This is used to have each arch canonically state how much
room in the stack object is reserved for non-thread use.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The ARM Cortex-M 321 application note is stressing that if
we disable interrupts by executing CPSID i(f), or by MSR
instructions (on PRIMASK, FAULTMASK registers), there is no
requirement to add barrier instructions after disabling
interupts. However, in ARMv7-M (and ARMv8-M Mainline) we use
BASEPRI, instead. Therefore, if we need the effect of disabling
interrupts to be recongnized immediately we should add barrier
instructions. This commit adds DSB and ISB barriers when
disabling interrupt using BASEPRI in the generic
arm _irq_lock() function as well as in the PendSV handler,
where we need to access kernel globals right after the interrups
are disabled.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
(OPTIONAL) was a vestiage from the initial import of the Zephyr code
base and we dont utilize it with the GNU linker. Additionally, the way
(OPTIONAL) gets defined to nothing creates a linker script that lld
(from llvm) doesn't like.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
* separate the ARC MPU driver into 2 parts
* arc_mpu_v2_internal.h for ARC MPUv2
* arc_mpu_v3_internal.h for ARC MPUv3
* For ARC MPUv2, keep the main design, but update and optimize the code
* For ARC MPUv3, implement mpu region split to supprt MPU region overlap
* misc updates and bug fixes
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
The clang ARM assembler is a bit stricter than GNU as. Change mov to
movs for ARMv6 case of Z_ARCH_EXCEPT.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This commit enhances the documentation of z_arch_buffer_validate
describing the cases where the validation is performed
successfully, as well as the cases where the result is
undefined.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
During testing with sorting section by alignment with qemu_nios2,
if rodata section is not aligned on 4-byte boundary and its size
not of multiple of 4, it would never boot correctly. So align
the rodata here. This is in preparation to enable the linker
option to sort sections by alignment.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The app_smem.ld is also being used by architectures other than ARM.
So move the linker script out of include/arch/arm and into
include/linker.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The ARM Cortex-M 321 application note is stressing that
when enabling interrupts by executing CPSIE i(f), or by MSR
instructions (on PRIMASK, FAULTMASK, or BASEPRI registers),
there is a need for synchronization barrier instructions,
if there is a requirement for the effect of enabling
interrupts to be recongnized immediately. _arch_irq_unlock()
is invoked in several places, therefore, we add the
barriers to make the interrupt enabling function
applicable to all usage scenarios.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
This commit corrects and improves the documentation for the
convenience macro _ARCH_THREAD_STACK_SIZEOF(sym). It stresses
that the returned size is guaranteed to match the amount of
stack that is available for the thread, that is, excluding any
areas not directly usable, e.g. a Stack Guard.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the MPU region re-programming functions,
to take as argument an array of pointers to memory partition
structures, instead of the whole array of the partitions. In
this way the stack usage can be minimized, if the actual
partition information is kept in statically allocated memory.
instead of the map itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The GCOV section is programmed as a static MPU region, only
in builds with support for User Mode, otherwise it is not
programmed into an MPU region at all. To reflect this in the
linker, the MPU-alignment for GCOV section is enforced only
under CONFIG_USERSPACE=y. Otherwise, single-word alignment
is enforced.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Retpolines were never completely implemented, even on x86.
Move this particular Kconfig to only concern itself with
the assembly code, and don't default it on ever since we
prefer SSBD instead.
We can restore the common kernel-wide CONFIG_RETPOLINE once
we have an end-to-end implementation.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is an integral part of userspace and cannot be used
on its own. Fold into the main userspace configuration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Instead of having to enable ramfunc support manually, just make it
transparently available to users, keeping the MPU region disabled if not
used to not waste a MPU region. This however wastes 24 bytes of code
area when the MPU is disabled and 48 bytes when it is enabled, and
probably a dozen of CPU cycles during boot. I believe it is something
acceptable.
Note that when XIP is used, code is already in RAM, so the __ramfunc
keyword does nothing, but does not generate an error.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Using __ramfunc to places a function in RAM instead of Flash.
Code that for example reprograms flash at runtime can't execute
from flash, in that case must placing code into RAM.
This commit create a new section named '.ramfunc' in link scripts,
all functions has __ramfunc keyword saved in thats sections and
will load from flash to sram after the system booted.
Fixes: #10253
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
Slightly enhance the build-time ASSERT rule for memory
partitions sanity on ARMv8-M platforms, to check,
additionally, for proper (32-byte) alignment of the start
address.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames irq_vectors_alloc_data.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames gdt.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames user_mmu_tables.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames mmu_tables.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
There are issues using lowercase min and max macros when compiling a C++
application with a third-party toolchain such as GNU ARM Embedded when
using some STL headers i.e. <chrono>.
This is because there are actual C++ functions called min and max
defined in some of the STL headers and these macros interfere with them.
By changing the macros to UPPERCASE, which is consistent with almost all
other pre-processor macros this naming conflict is avoided.
All files that use these macros have been updated.
Signed-off-by: Carlos Stuart <carlosstuart1970@gmail.com>
Upon hard/soft irq or exception entry/exit, handle transitions
off or onto the trampoline stack, which is the only stack that
can be used on the kernel side when the shadow page table
is active. We swap page tables when on this stack.
Adjustments to page tables are now as follows:
- Any adjustments for stack memory access now are always done
to the user page tables
- Any adjustments for memory domains are now always done to
the user page tables
- With KPTI, resetting a page now clears the present bit
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
If kernel page table isolation is enabled, we generate a second
set of page tables. These tables, except for the shared page, have
all non-user pages marked as non-present.
The MMU generation script has been refactored:
- Debugging output has been make significantly simpler and less
verbose
- Useless globals removed or adjusted
- MMU region list is validated as it is read
- Some tuples unpacked into individual variables to make the
code easier to read.
- Useless command line option for output binary endian-ness
remobved
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
KPTI requires that there exist one kernel page marked
'present', because switching between the kernel and the
shadow page tables is not done automatically and certain
other CPU data structures must always be in a present page.
Move IDT, GDT, all TSS to this page, and set up a small
trampoline stack as a safe landing area when doing
privilege level transitions.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Since we know do DTS before Kconfig we should try and remove dts from
creating Kconfig namespaced symbols and leave that to Kconfig. So
rename CONFIG_CCM_<FOO> to DT_CCM_<FOO>.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
CONFIG_APPLICATION_MEMORY doesn't exist anymore, so the bit of code in
arm_core_mpu_dev.h related to it is dead and should be removed.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This was never a long-term solution, more of a gross hack
to get test cases working until we could figure out a good
end-to-end solution for memory domains that generated
appropriate linker sections. Now that we have this with
the app shared memory feature, and have converted all tests
to remove it, delete this feature.
To date all userspace APIs have been tagged as 'experimental'
which sidesteps deprecation policies.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
* K_APP_DMEM_SECTION/K_MEM_BMEM_SECTION macros now exist
to specifically define the name of the sections for data
and bss respectively.
* All boards now use the gen_app_partitions.py script, the
padding hacks for non-power-of-two arches didn't work right
in all cases. Linker scripts have been updated.
* The defined k_mem_partition is now completely initialized
at build time. The region data structures now only exist
to zero BSS.
Based on some work submitted by Adithya Baglody
<adithya.baglody@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is a separate data section which needs to be copied into
RAM.
Most arches just use the kernel's _data_copy(), but x86 has its
own optimized copying code.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Replace Cortex-M3 with Cortex-M architecture family
in the header documentation of kernel_arch_data.h and
kernel_arch_func.h, which are generic header files for
the entire familty of ARM Cortex-M CPUs. The commit
adds some more minor style fixes in functions'
documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the documentation of internal ARM core
function _arch_irq_lock(..), adding a more detailed description
of its impact on the different Cortex-M processors.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
add the handling of APP_SHARED_MEM.
privileged threads can access all the mem
explictly defined in user mode, i.e., APP_MEM & APP_SHARED_MEM
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
PAE tables introduce the NX bit which is very desirable
from a security perspetive, back in 1995.
PAE tables are larger, but we are not targeting x86 memory
protection for RAM constrained devices.
Remove the old style 32-bit tables to make the x86 port
easier to maintain.
Renamed some verbosely named data structures, and fixed
incorrect number of entries for the page directory
pointer table.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit re-works the NXP MPU driver implementation so that
it aligns with the implementation for ARMv7-M and ARMv8-M MPU
architectures.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the unnecessary MPU region type definitions
from arm_core_mpu_dev.h, as they are not used any more in any of
the architecture-specific MPU implementations (ARMv7-M, NXP, and
ARMv8-M MPU).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes obsolete ARM CORE MPU API definitions
and related implementation from arm_mpu.c, in the wake of
the transition to the new ARM MPU design.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit updates the ARM Core MPU API for memory domains,
to align with the principle of de-coupling the partitioning
and the access attribution with the architecture-specific
MPU driver implementation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces an internal ARM MPU API that allows the
user to re-configure a memory partition in run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces an ARM API that allows the user to
program a set of dynamic MPU regions at run-time. The API
function is invoked every time the memory map needs to be
re-programmed (for example at thread context-switch). The
functionality is implementated in arm_core_mpu.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces and documents the internal ARM MPU
API to configure the dynamic memory regions at run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces and documents the internal ARM MPU
API to configure the static memory regions at boot time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The ARM core MPU API now uses solely k_mem_partition_attr_t
objects to represent memory region attributes. The objects
now include all attribution properties (including cache-
ability and share-ability). This commit updates the macro
definitions to comply with the new ARM Core MPU standard.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the generic ARM (core) API, which allows
the user to program a set of static (fixed) MPU regions at boot
time. The API function is invoked upon initialization, in the
ARM-specific call of _arch_switch_to_main_thread(). The API
implementation is provided in arm_core_mpu.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This board is unmaintained and unsupported. It is not known to work and
has lots of conditional code across the tree that makes code
unmaintainable.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Add missing linker section to avoid warning about orphans when building
with host compiler.
Fixes#12719
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Building tests/kernel/common/kernel.common with the new crosstools
SDK-ng resulted in an orphan short read-only data section. Fix this by
adding the .srodata section to the RISC-V linker script.
Signed-off-by: Nathaniel Graff <nathaniel.graff@sifive.com>
This patch adds all the required hooks needed in the kernel to
get the coverage reports from x86 SoCs.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This patch adds all the required hooks needed in the kernel to
get the coverage reports from ARM SoCs.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Add missing sections being reported as orphan with latest compiler
version for x86 and discard them. Do the same on ARM.
Those sections are used for dynamic linking which we do not support in
Zephyr.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This patch adds a x86_64 architecture and qemu_x86_64 board to Zephyr.
Only the basic architecture support needed to run 64 bit code is
added; no drivers are added, though a low-level console exists and is
wired to printk().
The support is built on top of a "X86 underkernel" layer, which can be
built in isolation as a unit test on a Linux host.
Limitations:
+ Right now the SDK lacks an x86_64 toolchain. The build will fall
back to a host toolchain if it finds no cross compiler defined,
which is tested to work on gcc 8.2.1 right now.
+ No x87/SSE/AVX usage is allowed. This is a stronger limitation than
other architectures where the instructions work from one thread even
if the context switch code doesn't support it. We are passing
-no-sse to prevent gcc from automatically generating SSE
instructions for non-floating-point purposes, which has the side
effect of changing the ABI. Future work to handle the FPU registers
will need to be combined with an "application" ABI distinct from the
kernel one (or just to require USERSPACE).
