Enhance the documentation for internal ARMv8-M MPU
function _mpu_buffer_validate().
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an explanatory comment in ARM __swap()
function, stressing when, exactly, context-switch is
expected to occur, when we pend the PendSV exception.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The ARM Cortex-M 321 application note is stressing that if
we disable interrupts by executing CPSID i(f), or by MSR
instructions (on PRIMASK, FAULTMASK registers), there is no
requirement to add barrier instructions after disabling
interupts. However, in ARMv7-M (and ARMv8-M Mainline) we use
BASEPRI, instead. Therefore, if we need the effect of disabling
interrupts to be recongnized immediately we should add barrier
instructions. This commit adds DSB and ISB barriers when
disabling interrupt using BASEPRI in the generic
arm _irq_lock() function as well as in the PendSV handler,
where we need to access kernel globals right after the interrups
are disabled.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The clang ARM assembler is a bit stricter than GNU as, make a few
changes so things build with both
Signed-off-by: Peter Smith <peter.smith@linaro.org>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
The commit adds an __ASSERT statement when configuring
the ARMv8-M build-in stack guard for supervisor thread
stack overflow protection, to catch the case when the
stack_info.start does not point to the beginning of the
thread stack allocated area, pointed by stack_obj.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit does the following:
- moves the reservation of the area for local thread data
inside the arch-specific _new_thread() function,
- aligns the end of the thread's stack with the granularity
of the MPU, already at thread's initialization, moving it
out of userspace_enter() function. In this way, the local
thread data are stored inside the thread stack area that
is, later, assigned unprivileged RW permissions (if thread
enters user mode).
- passes the right thread stack size information to function
_new_thread_init(), which stores it into stack_info.start.
As a result, the whole usable User Thread stack area (i.e.
excluding a possible guard area) falls inside the region
programmed as unprivileged RW, during context-switch.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Appears within a menu that already has 'depends on ARM_SECURE_FIRMWARE'.
'depends on FOO' on a menu will add 'depends on FOO' to each item within
it. 'if FOO' work similarly.
Tip: When adding a symbol, check its dependencies in the menuconfig
('ninja menuconfig', then / to jump to the symbol). The menuconfig also
shows how the file with the symbol got included, so if you see
duplicated dependencies, it's easy to hunt down where they come from.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
- The ARC CPU_HAS_MPU dependencies were added within the menu
menu "ARCH MPU Options"
depends on CPU_HAS_MPU
(arch/arc/core/mpu/Kconfig is source'd within it).
- The ARM CPU_HAS_MPU dependencies were redundantly added by
if CPU_HAS_MPU
source "arch/arm/core/cortex_m/mpu/Kconfig"
endif
and by some 'depends on CPU_HAS_MPU' within that file. Remove the
'depends on' and move the 'if' into the file instead.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Refactor internal ARM v7m and v8m MPU region re-programming
functions to take as argument a pointer to k_mem_partition
objects, instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor internal NXP MPU region re-programming functions
to take as argument a pointer to k_mem_partition objects,
instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the MPU region re-programming functions,
to take as argument an array of pointers to memory partition
structures, instead of the whole array of the partitions. In
this way the stack usage can be minimized, if the actual
partition information is kept in statically allocated memory.
instead of the map itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The "ARM Cortex-M options" menu is already within a 'if CPU_CORTEX_M',
so no need to put 'depends on CPU_CORTEX_M' on it.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Based on the definition of _ARCH_THREAD_STACK_DEFINE() macro
for ARM, the MPU Stack Guard region is placed inside the
allocated stack object, only if
CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT and CONFIG_USERSPACE
are both set. For ARM stack objects, allocated using the
_ARCH_THREAD_STACK_DEFINE() macro, such as the threads' stacks
and the interrupt stack, the above must be reflected on how we
set the initial start of the stacks.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
On x86, if a supervisor thread belonging to a memory domain
adds a new partition to that domain, subsequent context switches
to another thread in the same domain, or dropping itself to user
mode, does not have the correct setup in the page tables.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit introduces a generic arch/arm function to evaluate
thread stack corruption. The function shall be used upon
occurrence of MemManage and Bus Faults.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an explanatory note in the places
where we manually adjust the PSP after stacking Bus
and MemManage errors, stressing that this is due to
the fact that interrupt tail-chaining cannot always
be guaranteed by the processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit removes a redundant check for imprecise bus fault,
when a precise bus fault has occurred, now that we have
re-worked the BusFault handler to iterate through all possible
bus errors.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon BusFault exceptions triggered
by the NXP MPU module. BusFaults rely on calling external
function to assess whether a thread stack corruption due to
overflow has occurred. Upon detection of stack corruption,
the current stack pointer is manually adjusted upwards, to
prevent un-stacking errors from firing up upon returning from
the exception.
Additionally, the commit allows to be checking for all different
types of BusFault occurrences that are reported through BFSR,
without stopping after having spotted the first BusFault type.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon MemManageFault exceptions.
Furthermore, it takes out all kernel-related logic and relies
on calling external function 'evaluate_thread_stack_corruption'
to assess whether a thread stack overflow has occurred. Upon
detection of stack corruption, the current stack pointer is
manually adjusted upwards, to prevent un-stacking errors from
firing up upon returning from the exception.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the debug message on UsageFaults
related to Stack overflow, stating that the context
area is not valid. An inline comment is added, with
more detailed explanation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the NXP MPU driver due to incompatible integer types.
Fixes#13836.
Fixes#13865.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes several essential inline comments in the
core assembly code for ARM, improving code readability.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit applies the same fixes, concering the Constant
Expression Result errors identified in the ARMv7-M and the
NXP MPU drivers, into the ARMv8-M MPU implementation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the ARMv7-M MPU driver due to incompatible integer types.
Fixes#13844.
Fixes#13854.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit aligns the implementation of arm_core_mpu_disable()
function in NXP MPU with the implementation in the ARM MPU
module, by introducing a Data Memory Barrier, (DMB) instead of
a DSB instruction. This is in accordance with the ARM guidelines
of using the memory protection unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This is an integral part of userspace and cannot be used
on its own. Fold into the main userspace configuration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Instead of having to enable ramfunc support manually, just make it
transparently available to users, keeping the MPU region disabled if not
used to not waste a MPU region. This however wastes 24 bytes of code
area when the MPU is disabled and 48 bytes when it is enabled, and
probably a dozen of CPU cycles during boot. I believe it is something
acceptable.
Note that when XIP is used, code is already in RAM, so the __ramfunc
keyword does nothing, but does not generate an error.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The linker file defines the __ramfunc_ram_size symbols to get the size
of the __ramfunc_ram section. Use that instead of computing the value at
runtime from the start and end symbols. This saves 16 bytes of code with
CONFIG_RAM_FUNCTION=y.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Using __ramfunc to places a function in RAM instead of Flash.
Code that for example reprograms flash at runtime can't execute
from flash, in that case must placing code into RAM.
This commit create a new section named '.ramfunc' in link scripts,
all functions has __ramfunc keyword saved in thats sections and
will load from flash to sram after the system booted.
Fixes: #10253
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
This commit fixes a bug that was always propagating the
default error reason (_NANO_ERR_HW_EXCEPTION) to the
system fatal error handler for (strictly) Secure and
for Non-Secure FW builds on ARMv8-M.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Include the EXC_RETURN payload flag macro definitions into
compilation when building for Non-Secure firmware, too.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug for ARM builds with no USERSPACE support
where the MPU stack guard had been erroneously placed, i.e. not
at the beginning of the stack object. This was eating 32-bytes
off of the thread stack. In addition to that, the commit adds a
usefull ASSERT statement for builds with USERSPACE, which checks
that the start of the guard matches the beginning of the entire
stack object.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Its possible that memcpy is marked to check that a NULL value is passed
to it. The instance of memcpy in relocate_vector_table its valid that
we're are copying to 0/NULL. So supress the possible warning generated
by gcc -Wnonnull.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
With this commit we clear the BusFault Status Register error
bits, after processing the fault, for all ARM architecture
variants and implementations (not only for ARMv8-M mainline).
