* apply STACK_GUARD_SIZE, no extra space will be added if
MPU_STACK_GUARD is disabled
* When ARC_STACK_CHECKING is enabled, MPU_STACK_GUARD will be
disabled
* add two new api: arc_core_mpu_default and arc_core_mpu_region
to configure mpu regions
* improve arc_core_mpu_enable and arc_core_mpu_disable
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
* add arc mpu driver
* modify the corresponding kconfig and kbuild
* currently only em_starterkit 2.2's em7d configuration
has mpu feature (mpu version 2)
* as the minimum region size of arc mpu version 2 is 2048 bytes and
region size should be power of 2, the stack size of threads
(including main thread and idle thread) should be at least
2048 bytes and power of 2
* for mpu stack guard feature, a stack guard region of 2048 bytes
is generated. This brings more memory footprint
* For arc mpu version 3, the minimum region size is 32 bytes.
* the codes are tested by the mpu_stack_guard_test and stackprot
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Fix misspellings in .h files missed during code reviews
and affecting generated API documentation
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
An abnormal crash was encountered in ARMv6-M SoCs that don't have flash
starting at 0. With Zephyr OS the reason for this crash is that, on
ARMv6-M the system requires an exception vector table at the 0 address.
We implement the relocate_vector_table function to move the vector table
code to address 0 on systems which don't have the start of code already
at 0.
[kumar.gala: reworderd commit message, tweaked how we check if we need
to copy vector table]
Signed-off-by: Xiaorui Hu <xiaorui.hu@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
The Xtensa port was the only one remaining to be converted to the new
way of connecting interrupts in Zephyr. Some things are still
unconverted, mainly the exception table, and this will be performed
another time.
Of note: _irq_priority_set() isn't called on _ARCH_IRQ_CONNECT(), since
IRQs can't change priority on Xtensa: while the architecture has the
concept of interrupt priority levels, each line has a fixed level and
can't be changed.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This patch adjusts the ARM MPU implementation to be compliant to the
recent changes that introduced the opaque kernel data types.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch always defines the ARCH_THREAD_STACK_XXX macros/functions
regardless of the MPU_STACK_GUARD usage. Only use MPU_STACK_GUARD when
determining the minimum stack alignment.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The mimimum mpu size is 32 bytes, but requires mpu base address to be
aligned on 32 bytes to work. Define architecture thread macro when
MPU_STACK_GUARD config to allocate stack with 32 more bytes.
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
This patch adds the allow flash write CONFIG option to the ARM MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the allow flash write CONFIG option to the NXP MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This is a simpler memory arrangement; RAM will start with
app data, and everything after it is either kernel data or
unclaimed memory reserved for the kernel's use.
New linker variables are also implemented here.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Kernel data size shifts in between linker passes due to the addition
of the page tables. We would like application memory bounds to
remain fixed so that we can program the MMU permissions for it
at build time.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Page faults will additionally dump out some interesting
page directory and page table flags for the faulting
memory address.
Intended to help determine whether the page tables have been
configured incorrectly as we enable memory protection features.
This only happens if CONFIG_EXCEPTION_DEBUG is turned on.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(), this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Subsequent patches will set this guard page as unmapped,
triggering a page fault on access. If this is due to
stack overflow, a double fault will be triggered,
which we are now capable of handling with a switch to
a know good stack.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now create a special IA hardware task for handling
double faults. This has a known good stack so that if
the kernel tries to push stack data onto an unmapped page,
we don't triple-fault and reset the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We will need this for stack memory protection scenarios
where a writable GDT with Task State Segment descriptors
will be used. The addresses of the TSS segments cannot be
put in the GDT via preprocessor magic due to architecture
requirments that the address be split up into different
fields in the segment descriptor.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This has one use-case: configuring the double-fault #DF
exception handler to do an IA task switch to a special
IA task with a known good stack, such that we can dump
diagnostic information and then panic.