+ Paging is enabled (it has to be in long mode), but is a 1:1 mapping
of all memory. No MMU/USERSPACE support yet.
+ We are building with -mno-red-zone for stack size reasons, but this
is a valuable optimization. Enabling it requires automatic stack
switching, which requires a TSS, which means it has to happen after
MMU support.
+ The OS runs in 64 bit mode, but for compatibility reasons is
compiled to the 32 bit "X32" ABI. So while the full 64 bit
registers and instruction set are available, C pointers are 32 bits
long and Zephyr is constrained to run in the bottom 4G of memory.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
I was half way through typing up my own one of these when I realized
there was one already in the tree. Move it to a shared header.
(FWIW: I really doubt that most architectures actually benefit from
their own versions of these tools -- GCC's optimizer is really good,
and custom assembly defeats optimization and factorizations of the
expressions in context.)
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Adds support for the device configuration data (DCD), which provides a
sequence of commands to the imx rt boot ROM to initialize components
such as an SDRAM.
It is now possible to use the external SDRAM instead of the internal
DTCM on the mimxrt1020_evk, mimxrt1050_evk, and mimxrt1060_evk. Note,
however, that the default board configurations still link data into
internal DTCM, therefore you must use a device tree overlay to override
"zephyr,sram = &sdram0"
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Adds support for the boot data, image vector table, and FlexSPI NOR
config structures used by the imx rt boot ROM to boot an application
from an external xip flash device.
It is now possible to build and flash a bootable zephyr image to the
external xip flash on the mimxrt1020_evk, mimxrt1050_evk, and
mimxrt1060_evk boards via the 'ninja flash' build target and jlink
runner. Note, however, that the default board configurations still link
code into internal ITCM, therefore you must set CONFIG_CODE_HYPERFLASH=y
or CONFIG_CODE_QSPI=y explicitly to override the default. You must also
set CONFIG_NXP_IMX_RT_BOOT_HEADER=y to build the boot header into the
image.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
The various linker scripts on arc would include autoconf.h in the arch
linker script but might have CONFIG_ symbols referenced in the soc
specific linker script. Move autoconf.h inclusion to top of the soc
specific linker script out of the arch specific one so we know
autoconf.h is seen before any CONFIG_ references.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
For all builds, _image_ram_start is initially set to RAM_ADDR,
before it is (possibly) aligned for MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The main function is just a weak function that should be override by the
applications if they need. Just adding a nop instructions to explicitly
says that this function does nothing.
MISRA-C rule 2.2
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
The definition of __app_ram_end linker symbol has been
erroneously placed outside the last linker section of
application memory. This commit fixes the problem.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch splits the text section into 2 parts. The first section
will have some info regarding vector tables and debug info. The
second section will have the complete text section.
This is needed to force the required functions and data variables
the correct locations.
This is due to the behavior of the linker. The linker will only link
once and hence this text section had to be split to make room
for the generated linker script.
Added a new Kconfig CODE_DATA_RELOCATION which when enabled will
invoke the script, which does the required relocation.
Added hooks inside init.c for bss zeroing and data copy operations.
Needed when we have to copy data from ROM to required memory type.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
arm_core_mpu.h and arm_core_mpu.c defined and implement kernel
APIs for memory protection, respectively. Therefore, they do not
need to directly include ARM CMSIS headers, or arm_mpu.h (or
nxp_mpu.h) which are supposed to define MPU-related kernel types
and convenience macros for the specific MPU architecture. These
headers are indirectly included by including kernel.h.
Similarly, arm_mpu.h shall not need to include internal/external
headers of memory protection APIs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit does the following:
- it introduces additional convenience macros for representing
MPU attributions for no-cacheability, in both ARMv7-M and
ARMv8-M MPU architectures,
- it adds documentation in K_MEM_PARTITION_IS_WRITABLE/CACHEABLE
macros in all macro definitions in the different MPU variants
- it moves the type definition of k_mem_partition_attr_t inside
the architecture-specific MPU headers, so it can be defined
per-architecture. It generalizes app_mem_domain.h, to be able
to work with _any_ (struct) type of k_mem_partition_attr_t.
- it refactors the type of k_mem_partition_attr_t for ARMv8-M
to comply with the MPU register API.
- for NXP MPU, the commit moves the macros for region access
permissions' attributes inside nxp_mpu.h, to align with what
we do for ARM MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit exposes k_mem_partition_attr_t outside User Mode, so
we can use struct k_mem_partition for defining memory partitions
outside the scope of user space (for example, to describe thread
stack guards or no-cacheable MPU regions). A requirement is that
the Zephyr build supports Memory protection. To signify this, a
new hidden, all-architecture Kconfig symbol is defined (MPU). In
the wake of exposing k_mem_partition_attr_t, the commit exposes
the MPU architecture-specific access permission attribute macros
outside the User space context (for all ARCHs), so they can be
used in a more generic way.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
RISC-V permits myriad extensions to the ISA, any of which may imply
additional context that must be saved and restored on ISR entry and
exit. The current in-tree example is the Pulpino core, which has extra
registers used by ISA extensions for running loops that shouldn't get
clobbered by an ISR.
This is currently supported by including pulpino-specific definitions
in the generic architecture code. This works, but it's a bit inelegant
and is something of a layering violation. A more generic mechanism is
required to support other RISC-V SoCs with similar requirements
without cluttering the arch code too much.
Provide that by extending the semantics of the existing
CONFIG_RISCV_SOC_CONTEXT_SAVE option to allow other SoCs to allocate
space for saving and restoring their own state, promoting the
currently pulpino-specific __soc_save_context / __soc_restore_context
routines to a RISC-V arch API.
The cost of making this generic is two more instructions in each ISR
to pass the SoC specific context to these routines in a0 rather than
just assuming the stack points to the right place. This is minimal,
and should have been done anyway to keep with the ABI.
As a first (and currently only in-tree) customer, convert the Pulpino
SoC code to this new mechanism.
Signed-off-by: Marti Bolivar <marti@foundries.io>
Add symbol which contains the number of bytes contained
in the image.
Using '_image_rom_end' will not work, as there are
symbols loaded after its value.
Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
Add a "nocache" read-write memory section that is configured to
not be cached. This memory section can be used to perform DMA
transfers when cache coherence issues are not optimal or can not
be solved using cache maintenance operations.
This is currently only supported on ARM Cortex M7 with MPU.
Fixes#2927
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Helper macro, MPU_ALIGN() is used by script
gen_app_partitions.py, so the macro needs to be available,
if the APP Shared memory feature is to be used. This commit
defines MPU_ALIGN() in the ARC linker.ld script.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit moves the app_data_alignment.ld scripts
under arch/arc sub-directory, as it is not not used
at all in ARM builds. The script is still used for
ARC, whose v2 MPU also has the reuquirement for
power-of-two size alignment.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Move the definition of _image_ram_start at the beginning
of the RAMMABLE (SRAM) region, so it points to the actual
start of RAM linker sections.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit standardizes and simplifies the way we enforce
linker section alignment, to comply with minimum alignment
requirement for MPU, if we build Zephyr with MPU support:
- it enforces alignment with the minimum MPU granularity at
the beginning and end of linker sections that require to
be protected by MPU,
- it enforces alignment with size if required by the MPU
architecture.
Particularly for the Application Memory section, the commit
simplifies how the proper alignment is enforced, removing
the need of calculating the alignment with a post-linker
python script. It also removes the need for an additional
section for padding.
For the Application Shared Memory section(s), the commit
enforces minimum alignment besides the requirement for
alignment with size (for the respective MPUs) and fixes
a bug where the app_data_align was erronously used in the
scipts for auto-generating the linker scripts.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit enforces the use of ARM_MPU_REGION_MIN_ALIGN_AND_SIZE
in include/arch/arm/arch.h, instead of using 32 as a hard-coded
value. The symbol is also used in arm/thread.c to truncate the
thread stack size to satisfy MPU granularity. The commit does
not introduce behavioral changes.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug in the ARMv7-M convenience macro that
evaluates write-ability of given access permissions attributes.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Declare and define nxp_mpu_config and nxp_mpu_regions
structs as const, as they are not modified in run-time.
Fixes#10320
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Declare and define arm_mpu_config and arm_mpu_regions
structs as const, as they are not modified in run-time.
Fixes#10320
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit enhances the documentation of the nxp_mpu_config
element in include/arch/arm/cortex_m/mpu/nxp_mpu.h, stressing
that it intends to store information for fixed MPU regions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
These changes were obtained by running a script created by
Ulf Magnusson <Ulf.Magnusson@nordicsemi.no> for the following
specification:
1. Read the contents of all dts_fixup.h files in Zephyr
2. Check the left-hand side of the #define macros (i.e. the X in
#define X Y)
3. Check if that name is also the name of a Kconfig option
3.a If it is, then do nothing
3.b If it is not, then replace CONFIG_ with DT_ or add DT_ if it
has neither of these two prefixes
4. Replace the use of the changed #define in the code itself
(.c, .h, .ld)
Additionally, some tweaks had to be added to this script to catch some
of the macros used in the code in a parameterized form, e.g.:
- CONFIG_GPIO_STM32_GPIO##__SUFFIX##_BASE_ADDRESS
- CONFIG_UART_##idx##_TX_PIN
- I2C_SBCON_##_num##_BASE_ADDR
and to prevent adding DT_ prefix to the following symbols:
- FLASH_START
- FLASH_SIZE
- SRAM_START
- SRAM_SIZE
- _ROM_ADDR
- _ROM_SIZE
- _RAM_ADDR
- _RAM_SIZE
which are surprisingly also defined in some dts_fixup.h files.
Finally, some manual corrections had to be done as well:
- name##_IRQ -> DT_##name##_IRQ in uart_stm32.c
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
We now place the linker directives for the SW ISR table
in the common linker scripts, instead of repeating it
everywhere.
The table will be placed in RAM if dynamic interrupts are
enabled.
A dedicated section is used, as this data must not move
in between build phases.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
If dynamic interrupts are enabled, a set of trampoline stubs
are generated which transfer control to a common dynamic
interrupt handler function, which then looks up the proper
handler and parameter and then executes the interrupt.
Based on the prior x86 dynamic interrupt implementation which
was removed from the kernel some time ago, and adapted to
changes in the common interrupt handling code, build system,
and IDT generation tools.
An alternative approach could be to read the currently executing
vector out of the APIC, but this is a much slower operation.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit contributes a patch to the Arm Cortex-M linker
script, which guarantees that the linker sections for shared
memory and the application memory will have sufficient padding
in between, so that the latter will start from an address that
is 32-byte aligned. This is required for ensuring that the MPU
regions defined using the start and end addresses of the two
sections will not overlap. The patch targets ARMv8-M MPU with
no requirement for power-of-two alignment and size.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Patch is useful for RISCV platforms which can not provide ROM memory.
Switching CONFIG_XIP to "n" disables allocating ROM region.
Signed-off-by: Vitaly Gaiduk <vitaly.gaiduk@cloudbear.ru>
With newer linker for ARC we can possibly get a warning like:
real-ld: warning: orphan section `.ARC.attributes' from `(foo.o)'
being placed in section `.ARC.attributes'.
Fixes#11060
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
struct segment_selector is defined but never used. Besides that, this
tag identifier was clashing with other identifier, what is an undefined
behaviour in C99.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
When using C++ exceptions in a Cortex-M, the linker return a warning:
warning: orphan section ".ARM.extab"
.ARM.extab section containing exception unwinding information.
This section is missing in the linker script for Cortex-M.
