Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This header needs Zephyr's specific type definitions. It also
needs struct k_mem_partition and struct k_mem_domain, but they
are defined opaquely here instead of pulling in kernel.h (which
would create nasty dependency loops)
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Some SOCs (e.g. STM32F0) can map the flash to address 0 and
the flash base address at the same time. Prevent writing to
duplicate flash address which stops the SOC.
Allow Cortex M SOCs to create their own vector table relocation
function.
Provide a relocation function for STM32F0x SOCs.
Fixes#3923
Signed-off-by: Bobby Noelte <b0661n0e17e@gmail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
We need to track permission on stack memory regions like we do
with other kernel objects. We want stacks to live in a memory
area that is outside the scope of memory domain permission
management. We need to be able track what stacks are in use,
and what stacks may be used by user threads trying to call
k_thread_create().
Some special handling is needed because thread stacks appear as
variously-sized arrays of struct _k_thread_stack_element which is
just a char. We need the entire array to be considered an object,
but also properly handle arrays of stacks.
Validation of stacks also requires that the bounds of the stack
are not exceeded. Various approaches were considered. Storing
the size in some header region of the stack itself would not allow
the stack to live in 'noinit'. Having a stack object be a data
structure that points to the stack buffer would confound our
current APIs for declaring stacks as arrays or struct members.
In the end, the struct _k_object was extended to store this size.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
This wasn't working properly with CONFIG_APPLICATION_MEMORY enabled as
the sections weren't handled in the linker script.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The byte ones are required for ns16550 uart driver which is
present on some arm socs. Add half-word ones for completeness.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This was felt to be necessary at one point but actually isn't.
- When a thread is initialized to use a particular stack, calls will be
made to the MMU/MPU to restrict access to that stack to only that
thread. Once a stack is in use, it will not be generally readable even
if the buffer exists in application memory space.
- If a user thread wants to create a thread, we will need to have some
way to ensure that whatever stack buffer passed in is unused and
appropriate. Since unused stacks in application memory will be generally
accessible, we can just check that the calling thread to
k_thread_create() has access to the stack buffer passed in, it won't if
the stack is in use.
On ARM we had a linker definition for .stacks, but currently stacks are
just tagged with __noinit (which is fine).
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously, this was only done if an essential thread self-exited,
and was a runtime check that generated a kernel panic.
Now if any thread has k_thread_abort() called on it, and that thread
is essential to the system operation, this check is made. It is now
an assertion.
_NANO_ERR_INVALID_TASK_EXIT checks and printouts removed since this
is now an assertion.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
All system calls made from userspace which involve pointers to kernel
objects (including device drivers) will need to have those pointers
validated; userspace should never be able to crash the kernel by passing
it garbage.
The actual validation with _k_object_validate() will be in the system
call receiver code, which doesn't exist yet.
- CONFIG_USERSPACE introduced. We are somewhat far away from having an
end-to-end implementation, but at least need a Kconfig symbol to
guard the incoming code with. Formal documentation doesn't exist yet
either, but will appear later down the road once the implementation is
mostly finalized.
- In the memory region for RAM, the data section has been moved last,
past bss and noinit. This ensures that inserting generated tables
with addresses of kernel objects does not change the addresses of
those objects (which would make the table invalid)
- The DWARF debug information in the generated ELF binary is parsed to
fetch the locations of all kernel objects and pass this to gperf to
create a perfect hash table of their memory addresses.
- The generated gperf code doesn't know that we are exclusively working
with memory addresses and uses memory inefficently. A post-processing
script process_gperf.py adjusts the generated code before it is
compiled to work with pointer values directly and not strings
containing them.
- _k_object_init() calls inserted into the init functions for the set of
kernel object types we are going to support so far
Issue: ZEP-2187
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch fixes a couple of issues with the stack guard size and
properly constructs the STACK_ALIGN and STACK_ALIGN_SIZE definitions.
