Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This header needs Zephyr's specific type definitions. It also
needs struct k_mem_partition and struct k_mem_domain, but they
are defined opaquely here instead of pulling in kernel.h (which
would create nasty dependency loops)
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Some SOCs (e.g. STM32F0) can map the flash to address 0 and
the flash base address at the same time. Prevent writing to
duplicate flash address which stops the SOC.
Allow Cortex M SOCs to create their own vector table relocation
function.
Provide a relocation function for STM32F0x SOCs.
Fixes#3923
Signed-off-by: Bobby Noelte <b0661n0e17e@gmail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
This wasn't working properly with CONFIG_APPLICATION_MEMORY enabled as
the sections weren't handled in the linker script.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The byte ones are required for ns16550 uart driver which is
present on some arm socs. Add half-word ones for completeness.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This was felt to be necessary at one point but actually isn't.
- When a thread is initialized to use a particular stack, calls will be
made to the MMU/MPU to restrict access to that stack to only that
thread. Once a stack is in use, it will not be generally readable even
if the buffer exists in application memory space.
- If a user thread wants to create a thread, we will need to have some
way to ensure that whatever stack buffer passed in is unused and
appropriate. Since unused stacks in application memory will be generally
accessible, we can just check that the calling thread to
k_thread_create() has access to the stack buffer passed in, it won't if
the stack is in use.
On ARM we had a linker definition for .stacks, but currently stacks are
just tagged with __noinit (which is fine).
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously, this was only done if an essential thread self-exited,
and was a runtime check that generated a kernel panic.
Now if any thread has k_thread_abort() called on it, and that thread
is essential to the system operation, this check is made. It is now
an assertion.
_NANO_ERR_INVALID_TASK_EXIT checks and printouts removed since this
is now an assertion.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
All system calls made from userspace which involve pointers to kernel
objects (including device drivers) will need to have those pointers
validated; userspace should never be able to crash the kernel by passing
it garbage.
The actual validation with _k_object_validate() will be in the system
call receiver code, which doesn't exist yet.
- CONFIG_USERSPACE introduced. We are somewhat far away from having an
end-to-end implementation, but at least need a Kconfig symbol to
guard the incoming code with. Formal documentation doesn't exist yet
either, but will appear later down the road once the implementation is
mostly finalized.
- In the memory region for RAM, the data section has been moved last,
past bss and noinit. This ensures that inserting generated tables
with addresses of kernel objects does not change the addresses of
those objects (which would make the table invalid)
- The DWARF debug information in the generated ELF binary is parsed to
fetch the locations of all kernel objects and pass this to gperf to
create a perfect hash table of their memory addresses.
- The generated gperf code doesn't know that we are exclusively working
with memory addresses and uses memory inefficently. A post-processing
script process_gperf.py adjusts the generated code before it is
compiled to work with pointer values directly and not strings
containing them.
- _k_object_init() calls inserted into the init functions for the set of
kernel object types we are going to support so far
Issue: ZEP-2187
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
An abnormal crash was encountered in ARMv6-M SoCs that don't have flash
starting at 0. With Zephyr OS the reason for this crash is that, on
ARMv6-M the system requires an exception vector table at the 0 address.
We implement the relocate_vector_table function to move the vector table
code to address 0 on systems which don't have the start of code already
at 0.
[kumar.gala: reworderd commit message, tweaked how we check if we need
to copy vector table]
Signed-off-by: Xiaorui Hu <xiaorui.hu@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This patch adds the allow flash write CONFIG option to the ARM MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the allow flash write CONFIG option to the NXP MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This is a simpler memory arrangement; RAM will start with
app data, and everything after it is either kernel data or
unclaimed memory reserved for the kernel's use.
New linker variables are also implemented here.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch splits out the application data and bss from the
rest of the kernel. Choosing CONFIG_APPLICATION_MEMORY will
result in the application and kernel being split.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This is unmaintained and currently has no known users. It was
added to support a Wind River project. If in the future we need it
again, we should re-introduce it with an exception-based mechanism
for catching out-of-bounds memory queries from the debugger.
The mem_safe subsystem is also removed, it is only used by the
GDB server. If its functionality is needed in the future, it
shoudl be replaced with an exception-based mechanism.
The _image_{ram, rom, text}_{start, end} linker variables have
been left in place, they will be re-purposed and expanded to
support memory protection.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The porting of the TI CC2650 SoC introduces the need to
write a specific configuration area (CCFG) at the end of the
flash. It is read by the bootloader ROM of the SoC.
For now, this is a quick hack and not a generic solution;
similar needs may arise with other hardware.
Signed-off-by: Geoffrey Le Gourriérec <geoffrey.legourrierec@smile.fr>
Clearing fields in the region descriptor attributes doesn't always have
the expected effect of revoking permissions. In the case of bus master
supervisor mode fields (MxSM), setting to zero actually enables read,
write, and execute access.