Signed-off-by: Benoit Leforestier <benoit.leforestier@gmail.com>
(Previous patch set was reverted due to issue with priv_stack.
Resubmitting after fixing the faults caused by priv_stack.noinit
not at the end of RAM.)
This adds a linker flag and necessary changes to linker scripts
so that linker will warn about orphan sections.
Relates to #5534.
Fixes#10473, #10474, #10515.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This puts the priviledged stack at the end of RAM.
This combines PR #10507 and #10542.
Fixes#10473Fixes#10474Fixes#10515
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The Cypress PSoC6 specifies some input sections in the startup
scripts. These sections (.heap, .stack, etc.) need to be placed
at correct location.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This allows the SoC to specify some additional linker script
fragments into the bss, data and read-only data sections.
For example, the Cypress PSOC6 has a few input sections that
must be put into bss and data sections. Without specifying
these in the linker script, they are consider orphan sections
and the placement is based on linker heuristic which is
arbitrary.
POSIX is not supported as the main linker script is
provided by the host system's binutils and we have no control
over it. Also, currently Xtensa SoCs have their own linker
scripts so there is no need to this feature.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The function _arc_v2_irq_unit_is_in_isr computes a Boolean
value but the function returns a integer value.
Fix the return type of the function.
This makes the zephyr api _is_in_isr() return a boolean type.
Thereby making it consistent across all the architectures.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Update rel-sections.ld to use wildcards instead of
spelling out those sections one by one.
Also, for POSIX, don't include this and turns off
the warnings. With different host toolchain across
different OS, it would be maintanence nightmare
to account for all those combinations. So this reverts
the POSIX linker script to before the first orphan
section changes.
Fixes#10493
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
In ARMv8-M MPU it is not possible to have the following access
permissions: Privileged RW / Unprivileged RO. So we define
K_MEM_PARTITION_IS_WRITABLE macro separately for v8M and v7M MPU
architectures (in the separate include files).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This adds a linker flag and necessary changes to linker scripts
so that linker will warn about orphan sections.
Relates to #5534.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The Cypress PSoC6 specifies some input sections in the startup
scripts. These sections (.heap, .stack, etc.) need to be placed
at correct location.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This allows the SoC to specify some additional linker script
fragments into the bss, data and read-only data sections.
For example, the Cypress PSOC6 has a few input sections that
must be put into bss and data sections. Without specifying
these in the linker script, they are consider orphan sections
and the placement is based on linker heuristic which is
arbitrary.
POSIX is not supported as the main linker script is
provided by the host system's binutils and we have no control
over it. Also, currently Xtensa SoCs have their own linker
scripts so there is no need to this feature.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Instead of hardcoding in linker script, use a Kconfig and deal with
dependencies in Kconfig instead of directly in the linker file.
This patch moves both:
PRIVILEGED_STACK_TEXT_AREA
and
KOBJECT_TEXT_AREA
to arch/Kconfig.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Improve the documentation of the ARMv8-M MPU convenience macros
for setting up MPU regions at boot time, stressing that the
macros intend to be used for non-overlapping, fixed MPU regions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit enhances the documentation of the mpu_config
element in include/arch/arm/cortex_m/mpu/arm_mpu.h, stressing
that it intends to store information for fixed MPU regions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Remove an inline explanatory comment for the thread
stack region type that is obsolete. The comment had
been been erroneously kept in after the enumeration
of MPU region types was refactored and cleaned up.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Any calculation based on linker variables shouldn't be inside
sections.
Also added the linker macro needed for the shared memory.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
According with ISO/IEC 9899:1999 §6.7 Declarations, typedefs name must
be uniques.
C99 clause 6.7
MISRA-C rule 1.1
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Some minor style fixes and rewording of the documentation
for ARM MPU region types.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit groups together the MPU region types
that are related to the User-space feature, so that
a single #ifdef USERSPACE is present in the enum.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Several style and typo fixes in inline comments of arm kernel
files and thread.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The header should check if the macro _MPU_PRESENT is defined
and create it only if not defined.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
The size calculation for power of 2 MPUs were incorrect.
The calculation was not taking into account the amount of padding
the linker does when doing the required alignment. Hence the size
being calculated was completely incorrect.
With this patch the code now is optimized and the size of
partitions is now provided by the linker.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This commit removes all MPU-related (ARM_CORE_MPU and NXP_MPU)
options exept ARM_MPU, which becomes master switch controlling
MPU support on ARM.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
Any word started with underscore followed by and uppercase letter or a
second underscore is a reserved word according with C99.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit moves the documentation corresponding to
_ARCH_THREAD_STACK_DEFINE(..) macro to the right place.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This reverts commit 17e9d623b4.
Single thread keep introducing more issues, decided to remove the
feature completely and push any required changes for after 1.13.
See #9808
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Some applications have a use case for a tiny MULTITHREADING=n build
(which lacks most of the kernel) but still want special-purpose
drivers in that mode that might need to handle interupts. This
creates a chicken and egg problem, as arch code (for obvious reasons)
runs _Cstart() with interrupts disabled, and enables them only on
switching into a newly created thread context. Zephyr does not have a
"turn interrupts on now, please" API at the architecture level.
So this creates one as an arch-specific wrapper around
_arch_irq_unlock(). It's implemented as an optional macro the arch
can define to enable this behavior, falling back to the previous
scheme (and printing a helpful message) if it doesn't find it defined.
Only ARM and x86 are enabled in this patch.
Fixes#8393
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Define generic interface and hooks for tracing to replace
kernel_event_logger and existing tracing facilities with something more
common.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit implements and integrates the ARMv8-M MPU driver
into the memory protection system for ARM.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces a type definition for the ARM MPU
region attribute container. This allows to abstract the type
of the attribute container and make the code extendible for
ARMv8-M, where the size and structure of the attribute
container will be different.
Therefore, we can, now, move the definition of the region
data structure in the common arm_mpu.h header.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds K-config options that allow the user to
signify an ARM Secure Firmware that contains Secure Entry
functions and to define the starting address of the linker
section that will contain the Secure Entry functions. It
also instructs the linker to append the NSC section if
instructed so by the user.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Split out the arch specific syscall code to reduce include pollution
from other arch related headers. For example on ARM its possible to get
errno.h included via SoC specific headers. Which created an interesting
compile issue because of the order of syscall & errno/errno syscall
inclusion.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
If MMU is enabled, always make the BSS section MMU page aligned.
According to the comments, it is always aligned anyway.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Some drivers or tests need to execute some code before Zephyr is
booted, dynamically register command line arguments, etc.
For this purpose, we generalize the NATIVE_EXIT_TASK to also
provide hooks to run a function at a given point during the startup
of native_posix.
Also, test/boards/native_posix/exit_tasks is generalized to cover
this new functionality.
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
The .eh_frame symbol was causing __data_rom_start to contain the wrong
offset into the ROM, resulting in corrupt data copied into RAM by
_data_copy(). Fix by placing the .eh_frame in the .text section as is
done in include/arch/x86/linker.ld
Signed-off-by: Nathaniel Graff <nathaniel.graff@sifive.com>
When building the real mode, the linker definition has to place
the real mode entry code at the start of flash area.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Summary: revised attempt at addressing issue 6290. The
following provides an alternative to using
CONFIG_APPLICATION_MEMORY by compartmentalizing data into
Memory Domains. Dependent on MPU limitations, supports
compartmentalized Memory Domains for 1...N logical
applications. This is considered an initial attempt at
designing flexible compartmentalized Memory Domains for
multiple logical applications and, with the provided python
script and edited CMakeLists.txt, provides support for power
of 2 aligned MPU architectures.
Overview: The current patch uses qualifiers to group data into
subsections. The qualifier usage allows for dynamic subsection
creation and affords the developer a large amount of flexibility
in the grouping, naming, and size of the resulting partitions and
domains that are built on these subsections. By additional macro
calls, functions are created that help calculate the size,
address, and permissions for the subsections and enable the
developer to control application data in specified partitions and
memory domains.
Background: Initial attempts focused on creating a single
section in the linker script that then contained internally
grouped variables/data to allow MPU/MMU alignment and protection.
This did not provide additional functionality beyond
CONFIG_APPLICATION_MEMORY as we were unable to reliably group
data or determine their grouping via exported linker symbols.
Thus, the resulting decision was made to dynamically create
subsections using the current qualifier method. An attempt to
group the data by object file was tested, but found that this
broke applications such as ztest where two object files are
created: ztest and main. This also creates an issue of grouping
the two object files together in the same memory domain while
also allowing for compartmenting other data among threads.
Because it is not possible to know a) the name of the partition
and thus the symbol in the linker, b) the size of all the data
in the subsection, nor c) the overall number of partitions
created by the developer, it was not feasible to align the
subsections at compile time without using dynamically generated
linker script for MPU architectures requiring power of 2
alignment.
In order to provide support for MPU architectures that require a
power of 2 alignment, a python script is run at build prior to
when linker_priv_stacks.cmd is generated. This script scans the
built object files for all possible partitions and the names given
to them. It then generates a linker file (app_smem.ld) that is
included in the main linker.ld file. This app_smem.ld allows the
compiler and linker to then create each subsection and align to
the next power of 2.
Usage:
- Requires: app_memory/app_memdomain.h .
- _app_dmem(id) marks a variable to be placed into a data
section for memory partition id.
- _app_bmem(id) marks a variable to be placed into a bss
section for memory partition id.
- These are seen in the linker.map as "data_smem_id" and
"data_smem_idb".
- To create a k_mem_partition, call the macro
app_mem_partition(part0) where "part0" is the name then used to
refer to that partition. This macro only creates a function and
necessary data structures for the later "initialization".
- To create a memory domain for the partition, the macro
app_mem_domain(dom0) is called where "dom0" is the name then
used for the memory domain.
- To initialize the partition (effectively adding the partition
to a linked list), init_part_part0() is called. This is followed
by init_app_memory(), which walks all partitions in the linked
list and calculates the sizes for each partition.
- Once the partition is initialized, the domain can be
initialized with init_domain_dom0(part0) which initializes the
domain with partition part0.
- After the domain has been initialized, the current thread
can be added using add_thread_dom0(k_current_get()).
- The code used in ztests ans kernel/init has been added under
a conditional #ifdef to isolate the code from other tests.
The userspace test CMakeLists.txt file has commands to insert
the CONFIG_APP_SHARED_MEM definition into the required build
targets.
Example:
/* create partition at top of file outside functions */
app_mem_partition(part0);
/* create domain */
app_mem_domain(dom0);
_app_dmem(dom0) int var1;
_app_bmem(dom0) static volatile int var2;
int main()
{
init_part_part0();
init_app_memory();
init_domain_dom0(part0);
add_thread_dom0(k_current_get());
...
}
- If multiple partitions are being created, a variadic
preprocessor macro can be used as provided in
app_macro_support.h:
FOR_EACH(app_mem_partition, part0, part1, part2);
or, for multiple domains, similarly:
FOR_EACH(app_mem_domain, dom0, dom1);
Similarly, the init_part_* can also be used in the macro:
FOR_EACH(init_part, part0, part1, part2);
Testing:
- This has been successfully tested on qemu_x86 and the
ARM frdm_k64f board. It compiles and builds power of 2
aligned subsections for the linker script on the 96b_carbon
boards. These power of 2 alignments have been checked by
hand and are viewable in the zephyr.map file that is
produced during build. However, due to a shortage of
available MPU regions on the 96b_carbon board, we are unable
to test this.
