zeroing CNTHCTL_EL2 traps physical timer/counter access from EL1 to EL2,
but Zephyr has no hypervisor to handle those traps.
Enabling access is the standard EL2→EL1 drop behavior.
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Select ARCH_SUPPORTS_COREDUMP_THREADS (if !SMP) and
ARCH_SUPPORTS_COREDUMP_STACK_PTR for RISC-V, and implement
arch_coredump_stack_ptr_get().
This enables CONFIG_DEBUG_COREDUMP_MEMORY_DUMP_THREADS and
CONFIG_DEBUG_COREDUMP_THREAD_STACK_TOP.
For non-current threads, return thread->callee_saved.sp.
For the faulting current thread in stack-top mode, return the
exception-time SP from z_riscv_get_sp_before_exc() (cached during
arch_coredump_info_dump()) instead of thread->callee_saved.sp,
which reflects switch-time state.
Signed-off-by: Mirai SHINJO <oss@mshinjo.com>
Expand the RISC-V coredump register block to all 33 GDB registers
(x0-x31, pc) in register-number order.
Previously only 18 registers were serialized. Populate zero, sp, gp,
tp, s0, and s1-s11 (when available).
Bump ARCH_HDR_VER from 1 to 3 (RISC-V 32-bit layout) and from 2 to 4
(RISC-V 64-bit layout) for the new wire format.
Keep the RISC-V 32-bit block fixed at 33 fields on the RISC-V RV32E
profile; registers not implemented by RV32E remain zero-filled so
version 3 always has a stable size.
Signed-off-by: Mirai SHINJO <oss@mshinjo.com>
When handling an ISR (which does not have a context from which to
restore its own value of LCOUNT), we must clear LCOUNT to prevent
incorrect zero-overhead execution if calling a function such as
memmove() which could be implemented using zero-overhead loop.
A function such as memmove() implemented using zero-overhead loop
assumes LCOUNT to have properly been setup before being called; but
an ISR calling memmove() in assembly, will likely not know that.
Signed-off-by: William Tambe <williamt@cadence.com>
Add CONFIG_PMP_UNLOCK_ROM_FOR_DEBUG option to conditionally disable
the lock bit (L=0) for the ROM region PMP entry. This allows debuggers
running in machine mode to access ROM for setting breakpoints and
reading instructions while preserving userspace protection.
When PMP lock bits are set, they restrict access even in machine mode,
causing "unable to halt hart" errors with hardware debuggers like
OpenOCD. This option provides a surgical fix that only affects the ROM
region - NULL pointer guards and stack guards remain locked to catch
critical bugs during development.
The option integrates with existing PMP_NO_LOCK_GLOBAL configuration
using nested COND_CODE_1 macros and defaults to disabled for production
builds.
Fixes: zephyrproject-rtos/zephyr#82729
Signed-off-by: Alex Lyrakis <alex_gfd@hotmail.com>
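
The trade-off behind this option can be seen in a small model of the PMP rules from the RISC-V privileged specification. This is an added example, not Zephyr code: the entry struct with explicit ranges, the function names and the ROM addresses are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* pmpcfg bit positions from the RISC-V privileged specification. */
#define PMP_R 0x01u
#define PMP_W 0x02u
#define PMP_X 0x04u
#define PMP_L 0x80u

enum priv { PRIV_U, PRIV_M };

/* Simplified entry: an explicit [base, end) range instead of pmpaddr encoding. */
struct pmp_entry { uintptr_t base, end; uint8_t cfg; };

/* Constructed sample: the same ROM range with and without the lock bit. */
struct pmp_entry rom_locked = { 0x20000000u, 0x20100000u, PMP_R | PMP_X | PMP_L };
struct pmp_entry rom_unlocked = { 0x20000000u, 0x20100000u, PMP_R | PMP_X };

/* The lowest-numbered matching entry decides; need is one of PMP_R/W/X. */
bool pmp_access_ok(const struct pmp_entry *e, size_t n, uintptr_t addr,
		   enum priv mode, uint8_t need)
{
	for (size_t i = 0; i < n; i++) {
		if (addr < e[i].base || addr >= e[i].end) continue;
		if (mode == PRIV_M && !(e[i].cfg & PMP_L)) {
			return true; /* an unlocked entry does not bind M-mode */
		}
		return (e[i].cfg & need) != 0;
	}
	return mode == PRIV_M; /* no match: only M-mode passes */
}

/* A locked entry ignores configuration writes until reset. */
bool pmp_write_cfg(struct pmp_entry *e, uint8_t cfg)
{
	if (e->cfg & PMP_L) return false;
	e->cfg = cfg;
	return true;
}

int main(void)
{
	printf("M-mode write to ROM: locked=%d unlocked=%d\n",
	       pmp_access_ok(&rom_locked, 1, 0x20000100u, PRIV_M, PMP_W),
	       pmp_access_ok(&rom_unlocked, 1, 0x20000100u, PRIV_M, PMP_W));
	return 0;
}
```

With L=0 the entry still constrains U-mode, but M-mode is no longer checked against it and the entry itself can be rewritten.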
This reverts commit 8c02dde437.
For some unknown reasons, xt-clang emits two copies of
z_xt_init_pc if xtensa_mmu_init_paging() is in the same file
as xtensa_mmu_init() and xtensa_mmu_reinit(). So had to
revert the change.
Fixes #103055
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When using LLEXT, instruction TLB multi-hit becomes a reality
as the same memory space can be occupied by different modules
with different permissions. The ITLB cache may still contain
entries of the unloaded module. So we need to manually
invalidate any cached ITLB corresponding to the exception
address so the TLB associated with the newly loaded module
can be used.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
There is no need to invalidate the whole auto-refilled data TLB
cache when DTLB multi-hit exception is raised. Now it only
invalidates the TLB entries corresponding to the one causing
the DTLB multi-hit. This allows other non-related TLB entries
to remain in the cache so they don't need to be reloaded.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
For both data TLB multi-hit and load/store ring error, we should
return to the interrupted thread immediately so that it can get
past the exception generated code. It is because both of these
exceptions are the result of having cached TLB entries not
aligning to the correct access pattern. So once we have handled
the exception, go back to the interrupted thread to continue
to minimize the chance of having another incompatible TLB being
cached.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
There is no need for an extra switch block to manipulate
the value of is_fatal_error, which defaults to false, and is set
according to the actual exception above. So remove that.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
BTI requires that the C library be compiled with -mbranch-protection to
include BTI landing pads. Newlib from toolchains lacks this support, so
only minimal libc or picolibc built from source (PICOLIBC_USE_MODULE) can
be used with BTI.
Without this, the basic hello_world/ sample fails to execute.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Change the random number generator requirement for per-thread PAC keys
from a hard dependency to a more flexible approach:
- Use 'select CSPRNG_NEEDED' to automatically request cryptographic
  RNG support rather than requiring specific RNG options to be
  pre-enabled
- Use 'imply TEST_RANDOM_GENERATOR' as a fallback when no real CSPRNG
  is available, enabling testing without hardware entropy
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Enable the ARM_PACBTI Kconfig choice for ARM64 architectures (ARMV8_A
and ARMV9_A) in addition to the existing ARM32 ARMV8_1_M_MAINLINE
support. Add the corresponding -mbranch-protection compiler flags to
both GCC and Clang target files for ARM64.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add support for ARMv8.5+ Branch Target Identification to protect against
Jump-Oriented Programming (JOP) attacks. This complements PAC to offer
complete protection against both ROP and JOP attacks, ensuring
comprehensive control flow integrity.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add support for ARMv8.3+ Pointer Authentication to protect against
Return-Oriented Programming (ROP) attacks. This implementation provides
PAC functionality with per-thread key isolation, secure key management,
and integration with Zephyr's thread model.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
The Xen events channel driver consumes 72K of RAM, but may not be
required in all use cases.
Added a XEN_EVENTS Kconfig option so that Xen events can be gracefully
disabled if not required. Updated the relevant CMakeLists.txt and
Kconfig files to guard the inclusion of the Xen events driver and its
source files by this option.
Signed-off-by: Grygorii Strashko <grygorii_strashko@epam.com>
Signed-off-by: Svitlana Drozd <svitlana_drozd@epam.com>
Functions in assembler file pm_s2ram.S are declared with the usual:
SECTION_FUNC(TEXT, <function name>)
Note the first argument (section name) is `TEXT` in capital letters which
a define in `include/zephyr/linker/sections.h` should replace with `text`,
such that the functions are placed in section `.text.<function name>` which
matches the ".text.*" pattern in linker script. However, this file is not
included by pm_s2ram.S: as such, the substitution never happens and the
functions go in `.TEXT.<function name>` instead! This has not caused issues
thanks to a workaround in the Cortex-M linker script, which also has
".TEXT.*" as input section name pattern (unlike all other archs!), but is a
bug nonetheless.
Fix this issue by adding the missing include which ensures the functions
are placed in sections with the proper name.
Signed-off-by: Mathieu Choplain <mathieu.choplain-ext@st.com>
The eponymous function in __aeabi_read_tp.S is declared using:
SECTION_FUNC(TEXT, __aeabi_read_tp)
Note the first argument (section name) is `TEXT` in capital letters which
a define in `include/zephyr/linker/sections.h` should replace with `text`,
such that the function is placed in section `.text.__aeabi_read_tp` which
matches the ".text.*" pattern in linker script. However, this file is not
included by __aeabi_read_tp.S: as such, the substitution never happens and
the function goes in `.TEXT.__aeabi_read_tp` instead! This has not caused
issues thanks to a workaround in the Cortex-M linker script, which also
has ".TEXT.*" as input section name pattern (unlike all other archs!), but
is a bug nonetheless.
Fix this issue by adding the missing include which ensures the function
is placed in a section with the proper name.
Signed-off-by: Mathieu Choplain <mathieu.choplain-ext@st.com>
The Zephyr kernel's generic `z_fatal_error()` function, which is
invoked by architecture-specific fatal error handlers, is not
guaranteed to be non-returning. For instance, it can return if an
essential thread aborts itself.
The RISC-V port's `z_riscv_fatal_error` function was previously
inconsistently marked as `FUNC_NORETURN`. This commit removes this
attribute to align with the core kernel behavior, allowing the
function to return if `z_fatal_error()` returns.
Specific changes include:
- Removed `FUNC_NORETURN` from `z_riscv_fatal_error` declarations
  in `fatal.c` and `kernel_arch_func.h`.
- Removed `CODE_UNREACHABLE` after the call to `z_fatal_error`
  within `z_riscv_fatal_error` as it can now return.
- In `isr.S`, changed `tail z_riscv_fatal_error` to
  `call z_riscv_fatal_error` in the exception entry, followed by
  a jump to `check_reschedule` to handle the return path.
- Added `CODE_UNREACHABLE` at call sites of `z_riscv_fatal_error`
  (e.g., in `z_riscv_fault`, `z_check_user_fault`,
  `arch_irq_spurious`) where the context ensures the call is
  effectively terminal.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Cortex-R5F Technical Reference Manual by Arm says DMINLINE is the Log2 of
the minimum number of words (one word = four bytes) in a cache line.
For instance, say DMINLINE is 3, which means the cache line size is
2^3=8 words or 32 bytes, however with the current calculation, it comes
out to be 16 bytes. Therefore, we fix this calculation by correctly
calculating the number of bytes for the cache line size.
Signed-off-by: Amneesh Singh <amneesh@ti.com>
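
The calculation described in the commit message above, written out as an added example (not the Zephyr source), together with the effect of underestimating the line size when a buffer is checked for cache-line alignment. The function names, the CTR value and the buffer address are constructed; the DminLine field position is the Armv7 Cache Type Register layout.

```c
#include <stdint.h>
#include <stdio.h>

/* DminLine is bits [19:16] of the Armv7 Cache Type Register (CTR). */
uint32_t ctr_dminline(uint32_t ctr)
{
	return (ctr >> 16) & 0xFu;
}

/* DminLine is log2 of the line length in 4-byte words, so bytes = 4 * 2^n. */
uint32_t dcache_line_bytes(uint32_t dminline)
{
	return (uint32_t)sizeof(uint32_t) << dminline;
}

/*
 * Bytes outside [addr, addr + len) that share a cache line with the buffer.
 * A by-address invalidate works on whole lines, so these bytes are affected too.
 */
uint32_t collateral_bytes(uint32_t addr, uint32_t len, uint32_t line)
{
	uint32_t start = addr & ~(line - 1u);
	uint32_t end = (addr + len + line - 1u) & ~(line - 1u);

	return (end - start) - len;
}

int main(void)
{
	const uint32_t ctr = 0x8003C003u; /* constructed value, DminLine = 3 */
	uint32_t line = dcache_line_bytes(ctr_dminline(ctr));

	/* Constructed buffer: 16-byte aligned, which a 16-byte line size accepts. */
	printf("line=%u bytes, collateral assuming 16-byte lines=%u, actual=%u\n",
	       (unsigned)line, (unsigned)collateral_bytes(0x1010u, 0x20u, 16u),
	       (unsigned)collateral_bytes(0x1010u, 0x20u, line));
	return 0;
}
```

A buffer that looks line-aligned under the 16-byte figure actually shares its first and last 32-byte lines with neighbouring data.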
The arch_float_disable() function was not clearing the K_FP_REGS flag
from thread->base.user_options after disabling FPU access. This caused
the float_disable test to fail as it verifies the flag is properly
cleared after FPU disable.
Signed-off-by: Appana Durga Kedareswara rao <appana.durga.kedareswara.rao@amd.com>
Since we have split source files for page table related stuff
and MMU related stuff, move the MMU initialization functions
from the page table source file into MMU source file.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This adds doxygen doc to the page table source file as
we are missing quite a bit of documentation there.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This changes the existing comments for functions into doxygen
style documentation for functions. Also adds missing doxygen
doc for functions.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
1. it requires that there are floating point registers,
   so the extension f is required. (zfinx uses the int regs instead)
2. RV32E doesn't support hardware floating-point calling convention.
Signed-off-by: Fin Maaß <f.maass@vogl-electronic.com>
Introduce the missing flag to compile code with Zbkb extension,
which has already been supported by the GCC 12 in current SDK.
Signed-off-by: Andy Lin <andylinpersonal@gmail.com>
Upgrades the thread user_options to 16 bits from an 8-bit value to
provide more space for future values.
Also, as the size of this field has changed, the values for the
existing architecture specific thread options have also shifted
from the upper end of the old 8-bit field, to the upper end of
the new 16-bit field.
Fixes #101034
Signed-off-by: Peter Mitsis <peter.mitsis@intel.com>
If there are not enough free L2 tables to map all predefined
memory regions at boot, halt the system in case assertion is
not enabled. Without all the needed memory regions mapped,
it is very unlikely that anything will run properly.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Adds some debug logs when we are allocating page tables.
This provides a more visible way of seeing whether
we need to have more free tables.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Add an assertion to halt the system if L2 table allocation
fails when we need to duplicate an existing L2 table, as it is
a must-have and must-succeed operation.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
As per Zephyr guidelines re: inclusive language, the term
"master" is replaced with "primary".
Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
Preserve EXCCAUSE and EXCVADDR values on entry to _Level1Vector.
Restore EXCCAUSE when exiting TLB miss exception handling in the double
exception handler.
During first-level exception handling, a LoadStoreTLBMissException may
occur during the initial register dump to BSA. It modifies EXCCAUSE and
EXCVADDR registers before they are saved in BSA. Therefore, these values
must be captured as early as possible.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Remove saving EXCCAUSE register in BSA through the _Level1Vector handler.
This value is later overwritten by the ODD_REG_SAVE macro called by
EXCINT_HANDLER, so saving it here is pointless.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Add infrastructure for SoCs to define additional PMP regions
that need protection beyond the standard ROM region. This uses
iterable sections to collect region definitions at link time.
The PMP_SOC_REGION_DEFINE macro allows SoCs to register memory
regions with specific permissions. These regions become global
PMP entries shared between M-mode and U-mode.
Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>
After commit 02770ad963 ("debug: EXCEPTION_STACK_TRACE should depend
on arch Kconfigs"), the ARM64_EXCEPTION_STACK_TRACE isn't used any more,
remove it.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
soc_per_core_init_hook() is usually called from arch_kernel_init() and
arch_secondary_cpu_init() which are C functions. As such, there is no need
to check for CONFIG_SOC_PER_CORE_INIT_HOOK since platform/hooks.h provides
a no-op function-like macro implementation if the Kconfig option is not
enabled.
Remove the Kconfig option check from all files.
Signed-off-by: Mathieu Choplain <mathieu.choplain-ext@st.com>
Ensure callee registers included in coredump.
Push callee registers onto stack for
CONFIG_ARMV6_M_ARMV8_M_BASELINE as well
when CONFIG_EXTRA_EXCEPTION_INFO enabled.
Effectively a complement to df6b8c3 by mholden.
Signed-off-by: Andy Lin <andylinpersonal@gmail.com>
Minor improvements in this cmake:
Add a comment to clarify why we set one option, and move an if
into an else with a comment of what it is doing.
Signed-off-by: Alberto Escolar Piedras <alberto.escolar.piedras@nordicsemi.no>