That is a fix, since the bits are sticky in the ARMv7-M
variants, as well. The commit fixes, additionally, a typo
in the spelling of BFSR.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds the logic to indicate that a Non-Secure fault
exception has been triggered due to a processor fault that has,
in fact, occurred in the Secure state.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes the way we determine where the stacked
frame lies for (strictly) ARMv8-M Non-Secure firmware. It
introduces no changes to the default ARMv8-M behavior (i.e.
ARMv7-M compatible).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This is needed, because an interrupt can happen after the main/static
MPU region is disabled and before it is re-enabled.
This region gets implicitly disabled inside the _region_init call, when
its configuration registers change:
SYSMPU->WORD[index][0] = region_base;
SYSMPU->WORD[index][1] = region_end;
SYSMPU->WORD[index][2] = region_attr;
SYSMPU->WORD[index][3] = SYSMPU_WORD_VLD_MASK;
The TRM says this about the WORD0, WORD1 and WORD2 registers:
Writes to this register clear the region descriptor’s valid bit
(RGDn_WORD3[VLD]).
And thus if an interrupt happens after writing to WORD0 and before
writing VLD to WORD3 again, the code executes with enabled and yet
misconfigured MPU.
Fixes#13482
Signed-off-by: Tomasz Gorochowik <tgorochowik@antmicro.com>
The linker file defines the __gcov_bss_size and _nocache_ram_size
symbols to get the size of the __gcov_bss and _nocache_ram section. Use
that instead of computing the value at runtime from the start and end
symbols.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
_arch_configure_dynamic_mpu_regions() may re-program the MPU
Stack Guard, to guard the privilege stack for overflows,
(if building with option CONFIG_MPU_STACK_GUARD). There is a
risk of actually overflowing the stack while doing the
re-programming. We minimize the risk by placing the
re-programming function immediately after we have switched to
the privileged stack so that the whole privilege stack area is
available for this critical operation.
Note that the risk for overflow is higher if using the normal
thread stack, since we do not control how much stack is actually
left, when user invokes _arm_userspace_enter().
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit moves the clearing of PSPLIM before determining the
privilege stack start and size. In this way the clearing can be
done without unnecessary pushing and popping r3 core register.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit provides two fixes for the ARMv8-M built-in stack
protection in userspace.S. First, it clears the PSPLIM register
before setting the PSP to the privileged stack. In the wake of
this, the privilege stack area can now be positioned enywhere,
i.e. does not have to be above the user stack area. Second, it
removes unncessary push/pop when clearing the PSPLIM register,
upon returning from the system call, since the r3 register is
not used anymore in this routine.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Fixing the documentation for ARM core __svc function, which was
outdated and present only for the ARMv7-M version.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Stacking r3 at this point is not required as the register value
is not used afterwards, therefore, it does not need to be
retained.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Due to code re-organization inside __pendSV(), the stacking
and unstacking of scratch registers around the invocation of
read_timer_end_of_swap() is no longer required.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Just like with _Swap(), we need two variants of these utilities which
can atomically release a lock and context switch. The naming shifts
(for byte count reasons) to _reschedule/_pend_curr, and both have an
_irqlock variant which takes the traditional locking.
Just refactoring. No logic changes.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
We want a _Swap() variant that can atomically release/restore a
spinlock state in addition to the legacy irqlock. The function as it
was is now named "_Swap_irqlock()", while _Swap() now refers to a
spinlock and takes two arguments. The former will be going away once
existing users (not that many! Swap() is an internal API, and the
long port away from legacy irqlocking is going to be happening mostly
in drivers) are ported to spinlocks.
Obviously on uniprocessor setups, these produce identical code. But
SMP requires that the correct API be used to maintain the global lock.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
This was never a long-term solution, more of a gross hack
to get test cases working until we could figure out a good
end-to-end solution for memory domains that generated
appropriate linker sections. Now that we have this with
the app shared memory feature, and have converted all tests
to remove it, delete this feature.
To date all userspace APIs have been tagged as 'experimental'
which sidesteps deprecation policies.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Replace Cortex-M3 with Cortex-M architecture family
in the header documentation of kernel_arch_data.h and
kernel_arch_func.h, which are generic header files for
the entire familty of ARM Cortex-M CPUs. The commit
adds some more minor style fixes in functions'
documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit updates the documentation of Kconfig option:
STACK_ALIGN_DOUBLE_WORD for Cortex-M microprocessors, stating
that the option is used in ARMv7-M MCUs to enforce 8-byte
stack alignment upon exception entry.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The selection of the Cortex M systick driver to be used
as a system clock driver is controlled by
CONFIG_CORTEX_M_SYSTICK.
To replace it by another driver CONFIG_CORTEX_M_SYSTICK
must be set to 'n'. Unfortunately this also controls
the interrupt vector for the systick interrupt. It is
now routed to __reserved. More bad the interrupt vector
can not be set by IRQ_CONNECT as it is one of the hard
coded interrupts in the interrupt table.
Route the hard coded systick interrupt to z_clock_isr
and make z_clock_isr a weak symbol that can be overwritten
by an alternative systick system clock driver.
Signed-off-by: Bobby Noelte <b0661n0e17e@gmail.com>
This patch adjusts the way we are doing push/pop operations before
making function calls inside of assembly routines. ARM requires 8
byte aligned stack operations across public interfaces. This means
that we need to be sure to push multiples of 2 registers.
Fixes#2108
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This commit re-works the NXP MPU driver implementation so that
it aligns with the implementation for ARMv7-M and ARMv8-M MPU
architectures.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes obsolete ARM CORE MPU API definitions
and related implementation from arm_mpu.c, in the wake of
the transition to the new ARM MPU design.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit moves all internal implementation, relevant for
User mode, in a single place in the arm_mpu_v7_internal.h,
arm_mpu_v8_internal, and in arm_mpu.c. Additionally, the
commit cleans up internal function _get_region_attr() that
is not used any more.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit updates the ARM Core MPU API for memory domains,
to align with the principle of de-coupling the partitioning
and the access attribution with the architecture-specific
MPU driver implementation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds the implementation of internal ARM MPU
function, arm_core_mpu_get_max_available_dyn_regions(),
required by _arch_mem_domain_max_partitions_get(),
according to the new architecture. The function returns
the number of the available partitions for memory domains
based on the total amount of HW regions and the
actual number of statically configured MPU regions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the internal (ARMv7-M and ARMv8-M)
API, which allows to user to (re)configure a memory partition
at run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contains the added functionality to program the
ARM8-M MPU so it can configure the dynamic memory regions at
run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contains the added functionality to program the
ARM7-M MPU so it can configure the dynamic memory regions at
run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces an ARM API that allows the user to
program a set of dynamic MPU regions at run-time. The API
function is invoked every time the memory map needs to be
re-programmed (for example at thread context-switch). The
functionality is implementated in arm_core_mpu.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the common ARMv7-M and ARMv8-M internal
shim for configuring dynamic memory regions at run-time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contains the added functionality to program the
ARM8-M MPU, so it can configure the static memory regions at
boot time, as well as mark the areas, inside which dynamic MPU
region configuration at run-time will be allowed.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contains the added functionality to program the
ARM7-M MPU, so it can configure the static memory regions at
boot time.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the initialization of static memory regions
from arm_mpu_init(), since they are now initialized, directly,
by the kernel. The programming of MPU regions configured in SOC
definition is kept here.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the common ARMv7-M and ARMv8-M internal
shim for configuring static memory regions at boot time. It also
adds LOG error messages, and ASSERTS, which fire if the static
MPU region configuration is not performed successfully.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the generic ARM (core) API, which allows
the user to program a set of static (fixed) MPU regions at boot
time. The API function is invoked upon initialization, in the
ARM-specific call of _arch_switch_to_main_thread(). The API
implementation is provided in arm_core_mpu.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces a new Kconfig option symbol,
MPU_REQUIRES_NON_OVERLAPPING_REGIONS, to signify the use of an
MPU architecture that requires the active MPU regions be
non-overlapping. This requirement concerns the standard
(unmodified) ARMv8-M MPU implementation. For that, we select
the option in the definition of ARM_MPU, if the CPU architecture
is ARMv8-M (Baseline or Mainline).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
cmsis provides intrinsic functions to configure processor special
function register like control, psp(process stack pointer). Let's use
these functions which are maintained in cmsis repository.