Will be used for stack overflow detection in kernel mode,
as otherwise the CPU will triple-fault and reset.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
A user space buffer must be validated before required operation
can proceed. This API will check the current MMU
configuration to determine if the buffer held by the user is valid.
Jira: ZEP-2326
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This needs to be in <arch/cpu.h> so that it can be called
from the k_panic()/k_oops() macros in kernel.h.
Fixes build errors on these arches when using k_panic() or
k_oops().
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Different areas of memory will need to have different access
policies programmed into the MMU. We introduce MMU page alignment
to the following areas:
- The boundaries of the image "ROM" area
- The beginning of RAM representing kernel datas/bss/nonit
- The beginning of RAM representing app datas/bss/noinit
Some old alignment directives that are no longer necessary have
been removed.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch splits out the application data and bss from the
rest of the kernel. Choosing CONFIG_APPLICATION_MEMORY will
result in the application and kernel being split.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Implements CONFIG_APPLICATION_MEMORY for x86. Working in
XIP and non-XIP configurations.
This patch does *not* implement any alignment constraints
imposed by the x86 MMU, such enabling will be done later.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
patch adds necessary files and does the modification to the existing
files to add device support for x86 based intel quark microcontroller
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
This is unmaintained and currently has no known users. It was
added to support a Wind River project. If in the future we need it
again, we should re-introduce it with an exception-based mechanism
for catching out-of-bounds memory queries from the debugger.
The mem_safe subsystem is also removed, it is only used by the
GDB server. If its functionality is needed in the future, it
shoudl be replaced with an exception-based mechanism.
The _image_{ram, rom, text}_{start, end} linker variables have
been left in place, they will be re-purposed and expanded to
support memory protection.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The porting of the TI CC2650 SoC introduces the need to
write a specific configuration area (CCFG) at the end of the
flash. It is read by the bootloader ROM of the SoC.
For now, this is a quick hack and not a generic solution;
similar needs may arise with other hardware.
Signed-off-by: Geoffrey Le Gourriérec <geoffrey.legourrierec@smile.fr>
Clearing fields in the region descriptor attributes doesn't always have
the expected effect of revoking permissions. In the case of bus master
supervisor mode fields (MxSM), setting to zero actually enables read,
write, and execute access.
When we reworked handling of region descriptor 0, we inadvertently
enabled execution from RAM by clearing the MxSM fields and enabling the
descriptor. This caused samples/mpu_test run to throw a usage fault
instead of an MPU-triggered bus fault.
Fix this by setting all the MxSM fields to 2'b11, which gives supervisor
mode the same access as user mode.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
We need to make sure that __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS
are set to the same value. Add a simple build time check to ensure
this is the case. This is to catch future cases of issues like
ZEP-2243. This is a stop gap til we resolve ZEP-2262, which covers use
of both __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Macro is used to create a structure to specify the boot time
page table configuration. Needed by the gen_mmu.py script to generate
the actual page tables.
Linker script is needed for the following:
1. To place the MMU page tables at 4KByte boundary.
2. To keep the configuration structure created by
the Macro(mentioned above).
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Fixes an issue where if a thread calls k_panic() or k_oops()
with interrupts locked, control would return to the thread
and it would only be aborted after interrupts were unlocked
again.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The REGION bits (bit[3:0]) of MPU_RBAR register can specify the number
of the region to update if the VALID bit (bit[4]) is also set.
If the bit[3:0] of "region_addr" are not zero, might cause to update
unexpected region. This could happen since we might not declare stack
memory with specific alignment.
This patch will mask the bit[4:0] of "region_addr" to prevent updating
unexpected region.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Inserting the IDT results in any data afterwards being shifted.
We want the memory addresses between the zephyr_prebuilt.elf
and zephyr.elf to be as close as possible. Insert some dummy
data in the linker script the same size as the gen_idt data
structures. Needed for forthcoming patches which generate MMU
page tables at build time.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Calling 'svc' on ARMv6 causes a hard fault if interrups are locked.