- When run on the 96b_carbon board, the test suite will
enter execution, but each individaul test will fail due to
an MPU FAULT. This is expected as the required number of
MPU regions exceeds the number allowed due to the static
allocation. As the MPU driver does not detect this issue,
the fault occurs because the data being accessed has been
placed outside the active MPU region.
- This now compiles successfully for the ARC boards
em_starterkit_em7d and em_starterkit_em7d_v22. However,
as we lack ARC hardware to run this build on, we are unable
to test this build.
Current known issues:
1) While the script and edited CMakeLists.txt creates the
ability to align to the next power of 2, this does not
address the shortage of available MPU regions on certain
devices (e.g. 96b_carbon). In testing the APB and PPB
regions were commented out.
2) checkpatch.pl lists several issues regarding the
following:
a) Complex macros. The FOR_EACH macros as defined in
app_macro_support.h are listed as complex macros needing
parentheses. Adding parentheses breaks their
functionality, and we have otherwise been unable to
resolve the reported error.
b) __aligned() preferred. The _app_dmem_pad() and
_app_bmem_pad() macros give warnings that __aligned()
is preferred. Prior iterations had this implementation,
which resulted in errors due to "complex macros".
c) Trailing semicolon. The macro init_part(name) has
a trailing semicolon as the semicolon is needed for the
inlined macro call that is generated when this macro
expands.
Update: updated to alternative CONFIG_APPLCATION_MEMORY.
Added config option CONFIG_APP_SHARED_MEM to enable a new section
app_smem to contain the shared memory component. This commit
seperates the Kconfig definition from the definition used for the
conditional code. The change is in response to changes in the
way the build system treats definitions. The python script used
to generate a linker script for app_smem was also midified to
simplify the alignment directives. A default linker script
app_smem.ld was added to remove the conditional includes dependency
on CONFIG_APP_SHARED_MEM. By addining the default linker script
the prebuild stages link properly prior to the python script running
Signed-off-by: Joshua Domagalski <jedomag@tycho.nsa.gov>
Signed-off-by: Shawn Mosley <smmosle@tycho.nsa.gov>
This commit adds the implementation that allows the ARM CPU
to recover from (otherwise fatal) MPU faults. A new error
reason, _NANO_ERR_RECOVERABLE, is introduced. The error
reason is used to suppress fault dump information, if the
error is actually recoverable.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Shouldn't declare this and then pull in headers, fixes
error like "util.h:41:1: error: template with C linkage"
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Shouldn't declare this and then pull in headers, fixes
errors like "util.h:41:1: error: template with C linkage"
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Some of the native application components or drivers need to
do a proper cleanup before the executable exits.
So we provide a macro similar to SYS_INIT but which will be
called just before exiting.
This can be used for freeing up resources, closing descriptors,
or doing any neccessary signaling to any other host process.
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
Change the REGION_FLASH_ATTR macros to set the cache attributes on Flash
regions to "Outer and inner write-through. No write allocate.". This
matches the cache attributes used when the MPU is disabled.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Change the REGION_RAM_ATTR macro to set the cache attributes on RAM
regions to "Outer and inner write-back. Write and read allocate". This
matches the cache attributes used when the MPU is disabled.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Fix NORMAL_OUTER_INNER_WRITE_BACK_WRITE_READ_ALLOCATE_NONSHAREABLE, the
bufferable bit should be set, while the shareable one should not be set.
At the same time, rename it from ..._NONSHAREABLE to _NON_SHAREABLE to
keep the same naming convention for all macro. Given it's not (yet)
used, it should not be an issue.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Reduces the number of mpu regions statically reserved at boot time by
one, giving a total of five. We originally sought to reduce the total to
three: 1 background region with lowest precendence for supervisor r/w, 1
flash region, and 1 sram region. However, the nxp mpu hardware does not
give precedence to any region over another, and thus we cannot revoke
access from the background region with a higher priority region. This
means we cannot support hardware stack protection with a single
background region.
Instead, create two background regions that cover the entire address
space, except for sram.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Fix the title comment in the linker.ld script for ARM, to
make it clear that this is the common linker script for all
Cortex-M based platforms.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit re-defines the REGION_SIZE_<x> macros, present in
include/arch/arm/cortex_m/mpu/arm_mpu_v7m.h, with the help of
the existing ARM MPU regions size definitions in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors internal functions in arm_mpu.c to use
bitsets and functions taken directly from ARM CMSIS instead of
hardcoded arithmetic literals. In several internal functions
some part of the implementation is abstracted further in inline
functions or convenience macros, to facilitate extending the
arm_mpu.c for ARMv8-M. In addition, the commit adds minor
improvements in internal function documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit moves the macro definitions and convenience wrappers
for ARM MPU that are specific to ARMv6-m, and ARMv7-m to an
arch-specific MPU header file. It leaves only the generic
content in arm_mpu.h, i.e. the content that is supposed to
be common for ARMv8-M MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit modifies the interal macro defitions for MPU region
attributes in arm_mpu.h to use bitset flags directly from CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the redundant HAL definition for the ARM
Cortex-M MPU registers, and modifies the ARM MPU driver
implementation to directly use the provided HAL from CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The entry point can and therefore should be set by linker
scripts. Whenever possible one should express things in the source
language, be it .c or .ld, and not in code generators or in the build
system.
This patch removes the flag -eCONFIG_KERNEL_ENTRY from the linker's
command line and replaces it with the linker script command
ENTRY(CONFIG_KERNEL_ENTRY)
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
This is a public macro which calculates the size to be allocated for
stacks inside a stack array. This is necessitated because of some
internal padding (e.g. for MPU scenarios). This is particularly
useful when a reference to K_THREAD_STACK_ARRAY_DEFINE needs to be
made from within a struct.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
* We are now *much* better at not reserving unnecessary
system MPU regions based on configuration. The #defines
for intent are now an enumerated type. As a bonus, the
implementation of _get_region_index_by_type() is much
simpler. Previously we were wasting regions for stack guard
and application memory if they were not configured.
* NXP MPU doesn't reserve the last region if HW stack
protection isn't enabled.
* Certain parts of the MPU code are now properly ifdef'd
based on configuration.
* THREAD_STACK_REGION and THREAD_STACK_USER_REGION was a
confusing construction and has now been replaced with
just THREAD_STACK_REGION, which represents the MPU region
for a user mode thread stack. Supervisor mode stacks
do not require an MPU region.
* The bounds of CONFIG_APPLICATION_MEMORY never changes
and we just do it once during initialization instead of
every context switch.
* Assertions have been added to catch out-of-bounds cases.
Fixes: #7384
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
intList has been populated with the number of isrs, aka interrupts,
but nothing has not been using this information so we drop it and
everything used to construct it.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
This commit includes the arch/arm/cortex_m/cmsis.h directly
in arm_mpu.h. This is requires as arm_mpu.h uses CMSIS macro
defines directly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
All architecture defines OCTET_TO_SIZEOFUNIT and SIZEOFUNIT_TO_OCTET
as identity functions. But the only user is tests/benchmarks/app_kernel.
It's effectively a no-op. Remove them.
Signed-off-by: Yasushi SHOJI <y-shoji@ispace-inc.com>
Set Zero Latency IRQ to priority level zero and SVCs to priority level
one when Zero Latency IRQ is enabled.
This makes Zero Zatency truly zero latency when the kernel has been
configured with userspace enabled, or when IRQ offloading is used.
Exceptions can still delay Zero Latency IRQ, but this is considered
ok since exceptions indicate a serious error, and the system needs to
recover.
Fixes: #7869
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
This commit moves code from fe310 platform into RISC-V privilege common
folder. This way the code can be reused by other platforms in future.
signed-off-by: Karol Gugala <kgugala@antmicro.com>
This commit removes the macro definitions for MPU_RASR register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macro definitions for MPU_RBAR register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macro definitions for MPU_CTRL register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
* the original stack check codes have no consideration
for userspace case. This will wrong cause possible stack
check exception.
* this commit refactors the arc stack check support to
support the usperspace.
* this commit fixes#7885. All the failed tests in #7885
are run again to verify this commit. The test results are ok
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Previously, the stack buffer array wasn't being page-aligned.
If private kernel data was stored after the stack buffer in
the same page, the current thread would incorrectly have
access to it. Round stack sizes up on x86 to prevent this
problem.
Fixes#8118
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The r7 register is used as a frame pointer on ARM Thumb. As result, it
cannot be modified by the assembly code in functions using stack frame.
This commit replaces r7 by r8, which is a general purpose register.
Also it fixes#7704.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
Change the zero latency interrupt priority level from 2 to 1.
This is the priority level that the kernel has reserved for the
zero latency IRQ feature by the _IRQ_PRIO_OFFSET constant.
The zero latency IRQ will now not be masked by the irq_lock function.
Update comments to reflect the priority levels reserved by the kernel.
Fixes: #8073
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Because the address alignment of MPUv2, the address should
not only be aligned at the start but also for the array member.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
This commit removes a redundant #ifdef check for
CONFIG_CPU_CORTEX_M_HAS_BASEPRI, which is covered
CONFIG_CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS, present
in the same ifdef check.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
CONFIG_UART_NSIM depends on CONFIG_NSIM, which was removed in commit
9bc69a46fa ("boards: Update arc em_starterkit support from 2.2 to
2.3"). Remove the dependency, and also remove the CONFIG_NSIM=y setting
from the test_nsim test (which should now work).
Also change the condition for EXTERN()ing _VectorTable in
include/arch/arc/v2/linker.ld to check CONFIG_UART_NSIM instead of
CONFIG_NSIM. I'm guessing the EXTERN() is there to make the symbol
visible to nSIM, though I don't know anything about it.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Upon return from a syscall handlers, the r1, r2, and r3 registers
could contain random kernel data that should not be leaked to user
mode. Zero these out before returning from _arm_do_syscall().
Fixes#7753.
The invocation macros need a clobber if r1, r2, or r3 are not used
to carry syscall arguments. This is a partial fix for #7754 but
there appear to be other issues.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Set bus master 4 to write and read access which allows
the USBFSOTG controller read/write access to the memory.
Signed-off-by: Johann Fischer <j.fischer@phytec.de>
This commit fixes the SecureFault IRQ number for non-CMSIS
compliant ARM Cortex-M MCUs. Erroneous IRQ number was introduced
in ec398e87796f8da2529f369746ae9b2b12d48ca4.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Newlib uses any RAM between _end and the bounds of physical
RAM for the _sbrk() heap. Set up a user-writable region
so that this works properly on x86.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Modify the linker script with the command INSERT.
It instructs the linker to augment the default linker script
SECTIONS with the ones provided with the one provided in
this script.
It also modified the meaning of the -T switch, so it no longer
replaces the default linker script
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
intel_s1000 has multiple levels of interrupts consisting of core, CAVS
Logic and designware interrupt controller. This patchset modifies
the regular gen_isr mechanism to support these multiple levels.
Change-Id: I0450666d4e601dfbc8cadc9c9d8100afb61a214c
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
intel_s1000 uses DesignWare IP for UART. National Semiconductor
16550 (UART) component specification is followed in this IP.
Change-Id: Ied7df1dc178d55b6dbe71d729d6383ba07274ea4
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
When MMU is enabled and the SOC we are running doesn't have
execute in-place(XIP) the final image will be a monolith which
sits in RAM. In such situations we need to maintain the alignment
for application memory. If not maintained the MMU boot tables
will not be configured properly.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
These functions were not used throughout the Zephyr code base, and
as such has been removed. They can be reinstated if there's a need,
but will need to be adapted to use retpolines when CONFIG_RETPOLINE
is set.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
In order to mitigate Spectre variant 2 (branch target injection), use
retpolines for indirect jumps and calls.
