Upon return from a syscall handlers, the r1, r2, and r3 registers
could contain random kernel data that should not be leaked to user
mode. Zero these out before returning from _arm_do_syscall().
Fixes#7753.
The invocation macros need a clobber if r1, r2, or r3 are not used
to carry syscall arguments. This is a partial fix for #7754 but
there appear to be other issues.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Set bus master 4 to write and read access which allows
the USBFSOTG controller read/write access to the memory.
Signed-off-by: Johann Fischer <j.fischer@phytec.de>
This commit fixes the SecureFault IRQ number for non-CMSIS
compliant ARM Cortex-M MCUs. Erroneous IRQ number was introduced
in ec398e87796f8da2529f369746ae9b2b12d48ca4.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Newlib uses any RAM between _end and the bounds of physical
RAM for the _sbrk() heap. Set up a user-writable region
so that this works properly on x86.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Modify the linker script with the command INSERT.
It instructs the linker to augment the default linker script
SECTIONS with the ones provided with the one provided in
this script.
It also modified the meaning of the -T switch, so it no longer
replaces the default linker script
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
intel_s1000 has multiple levels of interrupts consisting of core, CAVS
Logic and designware interrupt controller. This patchset modifies
the regular gen_isr mechanism to support these multiple levels.
Change-Id: I0450666d4e601dfbc8cadc9c9d8100afb61a214c
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
intel_s1000 uses DesignWare IP for UART. National Semiconductor
16550 (UART) component specification is followed in this IP.
Change-Id: Ied7df1dc178d55b6dbe71d729d6383ba07274ea4
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
When MMU is enabled and the SOC we are running doesn't have
execute in-place(XIP) the final image will be a monolith which
sits in RAM. In such situations we need to maintain the alignment
for application memory. If not maintained the MMU boot tables
will not be configured properly.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
These functions were not used throughout the Zephyr code base, and
as such has been removed. They can be reinstated if there's a need,
but will need to be adapted to use retpolines when CONFIG_RETPOLINE
is set.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
In order to mitigate Spectre variant 2 (branch target injection), use
retpolines for indirect jumps and calls.
The newly-added hidden CONFIG_X86_NO_SPECTRE flag, which is disabled
by default, must be set by a x86 SoC if its CPU performs speculative
execution. Most targets supported by Zephyr do not, so this is
set to "y" by default.
A new setting, CONFIG_RETPOLINE, has been added to the "Security
Options" sections, and that will be enabled by default if
CONFIG_X86_NO_SPECTRE is disabled.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
The original exception handling has space to optimize and
and some bugs need to be fixed.
* define NANO_ESF
* add the definition of NANO_ESF which is an irq_stack_frame
* add the corresponding codes in exception entry and handler
* remove _default_esf
* implement the _ARCH_EXCEPT
* use trap exception to raise exception by kernel
* add corresponding trap exception entry
* add _do_kernel_oops to handle the exception raised by
_ARCH_EXCEPT.
* add the thread context switch in exception return
* case: kernel oops may raise thread context switch
* case: some tests will re-implement SysFatalHandler to raise
thread context switch.
* as the exception and isr are handled in kernel isr stack, so
the thread context switch must be in the return of exception/isr
, and the exception handler must return, should not be decorated
with FUNC_NORETURN
* for arc, _is_in_isr should consider the case of exception
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
This patch changes the ARM system calls to use registers for passing
or arguments. This removes the possibility of stack issues when
callers do not adhere to the AAPCS.
