Specifying undefined symbol on linker invocation requests the linker to
search and include the symbol.
This ensures the symbol will be present in final output.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Use the privileged stack when starting K_USER threads in arch_new_thread().
Threads entering user mode with k_thread_user_mode_enter() keep their
existing flow. To support both cases, z_arm_userspace_enter() now takes an
internal ABI flag (sp_is_priv) indicating whether PSP already points to
the privileged stack.
Also fix calculation of the privileged stack top: use priv_stack_end
directly instead of priv_stack_start + CONFIG_PRIVILEGED_STACK_SIZE, which
failed to account for guard/FPU offsets applied to priv_stack_start.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
The arrays used for M-mode Physical Memory Protection (PMP),
specifically for the stack guard feature (CONFIG_PMP_STACK_GUARD),
were previously sized using the hardcoded PMP_M_MODE_SLOTS macro,
defined as 8. This affected arrays in both the _thread_arch
struct (m_mode_pmpaddr_regs, m_mode_pmpcfg_regs) and local
variables within the z_riscv_pmp_stackguard_disable function.
This commit changes the array sizing to use the Kconfig option
CONFIG_PMP_SLOTS. This option reflects the total number of PMP
slots available and configured for the target hardware.
Using CONFIG_PMP_SLOTS ensures these arrays are dimensioned
according to the system's actual capabilities, providing better
flexibility and correctness over a fixed size.
The PMP_M_MODE_SLOTS macro definition has been removed from
thread.h as it is no longer used.
Signed-off-by: Firas Sammoura <fsammoura@google.com>
Introduce hook for customize reset.S code even before stack is
initialized or RAM is accessed. Hook can be enabled using
CONFIG_SOC_EARLY_RESET_HOOK=y.
Hook implementation is by soc_early_reset_hook() function which should
be provided by custom code.
Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Currently, CORTEX_M_DWT option does not refresh its value when
TIMING_FUNCTIONS, on which it depends, is selected via menuconfig.
This occurs because during the early west build steps the
aarch32-specific Kconfig file is parsed with TIMING_FUNCTIONS=n,
resulting in CORTEX_M_DWT being set to 'n' (not set) in .config.
Later, when the user runs west with -t menuconfig and sets
TIMING_FUNCTIONS=y using the menus or any other option that selects
TIMING_FUNCTIONS=y indirectly, CORTEX_M_DWT is already set to 'n' and
remains set as such. That is inconvenient, and, moreoever, since
CORTEX_M_DWT gets set if TIMING_FUNCTIONS is set in prj.conf, the
current behavior is not consistent, i.e. via the menuconfig setting
TIMING_FUNCTIONS=y doesn't imply selecting CORTEX_M_DWT automatically.
This commit addresses this issue by selecting CORTEX_M_DWT=y if
TIMING_FUNCTIONS becomes set to 'y', otherwise allowing it to be set via
the prompt. This is possible by making the CORTEX_M_DWT prompt
conditional. Hence, in menuconfig, if TIMING_FUNCTIONS gets set
CORTEX_M_DWT is set automatically. If TIMING_FUNCTIONS is not set, a
prompt is presented to allow selecting CORTEX_M_DWT manually.
Signed-off-by: Gustavo Romero <gustavo.romero@linaro.org>
- add NXP_BOARD_SPECIFIC_MPU_SETTINGS kconfig to provide a switch
for developer if they want to use private mpu settings
CONFIG_NXP_BOARD_SPECIFIC_MPU_SETTINGS==1 | NXP default setting
CONFIG_NXP_BOARD_SPECIFIC_MPU_SETTINGS==0 | User specific
- Use DT function to get memory base address and region size for cm7
- CM33 use dts to set mpu settings
- Add REGION_CUSTOMED_MEMORY_SIZE macro provide a common mapping ways
to map actual memory_size_kb to "region_size"
- The settings of the unified memory on cm33/cm7 cores:
ocram1/flexspi2 -> REGION_RAM_NOCACHE_ATTR
ocram2/dtcm -> REGION_RAM_NOCACHE_ATTR
flexspi/itcm -> REGION_FLASH_ATTR
Signed-off-by: Lucien Zhao <lucien.zhao@nxp.com>
The config PM_S2RAM_CUSTOM_MARKING is not an optional config for a
user to select, it is required by some soc implementations of S2RAM,
in which case it must be selected by the soc.
Refactor the configuration to be HAS_PM_S2RAM_CUSTOM_MARKING, and
make the currently only soc which needs it select it. Then update
samples which previously had to select this option for this soc.
Signed-off-by: Bjarki Arge Andreasen <bjarki.andreasen@nordicsemi.no>
Several static functions in ptables.c always return 0, make them void
to improve readability.
Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com>
Combine the load and noload cache regions for a single MPU aligned block.
This is required to have an MPU region with a size that is a power of 2.
Signed-off-by: Pieter De Gendt <pieter.degendt@basalte.be>
A warning was promoted to error in twister runs due to implicit
declaration of the function `z_arm64_safe_exception_stack_init()`.
Include `kernel_arch_func.h` in `prep_c.c` to mitigate the warning.
Signed-off-by: Chris Friedt <cfriedt@tenstorrent.com>
- Add calls to sys_trace_idle_exit before leaving idle state
to track CPU load
- Extend CPU_LOAD to CPU_CORTEX_A in Kconfig
Signed-off-by: Hoang Nguyen <hoang.nguyen.jx@bp.renesas.com>
Signed-off-by: Nhut Nguyen <nhut.nguyen.kc@renesas.com>
Initialize the privilege stack and switch PSP to it early in the SVC
handler to ensure `z_arm_do_syscall` does not start on a user-accessible
stack frame.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
Improve FPU trap debugging by showing the program counter (PC) of
instructions that trigger FPU access traps instead of potentially
stale saved FPU context data.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
CONFIG_FLASH_SIZE and CONFIG_FLASH_BASE_ADDRESS symbols were not defined in
native_sim even though it has a flash controller and flash defined.
Signed-off-by: Flavio Ceolin <flavio@hubble.com>
Select ARCH_SUPPORTS_COREDUMP_STACK_PTR on xtensa, and provide an
implementation for the arch_coredump_stack_ptr_get function.
Signed-off-by: Mark Holden <mholden@meta.com>
Do not directly include and use APIs from ksched.h outside of the
kernel. For now do this using more suitable (ipi.h and
kernel_internal.h) internal APIs until more cleanup is done.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
To support unprivileged mode (CONFIG_USERSPACE):
- Set unprivileged PAC key registers when system is in unprivileged
mode.
- Add `bti` after each svc call, to make sure that the indirect jumps on
`lr` while returning from an `svc` don't result in a usage fault.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
Add a config option to set unique PAC keys per thread and
make sure to retain them during context switch.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
As part of enabling PACBTI support:
- Add config options to enforce PAC and BTI features
- Enable these config options based on the branch protection choice
selected for `ARM_PACBTI`
- Enforce PACBTI, based on the new config options, by enabling
corresponding PACBTI bits in CONTROL register and in FVP.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
Rename and move PACBTI config options to common Kconfig so that
they could be re-used for arm64 in the future.
Signed-off-by: Sudan Landge <sudan.landge@arm.com>
z_prep_c does not return, mark it as such consistently across
architectures. We had some arches do that, others not. This resolves a
few coding guideline violations in arch code.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Do not use private API prefix and move to architecture interface as
those functions are primarily used across arches and can be defined by
the architecture.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Do not use private API prefix and move to architecture interface as
those functions are primarily used across arches and can be defined by
the architecture.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Do not use private API prefix and move to architecture interface as
those functions are primarily used across arches and can be defined by
the architecture.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Do not use private API prefix and move to architecture interface as
those functions are primarily used across arches and can be defined by
the architecture.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Cleanup init.c code and move early boot code into arch/ and make it
accessible outside of the boot process/kernel.
All of this code is not related to the 'kernel' and is mostly used
within the architecture boot / setup process.
The way it was done, some soc code was including kernel_internal.h
directly, which shouldn't be done.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Move under arch, as this is not a kernel feature really. arch also
matches the test idcentifier in place.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Not really a kernel feature, more for architecture, which is reflected
in how XIP is enabled and tested. Move it to architecture code to keep
which much of the 'implementation' and usage is.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Introduce a new Kconfig option CPU_CORTEX_A78 to enable support for the
Arm Cortex-A78 CPU architecture within Zephyr. This configuration can be
selected by boards or SoCs that utilize the Cortex-A78 core, enabling
architecture-specific features and optimizations as needed.
Signed-off-by: Appana Durga Kedareswara rao <appana.durga.kedareswara.rao@amd.com>
- No more need for special IRQ shadow stacks - just reuse the one
created for z_interrupt_stacks;
- Add the linker sections for the pairs of stack/shadow stack;
- Support shadow stack arrays.
Last item was a bit challenging: shadow stacks need to be initialised
before use, and this is done statically for normal shadow stacks. To
initialise the shadow stacks in the array, one needs how many entries it
has. While a simple approach would use `LISTIFY` to them do the
initialization on all entries, that is not possible as many stack arrays
are created using expressions instead of literals, such as
`CONFIG_MP_MAX_NUM_CPUS - 1`, which won't work with `LISTIFY`.