The newly-added hidden CONFIG_X86_NO_SPECTRE flag, which is disabled
by default, must be set by a x86 SoC if its CPU performs speculative
execution. Most targets supported by Zephyr do not, so this is
set to "y" by default.
A new setting, CONFIG_RETPOLINE, has been added to the "Security
Options" sections, and that will be enabled by default if
CONFIG_X86_NO_SPECTRE is disabled.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
The original exception handling has space to optimize and
and some bugs need to be fixed.
* define NANO_ESF
* add the definition of NANO_ESF which is an irq_stack_frame
* add the corresponding codes in exception entry and handler
* remove _default_esf
* implement the _ARCH_EXCEPT
* use trap exception to raise exception by kernel
* add corresponding trap exception entry
* add _do_kernel_oops to handle the exception raised by
_ARCH_EXCEPT.
* add the thread context switch in exception return
* case: kernel oops may raise thread context switch
* case: some tests will re-implement SysFatalHandler to raise
thread context switch.
* as the exception and isr are handled in kernel isr stack, so
the thread context switch must be in the return of exception/isr
, and the exception handler must return, should not be decorated
with FUNC_NORETURN
* for arc, _is_in_isr should consider the case of exception
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
This patch changes the ARM system calls to use registers for passing
or arguments. This removes the possibility of stack issues when
callers do not adhere to the AAPCS.
Fixes#6802
Signed-off-by: Andy Gross <andy.gross@linaro.org>
User mode shouldn't be able to read/write to this memory directly,
needs to be done on its behalf by driver system calls.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Define IRQ number for SecureFault Handler when building Secure
Firmware for non-CMSIS-compliant ARM Cortex-M MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macros for ARM fault flags from
include/arch/arm/cortex_m/cmsis.h header, since they are
defined in the respective core_cmXX.h header files. It also
modifies fault.c to use the updated fault macros taken directly
from ARM CMSIS headers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug in the ARM HardFAult handler, which
prevented from dumping the right UsageFault flags, after a
UsageFault had escalated to HardFault.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In asm2, the machine exception handler runs in interrupt context (this
is good: it allows us to defer the test against exception type until
after we have done the stack switch and dispatched any true
interrupts), but that means that the user error handler needs to be
invoked and then return through the interrupt exit code.
So the __attribute__(__noreturn__) that it was being decorated with
was incorrect. And actually fatal, as with gcc xtensa will crash
trying to return from a noreturn call.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The xtensa arch code had this empty offsets.h header sitting around.
Its name collides with the autogenerated offsets.h, making it
dangerously dependent on include file path order. Seems to be benign,
but it's freaking me out. Remove.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The new thread stack layout is as follow:
|---------------------|
| user stack |
|---------------------|
| stack guard (opt.) |
|---------------------|
| privilege stack |
-----------------------
For MPUv2
* user stack is aligned to the power of 2 of user stack size
* the stack guard is 2048 bytes
* the default size of privileg stack is 256 bytes.
For user thread, the following MPU regions are needded
* one region for user stack, no need of stack guard for user stack
* one region for stack guard when stack guard is enbaled
* regions for memory domain.
For kernel thread, the stack guard region will be at the top, adn
The user stack and privilege stack will be merged.
MPUv3 is the same as V2's layout, except no need of power of 2
alignment.
* reimplement the user mode enter function. Now it's possible for
kernel thread to drop privileg to user thread.
* add a separate entry for user thread
* bug fixes in the cleanup of regs when go to user mode
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
The application memory area has a requirement of address alignment,
especially when MPU requires power of 2.
Modify the linker tmemplate to apply application memory address
alignment generation
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Enable us bit to check user mode more efficienly.
US is read as zero in user mode. This will allow use mode sleep
instructions, and it enables a form of denial-of-service attack
by putting the processor in sleep mode, but since interrupt
level/mask can't be set from user space that's not worse than
executing a loop without yielding.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
* add the implementation of syscall
* based on 'trap_s' intruction, id = 3
* add the privilege stack
* the privilege stack is allocted with thread stack
* for the kernel thread, the privilege stack is also a
part of thread stack, the start of stack can be configured
as stack guard
* for the user thread, no stack guard, when the user stack is
overflow, it will fall into kernel memory area which requires
kernel privilege, privilege violation will be raised
* modify the linker template and add MPU_ADDR_ALIGN
* add user space corresponding codes in mpu
* the user sp aux reg will be part of thread context
* When user thread is interruptted for the 1st time, the context is
saved in user stack (U bit of IRQ_CTLR is set to 1). When nest
interrupt comes, the context is saved in thread's privilege stack
* the arc_mpu_regions.c is moved to board folder, as it's board
specific
* the above codes have been tested through tests/kernel/mem_protect/
userspace for MPU version 2
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
This patch adjusts the default permissions on the bus master 3 (NET).
Recent changes restricted this to supervisor only, and this caused
issues with the network controllers access to memory.
Restrictions on access should really be enforced on the ARM core bus
master.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds support for userspace on ARM architectures. Arch
specific calls for transitioning threads to user mode, system calls,
and associated handlers.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds a configure_mpu_user_context API and implements
the required function placeholders in the NXP and ARM MPU files.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The STM32 has special Core Coupled Memory, ccm for short, that can
only be accessed through the CPU and can not be use for DMA.
The following 3 sections have been added.
- ccm_bss for zero initialized data
- ccm_data for initialized data
- ccm_noinit for uninitialized data
Signed-off-by: Erwin Rol <erwin@erwinrol.com>
This feature is X86 only and is not used or being tested. It is legacy
feature and no one can prove it actually works. Remove it until we have
proper documentation and samples and multi architecture support.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit defines the Kconfig options for
ARM Cortex-M23 and Cortex-M33 CPUs. It also
udpates the generic memory map for M23 and M33
implementations.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This PR includes the required changes in order to support
conditional compilation for Armv8-M architecture. Two
variants of the Armv8-M architecture are defined:
- the Armv8-M Baseline (backwards compatible with ARMv6-M),
- the Armv8-M Mainline (backwards compatible with ARMv7-M).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch adds the generation and incorporation of privileged stack
regions that are used by ARM user mode threads. This patch adds the
infrastructure for privileged stacks. Later patches will utilize the
generated stacks and helper functions.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds application data section alignment constraints
to match the region definition requirements for ARM MPUs. Most MPUs
require a minimum of 32 bytes of alignment for any regions, but some
require power of two alignment to the size of a region.
This requires that the linker align the application data section to
the size of the section. This requires a linker pass to determine the
size. Once this is accomplished the correct value is added to a linker
include file that is utilized in subsequent linker operations.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
For SoCs that don't support vector table relocation in hardware, may not
support bootloader like mcuboot.
We introduce a way to relocate vector table in software by forwarding
the control of incoming IRQs to a new vector table which address is save
at fixed SRAM address.
User can change the data in that fixed SRAM address in order to relocate
vector table in software way.
Signed-off-by: Ding Tao <miyatsu@qq.com>
Refering the ARM's implementation, the initial support of memory
domain in ARC is added:
* changes in MPU drivers
* changes in Kconfig
* codes to configure memory domain during thread swap
* changes in linker script template
* memory domain related macro definitions
the commited codes are simply tested through
samples/mpu/mem_domain_apis_test.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
The _vector_start was placed before the CONFIG_TEXT_SECTION_OFFSET, thus
adding the offset in the relocated vector table, making the table
invalid when relocated with a non null CONFIG_TEXT_SECTION_OFFSET.
This was tested using MCUboot with a 0x200 offset for the image header.
Fixes: eb48a0a73c ("arm: armv6-m: Support relocating vector table")
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
A new arch (posix) which relies on pthreads to emulate the context
switching
A new soc for it (inf_clock) which emulates a CPU running at an
infinely high clock (so when the CPU is awaken it runs till completion
in 0 time)
A new board, which provides a trivial system tick timer and
irq generation.
Origin: Original
Fixes#1891
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Add an architecure specfic code for the memory domain
configuration. This is needed to support a memory domain API
k_mem_domain_add_thread.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
MPU version 3 is included in em7d of em_starterkit 2.3.
The differences of MPU version 3 and version 2 are:
* different aux reg interface
* The address alignment requirement is 32 bytes
* supports secure mode
* supports SID (option)
* does not support memory region overlap
This commit adds the support MPU version 3 and also make some changes to
MPU version 2 to have an unified interface.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
In ARC's SecureShield, a new secure mode (currently only em) is added.
The secure/normal mode is orthogonal to kernel/user mode. The
differences between secure mode and normal mode are following:
* different irq stack frame. so need to change the definition of
_irq_stack_frame, assembly code.
* new aux regs, e.g, secure status(SEC_STAT), secure vector base
(VECT_BASE_S)
* interrupts and exceptions, secure mode has its own vector base;
interrupt can be configured as secure or normal through the
interrupt priority aux reg.
* secure timers. Two secure timers (secure timer 0 and timer 1) are
added.Here, for simplicity and backwards compatibility original
internal timers (timer 0 and timer1) are used as sys clock of zephyr
* on reset, the processor is in secure mode and secure vector base is
used.
Note: the mix of secure and normal mode is not supported, i.e. it's
assumed that the processor is always in secure mode.
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Define _image_rodata_start/end to match x86 and so that we can
refer to them in the userspace test among others.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Implement API to validate user buffer. This API will iterate
all MPU regions to check if the given buffer is user accessible
or not. For #3832.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This is intended for memory-constrained systems and will save
4K per thread, since we will no longer reserve room for or
activate a kernel stack guard page.
If CONFIG_USERSPACE is enabled, stack overflows will still be
caught in some situations:
1) User mode threads overflowing stack, since it crashes into the
kernel stack page
2) Supervisor mode threads overflowing stack, since the kernel
stack page is marked non-present for non-user threads
Stack overflows will not be caught:
1) When handling a system call
2) When the interrupt stack overflows
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is an introductory port for Zephyr to be run as a Jailhouse
hypervisor[1]'s "inmate cell", on x86 64-bit CPUs (running on 32-bit
mode). This was tested with their "tiny-demo" inmate demo cell
configuration, which takes one of the CPUs of the QEMU-VM root cell
config, along with some RAM and serial controller access (it will even
do nice things like reserving some L3 cache for it via Intel CAT) and
Zephyr samples:
- hello_world
- philosophers
- synchronization
The final binary receives an additional boot sequence preamble that
conforms to Jailhouse's expectations (starts at 0x0 in real mode). It
will put the processor in 32-bit protected mode and then proceed to
Zephyr's __start function.
Testing it is just a matter of:
$ mmake -C samples/<sample_dir> BOARD=x86_jailhouse JAILHOUSE_QEMU_IMG_FILE=<path_to_image.qcow2> run
$ sudo insmod <path to jailhouse.ko>
$ sudo jailhouse enable <path to configs/qemu-x86.cell>
$ sudo jailhouse cell create <path to configs/tiny-demo.cell>
$ sudo mount -t 9p -o trans/virtio host /mnt
$ sudo jailhouse cell load tiny-demo /mnt/zephyr.bin
$ sudo jailhouse cell start tiny-demo
$ sudo jailhouse cell destroy tiny-demo
$ sudo jailhouse disable
$ sudo rmmod jailhouse
For the hello_world demo case, one should then get QEMU's serial port
output similar to:
"""
Created cell "tiny-demo"
Page pool usage after cell creation: mem 275/1480, remap 65607/131072
Cell "tiny-demo" can be loaded
CPU 3 received SIPI, vector 100
Started cell "tiny-demo"
***** BOOTING ZEPHYR OS v1.9.0 - BUILD: Sep 12 2017 20:03:22 *****
Hello World! x86
"""
Note that the Jailhouse's root cell *has to be started in xAPIC
mode* (kernel command line argument 'nox2apic') in order for this to
work. x2APIC support and its reasoning will come on a separate commit.