Force them unlocked before making the svc call.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Ethernet on K64F is connected via Logical Bus Master 3.
Section 19.3.8 of K64F reference manual establishes bits 20-18
(M3UM) on page 427 as "Bus Master 3 User Mode Access Control".
To fix RWX user mode access via Bus Master 3 when MPU is enabled,
we need to add these bits to the MPU region descriptors.
This fixes ETH0 on K64F when MPU is enabled.
Fix recommended by Maureen Helm <maureen.helm@nxp.com>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Let's clarify what bits are being set by removing magic numbers in the
MPU READ/WRITE/EXECUTE User Mode and Supervisor Mode defines.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
This patch add arm core MPU support to NXP MPU driver.
With this feature it is now possible to enable stack guarding on NXP
MPUs.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Here are the main changes:
* board: Update EMSK onboard resources such as Button, Switch and LEDs
+ update soc.h for em7d, em9d, em11d
+ update board.h for em_starterkit board
* arc: Add floating point support and code density support
+ add kconfig configuration
+ add compiler options
+ add register definitions, marcos, assembly codes
+ fixes in existing codes and configurations.
* arc: Update detailed board configurations for cores of emsk 2.3
* script: Provide arc_debugger.sh for debugging em_starterkit board
+ make BOARD=em_starterkit debug
This will start openocd server for emsk, and arc gdb will connect
to this debug server, user can run `continue` command if user just
want to run the application, or other commands if debugging needed.
+ make BOARD=em_starterkit debugserver
This will start an openocd debugger server for emsk, and user can
connect to this debugserver using arc gdb and do what they want to.
+ make BOARD=em_starterkit flash
This will download the zephyr application elf file to emsk,
and run it.
Signed-off-by: Huaqi Fang <huaqi.fang@synopsys.com>
This patch add arm core MPU support to ARM MPU driver.
Change-Id: I5a61da4615ae687bf42f1c9947e291ebfd2d2c1d
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds the arm core MPU interface, a common way to access the
pu functionalities by the arm zephyr kernel.
The interface can be divided in two parts:
- a core part that will be implemented by the arm_core_mpu driver and
used directly by the kernel
- a driver part that will be implemented by the mpu drivers and used by
the arm_core_mpu driver
Change-Id: I590bd284abc40d98b06fdf1efb5800903313aa00
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds initial MPU support to NXP K6x family.
The boot configuration prevents the following security issues:
* Prevent to read at an address that is reserved in the memory map.
* Prevent to write into the boot Flash/ROM.
* Prevent from running code located in SRAM.
This driver has been tested on FRDM-K64F.
Change-Id: I907168fff0c6028f1c665f1d3c224cbeec31be32
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
For various reasons its often necessary to generate certain
complex data structures at build-time by separate tools outside
of the C compiler. Data is populated to these tools by way of
special binary sections not intended to be included in the final
binary. We currently do this to generate interrupt tables, forthcoming
work will also use this to generate MMU page tables.
The way we have been doing this is to generatea "kernel_prebuilt.elf",
extract the metadata sections with objcopy, run the tool, and then
re-link the kernel with the extra data *and* use objcopy to pull
out the unwanted sections.
This doesn't scale well if multiple post-build steps are needed.
Now this is much simpler; in any Makefile, a special
GENERATED_KERNEL_OBJECT_FILES variable may be appended to containing
the filenames to the generated object files, which will be generated
by Make in the usual fashion.
Instead of using objcopy to pull out, we now create a linker-pass2.cmd
which additionally defines LINKER_PASS2. The source linker script
can #ifdef around this to use the special /DISCARD/ section target
to not include metadata sections in the final binary.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
These are macros that are expected to be defined at all times by
the compiler. We need them at the very beginning of kernel.h for
the k_thread definition, before it's possible to include arch.h.
Make a special toolchain header for XCC compiler and place these
defines in there. Otherwise inherit all the other GCC defines.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