Instead, this patch uses a script, `gen_static_shstk_array.py` that
gathers all needed information and patches the ELF to initialize the
stack arrays. Note that this needs to be done before any other operation
on the ELF file that creates new representations, such as the .bin
output.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
It seems that, at least on tests, it's common to call k_thread_create()
on a thread multiple times. This trips a check for the CET shadow stack
- namely, set a shadow stack on a thread which already has a shadow
stack.
This patch adds a Kconfig option to allow that, iff the base address and
size of the new shadow stack are the same as before. This will trigger a
reset of the shadow stack, so it can be reused.
It may be the case that this behaviour (reusing threads) is more common
than only for tests, in which case it could make sense to change the
default - in this patch, is only true if ZTEST.
Even if being enabled by default becomes the reality, it would still
make sense to keep this option - more conscious apps could avoid the
need for the shadow stack reset code altogether.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
So that kernel created threads can use shadow stacks. Note that
CONFIG_X86_CET_SHADOW_STACK is abandoned in favour of
CONFIG_HW_SHADOW_STACK.
This means change some types, functions and macro throughout shadow
stack code.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
In order to allow kernel created threads (such as main and idle threads)
to make use of hardware shadow stack implementation, add an interface
for them.
This patch basically provides an infra that architectures need to
implement to provide hardware shadow stack.
Also, main and idle threads are updated to make use of this interface
(if hardware shadow stacks are enabled).
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Some SoCs may need to do some preparatory work before changing the
current shadow stack pointer (and thus, currently used shadow stack).
This patch adds a way for that, shielded by a Kconfig
(CONFIG_X86_CET_SOC_PREPARE_SHADOW_STACK_SWITCH).
As currently only 32 bit SoC may use this, support is only added to the
32 bit code.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Most notable difference on base support is the need to keep the shadow
stack tokens, which are 8 bytes, 8 bytes aligned. Some helper macros are
used for that.
Also, an `ssp` entry is added to the task state segment (TSS).
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Currently, it's permitted to have threads that don't have a shadow
stack. When those are run, shadow stack is disabled on the CPU. To
identify those, the thread `shstk_addr` member is checked.
This patch adds an optional check, behind
CONFIG_X86_CET_VERIFY_KERNEL_SHADOW_STACK, that checks if an outgoing
thread has this pointer NULL with shadow stack currently enabled on
the CPU, meaning a 1) bug or 2) some attempt to tamper with the pointer.
If the check fails, k_panic() is called. Note that this verification is
not enough to guarantee `shstk_addr` can't be tampered with. For
instance, it only works on a running thread. Ideally, all threads should
be shadow stack capable, so a missing `shstk_addr` would simply be a
hard fault, but that is still to come.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Main peculiarity is that if an exception results in current thread being
aborted, we need to clear the busy bit on the shadow stack on the swap
to the new thread, otherwise future exceptions will fail when trying to
use a busy shadow stack.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Nested interrupts are supported, on the normal stack, by creating a
stack whose size is a multiple of CONFIG_ISR_DEPTH, and updating the
pointer used by Interrupt Stack Table (IST) to point to a new base,
inside the "oversized" stack.
The same approach is used for the shadow stack: shadow stack size is
multiplied by CONFIG_ISR_DEPTH, and the pointer to the stack on the
shadow stack pointer table is update to point to the next base.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
For IRQs, shadow stack support a mechanism similar to the Interrupt
Stack Table (IST) for x86_64: a table, indexed by the IST index, pointing
to a 64 byte table in memory containing the address of seven shadow stacks
to be used by the interrupt service routines.
This patch adds support to this mechanism. It is worth noting that, as
Zephyr may exit from an interrupt by going to a different thread than
the one that was interrupted, some housekeeping is done to ensure that
the necessary shadow stack tokens are on the right shadow stack before
return from the interrupt.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
Shadow Stack is one of the capabilities provided by Intel Control-flow
Enforcement Technology (CET), aimed at defending against Return Oriented
Programming.
This patch enables it for x86_64 (32-bit support coming in future
patches):
- Add relevant Kconfigs;
- Shadow stacks should live in specially defined memory pages, so
gen_mmu.py was updated to allow that;
- A new macro, Z_X86_SHADOW_STACK_DEFINE, added to define the area
for a shadow stack;
- A new function, z_x86_thread_attach_shadow_stack(), added to
attach a shadow stack to a never started thread;
- locore.S changed to enable/disable shadow stack when a thread
using it comes in/out of execution.
As not all threads are currently shadow stack capable, threads that do
not use it will still run with shadow stack disabled. Ideally, at some
point in the future, all threads would use the shadow stack, so no need
to disable it at all.
Signed-off-by: Ederson de Souza <ederson.desouza@intel.com>