As a reminder, the make run target introduced for x86_jailhouse board
involves a root cell image with Jailhouse in it, to be launched and then
partitioned (with >= 2 64-bit CPUs in it).
Inmate cell configs with no JAILHOUSE_CELL_PASSIVE_COMMREG flag
set (e.g. apic-demo one) would need extra code in Zephyr to deal with
cell shutdown command responses from the hypervisor.
You may want to fine tune CONFIG_SYS_CLOCK_HW_CYCLES_PER_SEC for your
specific CPU—there is no detection from Zephyr with regard to that.
Other config differences from pristine QEMU defaults worth of mention
are:
- there is no HPET when running as Jailhouse guest. We use the LOAPIC
timer, instead
- there is no PIC_DISABLE, because there is no 8259A PIC when running
as a Jailhouse guest
- XIP makes no sense also when running as Jailhouse guest, and both
PHYS_RAM_ADDR/PHYS_LOAD_ADD are set to zero, what tiny-demo cell
config is set to
This opens up new possibilities for Zephyr, so that usages beyond just
MCUs come to the table. I see special demand coming from
functional-safety related use cases on industry, automotive, etc.
[1] https://github.com/siemens/jailhouse
Reference to Jailhouse's booting preamble code:
Origin: Jailhouse
License: BSD 2-Clause
URL: https://github.com/siemens/jailhouse
commit: 607251b44397666a3cbbf859d784dccf20aba016
Purpose: Dual-licensing of inmate lib code
Maintained-by: Zephyr
Signed-off-by: Gustavo Lima Chaves <gustavo.lima.chaves@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
We were unnecessarily pulling in headers which resulted in kernel.h
being pulled in, which is undesirable since arch/cpu.h pulls in
these headers.
Added integral type headers since we do need those.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
kernel.h depends on arch.h, and reverse dependencies need to be
removed. Define k_tid_t as some opaque pointer type so that arch.h
doesn't have to pull in kernel.h.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This header needs Zephyr's specific type definitions. It also
needs struct k_mem_partition and struct k_mem_domain, but they
are defined opaquely here instead of pulling in kernel.h (which
would create nasty dependency loops)
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Created structures and unions needed to enable the software to
access these tables.
Also updated the helper macros to ease the usage of the MMU page
tables.
JIRA: ZEP-2511
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Some SOCs (e.g. STM32F0) can map the flash to address 0 and
the flash base address at the same time. Prevent writing to
duplicate flash address which stops the SOC.
Allow Cortex M SOCs to create their own vector table relocation
function.
Provide a relocation function for STM32F0x SOCs.
Fixes#3923
Signed-off-by: Bobby Noelte <b0661n0e17e@gmail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
arg6 is treated as a memory constraint. If that memory
address was expressed as an operand to 'mov' in the generated
code as an offset from the stack pointer, then the 'push'
instruction immediately before it could end up causing memory 4
bytes off from what was intended being passed in as the 6th
argument.
Add ESP register to the clobber list to fix this issue.
Fixes issues observed with k_thread_create() passing in a
NULL argument list with CONFIG_DEBUG=y.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We need to track permission on stack memory regions like we do
with other kernel objects. We want stacks to live in a memory
area that is outside the scope of memory domain permission
management. We need to be able track what stacks are in use,
and what stacks may be used by user threads trying to call
k_thread_create().
Some special handling is needed because thread stacks appear as
variously-sized arrays of struct _k_thread_stack_element which is
just a char. We need the entire array to be considered an object,
but also properly handle arrays of stacks.
Validation of stacks also requires that the bounds of the stack
are not exceeded. Various approaches were considered. Storing
the size in some header region of the stack itself would not allow
the stack to live in 'noinit'. Having a stack object be a data
structure that points to the stack buffer would confound our
current APIs for declaring stacks as arrays or struct members.
In the end, the struct _k_object was extended to store this size.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
These needed "memory" clobbers otherwise the compiler would do
unnecessary optimizations for parameters passed in as pointer
values.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
The compiler was complaining about impossible constraints since register
constraint was provided, but there are no general purpose registers left
available.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This wasn't working properly with CONFIG_APPLICATION_MEMORY enabled as
the sections weren't handled in the linker script.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
A quick look at "man syscall" shows that in Linux, all architectures
support at least 6 argument system calls, with a few supporting 7. We
can at least do 6 in Zephyr.
x86 port modified to use EBP register to carry the 6th system call
argument.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
* Instead of a common system call entry function, we instead create a
table mapping system call ids to handler skeleton functions which are
invoked directly by the architecture code which receives the system
call.
* system call handler prototype specified. All but the most trivial
system calls will implement one of these. They validate all the
arguments, including verifying kernel/device object pointers, ensuring
that the calling thread has appropriate access to any memory buffers
passed in, and performing other parameter checks that the base system
call implementation does not check, or only checks with __ASSERT().
It's only possible to install a system call implementation directly
inside this table if the implementation has a return value and requires
no validation of any of its arguments.
A sample handler implementation for k_mutex_unlock() might look like:
u32_t _syscall_k_mutex_unlock(u32_t mutex_arg, u32_t arg2, u32_t arg3,
u32_t arg4, u32_t arg5, void *ssf)
{
struct k_mutex *mutex = (struct k_mutex *)mutex_arg;
_SYSCALL_ARG1;
_SYSCALL_IS_OBJ(mutex, K_OBJ_MUTEX, 0, ssf);
_SYSCALL_VERIFY(mutex->lock_count > 0, ssf);
_SYSCALL_VERIFY(mutex->owner == _current, ssf);
k_mutex_unlock(mutex);
return 0;
}
* the x86 port modified to work with the system call table instead of
calling a common handler function. fixed an issue where registers being
changed could confuse the compiler has been fixed; all registers, even
ones used for parameters, must be preserved across the system call.
* a new arch API for producing a kernel oops when validating system call
arguments added. The debug information reported will be from the system
call site and not inside the handler function.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
- _arch_user_mode_enter() implemented
- _arch_is_user_context() implemented
- _new_thread() will honor K_USER option if passed in
- System call triggering macros implemented
- _thread_entry_wrapper moved and now looks for the next function to
call in EDI
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
- There's no point in building up "validity" (declared volatile for some
strange reason), just exit with false return value if any of the page
directory or page table checks don't come out as expected
- The function was returning the opposite value as its documentation
(0 on success, -EPERM on failure). Documentation updated.
- This function will only be used to verify buffers from user-space.
There's no need for a flags parameter, the only option that needs to
be passed in is whether the buffer has write permissions or not.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The byte ones are required for ns16550 uart driver which is
present on some arm socs. Add half-word ones for completeness.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This was felt to be necessary at one point but actually isn't.
- When a thread is initialized to use a particular stack, calls will be
made to the MMU/MPU to restrict access to that stack to only that
thread. Once a stack is in use, it will not be generally readable even
if the buffer exists in application memory space.
- If a user thread wants to create a thread, we will need to have some
way to ensure that whatever stack buffer passed in is unused and
appropriate. Since unused stacks in application memory will be generally
accessible, we can just check that the calling thread to
k_thread_create() has access to the stack buffer passed in, it won't if
the stack is in use.
On ARM we had a linker definition for .stacks, but currently stacks are
just tagged with __noinit (which is fine).
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Previously, this was only done if an essential thread self-exited,
and was a runtime check that generated a kernel panic.
Now if any thread has k_thread_abort() called on it, and that thread
is essential to the system operation, this check is made. It is now
an assertion.
_NANO_ERR_INVALID_TASK_EXIT checks and printouts removed since this
is now an assertion.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
All system calls made from userspace which involve pointers to kernel
objects (including device drivers) will need to have those pointers
validated; userspace should never be able to crash the kernel by passing
it garbage.
The actual validation with _k_object_validate() will be in the system
call receiver code, which doesn't exist yet.
- CONFIG_USERSPACE introduced. We are somewhat far away from having an
end-to-end implementation, but at least need a Kconfig symbol to
guard the incoming code with. Formal documentation doesn't exist yet
either, but will appear later down the road once the implementation is
mostly finalized.
- In the memory region for RAM, the data section has been moved last,
past bss and noinit. This ensures that inserting generated tables
with addresses of kernel objects does not change the addresses of
those objects (which would make the table invalid)
- The DWARF debug information in the generated ELF binary is parsed to
fetch the locations of all kernel objects and pass this to gperf to
create a perfect hash table of their memory addresses.
- The generated gperf code doesn't know that we are exclusively working
with memory addresses and uses memory inefficently. A post-processing
script process_gperf.py adjusts the generated code before it is
compiled to work with pointer values directly and not strings
containing them.
- _k_object_init() calls inserted into the init functions for the set of
kernel object types we are going to support so far
Issue: ZEP-2187
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch fixes a couple of issues with the stack guard size and
properly constructs the STACK_ALIGN and STACK_ALIGN_SIZE definitions.
The ARM AAPCS requires that the stack pointers be 8 byte aligned. The
STACK_ALIGN_SIZE definition is meant to contain the stack pointer
alignment requirements. This is the required alignment at public API
boundaries (ie stack frames).
The STACK_ALIGN definition is the required alignment for the start
address for stack buffer storage. STACK_ALIGN is used to validate
the allocation sizes for stack buffers.
The MPU_GUARD_ALIGN_AND_SIZE definition is the minimum alignment and
size for the MPU. The minimum size and alignment just so happen to be
32 bytes for vanilla ARM MPU implementations.
When defining stack buffers, the stack guard alignment requirements
must be taken into consideration when allocating the stack memory.
The __align() must be filled in with either STACK_ALIGN_SIZE or the
align/size of the MPU stack guard. The align/size for the guard region
will be 0 when CONFIG_MPU_STACK_GUARD is not set, and 32 bytes when it
is.
The _ARCH_THREAD_STACK_XXXXXX APIs need to know the minimum alignment
requirements for the stack buffer memory and the stack guard size to
correctly allocate and reference the stack memory. This is reflected
in the macros with the use of the STACK_ALIGN definition and the
MPU_GUARD_ALIGN_AND_SIZE definition.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
* apply STACK_GUARD_SIZE, no extra space will be added if
MPU_STACK_GUARD is disabled
* When ARC_STACK_CHECKING is enabled, MPU_STACK_GUARD will be
disabled
* add two new api: arc_core_mpu_default and arc_core_mpu_region
to configure mpu regions
* improve arc_core_mpu_enable and arc_core_mpu_disable
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
* add arc mpu driver
* modify the corresponding kconfig and kbuild
* currently only em_starterkit 2.2's em7d configuration
has mpu feature (mpu version 2)
* as the minimum region size of arc mpu version 2 is 2048 bytes and
region size should be power of 2, the stack size of threads
(including main thread and idle thread) should be at least
2048 bytes and power of 2
* for mpu stack guard feature, a stack guard region of 2048 bytes
is generated. This brings more memory footprint
* For arc mpu version 3, the minimum region size is 32 bytes.