The ARM AAPCS requires that the stack pointers be 8 byte aligned. The
STACK_ALIGN_SIZE definition is meant to contain the stack pointer
alignment requirements. This is the required alignment at public API
boundaries (ie stack frames).
The STACK_ALIGN definition is the required alignment for the start
address for stack buffer storage. STACK_ALIGN is used to validate
the allocation sizes for stack buffers.
The MPU_GUARD_ALIGN_AND_SIZE definition is the minimum alignment and
size for the MPU. The minimum size and alignment just so happen to be
32 bytes for vanilla ARM MPU implementations.
When defining stack buffers, the stack guard alignment requirements
must be taken into consideration when allocating the stack memory.
The __align() must be filled in with either STACK_ALIGN_SIZE or the
align/size of the MPU stack guard. The align/size for the guard region
will be 0 when CONFIG_MPU_STACK_GUARD is not set, and 32 bytes when it
is.
The _ARCH_THREAD_STACK_XXXXXX APIs need to know the minimum alignment
requirements for the stack buffer memory and the stack guard size to
correctly allocate and reference the stack memory. This is reflected
in the macros with the use of the STACK_ALIGN definition and the
MPU_GUARD_ALIGN_AND_SIZE definition.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
An abnormal crash was encountered in ARMv6-M SoCs that don't have flash
starting at 0. With Zephyr OS the reason for this crash is that, on
ARMv6-M the system requires an exception vector table at the 0 address.
We implement the relocate_vector_table function to move the vector table
code to address 0 on systems which don't have the start of code already
at 0.
[kumar.gala: reworderd commit message, tweaked how we check if we need
to copy vector table]
Signed-off-by: Xiaorui Hu <xiaorui.hu@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This patch adjusts the ARM MPU implementation to be compliant to the
recent changes that introduced the opaque kernel data types.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch always defines the ARCH_THREAD_STACK_XXX macros/functions
regardless of the MPU_STACK_GUARD usage. Only use MPU_STACK_GUARD when
determining the minimum stack alignment.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The mimimum mpu size is 32 bytes, but requires mpu base address to be
aligned on 32 bytes to work. Define architecture thread macro when
MPU_STACK_GUARD config to allocate stack with 32 more bytes.
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
This patch adds the allow flash write CONFIG option to the ARM MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the allow flash write CONFIG option to the NXP MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This is a simpler memory arrangement; RAM will start with
app data, and everything after it is either kernel data or
unclaimed memory reserved for the kernel's use.
New linker variables are also implemented here.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch splits out the application data and bss from the
rest of the kernel. Choosing CONFIG_APPLICATION_MEMORY will
result in the application and kernel being split.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This is unmaintained and currently has no known users. It was
added to support a Wind River project. If in the future we need it
again, we should re-introduce it with an exception-based mechanism
for catching out-of-bounds memory queries from the debugger.
The mem_safe subsystem is also removed, it is only used by the
GDB server. If its functionality is needed in the future, it
shoudl be replaced with an exception-based mechanism.
The _image_{ram, rom, text}_{start, end} linker variables have
been left in place, they will be re-purposed and expanded to
support memory protection.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The porting of the TI CC2650 SoC introduces the need to
write a specific configuration area (CCFG) at the end of the
flash. It is read by the bootloader ROM of the SoC.
For now, this is a quick hack and not a generic solution;
similar needs may arise with other hardware.
Signed-off-by: Geoffrey Le Gourriérec <geoffrey.legourrierec@smile.fr>
Clearing fields in the region descriptor attributes doesn't always have
the expected effect of revoking permissions. In the case of bus master
supervisor mode fields (MxSM), setting to zero actually enables read,
write, and execute access.
When we reworked handling of region descriptor 0, we inadvertently
enabled execution from RAM by clearing the MxSM fields and enabling the
descriptor. This caused samples/mpu_test run to throw a usage fault
instead of an MPU-triggered bus fault.