This patch uses cmsis function to:
- set process stack pointer(PSP)
- switch SP to PSP
- disable interrupts
It also moves stack initialization from assembly to C
Signed-off-by: Vikas Manocha <vikas.manocha@st.com>
This commit removes the local state variable nxp_mpu_enabled,
defined and used in NXP MPU driver, as it is not useful.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch adds all the required hooks needed in the kernel to
get the coverage reports from ARM SoCs.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This patch adds a required cast for the size calculation utilizing
pointer arithmetic. The stack_obj needs a cast to u32_t. This was
caught using a newer compiler.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
On ARM, _Swap() isn't atomic and a hardware interrupt can land after
the (irq_locked) caller has entered _Swap() but before the context
switch actually happens. This will require some platform-specific
workarounds in a few places in the scheduler.
This commit is just the Kconfig and selection on ARM.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Fix misspellings in documentation (.rst, Kconfig help text, and .h
doxygen API comments), missed during regular reviews.
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
According with MISRA-C the value returned by a non-void function has
to be used. As memcpy return is almost useless, we are explicitly
ignoring it.
MISRA-C rule 17.7
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit removes the priv_stack_size field from the _thread_arch
on arm architecture as there is no code using value stored in this
variable.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
arm_core_mpu.h and arm_core_mpu.c defined and implement kernel
APIs for memory protection, respectively. Therefore, they do not
need to directly include ARM CMSIS headers, or arm_mpu.h (or
nxp_mpu.h) which are supposed to define MPU-related kernel types
and convenience macros for the specific MPU architecture. These
headers are indirectly included by including kernel.h.
Similarly, arm_mpu.h shall not need to include internal/external
headers of memory protection APIs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit does the following:
- it introduces additional convenience macros for representing
MPU attributions for no-cacheability, in both ARMv7-M and
ARMv8-M MPU architectures,
- it adds documentation in K_MEM_PARTITION_IS_WRITABLE/CACHEABLE
macros in all macro definitions in the different MPU variants
- it moves the type definition of k_mem_partition_attr_t inside
the architecture-specific MPU headers, so it can be defined
per-architecture. It generalizes app_mem_domain.h, to be able
to work with _any_ (struct) type of k_mem_partition_attr_t.
- it refactors the type of k_mem_partition_attr_t for ARMv8-M
to comply with the MPU register API.
- for NXP MPU, the commit moves the macros for region access
permissions' attributes inside nxp_mpu.h, to align with what
we do for ARM MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit exposes k_mem_partition_attr_t outside User Mode, so
we can use struct k_mem_partition for defining memory partitions
outside the scope of user space (for example, to describe thread
stack guards or no-cacheable MPU regions). A requirement is that
the Zephyr build supports Memory protection. To signify this, a
new hidden, all-architecture Kconfig symbol is defined (MPU). In
the wake of exposing k_mem_partition_attr_t, the commit exposes
the MPU architecture-specific access permission attribute macros
outside the User space context (for all ARCHs), so they can be
used in a more generic way.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add a "nocache" read-write memory section that is configured to
not be cached. This memory section can be used to perform DMA
transfers when cache coherence issues are not optimal or can not
be solved using cache maintenance operations.
This is currently only supported on ARM Cortex M7 with MPU.
Fixes#2927
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The commit enforces the use of ARM_MPU_REGION_MIN_ALIGN_AND_SIZE
in include/arch/arm/arch.h, instead of using 32 as a hard-coded
value. The symbol is also used in arm/thread.c to truncate the
thread stack size to satisfy MPU granularity. The commit does
not introduce behavioral changes.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit introduces a Kconfig option to define the minimum MPU
region size and alignment for ARM Cortex-M MCU architecture. The
hidden option is used by the linker to properly align linker
sections respecting the MPU requirements. Additionally, it is
used to define MPU Guard size and minimum stack alignment for
ARM Cortex-M MCUs in include/arch/arm/arch.h .
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
There were many platforms where this function was doing nothing. Just
merging its functionality with _PrepC function.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Declare and define arm_mpu_config and arm_mpu_regions
structs as const, as they are not modified in run-time.
Fixes#10320
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
These changes were obtained by running a script created by
Ulf Magnusson <Ulf.Magnusson@nordicsemi.no> for the following
specification:
1. Read the contents of all dts_fixup.h files in Zephyr
2. Check the left-hand side of the #define macros (i.e. the X in
#define X Y)
3. Check if that name is also the name of a Kconfig option
3.a If it is, then do nothing
3.b If it is not, then replace CONFIG_ with DT_ or add DT_ if it
has neither of these two prefixes
4. Replace the use of the changed #define in the code itself
(.c, .h, .ld)
Additionally, some tweaks had to be added to this script to catch some
of the macros used in the code in a parameterized form, e.g.:
- CONFIG_GPIO_STM32_GPIO##__SUFFIX##_BASE_ADDRESS
- CONFIG_UART_##idx##_TX_PIN
- I2C_SBCON_##_num##_BASE_ADDR
and to prevent adding DT_ prefix to the following symbols:
- FLASH_START
- FLASH_SIZE
- SRAM_START
- SRAM_SIZE
- _ROM_ADDR
- _ROM_SIZE
- _RAM_ADDR
- _RAM_SIZE
which are surprisingly also defined in some dts_fixup.h files.
Finally, some manual corrections had to be done as well:
- name##_IRQ -> DT_##name##_IRQ in uart_stm32.c
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
The ARMv8-M Memory Protection Unit document indicates that a DMB
instruction must be used before disabling the MPU in order to force
outstanding memory transactions.
The ARMv7-M documentation is less clear about that, and only specifies
that a DSB instruction followed by a ISB instruction must be used
before enabling the MPU, which is already the case. The ARMv7-M and
ARMv8-M MPU are relatively similar to believe the same sequence should
be used for disabling it.
This patch therefore adds a DMB instruction before disabling the MPU.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
In Zephyr on Cortex-M SoCs with both the ARM MPU and the cache enabled,
there are 3 possible states and associated configuration for the RAM
cache attributes:
- MPU disabled WBWA non-shareable
- MPU enabled, background RAM region WBWA non-shareable
- MPU enabled, thread RAM region WBWA shareable
In practice this means than the thread RAM region toggles from
shareable to non-shareable on each context change.
However the Cortex-M7 SoC does not support the WBWA shareable
configuration and fallback to simpler caching configuration. The
Technical Reference Manual states:
"By default, only Normal, Non-shareable memory regions can be cached
in the RAMs. Caching only takes place if the appropriate cache is
enabled and the memory type is cacheable. Shared cacheable memory
regions can be cached if CACR.SIWT is set to 1."
Similar indications can be found in the documentation from various
vendors: ST (AN4838), NXP (AN12042) and Atmel (AN15679).
It means that the thread RAM regions are either not cached (CACR.SIWT=0,
default) or WBWT cached (CACR.SIWT=1). This causes a performance issue.
In addition before switching a region from cached to non-cached and
vice-versa, the existing MPU code does not perform cache clean and/or
invalidate operations. This might cause data loss or corruption.