* the codes are tested by the mpu_stack_guard_test and stackprot
Signed-off-by: Wayne Ren <wei.ren@synopsys.com>
Fix misspellings in .h files missed during code reviews
and affecting generated API documentation
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
An abnormal crash was encountered in ARMv6-M SoCs that don't have flash
starting at 0. With Zephyr OS the reason for this crash is that, on
ARMv6-M the system requires an exception vector table at the 0 address.
We implement the relocate_vector_table function to move the vector table
code to address 0 on systems which don't have the start of code already
at 0.
[kumar.gala: reworderd commit message, tweaked how we check if we need
to copy vector table]
Signed-off-by: Xiaorui Hu <xiaorui.hu@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
The Xtensa port was the only one remaining to be converted to the new
way of connecting interrupts in Zephyr. Some things are still
unconverted, mainly the exception table, and this will be performed
another time.
Of note: _irq_priority_set() isn't called on _ARCH_IRQ_CONNECT(), since
IRQs can't change priority on Xtensa: while the architecture has the
concept of interrupt priority levels, each line has a fixed level and
can't be changed.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This patch adjusts the ARM MPU implementation to be compliant to the
recent changes that introduced the opaque kernel data types.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch always defines the ARCH_THREAD_STACK_XXX macros/functions
regardless of the MPU_STACK_GUARD usage. Only use MPU_STACK_GUARD when
determining the minimum stack alignment.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The mimimum mpu size is 32 bytes, but requires mpu base address to be
aligned on 32 bytes to work. Define architecture thread macro when
MPU_STACK_GUARD config to allocate stack with 32 more bytes.
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
This patch adds the allow flash write CONFIG option to the ARM MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This patch adds the allow flash write CONFIG option to the NXP MPU
configuration in privileged mode.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: David Brown <david.brown@linaro.org>
This is a simpler memory arrangement; RAM will start with
app data, and everything after it is either kernel data or
unclaimed memory reserved for the kernel's use.
New linker variables are also implemented here.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Kernel data size shifts in between linker passes due to the addition
of the page tables. We would like application memory bounds to
remain fixed so that we can program the MMU permissions for it
at build time.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Page faults will additionally dump out some interesting
page directory and page table flags for the faulting
memory address.
Intended to help determine whether the page tables have been
configured incorrectly as we enable memory protection features.
This only happens if CONFIG_EXCEPTION_DEBUG is turned on.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(), this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Subsequent patches will set this guard page as unmapped,
triggering a page fault on access. If this is due to
stack overflow, a double fault will be triggered,
which we are now capable of handling with a switch to
a know good stack.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now create a special IA hardware task for handling
double faults. This has a known good stack so that if
the kernel tries to push stack data onto an unmapped page,
we don't triple-fault and reset the system.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We will need this for stack memory protection scenarios
where a writable GDT with Task State Segment descriptors
will be used. The addresses of the TSS segments cannot be
put in the GDT via preprocessor magic due to architecture
requirments that the address be split up into different
fields in the segment descriptor.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This has one use-case: configuring the double-fault #DF
exception handler to do an IA task switch to a special
IA task with a known good stack, such that we can dump
diagnostic information and then panic.
Will be used for stack overflow detection in kernel mode,
as otherwise the CPU will triple-fault and reset.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
A user space buffer must be validated before required operation
can proceed. This API will check the current MMU
configuration to determine if the buffer held by the user is valid.
Jira: ZEP-2326
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This needs to be in <arch/cpu.h> so that it can be called
from the k_panic()/k_oops() macros in kernel.h.
Fixes build errors on these arches when using k_panic() or
k_oops().
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Different areas of memory will need to have different access
policies programmed into the MMU. We introduce MMU page alignment
to the following areas:
- The boundaries of the image "ROM" area
- The beginning of RAM representing kernel datas/bss/nonit
- The beginning of RAM representing app datas/bss/noinit
Some old alignment directives that are no longer necessary have
been removed.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch splits out the application data and bss from the
rest of the kernel. Choosing CONFIG_APPLICATION_MEMORY will
result in the application and kernel being split.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Implements CONFIG_APPLICATION_MEMORY for x86. Working in
XIP and non-XIP configurations.
This patch does *not* implement any alignment constraints
imposed by the x86 MMU, such enabling will be done later.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
patch adds necessary files and does the modification to the existing
files to add device support for x86 based intel quark microcontroller
Signed-off-by: Savinay Dharmappa <savinay.dharmappa@intel.com>
This is unmaintained and currently has no known users. It was
added to support a Wind River project. If in the future we need it
again, we should re-introduce it with an exception-based mechanism
for catching out-of-bounds memory queries from the debugger.
The mem_safe subsystem is also removed, it is only used by the
GDB server. If its functionality is needed in the future, it
shoudl be replaced with an exception-based mechanism.
The _image_{ram, rom, text}_{start, end} linker variables have
been left in place, they will be re-purposed and expanded to
support memory protection.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The porting of the TI CC2650 SoC introduces the need to
write a specific configuration area (CCFG) at the end of the
flash. It is read by the bootloader ROM of the SoC.
For now, this is a quick hack and not a generic solution;
similar needs may arise with other hardware.
Signed-off-by: Geoffrey Le Gourriérec <geoffrey.legourrierec@smile.fr>
Clearing fields in the region descriptor attributes doesn't always have
the expected effect of revoking permissions. In the case of bus master
supervisor mode fields (MxSM), setting to zero actually enables read,
write, and execute access.
When we reworked handling of region descriptor 0, we inadvertently
enabled execution from RAM by clearing the MxSM fields and enabling the
descriptor. This caused samples/mpu_test run to throw a usage fault
instead of an MPU-triggered bus fault.
Fix this by setting all the MxSM fields to 2'b11, which gives supervisor
mode the same access as user mode.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
We need to make sure that __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS
are set to the same value. Add a simple build time check to ensure
this is the case. This is to catch future cases of issues like
ZEP-2243. This is a stop gap til we resolve ZEP-2262, which covers use
of both __NVIC_PRIO_BITS & CONFIG_NUM_IRQ_PRIO_BITS.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Macro is used to create a structure to specify the boot time
page table configuration. Needed by the gen_mmu.py script to generate
the actual page tables.
Linker script is needed for the following:
1. To place the MMU page tables at 4KByte boundary.
2. To keep the configuration structure created by
the Macro(mentioned above).
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Fixes an issue where if a thread calls k_panic() or k_oops()
with interrupts locked, control would return to the thread
and it would only be aborted after interrupts were unlocked
again.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The REGION bits (bit[3:0]) of MPU_RBAR register can specify the number
of the region to update if the VALID bit (bit[4]) is also set.
If the bit[3:0] of "region_addr" are not zero, might cause to update
unexpected region. This could happen since we might not declare stack
memory with specific alignment.
This patch will mask the bit[4:0] of "region_addr" to prevent updating
unexpected region.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Inserting the IDT results in any data afterwards being shifted.
We want the memory addresses between the zephyr_prebuilt.elf
and zephyr.elf to be as close as possible. Insert some dummy
data in the linker script the same size as the gen_idt data
structures. Needed for forthcoming patches which generate MMU
page tables at build time.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Calling 'svc' on ARMv6 causes a hard fault if interrups are locked.
Force them unlocked before making the svc call.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Ethernet on K64F is connected via Logical Bus Master 3.
Section 19.3.8 of K64F reference manual establishes bits 20-18
(M3UM) on page 427 as "Bus Master 3 User Mode Access Control".
To fix RWX user mode access via Bus Master 3 when MPU is enabled,
we need to add these bits to the MPU region descriptors.
This fixes ETH0 on K64F when MPU is enabled.
Fix recommended by Maureen Helm <maureen.helm@nxp.com>
Signed-off-by: Michael Scott <michael.scott@linaro.org>
Let's clarify what bits are being set by removing magic numbers in the
MPU READ/WRITE/EXECUTE User Mode and Supervisor Mode defines.
Signed-off-by: Michael Scott <michael.scott@linaro.org>
This patch add arm core MPU support to NXP MPU driver.
With this feature it is now possible to enable stack guarding on NXP
MPUs.
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Here are the main changes:
* board: Update EMSK onboard resources such as Button, Switch and LEDs
+ update soc.h for em7d, em9d, em11d
+ update board.h for em_starterkit board
* arc: Add floating point support and code density support
+ add kconfig configuration
+ add compiler options
+ add register definitions, marcos, assembly codes
+ fixes in existing codes and configurations.
* arc: Update detailed board configurations for cores of emsk 2.3
* script: Provide arc_debugger.sh for debugging em_starterkit board
+ make BOARD=em_starterkit debug
This will start openocd server for emsk, and arc gdb will connect
to this debug server, user can run `continue` command if user just
want to run the application, or other commands if debugging needed.
+ make BOARD=em_starterkit debugserver
This will start an openocd debugger server for emsk, and user can
connect to this debugserver using arc gdb and do what they want to.
+ make BOARD=em_starterkit flash
This will download the zephyr application elf file to emsk,
and run it.
Signed-off-by: Huaqi Fang <huaqi.fang@synopsys.com>
This patch add arm core MPU support to ARM MPU driver.
Change-Id: I5a61da4615ae687bf42f1c9947e291ebfd2d2c1d
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds the arm core MPU interface, a common way to access the
pu functionalities by the arm zephyr kernel.
The interface can be divided in two parts:
- a core part that will be implemented by the arm_core_mpu driver and
used directly by the kernel
- a driver part that will be implemented by the mpu drivers and used by
the arm_core_mpu driver
Change-Id: I590bd284abc40d98b06fdf1efb5800903313aa00
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
This patch adds initial MPU support to NXP K6x family.
The boot configuration prevents the following security issues:
* Prevent to read at an address that is reserved in the memory map.
* Prevent to write into the boot Flash/ROM.
* Prevent from running code located in SRAM.
This driver has been tested on FRDM-K64F.
Change-Id: I907168fff0c6028f1c665f1d3c224cbeec31be32
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
For various reasons its often necessary to generate certain
complex data structures at build-time by separate tools outside
of the C compiler. Data is populated to these tools by way of
special binary sections not intended to be included in the final
binary. We currently do this to generate interrupt tables, forthcoming
work will also use this to generate MMU page tables.
The way we have been doing this is to generatea "kernel_prebuilt.elf",
extract the metadata sections with objcopy, run the tool, and then
re-link the kernel with the extra data *and* use objcopy to pull
out the unwanted sections.
This doesn't scale well if multiple post-build steps are needed.
Now this is much simpler; in any Makefile, a special
GENERATED_KERNEL_OBJECT_FILES variable may be appended to containing
the filenames to the generated object files, which will be generated
by Make in the usual fashion.
Instead of using objcopy to pull out, we now create a linker-pass2.cmd
which additionally defines LINKER_PASS2. The source linker script
can #ifdef around this to use the special /DISCARD/ section target
to not include metadata sections in the final binary.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
These are macros that are expected to be defined at all times by
the compiler. We need them at the very beginning of kernel.h for
the k_thread definition, before it's possible to include arch.h.
Make a special toolchain header for XCC compiler and place these
defines in there. Otherwise inherit all the other GCC defines.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We don't use __scs or __scp anymore so we can remove the related linker
script and various defines and such associated with them.
Change-Id: Ibbbe27c23a3f2b816b992dfdeb4f80cf798e0d40
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
CC3220SF_LAUNCHXL effectively replaces the CC3200_LAUNCHXL,
with support for the CC3220SF SoC, which is an update for
the CC3200 SoC.
This is supported by the Texas Instruments CC3220 SDK.
