Set PPN (Physical Page Number) in L2 entry in the region_map_update
function to ensure correct mapping for memory that was not previously
mapped based on xtensa_soc_mmu_ranges.
When a new memory domain is created, the arch_mem_domain_init function
allocates new ptables using the dup_table function. This function only
copies original L2 entries created from xtensa_soc_mmu_ranges with
OPTION_SAVE_ATTRS. Entries added later by arch_mem_map are replaced with
XTENSA_MMU_PTE_L2_ILLEGAL and have PPN (Physical Page Number) set to zero.
When adding a new partition to a memory domain, the update_region function
is used. It sets new access attributes in the L2 table without setting the
PPN value. As a result, it does not work correctly for memory that was not
previously mapped based on xtensa_soc_mmu_ranges.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Add macro PTE_PPN_SET to simplify setting the physical page
number assigned in the page table entry.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Add macro PTE_PPN_GET to simplify retrieval of the physical page
number assigned to a page table entry.
Signed-off-by: Adrian Warecki <adrian.warecki@intel.com>
Commit a763207962 ("arch: arm: dwt: use the cmsis_6 macro
unconditionally") uses the cmsis_6 macro unconditionally, so we can use DCB
instead of the CoreDebug macro unconditionally.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Make sure that arch.mode is set with appropriate flags before setting up
the privileged stack start.
Fixes #99895
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
Adds the Kconfig option PMP_NO_LOCK_GLOBAL to remove the PMP Lock bit
usage. The global entry is an internal detail of the driver
implementation and should not be reflected in the user interface. This
allows the application to dynamically reconfigure the PMP entries
without requiring hard reset. This is essential for firmware that
performs an RO-to-RW jump. By keeping these system entries unlocked,
higher-privileged M-mode code can dynamically reconfigure memory
permissions during the secure handover process, which is not possible if
the entries are permanently locked during early boot.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Make sure bindesc are placed right after the vector table and fix ci
failure with sample.bindesc for fvp_baser_aemv8r/fvp_aemv8r_aarch32.
Without this change the bindesc are placed at a location that is not
mapped leading to a data abort while running the sample.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
Move ARCH_HAS_STACKWALK under CPU_CORTEX_A section since only Cortex-A
implements arch_stack_walk(), while Cortex-R does not.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
xt-clang complains about l2_page_tables_counter_inc() being
unused but not GCC. So fix that by using it somewhere else.
Fixes #99753
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When CONFIG_MAX_XLAT_TABLES is too small and new_table() cannot allocate
a translation table, the system must halt rather than continue with
undefined behavior.
This change ensures k_panic() is called after reporting the error,
preventing the system from proceeding when it runs out of translation
tables. Additionally, adds printk() fallback for configurations where
CONFIG_LOG is disabled to ensure the error is always visible.
Signed-off-by: Appana Durga Kedareswara rao <appana.durga.kedareswara.rao@amd.com>
Allows you to relocate the vector table from Flash to ITCM/DTCM to
minimize interrupt latency. TCM offers single-cycle access compared to
multi-cycle SRAM reads and even slower flash reads. This improves exception
handling speed for real-time workloads.
Signed-off-by: Peter van der Perk <peter.vanderperk@nxp.com>
C99 has been the minimum required C standard version for Zephyr since
its inception. After multiple attempts and discussions, a decision has
been made to upgrade to C17 going forward.
This commit replaces the default C standard from C99 to C17 in the
configuration and build system, and deprecates support for the older
standards.
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>
Add a new Kconfig option CONFIG_XEN_SYSCTL_INTERFACE_VERSION that allows
changing the version of the Sysctl interface used by Zephyr to issue
sysctl hypercalls.
For now, version 0x15 is supported.
Signed-off-by: Mykyta Poturai <mykyta_poturai@epam.com>
Signed-off-by: Dmytro Firsov <dmytro_firsov@epam.com>
Add a new Kconfig option CONFIG_XEN_DOMCTL_INTERFACE_VERSION that allows
changing the version of the Domctl interface used by Zephyr to issue
domctl hypercalls. Add compile-time checks to enable or disable certain
Domctl operations based on the selected Domctl interface version.
For now, versions 0x15, 0x16, and 0x17 are supported.
Also, it is required to correctly guard domctl calls that were not supported
prior to the specified version.
Signed-off-by: Mykyta Poturai <mykyta_poturai@epam.com>
Signed-off-by: Dmytro Firsov <dmytro_firsov@epam.com>
This hypercall can be used to get some information about the physical machine
and running guests:
- sysctl hypercall "xen_sysctl_getphysinfo" allows reading information about
  the physical machine: number of CPUs, memory sizes, hardware capabilities, etc.
- sysctl hypercall "xen_sysctl_getdomaininfolist" returns an array of domain
  info structures that provide information about particular domain(s).
Signed-off-by: Dmytro Semenets <dmytro_semenets@epam.com>
Signed-off-by: Mykyta Poturai <mykyta_poturai@epam.com>
Signed-off-by: Dmytro Firsov <dmytro_firsov@epam.com>
The Xen API contains a hypercall that allows domains to identify the Xen
version currently used on the system. It can be used to check
if the current version is supported by Zephyr or to change the behavior of the
drivers or services.
Signed-off-by: Dmytro Semenets <dmytro_semenets@epam.com>
Signed-off-by: Dmytro Firsov <dmytro_firsov@epam.com>
Add wrappers for the following XEN_DMOP_* hypercalls.
These enable the Xen device model control path:
dm_op provides operations to create/manage the ioreq server
so guest MMIO accesses are trapped and handled by the hypervisor.
These are guarded by CONFIG_XEN_DMOP.
- dmop
- dmop_create_ioreq_server
  XEN_DMOP_create_ioreq_server
- dmop_map_io_range_to_ioreq_server
  XEN_DMOP_map_io_range_to_ioreq_server
- dmop_set_ioreq_server_state
  XEN_DMOP_set_ioreq_server_state
- dmop_nr_vcpus
  XEN_DMOP_nr_vcpus
- dmop_set_irq_level
  XEN_DMOP_set_irq_level
Signed-off-by: TOKITA Hiroshi <tokita.hiroshi@gmail.com>
Due to slight differences in the way that LLVM and GNU linkers work,
the call to `z_stack_space_get()` is not dead-stripped when linking
with `lld` but it is dead-stripped when linking with GNU `ld`.
The `z_stack_space_get()` function is only available when
`CONFIG_INIT_STACKS` and `CONFIG_THREAD_STACK_INFO` are defined.
The issue is reproducible (although requires building LLVM and
setting up some environment variables) and goes away with the proposed
workaround.
Signed-off-by: Robin Kastberg <robin.kastberg@iar.com>
Signed-off-by: Chris Friedt <cfriedt@tenstorrent.com>
Memory protection and userspace tests require more MMU translation
tables than the default. Without this increase, tests fail with:
    E: CONFIG_MAX_XLAT_TABLES too small
    ASSERTION FAIL [ret == 0] @ arch/arm64/core/mmu.c:1244
    privatize_page_range() returned -12
Increase defaults when both USERSPACE and TEST are enabled:
- 32 tables for SMP configurations
- 24 tables for non-SMP configurations
This fixes:
- sample.kernel.memory_protection.shared_mem (all platforms)
- rtio.api.userspace (v8a, v9a)
- rtio.api.userspace.submit_sem (v8a, v9a)
- portability.posix.common.userspace
Consequently the demand paging test needed adjustment to its
qemu_cortex_a53 configs to keep working as this test is highly
sensitive to the amount of available free memory.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Increase ARM64 stack sizes to accommodate deeper call stacks in
userspace and SMP configurations when FPU_SHARING is enabled:
- PRIVILEGED_STACK_SIZE: 1024 → 4096 bytes (with FPU_SHARING)
- TEST_EXTRA_STACK_SIZE: 2048 → 4096 bytes (with FPU_SHARING)
The default 1KB privileged stack is insufficient for ARM64 userspace
syscalls when FPU context switching is enabled.
Symptom: Userspace tests crash with Data Abort (EC 0x24) near stack
boundaries during syscalls, particularly on SMP configurations where
multiple threads exercise FPU lazy switching.
Fixes previously failing CI test on fvp_base_revc_2xaem SMP variants:
- kernel.threads.dynamic
- Multiple userspace tests with FPU_SHARING enabled
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Implement Scalable Vector Extension (SVE) context switching support,
enabling threads to use SVE and SVE2 instructions with lazy context
preservation across task switches.
The implementation is incremental: if only FPU instructions are used
then only the NEON access is granted and preserved to minimize context
switching overhead. If SVE is used then the NEON context is upgraded to
SVE and then full SVE access is granted and preserved from that point
onwards.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add Cortex-A320 support to the unified FVP board structure with ARMv9.2-A
specific configuration parameters.
New board target:
- fvp_base_revc_2xaem/a320
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add ARMv9-A architecture support with Cortex-A510 CPU as the default
processor for generic ARMv9-A targets.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Add support for stacktrace in dummy thread which is used to run
the early system initialization code before the kernel switches
to the main thread.
On RISC-V, the dummy thread will be running temporarily on the
interrupt stack, but currently we do not initialize the stack
info for the dummy thread, hence check the address against the
interrupt stack.
Signed-off-by: Yong Cong Sin <ycsin@meta.com>
Signed-off-by: Yong Cong Sin <yongcong.sin@gmail.com>
This commit implements a new unit test suite to validate the
integration of Device Tree memory attributes (`zephyr,memory-attr`)
with the RISC-V Physical Memory Protection (PMP) hardware.
The test suite includes:
1. **`test_pmp_devicetree_memattr_config`**: Verifies that the PMP
Control and Status Registers (CSRs) are programmed correctly based
on the memory regions defined with `zephyr,memory-attr` in the
Device Tree. It iterates through the active PMP entries and
asserts a match against the expected DT-defined regions.
2. **`test_riscv_mprv_mpp_config`**: Checks the initial state of the
Machine Privilege Register Virtualization (MPRV) bit and Machine
Previous Privilege (MPP) field in the `mstatus` CSR to ensure PMP
is configured for correct privilege level switching during boot.
3. **`test_dt_pmp_perm_conversion`**: Validates the
`DT_MEM_RISCV_TO_PMP_PERM` macro to ensure the conversion from
Device Tree memory attribute flags to RISC-V PMP permission bits
(R/W/X) is correct.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
The logic to decode PMP addressing modes (**TOR**, **NA4**, **NAPOT**) into
physical start and end addresses was previously embedded in
`print_pmp_entries()`.
Extract this calculation into a new static helper function,
`pmp_decode_region()`, to significantly improve the readability and
modularity of the PMP debug printing code.
The new helper function is fully self-contained and exposes a defined API
for the PMP address decoding logic. This enables **direct reuse** in
**unit tests** (e.g., using **Ztest**) to verify the core address
calculation accuracy for all PMP modes and boundary conditions, independent
of the main PMP initialization or logging path.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
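The TOR/NA4/NAPOT decoding that the commit message above refers to, as an added example following the RISC-V privileged specification encoding. This is not Zephyr's `pmp_decode_region()` and not code from the commit; `example_pmp_decode` and `struct pmp_region` are hypothetical names, and 64-bit `pmpaddr` values are assumed.

```c
#include <stdbool.h>
#include <stdint.h>

/* pmpcfg "A" field (bits 4:3) as defined by the RISC-V privileged spec. */
#define PMP_A_SHIFT 3
#define PMP_A_MASK  0x3
enum pmp_mode { PMP_OFF = 0, PMP_TOR = 1, PMP_NA4 = 2, PMP_NAPOT = 3 };

struct pmp_region {
	uint64_t start; /* first byte covered */
	uint64_t end;   /* last byte covered (inclusive) */
};

/*
 * Hypothetical helper (not Zephyr's pmp_decode_region()): decode one PMP
 * entry into an inclusive byte range. pmpaddr registers hold address
 * bits [XLEN+1:2], hence the shifts by 2. Returns false when the entry
 * matches nothing (OFF, or TOR with top <= bottom).
 */
bool example_pmp_decode(uint8_t cfg, uint64_t addr, uint64_t prev_addr,
			struct pmp_region *out)
{
	switch ((cfg >> PMP_A_SHIFT) & PMP_A_MASK) {
	case PMP_TOR:
		/* Range is [prev_addr << 2, addr << 2); entry 0 uses prev_addr = 0. */
		if (addr <= prev_addr) {
			return false;
		}
		out->start = prev_addr << 2;
		out->end = (addr << 2) - 1;
		return true;
	case PMP_NA4:
		out->start = addr << 2;
		out->end = out->start + 3;
		return true;
	case PMP_NAPOT:
		/*
		 * k trailing one bits encode a 2^(k+3)-byte region. addr + 1
		 * flips those ones (and the zero above them), so AND clears
		 * them for the base and OR sets them for the top. An all-ones
		 * addr wraps to 0 and yields the whole address space.
		 */
		out->start = (addr & (addr + 1)) << 2;
		out->end = ((addr | (addr + 1)) << 2) | 0x3;
		return true;
	default:
		return false;
	}
}
```

Using an inclusive end address keeps the all-ones NAPOT entry and a TOR entry reaching the top of memory representable without overflow.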
The Physical Memory Protection (PMP) initialization is updated to support
custom entries defined in the Device Tree (DT) using the `zephyr,memattr`
property, contingent on `CONFIG_MEM_ATTR` being enabled. A new function,
`set_pmp_mem_attr()`, iterates over DT-defined regions and programs PMP
entries in `z_riscv_pmp_init()`, allowing for early, flexible, and
hardware-specific R/W/X protection for critical memory areas. DT-based
entries are also installed in `z_riscv_pmp_kernelmode_prepare()` for
thread-specific configuration. The logic for the temporary PMP "catch-all"
entry is adjusted to account for new DT entries. Furthermore, the PMP
domain resync logic now masks user partition permissions against DT-defined
region permissions, preventing privilege escalation. `CONFIG_RISCV_PMP` is
updated to select `PMP_KERNEL_MODE_DYNAMIC` if `MEM_ATTR`. Finally, the
`pmp_cfg` array in `z_riscv_pmp_init()` is initialized to zero to prevent
writing uninitialized stack data to unused PMP entries.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
When CONFIG_SMP is enabled, per-CPU IRQ stack guards are added. To prevent
unintended TOR (Top of Range) entry sharing, the PMP address entry
preceding each guard region in `pmp_addr` is marked with -1L.
The previously used index to access `pmp_addr` could become stale, as
additional PMP entries may be allocated after its initial calculation
but before the SMP loop for IRQ guards.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Split global PMP state variables (index and last address) into
mode-specific counterparts to correctly track the end of global PMP
ranges for both M-mode (kernel) and U-mode (userspace).
This ensures correct per-thread PMP initialization when configuring
mode-specific dynamic PMP entries.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Introduce `CONFIG_PMP_KERNEL_MODE_DYNAMIC` to enable dynamic
configuration and activation of Machine mode PMP entries. This allows
PMP settings to be managed efficiently during transitions between
kernel and thread contexts.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Rename the `z_riscv_pmp_stackguard_*` functions to
`z_riscv_pmp_kernelmode_*`. This change better reflects that
these functions are used for general kernel mode PMP configuration,
not strictly limited to stack guard purposes.
Call sites in fatal.c, isr.S, and switch.S have been updated accordingly.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Add option to enable NMI delivery on boot for SMRNMI hardware.
Changes:
- Add CONFIG_RISCV_SMRNMI_ENABLE_NMI_DELIVERY Kconfig option
- Define SMRNMI CSRs in arch/riscv/include/csr.h
- Set NMIE bit during boot to enable NMI delivery
SMRNMI hardware generates but doesn't deliver NMIs when NMIE=0 (default).
This causes twister test failures and prevents handling of critical
hardware events like watchdog NMIs and ECC errors.
Setting NMIE=1 enables NMI delivery, but note that this implementation
only sets the enable bit - it does not provide full SMRNMI support
(no mnret instruction handling, no RNMI handlers). Users must implement
proper RNMI handlers in SoC-specific code to avoid undefined behavior.
Signed-off-by: Afonso Oliveira <afonsoo@synopsys.com>
Adds a function for the app to obtain page table usage statistics,
allowing fine tuning of the number of L1 and L2 page table
arrays.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
When adding new memory domains, we need to start from kernel
page tables by duplicating them. However, there is no need to
duplicate all in-use page tables as some memory regions remain
unchanged. For example, a hardware register region where only the
kernel has access does not need to be duplicated across all
memory domains. The same L2 table can be used among them.
This changes the L2 page table allocation to be copy-on-write
where we only need to duplicate an L2 table if changes need to
be made on it.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
If the page tables are not cached, there is no need to do any
cache ops to flush or invalidate the data in cache. So skip them
if the page tables are not cached. Saves a few CPU cycles.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
In l2_page_table_unmap(), invalidating TLBs should be limited to
the address and not the whole auto-refill TLBs. Also fix a bug
where the EXEC bit should be determined from the L2 PTE and not
the L1 PTE.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Some macros for the page tables array are local to the file so
there is no need to prefix them with XTENSA_. Simplify by
removing the XTENSA_ prefix, and clarify if needed.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Almost all page table entry (PTE) related macros are only used
in one source file. These macros are considered the internal
workings of the MMU. There is no need to expose them in a header file
for others to reference. So move them into the source file, which
is the only place they are used. A bonus is that we can shorten
the macro names as they are now local to the file. This makes them
easier to read, with fewer keystrokes to input.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
This skips the redirection of backup attributes and ring via
some SW field macros, and uses the PTE bits directly. Should
make it easier to decode what's going on.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
The fields in macros should be done with both shift and mask
values to make it clear. So amend some macros so that
the presentation is unified for them.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Add support for the RISC-V Smcsrind extension, which provides
indirect access to CSRs through the MISELECT and MIREG registers.
Changes:
- Added CONFIG_RISCV_ISA_EXT_SMCSRIND Kconfig option
- Implemented 4 helper functions for indirect CSR access:
* icsr_read/write - basic access
* icsr_read_set/clear - bit manipulation
- Defined 7 CSR registers (MISELECT, MIREG, MIREG2-6)
This is a CSR-only extension that does not require any compiler
support or march flags. The helper functions compile to standard
CSR instructions and work with any toolchain that supports Zicsr.
Primary use case: RISC-V AIA (Advanced Interrupt Architecture)
uses indirect CSRs to access IMSIC (Incoming MSI Controller)
registers.
Signed-off-by: Afonso Oliveira <afonsoo@synopsys.com>