We should therefore change the RAM cache attributes to make them always
consistent. This patches change the thread/application RAM region from
WBWA shareable to WBWA non-shareable. This is done for all ARMv7-M SoCs
with an ARM MPU, however other SoCs (M0+, M3, M4) do not have cache, so
their behaviour should be unchanged.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
'b' can't jump very far on Cortex-M0 and will cause linker issues when
isr_wrapper and _IntExit are placed far away from each other.
To resolve this we use the 'bx' instruction, as it can jump much
further. Using 'bx' is not dangerous because we are jumping to thumb
mode code.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Remove either duplicate settings between arch & board, or just set
HAS_DTS at the arch level since all the boards for a given arch support
DTS now.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This commit moves the block of the early return before
the derivation of the stack size, to avoid unnecessary
operations if this is not a user thread.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In user mode a thread stack will include the optional
stack guard area (present if MPU_STACK_GUARD is defined.
The guard area has been originally take out of the thread
stack size calculation. For MPUs with no power-of-two size
requirement, we need to increase the size of the MPU region
for user-mode, to account for the additional guard region.
MPUs with power-of-two size requirement will, anyway, round
up the region size to the next power of two.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces and implements an internal ARM
TrustZone-M API to allow the Non-Secure firmware to use
the Floating Point Unit (FPU).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes a Kconfig symbol hierarchy which allows
the user to build Zephyr Secure and Non-Secure images on ARMv8-M
MCUs with support for Trusted Execution. However, the high-level
configuration structure is generic, thus, can be potentially
used for any platform that supports Trusted Execution.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit extends the support of built-in thread stack
protection (i.e. based on the stack pointer limit registers)
in ARMv8-M, so that it works with user mode. The commit
does the following:
- enables and disables the stack limit checking on the
privileged stack, inside thread system calls, and upon
entering user mode,
- does not enable stack limit checking in context switch,
if the thread is in user mode.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Instead of checking every time we hit the low-level context switch
path to see if the new thread has a "partner" with which it needs to
share time, just run the slice timer always and reset it from the
scheduler at the points where it has already decided a switch needs to
happen. In TICKLESS_KERNEL situations, we pay the cost of extra timer
interrupts at ~10Hz or whatever, which is low (note also that this
kind of regular wakeup architecture is required on SMP anyway so the
scheduler can "notice" threads scheduled by other CPUs). Advantages:
1. Much simpler logic. Significantly smaller code. No variance or
dependence on tickless modes or timer driver (beyond setting a
simple timeout).
2. No arch-specific assembly integration with _Swap() needed
3. Better performance on many workloads, as the accounting now happens
at most once per timer interrupt (~5 Hz) and true rescheduling and
not on every unrelated context switch and interrupt return.
4. It's SMP-safe. The previous scheme kept the slice ticks as a
global variable, which was an unnoticed bug.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Before entering userspace, the MPU stack guard is
configured to guard the default (i.e. afterwards, the "user")
thread stack, as the privileged stack has not yet been set. Upon
entering userspace the MPU stack guard needs to be re-programmed
to the privileged stack, otherwise, there is a risk that the
first system call might be serviced without privileged stack
protection, if it occurs before any context-switch. This commit
fixes this issue, by calling configure_mpu_stack_guard(..) upon
userspace entering.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
MISRA-C requires that all declarations of a specific function, or
object, use the same names and type qualifiers.
MISRA-C rule 8.3
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Added LOG_PANIC to fault handlers to ensure that log is flush and
logger processes messages in a blocking way in fault handler.
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Remove the inclusion of <string.h>, if CONFIG_INIT_STACKS
is defined, because it is not required anywhere in thread.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Several style and typo fixes in inline comments of arm kernel
files and thread.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an inline explanatory comment in the API
for setting the non-secure stack-pointer limit registers, to
stress that the API is only applicable to Mainline ARMv8-M MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a minor bug by setting the error reason
(to, default, _NANO_ERR_HW_EXCEPTION) for errors detected
during Secure/Non-Secure stack inspection. Applicable only
to Secure firmware.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes all MPU-related (ARM_CORE_MPU and NXP_MPU)
options exept ARM_MPU, which becomes master switch controlling
MPU support on ARM.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
This commit introduces CPU_HAS_ARM_MPU and CPU_HAS_NXP_MPU options,
which indicate which flavour of MPU is supported by given SoC family.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
The __reset vector is using the 'b' instruction to jump to _PrepC. 'b'
can only jump 2KB on Cortex-M0 platforms so this causes build failures
when _PrepC happens to be too far away from __reset.
To resolve this we use 'bl' instead as it can jump two thousand times
further[0].
This can also be resolved by porting the reset vector to C or by
placing the _PrepC function in a dedicated section that the linker
places next to __reset.
[0] http://infocenter.arm.com/help/topic/com.arm.doc.dui0489e/Cihfddaf.html
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Any word started with underscore followed by and uppercase letter or a
second underscore is a reserved word according with C99.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
The ARMv8-m Memory Protection Unit does not require MPU regions
to be power-of-two aligned and sized. This commit removes this
requirement when building for ARMv8-m MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
__swap function was returning -EAGAIN in some case, though its return
value was declared as unsigned int.
This commit changes this function to return int since it can return a
negative value and its return was already been propagate as int.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
As far as possible SoC-specific code should be contained to it's
directory and core systems should not be referencing specific
SoCs. This keeps the common code clean and makes it easier to maintain
out-of-tree SoCs.
To this end we move CONFIG_SOC_TI_LM3S6965_QEMU's soft-reset related
code out of arch/arm/core/cortex_m and into arch/arm/soc/ti_lm3s6965.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
_k_syscall_table is an array of function pointers and is declared as
such in C sources, this makes it an STT_OBJECT[0] in the symbol
table. But when the same symbol is declared in assembly, it is
declared to be a function, which would make the symbol an STT_FUNC.
When linking with LTO this type inconsistency results in the warning:
real-ld: Warning: type of symbol `_k_syscall_table' changed from 2 to
1 in /tmp/cc84ofK0.ltrans8.ltrans.o
To fix this warning we declare the table with GDATA instead of GTEXT,
which will change the type from 'function' to 'object'.
[0]
https://docs.oracle.com/cd/E19455-01/816-0559/chapter6-79797/index.html
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Move to more generic tracing hooks that can be implemented in different
ways and do not interfere with the kernel.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Define generic interface and hooks for tracing to replace
kernel_event_logger and existing tracing facilities with something more
common.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This commit adds an __ASSERT line in _get_region_attr_by_type,
to signal an error if the supplied MPU region type is not valid.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds a UL suffix after numerical digits to ensure
the correctness of certain shift operations.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements and integrates the ARMv8-M MPU driver
into the memory protection system for ARM.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors arm_mpu.c by moving all internal function
implementation that is specific to ARMv7-M architecture to a
separate internal header file. This allows to easily extend
arm_mpu.c to support ARMv8-M by including all ARMv8-M-specific
implementation in a similar internal header.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the _get_region_attr_by_conf(.) function,
so it does the following:
- it is renamed to _get_ram_region_attr_by_conf(), to reflect
that it is only used to configure RAM MPU regions.
- it gets an arm_mpu_region_attr_t object structure pointer
to fill-in with the derived region attributes.
- it takes an additional argument (the region base address),
which allows the function to have a common signature with the
ARMv8-M version of it (where the attribute derivation needs
the base address).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the _get_region_attr_by_type(.) function,
so it does the following:
- it takes an arm_mpu_region_attr_t object pointer and use it
to fill-in the derived region attributes.
- it performs only the distinguishing between the different MPU
region types, hiding the actual MPU-specific implementation
in internal functions.
- it takes an additional argument (the region base address),
which allows the function to have a common signature with the
ARMv8-M version of it (where the attribute derivation needs
the base address).