When we reworked handling of region descriptor 0, we inadvertently
enabled execution from RAM by clearing the MxSM fields and enabling the
descriptor. This caused samples/mpu_test run to throw a usage fault
instead of an MPU-triggered bus fault.
Fix this by setting all the MxSM fields to 2'b11, which gives supervisor
mode the same access as user mode.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
We need to make sure that __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS
are set to the same value. Add a simple build time check to ensure
this is the case. This is to catch future cases of issues like
ZEP-2243. This is a stop gap til we resolve ZEP-2262, which covers use
of both __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Fixes an issue where if a thread calls k_panic() or k_oops()
with interrupts locked, control would return to the thread
and it would only be aborted after interrupts were unlocked
again.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The REGION bits (bit[3:0]) of MPU_RBAR register can specify the number
of the region to update if the VALID bit (bit[4]) is also set.
If the bit[3:0] of "region_addr" are not zero, might cause to update
unexpected region. This could happen since we might not declare stack
memory with specific alignment.
This patch will mask the bit[4:0] of "region_addr" to prevent updating
unexpected region.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Calling 'svc' on ARMv6 causes a hard fault if interrups are locked.
Force them unlocked before making the svc call.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Ethernet on K64F is connected via Logical Bus Master 3.
Section 19.3.8 of K64F reference manual establishes bits 20-18
(M3UM) on page 427 as "Bus Master 3 User Mode Access Control".
To fix RWX user mode access via Bus Master 3 when MPU is enabled,
we need to add these bits to the MPU region descriptors.
This fixes ETH0 on K64F when MPU is enabled.
Fix recommended by Maureen Helm <maureen.helm@nxp.com>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Let's clarify what bits are being set by removing magic numbers in the
MPU READ/WRITE/EXECUTE User Mode and Supervisor Mode defines.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
This patch add arm core MPU support to NXP MPU driver.
With this feature it is now possible to enable stack guarding on NXP
MPUs.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch add arm core MPU support to ARM MPU driver.
Change-Id: I5a61da4615ae687bf42f1c9947e291ebfd2d2c1d
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds the arm core MPU interface, a common way to access the
pu functionalities by the arm zephyr kernel.
The interface can be divided in two parts:
- a core part that will be implemented by the arm_core_mpu driver and
used directly by the kernel
- a driver part that will be implemented by the mpu drivers and used by
the arm_core_mpu driver
Change-Id: I590bd284abc40d98b06fdf1efb5800903313aa00
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds initial MPU support to NXP K6x family.
The boot configuration prevents the following security issues:
* Prevent to read at an address that is reserved in the memory map.
* Prevent to write into the boot Flash/ROM.
* Prevent from running code located in SRAM.
This driver has been tested on FRDM-K64F.
Change-Id: I907168fff0c6028f1c665f1d3c224cbeec31be32
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
We don't use __scs or __scp anymore so we can remove the related linker
script and various defines and such associated with them.
Change-Id: Ibbbe27c23a3f2b816b992dfdeb4f80cf798e0d40
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
CC3220SF_LAUNCHXL effectively replaces the CC3200_LAUNCHXL,
with support for the CC3220SF SoC, which is an update for
the CC3200 SoC.
This is supported by the Texas Instruments CC3220 SDK.
Jira: ZEP-1958
Change-Id: I2484d3ee87b7f909c783597d95128f2b45db36f2
Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
This patch add the Memory Protection Unit parameter to the arm core
configuration.
Change-Id: Ifee8cdd5738391a6f182e8d0382d27eeb8c546ba
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Marc Moreno <marc.morenoberengue@linaro.org>
Put the reason code in r0 and make a SVC #2 call, which will be
propagated to _fatal_error_handler as an exception.
The _is_in_isr() implementation had to be tweaked a bit. User-generated
SVC exception no longer just used for irq_offload(); just because we are
in it does not mean we are in interrupt context. Instead, have the
irq_offload code set and clear the offload_routine global; it will be
non-NULL only if it's in use. Upcoming changes to support memory
protection (which will require system calls) will need this too.
We free up some small amount of ROM deleting _default_esf struct as it's
no longer needed.
Issue: ZEP-843
Change-Id: Ie82bd708575934cffe41e64f5c128c8704ca4e48
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Unlike assertions, these APIs are active at all times. The kernel will
treat these errors in the same way as fatal CPU exceptions. Ultimately,
the policy of what to do with these errors is implemented in
_SysFatalErrorHandler.
If the archtecture supports it, a real CPU exception can be triggered
which will provide a complete register dump and PC value when the
problem occurs. This will provide more helpful information than a fake
exception stack frame (_default_esf) passed to the arch-specific exception
handling code.
Issue: ZEP-843
Change-Id: I8f136905c05bb84772e1c5ed53b8e920d24eb6fd
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
For exceptions where we are just going to abort the current thread, we
need to exit handler mode properly so that PendSV can run and perform a
context switch. For ARM architecture this means that the fatal error
handling code path can indeed return if we were 1) in handler mode and
2) only wish to abort the current thread.