Fixes#6802
Signed-off-by: Andy Gross <andy.gross@linaro.org>
User mode shouldn't be able to read/write to this memory directly,
needs to be done on its behalf by driver system calls.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Define IRQ number for SecureFault Handler when building Secure
Firmware for non-CMSIS-compliant ARM Cortex-M MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macros for ARM fault flags from
include/arch/arm/cortex_m/cmsis.h header, since they are
defined in the respective core_cmXX.h header files. It also
modifies fault.c to use the updated fault macros taken directly
from ARM CMSIS headers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug in the ARM HardFAult handler, which
prevented from dumping the right UsageFault flags, after a
UsageFault had escalated to HardFault.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In asm2, the machine exception handler runs in interrupt context (this
is good: it allows us to defer the test against exception type until
after we have done the stack switch and dispatched any true
interrupts), but that means that the user error handler needs to be
invoked and then return through the interrupt exit code.
So the __attribute__(__noreturn__) that it was being decorated with
was incorrect. And actually fatal, as with gcc xtensa will crash
trying to return from a noreturn call.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The xtensa arch code had this empty offsets.h header sitting around.
Its name collides with the autogenerated offsets.h, making it
dangerously dependent on include file path order. Seems to be benign,
but it's freaking me out. Remove.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The new thread stack layout is as follow:
|---------------------|
| user stack |
|---------------------|
| stack guard (opt.) |
|---------------------|
| privilege stack |
-----------------------
For MPUv2
* user stack is aligned to the power of 2 of user stack size
* the stack guard is 2048 bytes
* the default size of privileg stack is 256 bytes.
For user thread, the following MPU regions are needded
* one region for user stack, no need of stack guard for user stack
* one region for stack guard when stack guard is enbaled
* regions for memory domain.
For kernel thread, the stack guard region will be at the top, adn
The user stack and privilege stack will be merged.
MPUv3 is the same as V2's layout, except no need of power of 2
alignment.
* reimplement the user mode enter function. Now it's possible for
kernel thread to drop privileg to user thread.
* add a separate entry for user thread
* bug fixes in the cleanup of regs when go to user mode
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
The application memory area has a requirement of address alignment,
especially when MPU requires power of 2.
Modify the linker tmemplate to apply application memory address
alignment generation
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Enable us bit to check user mode more efficienly.
US is read as zero in user mode. This will allow use mode sleep
instructions, and it enables a form of denial-of-service attack
by putting the processor in sleep mode, but since interrupt
level/mask can't be set from user space that's not worse than
executing a loop without yielding.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
* add the implementation of syscall
* based on 'trap_s' intruction, id = 3
* add the privilege stack
* the privilege stack is allocted with thread stack
* for the kernel thread, the privilege stack is also a
part of thread stack, the start of stack can be configured
as stack guard
* for the user thread, no stack guard, when the user stack is
overflow, it will fall into kernel memory area which requires
kernel privilege, privilege violation will be raised
* modify the linker template and add MPU_ADDR_ALIGN
* add user space corresponding codes in mpu
* the user sp aux reg will be part of thread context
* When user thread is interruptted for the 1st time, the context is
saved in user stack (U bit of IRQ_CTLR is set to 1). When nest
interrupt comes, the context is saved in thread's privilege stack
* the arc_mpu_regions.c is moved to board folder, as it's board
specific
* the above codes have been tested through tests/kernel/mem_protect/
userspace for MPU version 2
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
This patch adjusts the default permissions on the bus master 3 (NET).
Recent changes restricted this to supervisor only, and this caused
issues with the network controllers access to memory.
Restrictions on access should really be enforced on the ARM core bus
master.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds support for userspace on ARM architectures. Arch
specific calls for transitioning threads to user mode, system calls,
and associated handlers.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds a configure_mpu_user_context API and implements
the required function placeholders in the NXP and ARM MPU files.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The STM32 has special Core Coupled Memory, ccm for short, that can
only be accessed through the CPU and can not be use for DMA.
The following 3 sections have been added.