- it returs 0 or succes and a negative non-zero integer
to indicate an error.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adapts the _region_init(.) function so it can use
the rasr field of the arm_mpu_region_attr structure, when it
configures the RASR register.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The choice that contains FP_HARDAPI and FP_SOFTAPI already depends on
FLOAT, so the choice symbols don't have to.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
irq_lock returns an unsigned int, though, several places was using
signed int. This commit fix this behaviour.
In order to avoid this error happens again, a coccinelle script was
added and can be used to check violations.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
There exist two symbols that became equivalent when PR #9383 was
merged; _SYSCALL_LIMIT and K_SYSCALL_LIMIT. This patch deprecates the
redundant _SYSCALL_LIMIT symbol.
_SYSCALL_LIMIT was initally introduced because before PR #9383 was
merged K_SYSCALL_LIMIT was an enum, which couldn't be included into
assembly files. PR #9383 converted it into a define, which can be
included into assembly files, making _SYSCALL_LIMIT redundant.
Likewise for _SYSCALL_BAD.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
Consistently use
config FOO
bool/int/hex/string "Prompt text"
instead of
config FOO
bool/int/hex/string
prompt "Prompt text"
(...and a bunch of other variations that e.g. swapped the order of the
type and the 'prompt', or put other properties between them).
The shorthand is fully equivalent to using 'prompt'. It saves lines and
avoids tricking people into thinking there is some semantic difference.
Most of the grunt work was done by a modified version of
https://unix.stackexchange.com/questions/26284/how-can-i-use-sed-to-replace-a-multi-line-string/26290#26290, but some
of the rarer variations had to be converted manually.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
This commit removes the depreciated "default n" entries from
boolean K-config options in arch/arm.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
When building a Secure firmware image, instruct the linker to
generate a symbol table with the entry veneers, to allow a Non
Secure firmware image to access Secure Entry functions via the
entry veneers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds K-config options that allow the user to
signify an ARM Secure Firmware that contains Secure Entry
functions and to define the starting address of the linker
section that will contain the Secure Entry functions. It
also instructs the linker to append the NSC section if
instructed so by the user.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contribute an internal ARM API that enables the
user to confgure an ARM Security Attribution Unit region. It
also defines ARM_SAU as a K-config option to indicate that
an MCU implements the ARM SAU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes a simple API to allow the TrustZone
user to block or permit Non-Secure System Reset requests.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Make GCC compile with the -mcmse compile option, if we are
building a Secure firmware. The option will make Security
Extensions for secure executables available, and will set
the corresponding compile-time indicator flag, accordingly:
(i.e. __ARM_FEATURE_CMSE=3).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Define and implement a function to read the number of
SAU regions configued for the MCU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M TrustZone
API to allow the user to select whether Secure exceptions will
have priority boosting over Non-Secure exceptions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M TrustZone
API to allow the user to configure the target state of fault
exceptions that are not banked between security states.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds and implements an ARM internal API function
to configure the Non-Secure instance of MSPLIM or PSPLIM.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements the internal ARM TrustZone
API to enable or disable the Security Attribution Unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Define and implement an API to configure the Non-Secure instances
of core registers in ARM Cortex-M23 and Cortex-M33.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit optimizes _size_to_mpu_rasr_size(.) in the ARMv7-M
MPU driver, so it makes use of a single _builtin_clz() function
call, instead of two.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Uses fixup infrastructure to safely abort if we get an MPU
fault when examining a string passed in from user mode.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In some kernel configurations, the offset can be greater
than the maximum of 124 for ldr/str immediate offsets.
Fixes: #9113
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit adds the implementation that allows the ARM CPU
to recover from (otherwise fatal) MPU faults. A new error
reason, _NANO_ERR_RECOVERABLE, is introduced. The error
reason is used to suppress fault dump information, if the
error is actually recoverable.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit does several things:
- It unifies the way the fault inspection is implemented,
irrespective of the selected fault dumping level.
- It removes the dumping of the Thread ID and faulting
instruction address, as these are now displayed by
_NanoFatalErrorHandler.
- It introduces a new debug print directive, to be used
for the highest dumping level (2).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements two changes.
- It splits out the dumping of the Secure stack information to a
separate function. Dumping will only occur if the highest dump
level has been selected.
- Forces _Fault() to invoke _NanoFatalErrorHandler, instead of
_SysFatalErrorHandler. In addition, early return statemets are
implemented in _Fault(), so the fatal error handler is only
invoked once.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the documentation of function _Fault(.),
in order to better describe the actual implementation and the
use of the function arguments.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit forces arm_mpu_init() to use the provided API
functions to enable and disable the MPU. Besides the clean-up
the commit enforces the MPU driver to use data and instruction
synchronization barriers every time the MPU is enabled. This
is aligned with the programming recommendations by ARM.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug in _get_region_ap(.) by adding
parentheses to enforce the correct operator precedence.
Fixes#8864.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Update _get_region_attr_by_type used to set up the user regions
on a per thread basis to match the REGION_USER_RAM_ATTR macro. Caching
attributes were set "Outer and inner write-through. No write allocate.",
this patch changes it to "Outer and inner write-back. Write and read
allocate.".
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The NXP MPU triggers a bus fault when a memory access error occurs. Add
support in the bus fault handler to dump error details from the NXP MPU,
including the port number, mode (supervisor or user), address, bus
master number, and regions.
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
This commit refactors internal functions in arm_mpu.c to use
bitsets and functions taken directly from ARM CMSIS instead of
hardcoded arithmetic literals. In several internal functions
some part of the implementation is abstracted further in inline
functions or convenience macros, to facilitate extending the
arm_mpu.c for ARMv8-M. In addition, the commit adds minor
improvements in internal function documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit abstracts the attribution generation for an MPU
region, determined based on a supplied configuration and the
given size, from the actual implementation, which is placed
in a separate inline function. This allows to have multiple
implementations of attribution generation for different ARM
MPU drivers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the _region_init(..) internal MPU driver
function so it gets the region index and a struct arm_mpu_region
as aruments. The latter holds the MPU region configuration that
is to be applied to the region determined by the index argument.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the redundant HAL definition for the ARM
Cortex-M MPU registers, and modifies the ARM MPU driver
implementation to directly use the provided HAL from CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors arm_core_mpu_configure_user_context() so
it can use directly arm_core_mpu_configure().
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit places all the implementation in arm_mpu.c within
build-time guards, ensuring that it is compiled-in only if the
kernel features requiring MPU are present (i.e. USERSPACE,
APPLICATION_MEMORY, or MPU_STACK_GUARDS). An exception to that
is the code required for MPU initialization, which is left out,
as MPU initialization occurs always if MPU is present.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit updates the compile options in cmake to distinguish
between ARMv8-M Mainline MCUs with or withouth the optional DSP
extension. A new Kconfig option: ARMV8_M_DSP, is introduced, to
signify the use of an ARMv8-M MCU with DSP support.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
* We are now *much* better at not reserving unnecessary
system MPU regions based on configuration. The #defines
for intent are now an enumerated type. As a bonus, the
implementation of _get_region_index_by_type() is much
simpler. Previously we were wasting regions for stack guard
and application memory if they were not configured.
* NXP MPU doesn't reserve the last region if HW stack
protection isn't enabled.
* Certain parts of the MPU code are now properly ifdef'd
based on configuration.
* THREAD_STACK_REGION and THREAD_STACK_USER_REGION was a
confusing construction and has now been replaced with
just THREAD_STACK_REGION, which represents the MPU region
for a user mode thread stack. Supervisor mode stacks
do not require an MPU region.
* The bounds of CONFIG_APPLICATION_MEMORY never changes
and we just do it once during initialization instead of
every context switch.
* Assertions have been added to catch out-of-bounds cases.
Fixes: #7384
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Bool symbols implicitly default to 'n'.