Fixes a very long-standing bug where a thread that generates an
exception, and should only abort the thread, instead takes down the
entire system.
Issue: ZEP-2052
Change-Id: Ib356a34a6fda2e0f8aff39c4b3270efceb81e54d
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Convert code to use u{8,16,32,64}_t and s{8,16,32,64}_t instead of C99
integer types. This handles the remaining includes and kernel, plus
touching up various points that we skipped because of include
dependancies. We also convert the PRI printf formatters in the arch
code over to normal formatters.
Jira: ZEP-2051
Change-Id: Iecbb12601a3ee4ea936fd7ddea37788a645b08b0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This is a start to move away from the C99 {u}int{8,16,32,64}_t types to
Zephyr defined u{8,16,32,64}_t and s{8,16,32,64}_t. This allows Zephyr
to define the sized types in a consistent manor across all the
architectures we support and not conflict with what various compilers
and libc might do with regards to the C99 types.
We introduce <zephyr/types.h> as part of this and have it include
<stdint.h> for now until we transition all the code away from the C99
types.
We go with u{8,16,32,64}_t and s{8,16,32,64}_t as there are some
existing variables defined u8 & u16 as well as to be consistent with
Zephyr naming conventions.
Jira: ZEP-2051
Change-Id: I451fed0623b029d65866622e478225dfab2c0ca8
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Scanning for typos in comments and strings.
Change-Id: I3d4db89e0824959252c79c19baa50028354247bd
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
The CONFIG_FLASH_LOAD_OFFSET allows the zephyr image to be placed at
an offset from the start of flash. This is useful for situations,
such as with a bootloader, to allow the image to not occupy the very
beginning of flash.
Complement this by adding a CONFIG_FLASH_LOAD_SIZE config, that can
constrain the size of the flash image. With the default of zero, the
behavior is as before, with the image allowed to occupy the rest of
the flash. It can also be defined to a non-zero value which will
constrain the image to occupy that many bytes of flash.
Although this is defined generally, it is currently only supported on
cortex-m targets.
Change-Id: I6e4a0e79c8459f931cd4757c932d20dac740f5f6
Signed-off-by: David Brown <david.brown@linaro.org>
Currently, ARM Cortex-M image ROMs are linked starting at the flash
device's base address (CONFIG_FLASH_BASE_ADDRESS). This prevents XIP
Zephyr applications from being linked to run from elsewhere on the
flash device. Linking Zephyr applications to run from elsewhere can be
necessary when running under a bootloader (i.e., booting into a Zephyr
application from a bootloader, not using Zephyr as a bootloader).
To enable this use case, add a new config option: FLASH_LOAD_OFFSET.
This option directs the linker to treat ROM as if it started that many
bytes from the base of flash on Cortex-M targets. The option defaults
to zero to preserve backwards compatibility.
Change-Id: I64f82aee257c19c2451f9789b0ab56999775b761
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Some arches may want to define this as an inline function, or
define in core arch code instead of timer driver code.
Unfortunately, this means we need to remove from the footprint
tests, but this is not typically a large function.
Issue: ZEP-1546
Change-Id: Ic0d7a33507da855995838f4703d872cd613a2ca2
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In order for OpenOCD to have a high-level view of an RTOS, it uses the
GDB protocol to obtain symbols from the system.
The GDB protocol, however, does not allow obtaining fields from
structures directly, and hardcoding offsets is not only brittle (due to
possibly different architectures or changes in the code), it's also
infeasible considering Zephyr is highly-configurable and parts of key
structs can be compiled in or out.
Export an array with offsets for these key structs. Also add a version
element in that array to allow changes in those structs.
Change-Id: I83bcfa0a7bd57d85582e5ec6efe70e1cceb1fc51
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This replaces the hard-coded vector table, as well as the
software ISR table created by the linker. Now both are generated
in build via script.
Issue: ZEP-1038, ZEP-1165
Change-Id: Ie6faaf8f7ea3a7a25ecb542f6cf7740836ad7da3
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now use CMSIS for ARM Cortex-M SoCs so we can remove the last bits of
scs and scb.
Jira: ZEP-1568
Change-Id: I0c7c45b0321dc402ed594e9faffb5109922edcf0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
_SCS_CPACR_CP10_Pos and _SCS_CPACR_CP11_Pos come from scs.h, we have
versions defined in cmsis.h we should be using instead.
Change-Id: Icd8db02000bbc9ef8b2cf89d359e008f62a7d5e9
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Coverted:
_ScbMemFaultMmfarReset
_ScbBusFaultBfarReset
_ScbUsageFaultAllFaultsReset
To use direct CMSIS register access.
Also removed scb.h and references as there is no longer any code in it.
Jira: ZEP-1568
Change-Id: I469f6af39d1bd41db712454b0b3e5ab331979033
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
