This commit does the following:
- moves the reservation of the area for local thread data
inside the arch-specific _new_thread() function,
- aligns the end of the thread's stack with the granularity
of the MPU, already at thread's initialization, moving it
out of userspace_enter() function. In this way, the local
thread data are stored inside the thread stack area that
is, later, assigned unprivileged RW permissions (if thread
enters user mode).
- passes the right thread stack size information to function
_new_thread_init(), which stores it into stack_info.start.
As a result, the whole usable User Thread stack area (i.e.
excluding a possible guard area) falls inside the region
programmed as unprivileged RW, during context-switch.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Appears within a menu that already has 'depends on ARM_SECURE_FIRMWARE'.
'depends on FOO' on a menu will add 'depends on FOO' to each item within
it. 'if FOO' work similarly.
Tip: When adding a symbol, check its dependencies in the menuconfig
('ninja menuconfig', then / to jump to the symbol). The menuconfig also
shows how the file with the symbol got included, so if you see
duplicated dependencies, it's easy to hunt down where they come from.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Appears within a menu that already has a 'depends on ARCH_POSIX'.
'depends on FOO' on a menu will add 'depends on FOO' to each item within
it. 'if FOO' work similarly.
Tip: When adding a symbol, check its dependencies in the menuconfig
('ninja menuconfig', then / to jump to the symbol). The menuconfig also
shows how the file with the symbol got included, so if you see
duplicated dependencies, it's easy to hunt down where they come from.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
- The ARC CPU_HAS_MPU dependencies were added within the menu
menu "ARCH MPU Options"
depends on CPU_HAS_MPU
(arch/arc/core/mpu/Kconfig is source'd within it).
- The ARM CPU_HAS_MPU dependencies were redundantly added by
if CPU_HAS_MPU
source "arch/arm/core/cortex_m/mpu/Kconfig"
endif
and by some 'depends on CPU_HAS_MPU' within that file. Remove the
'depends on' and move the 'if' into the file instead.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
The lowest level of the x86_64 bit port supports the full 64 bit ABI
just fine, but Zephyr does not (yet) and builds under the x32 ABI
instead. The xuk layer can be built with or without the -mx32 switch,
and it had a configurable in a header to tell it what it was. At some
point during development I swept through and turned all those tunables
into kconfigs, but this one wasn't used by zephyr and so it got the
CONFIG_* rename but never had an entry added to a Kconfig file to
match it, and eventually got picked up by Ulf's unused symbol
detector.
Rename back. It will probably become a kconfig again someday when we
need it. Fixes#14059.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Refactor internal ARM v7m and v8m MPU region re-programming
functions to take as argument a pointer to k_mem_partition
objects, instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor internal NXP MPU region re-programming functions
to take as argument a pointer to k_mem_partition objects,
instead of the object itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit refactors the MPU region re-programming functions,
to take as argument an array of pointers to memory partition
structures, instead of the whole array of the partitions. In
this way the stack usage can be minimized, if the actual
partition information is kept in statically allocated memory.
instead of the map itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The "ARM Cortex-M options" menu is already within a 'if CPU_CORTEX_M',
so no need to put 'depends on CPU_CORTEX_M' on it.
Tip: Jump to symbols with '/' in the menuconfig and press '?' to check
their dependencies. If there are duplicated dependencies, the
'included via ...' path can be handy to discover where they are added.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Based on the definition of _ARCH_THREAD_STACK_DEFINE() macro
for ARM, the MPU Stack Guard region is placed inside the
allocated stack object, only if
CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT and CONFIG_USERSPACE
are both set. For ARM stack objects, allocated using the
_ARCH_THREAD_STACK_DEFINE() macro, such as the threads' stacks
and the interrupt stack, the above must be reflected on how we
set the initial start of the stacks.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
On x86, if a supervisor thread belonging to a memory domain
adds a new partition to that domain, subsequent context switches
to another thread in the same domain, or dropping itself to user
mode, does not have the correct setup in the page tables.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We need a copy of the flags field for ever PTE we are
updating, we can't just keep OR-ing in the address
field.
Fixes issues seen when setting flags for memory regions
larger than a page.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
During speculative execution, non-present pages are treated
as valid, which may expose their contents through side
channels.
Any non-present PTE will now have its address bits zeroed,
such that any speculative reads to them will go to the NULL
page.
The expected hit on performance is so minor that this is
enabled at all times.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The SOC code can set whether it's known that the CPU
is immune, don't default to turning this off.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Retpolines were never completely implemented, even on x86.
Move this particular Kconfig to only concern itself with
the assembly code, and don't default it on ever since we
prefer SSBD instead.
We can restore the common kernel-wide CONFIG_RETPOLINE once
we have an end-to-end implementation.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
PAE page tables (the only kind we support) have 512
entries per page directory, not 1024.