A 'default n' can make sense e.g. in a Kconfig.defconfig file, if you
want to override a 'default y' on the base definition of the symbol. It
isn't used like that on any of these symbols though.
Also simplify the definition of CC3220SF_DEBUG. 'default's can be other
symbols too, not just literal values. The condition for the symbol to be
visible (user-configurable) can be put directly on the prompt as well.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Set Zero Latency IRQ to priority level zero and SVCs to priority level
one when Zero Latency IRQ is enabled.
This makes Zero Zatency truly zero latency when the kernel has been
configured with userspace enabled, or when IRQ offloading is used.
Exceptions can still delay Zero Latency IRQ, but this is considered
ok since exceptions indicate a serious error, and the system needs to
recover.
Fixes: #7869
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
This commit removes the macro definitions for MPU_RASR register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macro definitions for MPU_RBAR register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macro definitions for MPU_CTRL register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the definition and the implementation
of an API for ARM MCUs to configure and get the configuration
of the security state targeted by a given external IRQ line.
The API is only available in Secure ARM Firmware.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the CMSE
address range permission checks based on the ARMv8-M
address range check intrinsics exlusicely for Secure state.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor arm_cmse_mpu_region_get(.) function, so its signature,
documentation, and implementation align with the rest of functions
for obtaining MPU, SAU and IDAU region numbers via the TT instruction.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M API
that allows the user to evaluate access permissions of memory
locations, based on the ARMv8-M Tests Target (TT, TTA)
instruction support (for Secure requests).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces additional dependencies and selection
scheme for CPU_CORTEX_M_HAS_SPLIM, for Zephyr Non-Secure builds
on ARMv8-M MCUs with Security Extensions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the ARMV8_M_SE K-config option
to signify the use of an ARMv8-M MCU with support for
Security Extensions. It also introduces dependences of
ARM_(NON)SECURE_FIRMWARE on ARMV8_M_SE.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the K-config option
ARM_NONSECURE_FIRMWARE, to indicate a Zephyr firmware image
that is intended to execute in Non-Secure state.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the help text description for K-config
option: ARM_SECURE_FIRMWARE.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
On Cortex-M7 CPU (at least on STM32F723), the dummy move FPU instruction
is executed before the FPU lazy state preservation is disabled. Add an
instruction synchronization barrier before it to avoid that.
At the same time, remove the data synchronization barrier after the
dummy move as it does not have any effect on RAM or registers.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
This commit sets VECTOR_ADDRESS in prep_c.c directly to the
value of _vector_start for XIP images for MCUs which have the
VTOR register.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The PendSV handler sits below the priority of other OS interrupts, but
it was inspecting kernel state before masking those interrupts out!
Move the locking to the top.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
This commit removes the arm_mpu_enabled status flag in the ARM
MPU driver. This flag is not needed, because the value of the
MPU_CTRL register stays the same while the MPU is enabled, and
is cleared to 0 when the MPU is disabled. Therefore, we do not
need to prevent from having the enable or the disable operation
to be called multiple times.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In _arm_mpu_config provide a more detailed description of the
effect of MPU PRIVDEFENA flag when enabling the ARM MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
ARM Cortex-M0+, M3, and M4 MCUs have a fixed number of 8 MPU
regions, if MPU support is implemented. Therefore, we can
implement _get_num_regions() to return a constant, if CPU
is one of the above Cortex variants. _get_num_regions() is
invoked often in the code, so this solution increases processing
efficiency. A sanity check is implemented in arm_mpu_init(), to
ASSERT if the number of regions provided by hardware does not
match the expected (default) value.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commits adds a dependency for ARM_MPU on !CPU_CORTEX_M0,
so an accidental selection or ARM_MPU in ARM Cortex-M0 MCUs
will signal a K-config warning.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The original implementation of CONFIG_THREAD_MONITOR would
try to leverage a thread's initial stack layout to provide
the entry function with arguments for any given thread.
This is problematic:
- Some arches do not have a initial stack layout suitable for
this
- Some arches never enabled this at all (riscv32, nios2)
- Some arches did not enable this properly
- Dropping to user mode would erase or provide incorrect
information.
Just spend a few extra bytes to store this stuff directly
in the k_thread struct and get rid of all the arch-specific
code for this.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
On ARM, the __thread_entry struct pointer used when
CONFIG_THREAD_MONITOR is enabled was pointing to the initial exception
stack frame. That's not right: even though this contains all the same
info, it's not layout-compatible with the API struct. And once the
thread starts running, the ESF gets unwound and the memory recliamed
for the stack frame of the entry function!
Stuff the __thread_entry struct into its own memory at the bottom of
the stack like the other architectures do. Fixes#7541
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The r7 register is used as a frame pointer on ARM Thumb. As result, it
cannot be modified by the assembly code in functions using stack frame.
This commit replaces r7 by r8, which is a general purpose register.
Also it fixes#7704.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
This commit fixes some minor function documentation issues
and comments' style in the NXP_MPU driver.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit inserts sanity checks every time we are performing
a (re)-configuration of one or multiple MPU regions, ensuring
that we do not attempt to configure an invalid region number.
Particulary for arm_mpu_config(), called during pre-kernel
initialization phase, we add a system ASSERT if we attempt
to initialize more regions that what is supported by hardware.
We do this to ensure the misconfiguration is detected early and
the system boot is aborted.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an internal function to disable an MPU region.
The function includes an assert that the requested MPU region
number is a valid one. arm_mpu.c is refactor to use this
function in all cases where an MPU region needs to be disabled.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit enhaces the documentation of internal functions
in arm_mpu.c by explicitly stating that the caller needs to
ensure the validity of the supplied MPU region index. The
warning is required as these functions modify the ARM MPU_RNR
register, without checking themselves the validity of the
provided region number.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes some minor issues with coding style
and comment syntax in arm_mpu.c
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Change the zero latency interrupt priority level from 2 to 1.
This is the priority level that the kernel has reserved for the
zero latency IRQ feature by the _IRQ_PRIO_OFFSET constant.
The zero latency IRQ will now not be masked by the irq_lock function.
Update comments to reflect the priority levels reserved by the kernel.
Fixes: #8073
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Upon MemManage Exception, multiple status bits of MMFSR may be
set. This commit modifies the MPU Fault Handler, so that it can
inspect and display information from all error conditions,
instead of just the first error condition that is true.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Make MPU stack guard checks use the previously stored value
of the MemManage Fault Address Register, to ensure that the
address-under-check is valid.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Previously the directory core/cortex/mpu/ was getting included
on a hidden kconfig. Now this has been replaced with the Kconfig
CONFIG_ARM_CORE_MPU.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This commit fixes a compilation bug for an undefined variable
(mmfar), which is only conditionally defined. Instead of mmfar
we use the ARM register value directly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The metairq feature exposed the fact that all of our arch code (and a
few mistaken spots in the scheduler too) was trying to interpret
"preemptible" threads independently.
As of the scheduler rewrite, that logic is entirely within sched.c and
doing it externally is redundant. And now that "cooperative" threads
can be preempted, it's wrong and produces test failures when used with
metairq threads.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Refactor the _FaultDump of the default debug-level (2) to
provide the error code that indicates the fatal error reason.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor FAULT_DUMP macro to obtain and store the fatal error
reason. Make non-default version of FAULT_DUMP (i.e. with
CONFIG_FAULT_DUMP level 1) to retrieve the default reason
for fatal errors (_NANO_ERR_HW_EXCEPTION).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Document that execution does not return from
_NanoFatalErrorHandler and _SysFatalErrorHandler.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Remove unused context switch code from the helper assembly file that
manages the SuperVisor Call invocations (SVCs). This is no longer in use
in the code, since all calls to __swap() now go through PendSV directly.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
The initial user stack pointer gets rounded to STACK_ALIGN_SIZE,
which can be much finer granularity than MPU regions. With
certain stack size values passed to k_thread_create(), the stack
pointer can be set past the defined region for the user thread's
stack, causing an immediate MPU fault.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upon return from a syscall handlers, the r1, r2, and r3 registers
could contain random kernel data that should not be leaked to user
mode. Zero these out before returning from _arm_do_syscall().
