Use of pipes is now configurable. All tests that use pipes must enable
that feature. (Note: no sample projects currently use pipes.)
Signed-off-by: Peter Mitsis <peter.mitsis@intel.com>
Assignments have no effect on promptless symbols. Flagged by
https://github.com/zephyrproject-rtos/zephyr/pull/20742.
This symbol should already be getting enabled if CONFIG_USERSPACE is
enabled, because CONFIG_ERRNO is default y and has
select THREAD_USERSPACE_LOCAL_DATA if USERSPACE
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Stack canaries require that the z_libc_partition be added to
the memory domain, otherwise user thread access to the
stack canary value will result in an MPU/MMU fault.
These tests define their own domains to test specific userspace
features. Adding another partition to them would be invasive,
would potentially break some platforms with a limited number
of MPU regions, and these tests are not designed to validate
stack canaries anyway, we have other tests for that.
Fixes: #17595
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Unlike CONFIG_HW_STACK_PROTECTION, which greatly helps
expose stack overflows in test code, activating
userspace without putting threads in user mode is of
very limited value.
Now CONFIG_TEST_USERSPACE is off by default. Any test
which puts threads in user mode will need to set
CONFIG_TEST_USERSPACE.
This should greatly increase sanitycheck build times
as there is non-trivial build time overhead to
enabling this feature. This also allows some tests
which failed the build on RAM-constrained platforms
to compile properly.
tests/drivers/build_all is a special case; it doesn't
put threads in user mode, but we want to ensure all
the syscall handlers compile properly.
Fixes: #15103 (and probably others)
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The stack information stored in the thread->stack_info
fields need to represent the actual writable area for
its associated thread. Perform various tests to ensure
that the various reported and specified values are in
agreement.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
CONFIG_APPLICATION_MEMORY was a stopgap feature that is
being removed from the kernel. Convert tests and samples
to use the application shared memory feature instead,
in most cases using the domain set up by ztest.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We want CONFIG_APPLICATION_MEMORY specifically disabled
for this test, but it was being transitively selected by
CONFIG_TEST_USERSPACE which defaults to on for CONFIG_TEST.
Turn it off so that disabling application memory in the
config actually has an effect.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Summary: revised attempt at addressing issue 6290. The
following provides an alternative to using
CONFIG_APPLICATION_MEMORY by compartmentalizing data into
Memory Domains. Dependent on MPU limitations, supports
compartmentalized Memory Domains for 1...N logical
applications. This is considered an initial attempt at
designing flexible compartmentalized Memory Domains for
multiple logical applications and, with the provided python
script and edited CMakeLists.txt, provides support for power
of 2 aligned MPU architectures.
Overview: The current patch uses qualifiers to group data into
subsections. The qualifier usage allows for dynamic subsection
creation and affords the developer a large amount of flexibility
in the grouping, naming, and size of the resulting partitions and
domains that are built on these subsections. By additional macro
calls, functions are created that help calculate the size,
address, and permissions for the subsections and enable the
developer to control application data in specified partitions and
memory domains.
Background: Initial attempts focused on creating a single
section in the linker script that then contained internally
grouped variables/data to allow MPU/MMU alignment and protection.
This did not provide additional functionality beyond
CONFIG_APPLICATION_MEMORY as we were unable to reliably group
data or determine their grouping via exported linker symbols.
Thus, the resulting decision was made to dynamically create
subsections using the current qualifier method. An attempt to
group the data by object file was tested, but found that this
broke applications such as ztest where two object files are
created: ztest and main. This also creates an issue of grouping
the two object files together in the same memory domain while
also allowing for compartmenting other data among threads.
Because it is not possible to know a) the name of the partition
and thus the symbol in the linker, b) the size of all the data
in the subsection, nor c) the overall number of partitions
created by the developer, it was not feasible to align the
subsections at compile time without using dynamically generated
linker script for MPU architectures requiring power of 2
alignment.
In order to provide support for MPU architectures that require a
power of 2 alignment, a python script is run at build prior to
when linker_priv_stacks.cmd is generated. This script scans the
built object files for all possible partitions and the names given
to them. It then generates a linker file (app_smem.ld) that is
included in the main linker.ld file. This app_smem.ld allows the
compiler and linker to then create each subsection and align to
the next power of 2.
Usage:
- Requires: app_memory/app_memdomain.h .
- _app_dmem(id) marks a variable to be placed into a data
section for memory partition id.
- _app_bmem(id) marks a variable to be placed into a bss
section for memory partition id.
- These are seen in the linker.map as "data_smem_id" and
"data_smem_idb".
- To create a k_mem_partition, call the macro
app_mem_partition(part0) where "part0" is the name then used to
refer to that partition. This macro only creates a function and
necessary data structures for the later "initialization".
- To create a memory domain for the partition, the macro
app_mem_domain(dom0) is called where "dom0" is the name then
used for the memory domain.
- To initialize the partition (effectively adding the partition
to a linked list), init_part_part0() is called. This is followed
by init_app_memory(), which walks all partitions in the linked
list and calculates the sizes for each partition.
- Once the partition is initialized, the domain can be
initialized with init_domain_dom0(part0) which initializes the
domain with partition part0.
- After the domain has been initialized, the current thread
can be added using add_thread_dom0(k_current_get()).
- The code used in ztests ans kernel/init has been added under
a conditional #ifdef to isolate the code from other tests.
The userspace test CMakeLists.txt file has commands to insert
the CONFIG_APP_SHARED_MEM definition into the required build
targets.
Example:
/* create partition at top of file outside functions */
app_mem_partition(part0);
/* create domain */
app_mem_domain(dom0);
_app_dmem(dom0) int var1;
_app_bmem(dom0) static volatile int var2;
int main()
{
init_part_part0();
init_app_memory();
init_domain_dom0(part0);
add_thread_dom0(k_current_get());
...
