnight without fuss, the kernel simply finds the
residue of the time.tv_sec value mod 86,400, but this requires a messy
divide. Probably a better way to do this is to initialize an auxiliary
counter in the settimeofday() routine using an ugly divide and increment
the counter at the same time the time.tv_sec is incremented in the timer
interrupt routine. For future embellishment.

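The leap-second handling described in this section, as an added example
rather than code from the modified kernels: the per-second rollover with
the insert and delete cases, plus the second-60 reporting suggested for
ctime(). The ST_* constants, struct sysclock and the function names are
made up for the example, and the day boundary is taken as tv_sec mod
86400. A consumer that orders events by tv_sec alone sees second 59
twice during an insert unless it also checks the status.

```c
#include <stdio.h>

#define SECS_PER_DAY 86400L

/* Status names follow the memo; the numeric values are this example's own. */
enum { ST_OK = 1, ST_INS, ST_DEL, ST_OOP };

struct sysclock {
    long tv_sec;    /* system time, seconds */
    int  status;    /* plays the role of time_status */
};

/* Second rollover, in place of a bare tv_sec++ in the timer interrupt. */
void leap_rollover(struct sysclock *c)
{
    c->tv_sec++;
    switch (c->status) {
    case ST_INS:
        if (c->tv_sec % SECS_PER_DAY == 0) {    /* 23:59:59 has just ended */
            c->tv_sec--;                        /* repeat second 59 */
            c->status = ST_OOP;
        }
        break;
    case ST_OOP:                                /* repeated second has ended */
        c->status = ST_OK;
        break;
    case ST_DEL:
        if (c->tv_sec % SECS_PER_DAY == SECS_PER_DAY - 1) { /* 23:59:58 ended */
            c->tv_sec++;                        /* skip second 59 */
            c->status = ST_OK;
        }
        break;
    default:
        break;
    }
}

/* Seconds field as a status-aware formatter could report it. */
int seconds_field(struct sysclock c)
{
    return c.status == ST_OOP ? 60 : (int)(c.tv_sec % 60);
}

/* Constructed input: start at 23:59:57 of day 0 and apply n rollovers. */
struct sysclock run_rollovers(int armed, int n)
{
    struct sysclock c = { SECS_PER_DAY - 3, armed };

    while (n-- > 0)
        leap_rollover(&c);
    return c;
}

int main(void)
{
    int n;

    for (n = 1; n <= 5; n++) {
        struct sysclock c = run_rollovers(ST_INS, n);
        printf("insert: tv_sec=%ld status=%d seconds=%02d\n",
               c.tv_sec, c.status, seconds_field(c));
    }
    for (n = 1; n <= 3; n++)
        printf("delete: tv_sec=%ld\n", run_rollovers(ST_DEL, n).tv_sec);
    return 0;
}
```
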
4. Proposed Application Program Interface

Most programs read the system clock using the gettimeofday() system
call, which returns the system time and time-zone data. In the modified
5000/240 kernel, the gettimeofday() routine calls the microtime()
routine, which interpolates between hardware timer interrupts to a
precision of +-1 microsecond. However, the synchronization protocol
provides additional information that will be of interest in many
applications. For some applications it is necessary to know the maximum
error of the reported time due to all causes, including those due to the
system clock reading error, oscillator frequency error and accumulated
errors due to intervening time servers on the path to a primary
reference source. However, for those protocols that adjust the system
clock frequency as well as the time offset, the errors expected in
actual use will almost always be much less than the maximum error.
Therefore, it is useful to report the estimated error, as well as the
maximum error.

It does not seem useful to provide additional details private to the
kernel and synchronization protocol, such as stratum, reference
identifier, reference timestamp and so forth. It would in principle be
possible for the application to independently evaluate the quality of
time and project into the future how long this time might be "valid."
However, to do that properly would duplicate the functionality of the
synchronization protocol and require knowledge of many mundane details
of the platform architecture, such as the tick value, reachability
status and related variables. Therefore, the application interface does
not reveal anything except the time, timezone and error data.

With respect to NTP, the data maintained by the protocol include the
roundtrip delay and total dispersion to the source of synchronization.
In terms of the above, the maximum error is computed as half the delay
plus the dispersion, while the estimated error is equal to the
dispersion. These are reported in timeval structures. A new system call
is proposed that includes all the data in the gettimeofday() plus the
two new timeval structures.

The proposed interface involves modifications to the gettimeofday(),
settimeofday() and adjtime() system calls, as well as new system calls
to get and set various system parameters. In order to minimize
confusion, by convention the new system calls are named with an "x"
following the "time"; e.g., adjtime() becomes adjtimex(). The operation
of the modified gettimexofday(), settimexofday() and adjtimex() system
calls is identical to that of their prototypes, except for the error
quantities and certain other side effects, as documented below. By
convention, a NULL pointer can be used in place of any argument, in
which case the argument is ignored.

The synchronization protocol daemon needs to set and adjust the system
clock and certain other kernel variables. It needs to read these
variables for monitoring purposes as well. The present list of these
include a subset of the variables defined previously:

    long time_precision
    long time_timeconstant
    long time_tolerance
    long time_freq
    long time_status

    /*
     * gettimexofday, settimexofday - get/set date and time
     */
    #include <sys/timex.h>

    int gettimexofday(tp, tzp, tmaxp, testp)

    struct timeval *tp;             /* system time */
    struct timezone *tzp;           /* timezone */
    struct timeval *tmaxp;          /* maximum error */
    struct timeval *testp;          /* estimated error */

The settimeofday() syntax is identical. Note that a call to
settimexofday() automatically results in the system being declared
unsynchronized (TIME_BAD return code), since the synchronization
condition can only be achieved by the synchronization daemon using an
internal or external primary reference source and the adjtimex() system
call.

    /*
     * adjtimex - adjust system time
     */
    #include <sys/timex.h>

    int adjtimex(tp, tzp, freq, tc)

    struct timeval *tp;             /* system time */
    struct timezone *tzp;           /* timezone */
    long freq;                      /* frequency adjustment */
    long tc;                        /* time constant */

    /*
     * getloop, setloop - get/set kernel time variables
     */
    #include <sys/timex.h>

    int getloop(code, argp)

    int code;                       /* operation code */
    long *argp;                     /* argument pointer */

The particular kernel variables affected by these routines are selected
by the operation code. Values presently defined in the header file
timex.h are as follows:

    #define TIME_PREC 1     /* precision (log2(sec)) */
    #define TIME_TCON 2     /* time constant (log2(sec)) */
    #define TIME_FREQ 3     /* frequency tolerance */
    #define TIME_FREQ 4     /* frequency offset (scaled) */
    #define TIME_STAT 5     /* status (see return codes) */

The getloop() syntax is identical.

Comments welcome, but very little support is available:

David L. Mills
Electrical Engineering Department
University of Delaware
Newark, DE 19716
302 831 8247 fax 302 831 4316
mills@udel.edu