Fixes#7753.
The invocation macros need a clobber if r1, r2, or r3 are not used
to carry syscall arguments. This is a partial fix for #7754 but
there appear to be other issues.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit contributes the implementation of the
CMSE address range permission checks based on the
ARMv8-M address range check intrinsics.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Select CPU_CORTEX_M_HAS_CMSE in ARMV8_M arhitectures.
Option ARMV8_M_BASELINE is introduced for this purpose,
so that CMSE API is enabled for both Cortex-M23 and
Cortex-M33 MCUs.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M API
that allows the user to evaluate access permissions of memory
locations, based on the ARMv8-M Test Target (TT) instruction
support.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Add the ability to call platform specific code as the first thing we do.
This is needed because on some platforms we might have to figure out how
to deal with starting up secondary cores and need to do that as the
first thing we do.
Signed-off-by: Stanislav Poboril <stanislav.poboril@nxp.com>
Normally a syscall would check the current privilege level and then
decide to go to _impl_<syscall> directly or go through a
_handler_<syscall>.
__ZEPHYR_SUPERVISOR__ is a compiler optimization flag which will
make all the system calls from the arch files directly link
to the _impl_<syscall>. Thereby reducing the overhead of checking the
privileges.
In the previous implementation all the source files would be compiled
by zephyr_source() rule. This means that zephyr_* is a catchall CMake
library for source files that can be built purely with the include
paths, defines, and other compiler flags that all zephyr source
files uses. This states that adding one extra compiler flag for only
one complete directory would fail.
This limitation can be overcome by using zephyr_libray* APIs. This
creates a library for the required directories and it also supports
directory level properties.
Hence we use zephyr_library* to create a new library with
macro _ZEPHYR_SUPERVISOR_ for the optimization.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Distinguish between the integrity signatures depending on whether the
ARM MCU implements the Floating-Point Extension or not.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit partially reworks the fault dump implementation
of faults in non-secure state that target Secure state. In
particular, the return address to secure state is logged along
with the non-secure address which caused the non-secure fault
(that targets the Secure state).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements consistency checks for the core registers
in ARMv6-M, ARMv7-M, and ARMv8-M architectures, ensuring that
the user cannot accidentally select registers that are not
implemented by the selected Cortex-M processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit improves the help text of the ARMV7_M_ARMV8_M_MAINLINE
K-config option.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds a Context Synchronization Point immediately
after the reset handler switches to use the Process Stack
Pointer, during initialization.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The loop that checks the MPU region permissions incorrectly
iterates from (num_region + 1) to 1. This should be
(num_region - 1) to 0. This results in the wrong regions
being checked and possible overflow for any implementation
that uses the max region value of 0xFF.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit activates the built-in stack guard on the main_thread
before jumping to it upon system initialization. Stack guard is
activated if BUILTIN_STACK_GUARD is enabled by the user. The
commit also activates built-in thread stack guards at every
context switch, if BUILTIN_STACK_GUARD enabled by the user.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Ignore stack pointer limit checking during a HardFault or NMI
exception, to allow for the Fault handling function to execute
properly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the build-in interrupt stack protection
via the native MSPLIM register in ARMv8-M MCUs that support the
Main Extension. Main stack pointer overflows will cause Stack
Overflow UsageFaults. In addition, the commit introduces a new
config option, BUILTIN_STACK_GUARD, allowing the user to enable
and use the built-in stack protection in ARMv8-M firmware.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Improve the help text of ARM k-config option
CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Now that other work has eliminated the two cases where we had to do a
reschedule "but yield even if we are cooperative", we can squash both
down to a single _reschedule() function which does almost exactly what
legacy _Swap() did, but wrapped as a proper scheduler API.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
There was a somewhat promiscuous pattern in the kernel where IPC
mechanisms would do something that might effect the current thread
choice, then check _must_switch_threads() (or occasionally
__must_switch_threads -- don't ask, the distinction is being replaced
by real English words), sometimes _is_in_isr() (but not always, even
in contexts where that looks like it would be a mistake), and then
call _Swap() if everything is OK, otherwise releasing the irq_lock().
Sometimes this was done directly, sometimes via the inverted test,
sometimes (poll, heh) by doing the test when the thread state was
modified and then needlessly passing the result up the call stack to
the point of the _Swap().
And some places were just calling _reschedule_threads(), which did all
this already.
Unify all this madness. The old _reschedule_threads() function has
split into two variants: _reschedule_yield() and
_reschedule_noyield(). The latter is the "normal" one that respects
the cooperative priority of the current thread (i.e. it won't switch
out even if there is a higher priority thread ready -- the current
thread has to pend itself first), the former is used in the handful of
places where code was doing a swap unconditionally, just to preserve
precise behavior across the refactor. I'm not at all convinced it
should exist...
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Contrary to ARMv7-M, in ARMv8-M MCUs with the Main Extension,
BusFault Status Register bits are sticky and must be cleared.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch changes the ARM system calls to use registers for passing
or arguments. This removes the possibility of stack issues when
callers do not adhere to the AAPCS.
Fixes#6802
Signed-off-by: Andy Gross <andy.gross@linaro.org>
During the transition of privilege levels while performing syscalls,
the ARM documentation recommends flushing the pipeline to avoid
pre-fetched instructions from being executed with the previous
privilege level.
The manual says:
4.16 CONTROL register
(...) after programming the CONTROL register, an ISB instruction
should be used.
(...) This is not implemented in the Cortex M0 processor.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
srd bits start at bit 8, not bit 5.
To date we are not using sub-regions so this problem was
undetected.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upcoming Nordic ICs that share many of the peripherals and architecture
with the currently supported nRF5x ones are no longer part of the nRF5
family. In order to accomodate that, rename the SoC family from nrf5 to
nrf, so that it can contain all of the members of the wider Nordic
family.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This commit introduces the ARM_SECURE_FIRMWARE k-option,
which indicates that we are building an ARM Secure application.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the SecureFault
handling for ARMv8-M-based Cortex-M33. The implementation is
compiled conditionally with compile-time directive
CONFIG_ARM_SECURE_FIRMWARE, which is to signify the intention to
build a Secure image on ARMv8-M with Security Extensions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit conditionally selects the ARMV7_M_ARMV8_M_FP option
in ARMv7-M/ARMv8-M Mainline processors, when the Floating Point
Extension is implemented (CPU_HAS_FPU is selected).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the Stack Overflow UsageFault dumping
for ARMv8-M implementations that support the Main Extension.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces the ARMV8_M_MAINLINE K-config option. The
option signifies the use of an ARMv8-M CPU supporting the Main
Extension. ARMv8-M Main Extension includes additional features
that are not present in the ARMv7-M architecture.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit forces CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS to
depend on ARMV7_M_ARMV8_M_MAINLINE. This allows the user to get
a build warning if he manually selects
CPU_CORTEX_M_HAS_PROGRAMMABLE_FAULT_PRIOS for a CPU that does
not implement either ARMv7-M or ARMv8-M Mainline.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Clean up Kconfig so each SoC just selects the specific Cortex-M
implementaiton rather than having to select both CORTEX_M and
CORTEX_{M0, M3, M4, etc.}.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This commit adds the missing fault dumping for MemManage or Bus
fault occuring during floating-point lazy state preservation. In
addition, it introduces a Kconfig option for the ARMv7-M/ARMv8-M
Floating Point Extension.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the macros for ARM fault flags from
include/arch/arm/cortex_m/cmsis.h header, since they are
defined in the respective core_cmXX.h header files. It also
modifies fault.c to use the updated fault macros taken directly
from ARM CMSIS headers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch reworks the current ARM __swap() function into a C function.