Jira: ZEP-1958
Change-Id: I2484d3ee87b7f909c783597d95128f2b45db36f2
Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
Historically, space for struct k_thread was always carved out of the
thread's stack region. However, we want more control on where this data
will reside; in memory protection scenarios the stack may only be used
for actual stack data and nothing else.
On some platforms (particularly ARM), including kernel_arch_data.h from
the toplevel kernel.h exposes intractable circular dependency issues.
We create a new per-arch header "kernel_arch_thread.h" with very limited
scope; it only defines the three data structures necessary to instantiate
the arch-specific bits of a struct k_thread.
Change-Id: I3a55b4ed4270512e58cf671f327bb033ad7f4a4f
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch add the Memory Protection Unit parameter to the arm core
configuration.
Change-Id: Ifee8cdd5738391a6f182e8d0382d27eeb8c546ba
Signed-off-by: Vincenzo Frascino <vincenzo.frascino@linaro.org>
Signed-off-by: Marc Moreno <marc.morenoberengue@linaro.org>
Put the reason code in r0 and make a SVC #2 call, which will be
propagated to _fatal_error_handler as an exception.
The _is_in_isr() implementation had to be tweaked a bit. User-generated
SVC exception no longer just used for irq_offload(); just because we are
in it does not mean we are in interrupt context. Instead, have the
irq_offload code set and clear the offload_routine global; it will be
non-NULL only if it's in use. Upcoming changes to support memory
protection (which will require system calls) will need this too.
We free up some small amount of ROM deleting _default_esf struct as it's
no longer needed.
Issue: ZEP-843
Change-Id: Ie82bd708575934cffe41e64f5c128c8704ca4e48
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We reserve a specific vector in the IDT to trigger when we want to
enter a fatal exception state from software.
Disabled for drivers/build_all tests as we were up to the ROM limit
on Quark D2000.
Issue: ZEP-843
Change-Id: I4de7f025fba0691d07bcc3b3f0925973834496a0
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Unlike assertions, these APIs are active at all times. The kernel will
treat these errors in the same way as fatal CPU exceptions. Ultimately,
the policy of what to do with these errors is implemented in
_SysFatalErrorHandler.
If the archtecture supports it, a real CPU exception can be triggered
which will provide a complete register dump and PC value when the
problem occurs. This will provide more helpful information than a fake
exception stack frame (_default_esf) passed to the arch-specific exception
handling code.
Issue: ZEP-843
Change-Id: I8f136905c05bb84772e1c5ed53b8e920d24eb6fd
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
For exceptions where we are just going to abort the current thread, we
need to exit handler mode properly so that PendSV can run and perform a
context switch. For ARM architecture this means that the fatal error
handling code path can indeed return if we were 1) in handler mode and
2) only wish to abort the current thread.
Fixes a very long-standing bug where a thread that generates an
exception, and should only abort the thread, instead takes down the
entire system.
Issue: ZEP-2052
Change-Id: Ib356a34a6fda2e0f8aff39c4b3270efceb81e54d
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Convert code to use u{8,16,32,64}_t and s{8,16,32,64}_t instead of C99
integer types. This handles the remaining includes and kernel, plus
touching up various points that we skipped because of include
dependancies. We also convert the PRI printf formatters in the arch
code over to normal formatters.
Jira: ZEP-2051
Change-Id: Iecbb12601a3ee4ea936fd7ddea37788a645b08b0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This is a start to move away from the C99 {u}int{8,16,32,64}_t types to
Zephyr defined u{8,16,32,64}_t and s{8,16,32,64}_t. This allows Zephyr
to define the sized types in a consistent manor across all the
architectures we support and not conflict with what various compilers
and libc might do with regards to the C99 types.
We introduce <zephyr/types.h> as part of this and have it include
<stdint.h> for now until we transition all the code away from the C99
types.
We go with u{8,16,32,64}_t and s{8,16,32,64}_t as there are some
existing variables defined u8 & u16 as well as to be consistent with
Zephyr naming conventions.
Jira: ZEP-2051
Change-Id: I451fed0623b029d65866622e478225dfab2c0ca8
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Scanning for typos in comments and strings.
Change-Id: I3d4db89e0824959252c79c19baa50028354247bd
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
The CONFIG_FLASH_LOAD_OFFSET allows the zephyr image to be placed at
an offset from the start of flash. This is useful for situations,
such as with a bootloader, to allow the image to not occupy the very
beginning of flash.
Complement this by adding a CONFIG_FLASH_LOAD_SIZE config, that can
constrain the size of the flash image. With the default of zero, the
behavior is as before, with the image allowed to occupy the rest of
the flash. It can also be defined to a non-zero value which will
constrain the image to occupy that many bytes of flash.
Although this is defined generally, it is currently only supported on
cortex-m targets.
Change-Id: I6e4a0e79c8459f931cd4757c932d20dac740f5f6
Signed-off-by: David Brown <david.brown@linaro.org>
__BYTE_ORDER__, __ORDER_BIG_ENDIAN__ and __ORDER_LITTLE_ENDIAN__ are not
defined when building with xcc, but are defined when building with gcc.
Define them conditionally.
Change-Id: Ib205ffee28360aa240d61731b7a3d6f45401b4c1
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
The SiFive Freedom E310 SOC follows the riscv privilege
architecture specification and hence is declared within
the riscv privilege SOC family.
It also provides support for a riscv
Platform Level Interrupt Controller (PLIC)
Change-Id: I19ff0997eacc248f48444fc96566a105c6c02663
Signed-off-by: Jean-Paul Etienne <fractalclone@gmail.com>
Updated the riscv-privilege SOC family to account for SOCs supporting
a Platform-level Interrupt Controller (PLIC) as specified by the
riscv privilege architecture.
riscv-privilege SOCs supporting a PLIC have to implement the following
list of APIs:
void riscv_plic_irq_enable(uint32_t irq);
void riscv_plic_irq_disable(uint32_t irq);
int riscv_plic_irq_is_enabled(uint32_t irq);
void riscv_plic_set_priority(uint32_t irq, uint32_t priority);
int riscv_plic_get_irq(void);
Change-Id: I0228574967348d572afc98a79257c697efc4309e
Signed-off-by: Jean-Paul Etienne <fractalclone@gmail.com>
Current users of sys_bitfield*() are bending over backwards to cast
what is most of the times a pointer into an integer.
Bitfields can be better described with an void *, so
uint{8,16,32,64}_t or any other container can be used. Most
sys_bitfield*() operations, by extension, can do the same. Note void *
has byte arithmetic, like char *.
This change will also make it implicit, for any future split of the
address space between virtual (what the SW is seeing) and physical
(what the HW is seeing) way clearer, as the functions dealing with
physical, non directly referentiable/mappeable addreses to use an
integer type, like mem_addr_t.
- include/arch/ARCH/*asm_inline*:
- sys_bitfield*() all modified to take 'void *'
Note 'void *' arihtmethic is byte based, which makes some things
easier.
- include/sys_io.h:
- introduces DEFINE_BITFIELD
- update docs
- tests/kernel/bitfield: remove all the cast contortions, use DEFINE_BITFIELD
PENDING: update other TCs
- include/arch/nios/nios2.h, drivers/interrupt_controller/ioapic_intr.c:
remove cast contortions
Change-Id: I901e62c76af46f26ff0d29cdc37099597f884511
Jira: ZEP-1347
Signed-off-by: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
It's not entirely clear where the '%P' came from, but the proper,
documented operand modifier for inserting an immediate value without
punctuation is '%c'.
Change-Id: I17346a6c70183ce79e91faa2fbe61e7761dfd513
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Currently, ARM Cortex-M image ROMs are linked starting at the flash
device's base address (CONFIG_FLASH_BASE_ADDRESS). This prevents XIP
Zephyr applications from being linked to run from elsewhere on the
flash device. Linking Zephyr applications to run from elsewhere can be
necessary when running under a bootloader (i.e., booting into a Zephyr
application from a bootloader, not using Zephyr as a bootloader).
To enable this use case, add a new config option: FLASH_LOAD_OFFSET.
This option directs the linker to treat ROM as if it started that many
bytes from the base of flash on Cortex-M targets. The option defaults
to zero to preserve backwards compatibility.
Change-Id: I64f82aee257c19c2451f9789b0ab56999775b761
Signed-off-by: Marti Bolivar <marti.bolivar@linaro.org>
Some arches may want to define this as an inline function, or
define in core arch code instead of timer driver code.
Unfortunately, this means we need to remove from the footprint
tests, but this is not typically a large function.
Issue: ZEP-1546
Change-Id: Ic0d7a33507da855995838f4703d872cd613a2ca2
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This implementation of _tsc_read returns a 64-bit value that
is derived from the 64-bit tick count multiplied by hwcycles per tick,
and then it adds the current value from the 32-bit timer.
This produces a 64-bit time. There is a bunch of math here, which
could be avoided if the CPU is built with Real-Time-Clock option.
EM Starter Kit SOCs don't have this. I don't think Arduino 101 does
either.
See ZEP-1559
Change-Id: I9f846d170246556ac40fe2f45809e457c6375d8c
Signed-off-by: Chuck Jordan <cjordan@synopsys.com>
Its current placement was splitting the vector table in half.
Move to rodata, a better place for it. There's no requirement for
it to be in the text section.
Change-Id: I67724b2a26a9cb62c2ccd473cb54c53e4f74dc32
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The BSS section needs to use AT> in XIP systems otherwise the LMA
addresses in the ELF binary are wrong, leading to issues if we
try to manipulate the binary with objcopy. The GROUP_DATA_LINK_IN
macro does the right thing here.
This was already done on other arches but ARC was missed.
Change-Id: I93748e919e0b68c1ff2dfb4b85b7064a8d980f3a
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
XCC does neither define __BYTE_ORDER__ nor __ORDER_LITTLE/BIG_ENDIAN__ macros.
This resulted in field preempt of thread.base not correctly built from other
union fields prio and sched_locked, which caused wrong scheduling.
Change-Id: I8566ef4a5cf555906c012c4adc488f9afb26c053
Signed-off-by: Mazen NEIFER <mazen@nestwave.com>
1) Fatal errors now all go through _SysFatalErrorHandler. When the
simulator is used, only the death of 'essential' threads will result
in the simulator exiting; some test cases that test exceptions may
actually expect a thread to terminate abnormally.
2) The human readability of the exception errors is improved.
Change-Id: I77f57ea0eae15b0c55237681b959cd21e3fe8c1c
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
find_msb_set logic was wrong. find_lsb_set() is now an inline function.
Change-Id: I2c19540907723589298b2f6af2ce1d68704bf1d7
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Master branch changed requirements for license headers while this
branch has been in development.
Change-Id: I9bce16ff275057a4bb664019628fc9b6de7aef7c
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In order for OpenOCD to have a high-level view of an RTOS, it uses the
GDB protocol to obtain symbols from the system.
The GDB protocol, however, does not allow obtaining fields from
structures directly, and hardcoding offsets is not only brittle (due to
possibly different architectures or changes in the code), it's also
infeasible considering Zephyr is highly-configurable and parts of key
structs can be compiled in or out.
Export an array with offsets for these key structs. Also add a version
element in that array to allow changes in those structs.
Change-Id: I83bcfa0a7bd57d85582e5ec6efe70e1cceb1fc51
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
This replaces the hard-coded vector table, as well as the
software ISR table created by the linker. Now both are generated
in build via script.
Issue: ZEP-1038, ZEP-1165
Change-Id: Ie6faaf8f7ea3a7a25ecb542f6cf7740836ad7da3
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>