}
- If multiple partitions are being created, a variadic
preprocessor macro can be used as provided in
app_macro_support.h:
FOR_EACH(app_mem_partition, part0, part1, part2);
or, for multiple domains, similarly:
FOR_EACH(app_mem_domain, dom0, dom1);
Similarly, the init_part_* can also be used in the macro:
FOR_EACH(init_part, part0, part1, part2);
Testing:
- This has been successfully tested on qemu_x86 and the
ARM frdm_k64f board. It compiles and builds power of 2
aligned subsections for the linker script on the 96b_carbon
boards. These power of 2 alignments have been checked by
hand and are viewable in the zephyr.map file that is
produced during build. However, due to a shortage of
available MPU regions on the 96b_carbon board, we are unable
to test this.
- When run on the 96b_carbon board, the test suite will
enter execution, but each individaul test will fail due to
an MPU FAULT. This is expected as the required number of
MPU regions exceeds the number allowed due to the static
allocation. As the MPU driver does not detect this issue,
the fault occurs because the data being accessed has been
placed outside the active MPU region.
- This now compiles successfully for the ARC boards
em_starterkit_em7d and em_starterkit_em7d_v22. However,
as we lack ARC hardware to run this build on, we are unable
to test this build.
Current known issues:
1) While the script and edited CMakeLists.txt creates the
ability to align to the next power of 2, this does not
address the shortage of available MPU regions on certain
devices (e.g. 96b_carbon). In testing the APB and PPB
regions were commented out.
2) checkpatch.pl lists several issues regarding the
following:
a) Complex macros. The FOR_EACH macros as defined in
app_macro_support.h are listed as complex macros needing
parentheses. Adding parentheses breaks their
functionality, and we have otherwise been unable to
resolve the reported error.
b) __aligned() preferred. The _app_dmem_pad() and
_app_bmem_pad() macros give warnings that __aligned()
is preferred. Prior iterations had this implementation,
which resulted in errors due to "complex macros".
c) Trailing semicolon. The macro init_part(name) has
a trailing semicolon as the semicolon is needed for the
inlined macro call that is generated when this macro
expands.
Update: updated to alternative CONFIG_APPLCATION_MEMORY.
Added config option CONFIG_APP_SHARED_MEM to enable a new section
app_smem to contain the shared memory component. This commit
seperates the Kconfig definition from the definition used for the
conditional code. The change is in response to changes in the
way the build system treats definitions. The python script used
to generate a linker script for app_smem was also midified to
simplify the alignment directives. A default linker script
app_smem.ld was added to remove the conditional includes dependency
on CONFIG_APP_SHARED_MEM. By addining the default linker script
the prebuild stages link properly prior to the python script running
Signed-off-by: Joshua Domagalski <jedomag@tycho.nsa.gov>
Signed-off-by: Shawn Mosley <smmosle@tycho.nsa.gov>
This is still work-in-progress, but putting it up in case it is
helpful to people working in this area and for early comments.
Add a set of tests to validate the expected security properties
of threads created with K_USER when CONFIG_USERSPACE=y. This can
be used as a regression test for architectures that already implement
this support and as a validation test for others.
I considered incorporating these tests into the existing protection
test, but decided against it since protection does not enable or rely
upon CONFIG_USERSPACE for its existing tests and passes on everything
that provides MPU or MMU support, even without full userspace support.
I also considered incorporating these tests into the existing
obj_validation test, but decided against it since obj_validation only
tests the object validation/permission logic, does not run any user
mode threads (or strictly depend on that support), and passes
on both x86 and arm today, unlike these tests. That said, I have no
strong objections if it would be preferable to fold these into it
(and perhaps rename it to be more general).
The current tests implemented in this test program verify the following
for a thread created with K_USER:
is_usermode: is running in usermode
priv_insn: cannot invoke privileged insns directly
write_control: cannot write to control registers
disable_mmu_mpu: cannot disable memory protections (MMU/MPU)
read_kernram: cannot read from kernel RAM
write_kernram: cannot write to kernel RAM
write_kernro: cannot write to kernel rodata
write_kerntext: cannot write to kernel text
read_kernel_data: cannot read __kernel-marked data
write_kernel_data: cannot write __kernel-marked data
read_kernel_stack: cannot read the kernel/privileged stack
write_kernel_stack: cannot write the kernel/privileged stack
pass_user_object: cannot pass a non-kernel object to a syscall
pass_noperms_object: cannot pass an object to a syscall without a grant
start_kernel_thread: cannot start a kernel (non-user) thread
Some of the tests overlap and could possibly be dropped, but it
seems harmless to retain them. The particular targets of read/write
tests are arbitrary other than meeting the test criteria and can be
changed (e.g. in data, rodata, or text) if desired to avoid coupling
to kernel implementation details that may change in the future.
On qemu_x86, all of the tests pass. And, if you replace all
occurrences of ztest_user_unit_test() with ztest_unit_test(), then
all of the tests fail (i.e. when the tests are run in kernel mode,
they all fail as expected). On frdm_k64f presently (w/o the arm
userspace patches), all of the tests fail except for write_kernro and
write_kerntext, as expected.
ToDo:
- Verify that a user thread cannot access data in another memory domain.
- Verify that a user thread cannot access another thread's stack.
- Verify that a user thread cannot access another thread's kobject.
- Verify that k_thread_user_mode_enter() transitions correctly.
- Verify that k_object_access_revoke() is enforced.
- Verify that syscalls return to user mode upon completion.
- Verify that a user thread cannot abuse other svc calls (ARM-specific).
- Other suggested properties we should be testing?
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