Fixes: #13838
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit introduces a generic arch/arm function to evaluate
thread stack corruption. The function shall be used upon
occurrence of MemManage and Bus Faults.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds an explanatory note in the places
where we manually adjust the PSP after stacking Bus
and MemManage errors, stressing that this is due to
the fact that interrupt tail-chaining cannot always
be guaranteed by the processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit removes a redundant check for imprecise bus fault,
when a precise bus fault has occurred, now that we have
re-worked the BusFault handler to iterate through all possible
bus errors.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon BusFault exceptions triggered
by the NXP MPU module. BusFaults rely on calling external
function to assess whether a thread stack corruption due to
overflow has occurred. Upon detection of stack corruption,
the current stack pointer is manually adjusted upwards, to
prevent un-stacking errors from firing up upon returning from
the exception.
Additionally, the commit allows to be checking for all different
types of BusFault occurrences that are reported through BFSR,
without stopping after having spotted the first BusFault type.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit reworks the logic, based on which we assess
thread stack corruptions upon MemManageFault exceptions.
Furthermore, it takes out all kernel-related logic and relies
on calling external function 'evaluate_thread_stack_corruption'
to assess whether a thread stack overflow has occurred. Upon
detection of stack corruption, the current stack pointer is
manually adjusted upwards, to prevent un-stacking errors from
firing up upon returning from the exception.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit improves the debug message on UsageFaults
related to Stack overflow, stating that the context
area is not valid. An inline comment is added, with
more detailed explanation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the NXP MPU driver due to incompatible integer types.
Fixes#13836.
Fixes#13865.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes several essential inline comments in the
core assembly code for ARM, improving code readability.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit applies the same fixes, concering the Constant
Expression Result errors identified in the ARMv7-M and the
NXP MPU drivers, into the ARMv8-M MPU implementation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes two Constant Expression Result errors,
in the ARMv7-M MPU driver due to incompatible integer types.
Fixes#13844.
Fixes#13854.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit aligns the implementation of arm_core_mpu_disable()
function in NXP MPU with the implementation in the ARM MPU
module, by introducing a Data Memory Barrier, (DMB) instead of
a DSB instruction. This is in accordance with the ARM guidelines
of using the memory protection unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Some more were added since the cleanup pass in June 2018. See e.g.
commit 2d50da70a1 ("drivers: ipm: Kconfig: Remove redundant 'default n'
properties") for a motivation. It also avoids people wondering whether
or not they need to put in 'default n'.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
CPU_LPS_n name used to indicate a low power state is cryptic and
incorrect. The low power states act on the whole SoC and not exclusively
on the CPU. This patch renames CPU_LPS_n states to LOW_POWER_n. Also
HAS_ pattern for Kconfig options is used in favor of a non standard
_SUPPORTED. Naming of deep sleep states was adjusted accordingly.
Following is a detailed list of string replacements used:
s/SYS_POWER_STATE_CPU_LPS_(\d)_SUPPORTED/HAS_STATE_LOW_POWER_$1/
s/SYS_POWER_STATE_CPU_LPS_(\d)/SYS_POWER_STATE_LOW_POWER_$1/
s/SYS_POWER_STATE_DEEP_SLEEP_(\d)_SUPPORTED/HAS_STATE_DEEP_SLEEP_$1/
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
This commit removes dependency on SYS_POWER_LOW_POWER_STATES_SUPPORTED,
SYS_POWER_DEEP_SLEEP_STATES_SUPPORTED Kconfig options. Power management
SYS_POWER_LOW_POWER_STATES, SYS_POWER_DEEP_SLEEP_STATES options depend
now directly on specific power states supported by the given SoC. This
simplifies maintenance of SoC Kconfig files.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
We don't need the build system to pull out the mmu
region specifiers from the kernel binary when the
script can just as easily do this itself.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is an integral part of userspace and cannot be used
on its own. Fold into the main userspace configuration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Instead of having to enable ramfunc support manually, just make it
transparently available to users, keeping the MPU region disabled if not
used to not waste a MPU region. This however wastes 24 bytes of code
area when the MPU is disabled and 48 bytes when it is enabled, and
probably a dozen of CPU cycles during boot. I believe it is something
acceptable.
Note that when XIP is used, code is already in RAM, so the __ramfunc
keyword does nothing, but does not generate an error.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The linker file defines the __ramfunc_ram_size symbols to get the size
of the __ramfunc_ram section. Use that instead of computing the value at
runtime from the start and end symbols. This saves 16 bytes of code with
CONFIG_RAM_FUNCTION=y.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Using __ramfunc to places a function in RAM instead of Flash.
Code that for example reprograms flash at runtime can't execute
from flash, in that case must placing code into RAM.
This commit create a new section named '.ramfunc' in link scripts,
all functions has __ramfunc keyword saved in thats sections and
will load from flash to sram after the system booted.
Fixes: #10253
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
This commit fixes a bug that was always propagating the
default error reason (_NANO_ERR_HW_EXCEPTION) to the
system fatal error handler for (strictly) Secure and
for Non-Secure FW builds on ARMv8-M.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Include the EXC_RETURN payload flag macro definitions into
compilation when building for Non-Secure firmware, too.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug for ARM builds with no USERSPACE support
where the MPU stack guard had been erroneously placed, i.e. not
at the beginning of the stack object. This was eating 32-bytes
off of the thread stack. In addition to that, the commit adds a
usefull ASSERT statement for builds with USERSPACE, which checks
that the start of the guard matches the beginning of the entire
stack object.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