Fix this by setting all the MxSM fields to 2'b11, which gives supervisor
mode the same access as user mode.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
We need to make sure that __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS
are set to the same value. Add a simple build time check to ensure
this is the case. This is to catch future cases of issues like
ZEP-2243. This is a stop gap til we resolve ZEP-2262, which covers use
of both __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Fixes an issue where if a thread calls k_panic() or k_oops()
with interrupts locked, control would return to the thread
and it would only be aborted after interrupts were unlocked
again.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The REGION bits (bit[3:0]) of MPU_RBAR register can specify the number
of the region to update if the VALID bit (bit[4]) is also set.
If the bit[3:0] of "region_addr" are not zero, might cause to update
unexpected region. This could happen since we might not declare stack
memory with specific alignment.
This patch will mask the bit[4:0] of "region_addr" to prevent updating
unexpected region.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Calling 'svc' on ARMv6 causes a hard fault if interrups are locked.
Force them unlocked before making the svc call.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Ethernet on K64F is connected via Logical Bus Master 3.
Section 19.3.8 of K64F reference manual establishes bits 20-18
(M3UM) on page 427 as "Bus Master 3 User Mode Access Control".
To fix RWX user mode access via Bus Master 3 when MPU is enabled,
we need to add these bits to the MPU region descriptors.
This fixes ETH0 on K64F when MPU is enabled.
Fix recommended by Maureen Helm <maureen.helm@nxp.com>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Let's clarify what bits are being set by removing magic numbers in the
MPU READ/WRITE/EXECUTE User Mode and Supervisor Mode defines.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
This patch add arm core MPU support to NXP MPU driver.
With this feature it is now possible to enable stack guarding on NXP
MPUs.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch add arm core MPU support to ARM MPU driver.
Change-Id: I5a61da4615ae687bf42f1c9947e291ebfd2d2c1d
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds the arm core MPU interface, a common way to access the
pu functionalities by the arm zephyr kernel.
The interface can be divided in two parts:
- a core part that will be implemented by the arm_core_mpu driver and
used directly by the kernel
- a driver part that will be implemented by the mpu drivers and used by
the arm_core_mpu driver
Change-Id: I590bd284abc40d98b06fdf1efb5800903313aa00
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds initial MPU support to NXP K6x family.
The boot configuration prevents the following security issues:
* Prevent to read at an address that is reserved in the memory map.
* Prevent to write into the boot Flash/ROM.
* Prevent from running code located in SRAM.
This driver has been tested on FRDM-K64F.
Change-Id: I907168fff0c6028f1c665f1d3c224cbeec31be32
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
We don't use __scs or __scp anymore so we can remove the related linker
script and various defines and such associated with them.
Change-Id: Ibbbe27c23a3f2b816b992dfdeb4f80cf798e0d40
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
CC3220SF_LAUNCHXL effectively replaces the CC3200_LAUNCHXL,
with support for the CC3220SF SoC, which is an update for
the CC3200 SoC.
This is supported by the Texas Instruments CC3220 SDK.
Jira: ZEP-1958
Change-Id: I2484d3ee87b7f909c783597d95128f2b45db36f2
Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
This patch add the Memory Protection Unit parameter to the arm core
configuration.
Change-Id: Ifee8cdd5738391a6f182e8d0382d27eeb8c546ba
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Marc Moreno <marc.morenoberengue@linaro.org>
Put the reason code in r0 and make a SVC #2 call, which will be
propagated to _fatal_error_handler as an exception.
The _is_in_isr() implementation had to be tweaked a bit. User-generated
SVC exception no longer just used for irq_offload(); just because we are
in it does not mean we are in interrupt context. Instead, have the
irq_offload code set and clear the offload_routine global; it will be
non-NULL only if it's in use. Upcoming changes to support memory
protection (which will require system calls) will need this too.
We free up some small amount of ROM deleting _default_esf struct as it's
no longer needed.