Due to some issues with using svc calls withing fault handlers, we
needed to change the way we initiate a swap by removing the dependence
on svc #0.
Before __swap() is called, the system has already done an irq_lock().
Upon return from __swap(), the equivalent of an irq_lock() is done due
to restoration of the key value from the irq_lock preceeding the call.
For ARM V6M (M0/M0+), the pendsv bit is toggled and the irqs are
enabled. There is no priority masking in v6m, so it's just a global
enable. For ARM V7M, the priority mask has to be set to 0x0 to allow
for the pendsv IRQ to be taken. This is done for both via a call to
irq_unlock(0).
After this unlock, a pendsv irq will be taken, either at the tail end
of the current irq handling if we are in handler mode, or immediately
due to the pendsv being asserted (no other outstanding irqs). The next
thread will be scheduled.
Upon return from the context switch to the original
thread, the priority mask will already be correct due to the pendsv
processing.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
MPU_STACK_GUARD option has a direct dependence on ARM_CORE_MPU.
Therefore, it is not required to have a conditional selection
of the option (if ARM_CORE_MPU) in ARM_STACK_PROTECTION.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
In ARMv7-M (and ARMv8-M) architecture it is
implementation defined whether separate MMFAR and BFAR are
implemented. This commit ensures that we always get the true
faulting address displayed in case of MemManage- or BusFault.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The xtensa-asm2 work included a patch that added nano_internal.h
includes in lots of places that needed to have _Swap defined, because
it had to break a cycle and this no longer got pulled in from the arch
headers.
Unfortunately those new includes created new and more amusing cycles
elsewhere which led to breakage on other platforms.
Break out the _Swap definition (only) into a separate header and use
that instead. Cleaner. Seems not to have any more hidden gotchas.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
The old ARMV6_M Kconfig option has been removed, and so to correctly set
the dependencies for SW_VECTOR_RELAY we need to use the new
ARMV6_M_ARMV8_M_BASELINE.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This patch adds support for userspace on ARM architectures. Arch
specific calls for transitioning threads to user mode, system calls,
and associated handlers.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds a configure_mpu_user_context API and implements
the required function placeholders in the NXP and ARM MPU files.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This commit defines the Kconfig options for
ARM Cortex-M23 and Cortex-M33 CPUs. It also
udpates the generic memory map for M23 and M33
implementations.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This PR includes the required changes in order to support
conditional compilation for Armv8-M architecture. Two
variants of the Armv8-M architecture are defined:
- the Armv8-M Baseline (backwards compatible with ARMv6-M),
- the Armv8-M Mainline (backwards compatible with ARMv7-M).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Whenever a Cortex-M0+ supports the VTOR register it makes no sense to
use the software vector relay mechanism. Therefore change the logic so
that SW_VECTOR_RELAY does not get enabled whenever a VTOR register is
present, but enable it if an M0+ has no VTOR.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
This patch adds the generation and incorporation of privileged stack
regions that are used by ARM user mode threads. This patch adds the
infrastructure for privileged stacks. Later patches will utilize the
generated stacks and helper functions.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Some ARMv6-M Cortex-M0+-based SOCs have VTOR register
and can relocate vector table just as ARMv7-M ones.
Vector table relocation path should be choosed
by VTOR presence, not by arch.
Signed-off-by: Ilya Tagunov <tagunil@gmail.com>
Rename the nano_internal.h to kernel_internal.h and modify the
header file name accordingly wherever it is used.
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
Currently in zephyr the support for the arm userspace has not be
merged. But the Kconfig always sets the userspace flag and causes a
build failure. This is blocking the test cases for userspace.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Add a new Kconfig option, BOOTLOADER_MCUBOOT, that automatically sets
the required options necessary to make the resulting image bootable by
the MCUboot open source bootloader. This includes the text section
offset and the vector relay table for Cortex-M0, and in the future it
might also add the DTS overlay required to link at slot0 offset in
flash.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
For SoCs that don't support vector table relocation in hardware, may not
support bootloader like mcuboot.
We introduce a way to relocate vector table in software by forwarding
the control of incoming IRQs to a new vector table which address is save
at fixed SRAM address.
User can change the data in that fixed SRAM address in order to relocate
vector table in software way.
Signed-off-by: Ding Tao <miyatsu@qq.com>
Cortex-M0 do not have the Vector Table Base Address Offset Register, so
Cortex-M0 vector table address can not be changed.
But in some Cortex-M0 SoCs like STM32F0 series, they have some mechanism
that can remap the vector table address to the start address of SRAM.
Use this flag to indicates whether current Cortex-M0 SoC support such a
remap or not.
Signed-off-by: Ding Tao <miyatsu@qq.com>
When asserts are enabled we run into an issue with newlib and types of
printf style formatters not matching. The easy fix to this is to cast
the uint32_t to u32_t to make things consistent with or without newlib
enabled.
This fixes#5645
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Was ARM specific and could not be used by other architectures.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
Add an architecure specfic code for the memory domain
configuration. This is needed to support a memory domain API
k_mem_domain_add_thread.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Implement API to validate user buffer. This API will iterate
all MPU regions to check if the given buffer is user accessible
or not. For #3832.
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Unlike other NXP SoCs currently in Zephyr, the mimxrt1052 has the ARM
MPU rather than the NXP MPU. Start out by enabling it with a simple set
of memory regions for "flash" (ITCM), "ram" (DTCM), and the peripheral
buses. More regions will need to be added when we implement support for
external memories.
Tested with:
- samples/mpu/mpu_stack_guard_test
- tests/kernel/mem_protect/protection
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
Introducing CMake is an important step in a larger effort to make
Zephyr easy to use for application developers working on different
platforms with different development environment needs.
Simplified, this change retains Kconfig as-is, and replaces all
Makefiles with CMakeLists.txt. The DSL-like Make language that KBuild
offers is replaced by a set of CMake extentions. These extentions have
either provided simple one-to-one translations of KBuild features or
introduced new concepts that replace KBuild concepts.
This is a breaking change for existing test infrastructure and build
scripts that are maintained out-of-tree. But for FW itself, no porting
should be necessary.
For users that just want to continue their work with minimal
disruption the following should suffice:
Install CMake 3.8.2+
Port any out-of-tree Makefiles to CMake.
Learn the absolute minimum about the new command line interface:
$ cd samples/hello_world
$ mkdir build && cd build
$ cmake -DBOARD=nrf52_pca10040 ..
$ cd build
$ make
PR: zephyrproject-rtos#4692
docs: http://docs.zephyrproject.org/getting_started/getting_started.html
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Some SOCs (e.g. STM32F0) can map the flash to address 0 and
the flash base address at the same time. Prevent writing to
duplicate flash address which stops the SOC.
Allow Cortex M SOCs to create their own vector table relocation
function.
Provide a relocation function for STM32F0x SOCs.
Fixes#3923
Signed-off-by: Bobby Noelte <b0661n0e17e@gmail.com>
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Currently this is defined as a k_thread_stack_t pointer.
However this isn't correct, stacks are defined as arrays. Extern
references to k_thread_stack_t doesn't work properly as the compiler
treats it as a pointer to the stack array and not the array itself.
Declaring as an unsized array of k_thread_stack_t doesn't work
well either. The least amount of confusion is to leave out the
pointer/array status completely, use pointers for function prototypes,
and define K_THREAD_STACK_EXTERN() to properly create an extern
reference.
The definitions for all functions and struct that use
k_thread_stack_t need to be updated, but code that uses them should
be unchanged.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
In various places, a private _thread_entry_t, or the full prototype
were being used. Be consistent and use the same typedef everywhere.
Signen-off-by: Andrew Boie <andrew.p.boie@intel.com>