- ccm_bss for zero initialized data
- ccm_data for initialized data
- ccm_noinit for uninitialized data
Signed-off-by: Erwin Rol <erwin@erwinrol.com>
This feature is X86 only and is not used or being tested. It is legacy
feature and no one can prove it actually works. Remove it until we have
proper documentation and samples and multi architecture support.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit defines the Kconfig options for
ARM Cortex-M23 and Cortex-M33 CPUs. It also
udpates the generic memory map for M23 and M33
implementations.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This PR includes the required changes in order to support
conditional compilation for Armv8-M architecture. Two
variants of the Armv8-M architecture are defined:
- the Armv8-M Baseline (backwards compatible with ARMv6-M),
- the Armv8-M Mainline (backwards compatible with ARMv7-M).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch adds the generation and incorporation of privileged stack
regions that are used by ARM user mode threads. This patch adds the
infrastructure for privileged stacks. Later patches will utilize the
generated stacks and helper functions.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds application data section alignment constraints
to match the region definition requirements for ARM MPUs. Most MPUs
require a minimum of 32 bytes of alignment for any regions, but some
require power of two alignment to the size of a region.
This requires that the linker align the application data section to
the size of the section. This requires a linker pass to determine the
size. Once this is accomplished the correct value is added to a linker
include file that is utilized in subsequent linker operations.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
For SoCs that don't support vector table relocation in hardware, may not
support bootloader like mcuboot.
We introduce a way to relocate vector table in software by forwarding
the control of incoming IRQs to a new vector table which address is save
at fixed SRAM address.
User can change the data in that fixed SRAM address in order to relocate
vector table in software way.
Signed-off-by: Ding Tao <miyatsu@qq.com>
Refering the ARM's implementation, the initial support of memory
domain in ARC is added:
* changes in MPU drivers
* changes in Kconfig
* codes to configure memory domain during thread swap
* changes in linker script template
* memory domain related macro definitions
the commited codes are simply tested through
samples/mpu/mem_domain_apis_test.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
The _vector_start was placed before the CONFIG_TEXT_SECTION_OFFSET, thus
adding the offset in the relocated vector table, making the table
invalid when relocated with a non null CONFIG_TEXT_SECTION_OFFSET.
This was tested using MCUboot with a 0x200 offset for the image header.
Fixes: eb48a0a73c ("arm: armv6-m: Support relocating vector table")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
A new arch (posix) which relies on pthreads to emulate the context
switching
A new soc for it (inf_clock) which emulates a CPU running at an
infinely high clock (so when the CPU is awaken it runs till completion
in 0 time)
A new board, which provides a trivial system tick timer and
irq generation.
Origin: Original
Fixes#1891
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Add an architecure specfic code for the memory domain
configuration. This is needed to support a memory domain API
k_mem_domain_add_thread.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
MPU version 3 is included in em7d of em_starterkit 2.3.
The differences of MPU version 3 and version 2 are:
* different aux reg interface
* The address alignment requirement is 32 bytes
* supports secure mode
* supports SID (option)
* does not support memory region overlap
This commit adds the support MPU version 3 and also make some changes to
MPU version 2 to have an unified interface.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
In ARC's SecureShield, a new secure mode (currently only em) is added.
The secure/normal mode is orthogonal to kernel/user mode. The
differences between secure mode and normal mode are following:
* different irq stack frame. so need to change the definition of
_irq_stack_frame, assembly code.
* new aux regs, e.g, secure status(SEC_STAT), secure vector base
(VECT_BASE_S)
* interrupts and exceptions, secure mode has its own vector base;
interrupt can be configured as secure or normal through the
interrupt priority aux reg.
* secure timers. Two secure timers (secure timer 0 and timer 1) are
added.Here, for simplicity and backwards compatibility original
internal timers (timer 0 and timer1) are used as sys clock of zephyr
* on reset, the processor is in secure mode and secure vector base is
used.
Note: the mix of secure and normal mode is not supported, i.e. it's
assumed that the processor is always in secure mode.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Define _image_rodata_start/end to match x86 and so that we can
refer to them in the userspace test among others.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Implement API to validate user buffer. This API will iterate
all MPU regions to check if the given buffer is user accessible
or not. For #3832.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
