Introduce CONFIG_RISCV_S_MODE to select Supervisor-mode execution.
Add depends on !RISCV_S_MODE to RISCV_PMP since PMP CSRs are
inaccessible from S-mode.
Add an M-mode SBI shim (reset.S + sbi.S) that configures exception
delegation, PMP, and counter access before dropping to S-mode via mret.
The shim handles SBI_SET_TIMER ecalls from S-mode and forwards MTIP to
STIP so the supervisor timer driver works without a full SBI firmware.
Introduce privilege-level abstractions in isr.S (RV_CAUSE, RV_EPC,
RV_STATUS, RV_TVAL, etc.) and update all runtime code that previously
accessed M-mode-only CSRs (mcause, mtval, mstatus, mie, mip) to use the
S-mode equivalents when CONFIG_RISCV_S_MODE is set.
ARCH_EXCEPT in kernel context uses ebreak (cause=3, Breakpoint) instead
of a direct z_riscv_fatal_error() call. In S-mode, ecall (cause=9) is
kept in M-mode for SBI and never reaches the S-mode exception handler;
a direct call with NULL esf caused the stack unwinder to crash into an
infinite fault loop. ebreak is delegated to S-mode by our medeleg
configuration; isr.S treats ebreak with t0=RV_ECALL_RUNTIME_EXCEPT the
same way M-mode treats ecall-based ARCH_EXCEPT.
Signed-off-by: Alexios Lyrakis <alexios.lyrakis@gmail.com>
Add architecture-level support for a custom stack guard on RISC-V,
preventing stack overflow at the hardware level.
This framework allows vendors to implement the custom stack guard
using their own vendor-specific stack protection hardware, providing
flexibility for different RISC-V cores.
A new config option, CUTOM_STACK_GUARD, allows users to enable this
stack guard on supported RISC-V cores.
Signed-off-by: Rick Tsao <rick592@andestech.com>
This option was formerly enabled by sy1xx, but all supported socs now
appear to use the standard behavior so this support can be removed.
Signed-off-by: Peter Marheine <pmarheine@chromium.org>
Add CONFIG_PMP_UNLOCK_ROM_FOR_DEBUG option to conditionally disable
the lock bit (L=0) for the ROM region PMP entry. This allows debuggers
running in machine mode to access ROM for setting breakpoints and
reading instructions while preserving userspace protection.
When PMP lock bits are set, they restrict access even in machine mode,
causing "unable to halt hart" errors with hardware debuggers like
OpenOCD. This option provides a surgical fix that only affects the ROM
region - NULL pointer guards and stack guards remain locked to catch
critical bugs during development.
The option integrates with existing PMP_NO_LOCK_GLOBAL configuration
using nested COND_CODE_1 macros and defaults to disabled for production
builds.
Fixes: zephyrproject-rtos/zephyr#82729
Signed-off-by: Alex Lyrakis <alex_gfd@hotmail.com>
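
The lock-bit behaviour described in the commit message above, as an added example that is not Zephyr code: a simplified model of the PMP access check (TOR entries only, lowest-numbered match wins). The ROM range, its R+X permissions and the names `pmp_allows` and `rom_access` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PMP_R   0x01u
#define PMP_W   0x02u
#define PMP_X   0x04u
#define PMP_TOR 0x08u /* A field = 1 (top-of-range) */
#define PMP_L   0x80u /* lock: R/W/X are enforced on M-mode too */

enum priv { PRIV_U, PRIV_M };

struct pmp_entry {
    uint8_t cfg;   /* pmpcfg byte */
    uint32_t addr; /* pmpaddr value: top of range >> 2 */
};

/* Simplified PMP check: TOR entries only, lowest-numbered match wins. */
static bool pmp_allows(const struct pmp_entry *e, size_t n,
                       enum priv mode, uint64_t pa, uint8_t want)
{
    uint64_t base = 0;

    for (size_t i = 0; i < n; i++) {
        uint64_t top = (uint64_t)e[i].addr << 2;
        bool match = (e[i].cfg & PMP_TOR) && pa >= base && pa < top;

        base = top; /* the next TOR entry starts where this one ends */
        if (!match) {
            continue;
        }
        /* M-mode bypasses the R/W/X bits unless the entry is locked. */
        if (mode == PRIV_M && !(e[i].cfg & PMP_L)) {
            return true;
        }
        return (e[i].cfg & want) == want;
    }
    /* No matching entry: M-mode succeeds, U-mode is denied. */
    return mode == PRIV_M;
}

/* Constructed layout: entry 0 covers ROM [0, 0x20000) as R+X. */
static bool rom_access(bool lock_rom, enum priv mode, uint8_t want)
{
    struct pmp_entry table[] = {
        { (uint8_t)(PMP_TOR | PMP_R | PMP_X | (lock_rom ? PMP_L : 0u)), 0x20000u >> 2 },
    };

    return pmp_allows(table, 1, mode, 0x1000u, want);
}

int main(void)
{
    printf("M-mode write, ROM locked:   %d\n", rom_access(true, PRIV_M, PMP_W));
    printf("M-mode write, ROM unlocked: %d\n", rom_access(false, PRIV_M, PMP_W));
    printf("U-mode write, ROM unlocked: %d\n", rom_access(false, PRIV_U, PMP_W));
    return 0;
}
```

With L=0 on the ROM entry the M-mode write goes through while the U-mode write is still refused, which is the trade-off the option makes for debug builds.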
1. it requires that there are floating point registers,
so the extension f is required. (zfinx uses the int regs instead)
2. RV32E doesn't support hardware floating-point calling convention.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Adds the Kconfig option PMP_NO_LOCK_GLOBAL to remove the PMP Lock bit
usage. The global entry is an internal detail of the driver
implementation and should not be reflected in the user interface. This
allows the application to dynamically reconfigure the PMP entries
without requiring hard reset. This is essential for firmware that
performs an RO-to-RW jump. By keeping these system entries unlocked,
higher-privileged M-mode code can dynamically reconfigure memory
permissions during the secure handover process, which is not possible if
the entries are permanently locked during early boot.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
The Physical Memory Protection (PMP) initialization is updated to support
custom entries defined in the Device Tree (DT) using the `zephyr,memattr`
property, contingent on `CONFIG_MEM_ATTR` being enabled. A new function,
`set_pmp_mem_attr()`, iterates over DT-defined regions and programs PMP
entries in `z_riscv_pmp_init()`, allowing for early, flexible, and
hardware-specific R/W/X protection for critical memory areas. DT-based
entries are also installed in `z_riscv_pmp_kernelmode_prepare()` for
thread-specific configuration. The logic for the temporary PMP "catch-all"
entry is adjusted to account for new DT entries. Furthermore, the PMP
domain resync logic now masks user partition permissions against DT-defined
region permissions, preventing privilege escalation. `CONFIG_RISCV_PMP` is
updated to select `PMP_KERNEL_MODE_DYNAMIC` if `MEM_ATTR`. Finally, the
`pmp_cfg` array in `z_riscv_pmp_init()` is initialized to zero to prevent
writing uninitialized stack data to unused PMP entries.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Introduce `CONFIG_PMP_KERNEL_MODE_DYNAMIC` to enable dynamic
configuration and activation of Machine mode PMP entries. This allows
PMP settings to be managed efficiently during transitions between
kernel and thread contexts.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Add option to enable NMI delivery on boot for SMRNMI hardware.
Changes:
- Add CONFIG_RISCV_SMRNMI_ENABLE_NMI_DELIVERY Kconfig option
- Define SMRNMI CSRs in arch/riscv/include/csr.h
- Set NMIE bit during boot to enable NMI delivery
SMRNMI hardware generates but doesn't deliver NMIs when NMIE=0 (default).
This causes twister test failures and prevents handling of critical
hardware events like watchdog NMIs and ECC errors.
Setting NMIE=1 enables NMI delivery, but note that this implementation
only sets the enable bit - it does not provide full SMRNMI support
(no mnret instruction handling, no RNMI handlers). Users must implement
proper RNMI handlers in SoC-specific code to avoid undefined behavior.
Signed-off-by: Afonso Oliveira <afonsoo@synopsys.com>
`CONFIG_EXTRA_EXCEPTION_INFO` that was added in #78065 doesn't
seem necessary, as we were already storing and printing the
callee-saved-registers before that. All `CONFIG_EXTRA_EXCEPTION_INFO`
does in RISCV is to add an additional `_callee_saved_t *csf` in the
`struct arch_esf`, whose overhead is negligible compared to what's being enabled
by `CONFIG_EXCEPTION_DEBUG`.
Let's remove `CONFIG_EXTRA_EXCEPTION_INFO`, and have that extra
`_callee_saved_t *csf` in the `struct arch_esf` as long as
`CONFIG_EXCEPTION_DEBUG` is enabled.
TL;DR: it doesn't make sense to not enable `CONFIG_EXTRA_EXCEPTION_INFO`
when `CONFIG_EXCEPTION_DEBUG` is enabled, so let's merge them.
Then, since `*csf` is always available in the `struct arch_esf` when
`CONFIG_EXCEPTION_DEBUG=y`, we can simply rely on that pointer in
`z_riscv_fatal_error()` instead of an additional argument in
`z_riscv_fatal_error_csf()`, rendering the latter redundant, so it
can be removed.
Additionally, save the callee-saved registers before jumping
to `z_riscv_fault()`, so that callee-saved-registers are printed on
generic CPU exception as well.
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Move Xuantie support from arch/riscv/core/xuantie to the custom common
layer arch/riscv/custom/thead, with the following changes:
1. Rename Kconfig name
CACHE_XTHEADCMO -> RISCV_CUSTOM_CSR_THEAD_CMO
2. Split the original arch/riscv/core/xuantie/Kconfig to
a. arch/riscv/custom/thead/Kconfig: for T-Head extension
b. arch/riscv/custom/thead/Kconfig.core: for T-Head CPU series
(e.g. Xuantie E907)
3. Move cache line size defaults to SoC devicetree
Signed-off-by: Jimmy Zheng <jimmyzhe@andestech.com>
Rework Andes-specific CSR to use RISC-V custom CSR common code.
Move the following to 'arch/riscv/custom/andes':
1. Rename 'soc_v5.h' to 'andes_csr.h' for CSR definitions.
2. Replace '_start' with '__reset' hook for low-level CSR initialization.
3. Move CSR context to common macro '__custom_csr_save/restore_context'.
4. Move 'EXECIT' CSR support to common code.
5. Move PMA CSR driver to common code.
6. Use RISC-V common linker.ld instead of SoC-specific linker.ld.
Signed-off-by: Jimmy Zheng <jimmyzhe@andestech.com>
Added helper Kconfig option USE_ISR_WRAPPER which can be used to
include isr_wrapper even if GEN_SW_ISR_TABLE is not enabled. This
is needed to enable configurations where only IRQ vector table is
used with multithreading (only direct isr used). This change is
backward compatible with previous config.
Signed-off-by: Łukasz Stępnicki <lukasz.stepnicki@nordicsemi.no>
Introduce CONFIG_RISCV_NO_MTVAL_ON_FP_TRAP to handle implementations
where the mtval CSR does not provide useful information during
floating-point illegal instruction exceptions.
The RISC-V specification states that mtval is "either set to zero or
written with exception-specific information" on traps. Some
implementations, including QEMU, do not populate mtval with the
faulting instruction value during FP-related illegal instruction
exceptions, making it unusable for FP exception handling.
Previously, this behavior was hardcoded for QEMU targets only, but
other CPU implementations may also lack useful mtval content for FP
traps. Decoupling this from CONFIG_QEMU_TARGET allows other
platforms to properly declare this limitation.
The new Kconfig option defaults to enabled for QEMU targets to
maintain backward compatibility.
Signed-off-by: Afonso Oliveira <afonsoo@synopsys.com>
This commit introduces a new Kconfig choice for configuring the code model
used for compilation.
All three code models specified by the RISC-V ELF psABI specification are
supported: medlow, medany and large.
For RV32, the `medlow` code model is always selected.
For RV64, the `large` code model is selected if the SRAM or kernel VM base
address is greater than or equal to 4 GiB; otherwise, the `medany` code
model is selected.
Signed-off-by: Stephanos Ioannidis <root@stephanos.io>
Utilize a code spell-checking tool to scan for and correct spelling errors
in `Kconfig` files within the `arch`, `boards`, `kernel`, `modules`,
`samples`, and `share` directories.
Additionally, incorporates a fix recommended by the reviewer.
Signed-off-by: Pisit Sawangvonganan <pisit@ndrsolution.com>
Initializing the C++ stack unwinding data structures takes quite a bit
of stack space. Increase the TEST_EXTRA_STACK_SIZE when using these.
Signed-off-by: Keith Packard <keithp@keithp.com>
CLIC supports mintstatus.MIL (RO) and mcause.MPIL (RW) for the current
interrupt level and the previous interrupt level before a trap. Each ISR
must execute MRET to set mcause.MPIL back to mintstatus.MIL.
This commit introduces CONFIG_CLIC_SUPPORT_INTERRUPT_LEVEL to handle
mcause.MPIL for interrupt preemption in nested ISR, and uses
CONFIG_RISCV_ALWAYS_SWITCH_THROUGH_ECALL to ensure the ISR always switches out
with MRET.
e.g.
With CONFIG_RISCV_ALWAYS_SWITCH_THROUGH_ECALL=n, a context-switch in
ISR may skip MRET in this flow:
IRQ -> _isr_wrapper -> z_riscv_switch() -> return to arch_switch()
Signed-off-by: Jimmy Zheng <jimmyzhe@andestech.com>
When RISCV_SOC_HAS_ISR_STACKING is used, it may
be needed to initialize custom hw stacked esf members.
Some initial values may need to be aligned with
hw stacking mechanism to avoid any side effects.
Signed-off-by: Łukasz Stępnicki <lukasz.stepnicki@nordicsemi.no>
Mostly a revert of commit b1def7145f ("arch: deprecate `_current`").
This commit was part of PR #80716 whose initial purpose was about providing
an architecture specific optimization for _current. The actual deprecation
was sneaked in later on without proper discussion.
The Zephyr core always used _current before and that was fine. It is quite
prevalent as well and the alternative is proving rather verbose.
Furthermore, as a concept, the "current thread" is not something that is
necessarily architecture specific. Therefore the primary abstraction
should not carry the arch_ prefix.
Hence this revert.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Introduce `CONFIG_RISCV_GP_PURPOSE` choice to make sure that only
one of `CONFIG_RISCV_GP` or `CONFIG_RISCV_CURRENT_VIA_GP` can be
enabled, instead of relying on dependencies.
To do that, introduce a new
`CONFIG_RISCV_SOC_HAS_GP_RELATIVE_ADDRESSING` that can be selected
by an SoC when it implements global pointer (GP) initialization for
relative addressing in its linker.
`CONFIG_RISCV_GP` will be the default choice when
`CONFIG_RISCV_SOC_HAS_GP_RELATIVE_ADDRESSING=y`
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
Reset the `gp` register to `_kernel->cpus[i].current` when
`CONFIG_USERSPACE` is enabled on exception to keep it sane.
Updated the testcase to test both `CONFIG_RISCV_GP` and
`CONFIG_RISCV_CURRENT_VIA_GP`.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
`_current` is now functionally equal to `arch_curr_thread()`, remove
its usage in-tree and deprecate it instead of removing it outright,
as it has been with us since forever.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
Implement `arch_curr_thread()` & `arch_set_curr_thread()`
with the global pointer (GP) register.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
Without multithreading only two stacks are present: ISR and main.
Like any stack they could also overflow, so it makes sense to add a stack
guard for them as well.
Remove stack guard dependency on multithreading and mark
`Z_RISCV_STACK_GUARD_SIZE` bytes at the beginning of stack as read-only
region with PMP entry.
Signed-off-by: Volodymyr Fialko <vfialko@marvell.com>
According to the RISC-V Instruction Set Manual: Volume II, Version 20240411
(Section 3.1.6.6), some implementations may choose to track the dirtiness
of the floating-point register state imprecisely by reporting the state to
be dirty even when it has not been modified. This option reflects that.
Also add a filter in `tests/arch/riscv/fpu_sharing/` based on imprecise
FPU state tracking.
Signed-off-by: Jakub Wasilewski <jwasilewski@internships.antmicro.com>
Signed-off-by: Filip Kokosinski <fkokosinski@antmicro.com>
The current IPI implementation assumes that CLINT exists in the
system, however, that might not be the case as IPI can be implemented
with PLIC that supports software-triggering as well, such as the Andes
NCEPLIC100.
Refactor the CLINT-based IPI implementations into `ipi_clint.c`, and
create Kconfig that selects the CLINT implementation when
`sifive-clint0` exists and enabled, otherwise default to
`RISCV_SMP_IPI_CUSTOM` which allows OOT implementation. This also
makes way for the upstreaming of non-clint IPI implementation later.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
The callee-saved-registers can be helpful to debug the state of
a core upon an exception, however, currently there's no way to
access that information in user-implemented
`k_sys_fatal_error_handler()`, even though the csf is already stored
in the stack.
This patch conditionally adds a `csf` member in the `arch_esf` when
`CONFIG_EXTRA_EXCEPTION_INFO=y`*, which the `_isr_wrapper` would update
when a fatal error occurs before invoking `z_riscv_fatal_error_csf()`.
Functions such as `k_sys_fatal_error_handler()` would then be able
to access the callee-saved-registers at the time of exception via
`esf->csf`.
* For SoCs that select `RISCV_SOC_HAS_ISR_STACKING`, the
`SOC_ISR_STACKING_ESF_DECLARE` has to include the `csf` member,
otherwise the build would fail.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
This commit introduces a new ARCH_STACKWALK Kconfig which
determines if the `arch_stack_walk()` is available should the
arch support it.
Starting from RISCV, this will be able to converge the exception
stack trace implementation & stack walking features. Existing
exception stack trace implementation will be updated later.
Eventually we will end up with the following:
1. If an arch implements `arch_stack_walk()`
`ARCH_HAS_STACKWALK` should be selected.
2. If the above is enabled, `ARCH_SUPPORTS_STACKWALK` indicates
if the dependencies are met for arch to enable stack walking.
This Kconfig replaces `<arch>_EXCEPTION_STACK_TRACE`
2. If the above is enabled, then, `ARCH_STACKWALK` determines
if `arch_stack_walk()` should be compiled.
3. `EXCEPTION_STACK_TRACE` should build on top of the
`ARCH_STACKWALK`, stack traces will be printed when it
is enabled.
4. `ARCH_STACKWALK_MAX_FRAMES` will be removed as it is
replaced by `ARCH_STACKWALK_MAX_FRAMES`
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
Before this, stack protection would be effective only after switching to
the first thread.
Even before the first thread is created, the kernel init code uses the
IRQ stack to set things up. Let's make sure this is safeguarded as well.
This also fixes the incompatibility between CONFIG_RISCV_PMP and
CONFIG_RISCV_ALWAYS_SWITCH_THROUGH_ECALL, the latter needing an exception
call to switch to the first thread and exception code assuming stack
guard is already set up in the PMP.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Update the description of the `INCLUDE_RESET_VECTOR` Kconfig so
that it is more clear to the user what it does.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
The CLIC requires that mtvec.base is aligned to 64 bytes.
_isr_wrapper is used as mtvec.base, so align it to 64 bytes.
Signed-off-by: Piotr Wojnarowski <pwojnarowski@antmicro.com>
Fix the dependencies of `CONFIG_EXCEPTION_STACK_TRACE`:
- Architecture-specific Kconfig, i.e.
`X86_EXCEPTION_STACK_TRACE`, will be enabled automatically
when all the dependencies are met.
- `EXCEPTION_STACK_TRACE` depends on architecture-specific
Kconfig to be enabled.
- The stack trace implementations should be compiled only if
user enables `CONFIG_EXCEPTION_STACK_TRACE`.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
RISC-V PMP implementation supports isolating thread stacks
within the same memory domain, and also is the only
supported operating mode. So select the corresponding
kconfig by default.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Influenced heavily by the RISCV64 stack unwinding
implementation in the Linux kernel.
`CONFIG_RISCV_EXCEPTION_STACK_TRACE` can be enabled by
configuring the following Kconfigs:
```prj.conf
CONFIG_DEBUG_INFO=y
CONFIG_EXCEPTION_STACK_TRACE=y
CONFIG_OVERRIDE_FRAME_POINTER_DEFAULT=y
CONFIG_OMIT_FRAME_POINTER=n
```
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
This commit removes the `Kconfig.core` file. It's been largely unused, and
the only symbol it provides (`RISCV_CORE_E31`) overlaps with the SoC-layer
provided `SOC_SERIES_SIFIVE_FREEDOM_FE300`.
As of date, the only SoC that uses the E31 core in Zephyr is the FE310 SoC.
Signed-off-by: Filip Kokosinski <fkokosinski@antmicro.com>
Configure a new Kconfig (`CONFIG_RISCV_HART_MASK`) so that it
is possible to mask the `mhartid` of a processor. This is
helpful in the cases when the hart id starts from a non-zero
value.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Because the riscv32/riscv64 is redundant, one can get the same
information combining CONFIG_ARCH + CONFIG_64BIT.
Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
It looks like all SoCs in tree check if an exception comes from an IRQ
the same way, so let's provide a common logic by default, still
customizable if the SoC selects RISCV_SOC_ISR_CHECK.
Signed-off-by: Gerard Marull-Paretas <gerard@teslabs.com>
According to the clic specification
(https://github.com/riscv/riscv-fast-interrupt), the mnxti register has
to be written, in order to clear the pending bit for non-vectored
interrupts. For vectored interrupts, this is automatically done.
From the spec:
"If the pending interrupt is edge-triggered, hardware will automatically
clear the corresponding pending bit when the CSR instruction that
accesses xnxti includes a write."
I added a kconfig `RISCV_SOC_HAS_CUSTOM_IRQ_HANDLING` to allow custom
irq handling. If enabled, `__soc_handle_all_irqs` has to be implemented.
For clic, non-vectored mode, I added a `__soc_handle_all_irqs`, that
handles the pending interrupts according to the pseudo code in the spec.
Signed-off-by: Greter Raffael <rgreter@baumer.com>