Issue: ZEP-843
Change-Id: Ie82bd708575934cffe41e64f5c128c8704ca4e48
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Unlike assertions, these APIs are active at all times. The kernel will
treat these errors in the same way as fatal CPU exceptions. Ultimately,
the policy of what to do with these errors is implemented in
_SysFatalErrorHandler.
If the archtecture supports it, a real CPU exception can be triggered
which will provide a complete register dump and PC value when the
problem occurs. This will provide more helpful information than a fake
exception stack frame (_default_esf) passed to the arch-specific exception
handling code.
Issue: ZEP-843
Change-Id: I8f136905c05bb84772e1c5ed53b8e920d24eb6fd
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
For exceptions where we are just going to abort the current thread, we
need to exit handler mode properly so that PendSV can run and perform a
context switch. For ARM architecture this means that the fatal error
handling code path can indeed return if we were 1) in handler mode and
2) only wish to abort the current thread.
Fixes a very long-standing bug where a thread that generates an
exception, and should only abort the thread, instead takes down the
entire system.
Issue: ZEP-2052
Change-Id: Ib356a34a6fda2e0f8aff39c4b3270efceb81e54d
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Convert code to use u{8,16,32,64}_t and s{8,16,32,64}_t instead of C99
integer types. This handles the remaining includes and kernel, plus
touching up various points that we skipped because of include
dependancies. We also convert the PRI printf formatters in the arch
code over to normal formatters.
Jira: ZEP-2051
Change-Id: Iecbb12601a3ee4ea936fd7ddea37788a645b08b0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This is a start to move away from the C99 {u}int{8,16,32,64}_t types to
Zephyr defined u{8,16,32,64}_t and s{8,16,32,64}_t. This allows Zephyr
to define the sized types in a consistent manor across all the
architectures we support and not conflict with what various compilers
and libc might do with regards to the C99 types.
We introduce <zephyr/types.h> as part of this and have it include
<stdint.h> for now until we transition all the code away from the C99
types.
We go with u{8,16,32,64}_t and s{8,16,32,64}_t as there are some
existing variables defined u8 & u16 as well as to be consistent with
Zephyr naming conventions.
Jira: ZEP-2051
Change-Id: I451fed0623b029d65866622e478225dfab2c0ca8
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Scanning for typos in comments and strings.
Change-Id: I3d4db89e0824959252c79c19baa50028354247bd
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
The CONFIG_FLASH_LOAD_OFFSET allows the zephyr image to be placed at
an offset from the start of flash. This is useful for situations,
such as with a bootloader, to allow the image to not occupy the very
beginning of flash.
Complement this by adding a CONFIG_FLASH_LOAD_SIZE config, that can
constrain the size of the flash image. With the default of zero, the
behavior is as before, with the image allowed to occupy the rest of
the flash. It can also be defined to a non-zero value which will
constrain the image to occupy that many bytes of flash.
Although this is defined generally, it is currently only supported on
cortex-m targets.
Change-Id: I6e4a0e79c8459f931cd4757c932d20dac740f5f6
Signed-off-by: David Brown <david.brown@linaro.org>
Currently, ARM Cortex-M image ROMs are linked starting at the flash
device's base address (CONFIG_FLASH_BASE_ADDRESS). This prevents XIP
Zephyr applications from being linked to run from elsewhere on the
flash device. Linking Zephyr applications to run from elsewhere can be
necessary when running under a bootloader (i.e., booting into a Zephyr
application from a bootloader, not using Zephyr as a bootloader).
To enable this use case, add a new config option: FLASH_LOAD_OFFSET.
This option directs the linker to treat ROM as if it started that many
bytes from the base of flash on Cortex-M targets. The option defaults
to zero to preserve backwards compatibility.
Change-Id: I64f82aee257c19c2451f9789b0ab56999775b761
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Some arches may want to define this as an inline function, or
define in core arch code instead of timer driver code.
Unfortunately, this means we need to remove from the footprint
tests, but this is not typically a large function.
Issue: ZEP-1546
Change-Id: Ic0d7a33507da855995838f4703d872cd613a2ca2
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
