This commit aligns the implementation of arm_core_mpu_disable()
function in NXP MPU with the implementation in the ARM MPU
module, by introducing a Data Memory Barrier, (DMB) instead of
a DSB instruction. This is in accordance with the ARM guidelines
of using the memory protection unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Some more were added since the cleanup pass in June 2018. See e.g.
commit 2d50da70a1 ("drivers: ipm: Kconfig: Remove redundant 'default n'
properties") for a motivation. It also avoids people wondering whether
or not they need to put in 'default n'.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
CPU_LPS_n name used to indicate a low power state is cryptic and
incorrect. The low power states act on the whole SoC and not exclusively
on the CPU. This patch renames CPU_LPS_n states to LOW_POWER_n. Also
HAS_ pattern for Kconfig options is used in favor of a non standard
_SUPPORTED. Naming of deep sleep states was adjusted accordingly.
Following is a detailed list of string replacements used:
s/SYS_POWER_STATE_CPU_LPS_(\d)_SUPPORTED/HAS_STATE_LOW_POWER_$1/
s/SYS_POWER_STATE_CPU_LPS_(\d)/SYS_POWER_STATE_LOW_POWER_$1/
s/SYS_POWER_STATE_DEEP_SLEEP_(\d)_SUPPORTED/HAS_STATE_DEEP_SLEEP_$1/
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
This commit removes dependency on SYS_POWER_LOW_POWER_STATES_SUPPORTED,
SYS_POWER_DEEP_SLEEP_STATES_SUPPORTED Kconfig options. Power management
SYS_POWER_LOW_POWER_STATES, SYS_POWER_DEEP_SLEEP_STATES options depend
now directly on specific power states supported by the given SoC. This
simplifies maintenance of SoC Kconfig files.
Signed-off-by: Piotr Mienkowski <piotr.mienkowski@gmail.com>
We don't need the build system to pull out the mmu
region specifiers from the kernel binary when the
script can just as easily do this itself.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This is an integral part of userspace and cannot be used
on its own. Fold into the main userspace configuration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Instead of having to enable ramfunc support manually, just make it
transparently available to users, keeping the MPU region disabled if not
used to not waste a MPU region. This however wastes 24 bytes of code
area when the MPU is disabled and 48 bytes when it is enabled, and
probably a dozen of CPU cycles during boot. I believe it is something
acceptable.
Note that when XIP is used, code is already in RAM, so the __ramfunc
keyword does nothing, but does not generate an error.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
The linker file defines the __ramfunc_ram_size symbols to get the size
of the __ramfunc_ram section. Use that instead of computing the value at
runtime from the start and end symbols. This saves 16 bytes of code with
CONFIG_RAM_FUNCTION=y.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Using __ramfunc to places a function in RAM instead of Flash.
Code that for example reprograms flash at runtime can't execute
from flash, in that case must placing code into RAM.
This commit create a new section named '.ramfunc' in link scripts,
all functions has __ramfunc keyword saved in thats sections and
will load from flash to sram after the system booted.
Fixes: #10253
Signed-off-by: qianfan Zhao <qianfanguijin@163.com>
This commit fixes a bug that was always propagating the
default error reason (_NANO_ERR_HW_EXCEPTION) to the
system fatal error handler for (strictly) Secure and
for Non-Secure FW builds on ARMv8-M.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Include the EXC_RETURN payload flag macro definitions into
compilation when building for Non-Secure firmware, too.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes a bug for ARM builds with no USERSPACE support
where the MPU stack guard had been erroneously placed, i.e. not
at the beginning of the stack object. This was eating 32-bytes
off of the thread stack. In addition to that, the commit adds a
usefull ASSERT statement for builds with USERSPACE, which checks
that the start of the guard matches the beginning of the entire
stack object.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Its possible that memcpy is marked to check that a NULL value is passed
to it. The instance of memcpy in relocate_vector_table its valid that
we're are copying to 0/NULL. So supress the possible warning generated
by gcc -Wnonnull.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
With this commit we clear the BusFault Status Register error
bits, after processing the fault, for all ARM architecture
variants and implementations (not only for ARMv8-M mainline).
That is a fix, since the bits are sticky in the ARMv7-M
variants, as well. The commit fixes, additionally, a typo
in the spelling of BFSR.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
128 already gets exceeded in a lot of cases, and the binaries
with the new SDK are very slightly larger. Just kick this up
to 256 and get rid of all the exceptions.
Fixes: #13594
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Incremental builds have been broken in x86 due to a misconfigured
dependency. mmu_tables.bin is always generated, even for "nothing to
do" builds.
We fix this by removing the stray dependency on user_mmu_tables.bin
when not CONFIG_X86_KPTI.
Steps to reproduce:
Build any sample twice with qemu_x86 and observe that the second build
regenerates mmu_tables.bin.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
This commit adds the logic to indicate that a Non-Secure fault
exception has been triggered due to a processor fault that has,
in fact, occurred in the Secure state.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes the way we determine where the stacked
frame lies for (strictly) ARMv8-M Non-Secure firmware. It
introduces no changes to the default ARMv8-M behavior (i.e.
ARMv7-M compatible).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Some of power states used numerical suffix while otthers not.
This commit adds proper suffix to all power state names.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
f
The same pattern is used five times In the x86 build scripts and the
same code has been copied and modified the same amount of times. This
has resulted in a system that is difficult to make changes to.
To enforce consistency and improve maintainability we refactor the
code into a function.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
In general, to have correct dependencies, one must not only depend on
files, but also a wrapper target for the file. This is done for some
of the files in arch/x86/CMakeLists.txt, but not all.
To be consistent with how dependency management is done we add wrapper
targets and add dependencies to them.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames irq_vectors_alloc_data.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames gdt.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames user_mmu_tables.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
The arch/x86/CMakeLists.txt build scripts names five sections that are
generated from .bin files. Two of them are named the same as the .bin
file, and the other three are named inconsistently.
To be consistent, we will rename the three that are named inconistenly
to align with the two that are named as the .bin file.
Being consistent simplifies the system and fosters code-reuse.
This patch renames mmu_tables.
Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
This is needed, because an interrupt can happen after the main/static
MPU region is disabled and before it is re-enabled.
This region gets implicitly disabled inside the _region_init call, when
its configuration registers change:
SYSMPU->WORD[index][0] = region_base;
SYSMPU->WORD[index][1] = region_end;
SYSMPU->WORD[index][2] = region_attr;
SYSMPU->WORD[index][3] = SYSMPU_WORD_VLD_MASK;
The TRM says this about the WORD0, WORD1 and WORD2 registers:
Writes to this register clear the region descriptor’s valid bit
(RGDn_WORD3[VLD]).
And thus if an interrupt happens after writing to WORD0 and before
writing VLD to WORD3 again, the code executes with enabled and yet
misconfigured MPU.
Fixes#13482
Signed-off-by: Tomasz Gorochowik <tgorochowik@antmicro.com>
This reverts commit c9ace83c89 which
bypasses setting cache attributes.
The previous cache attributes actually set the text/data/etc.
sections to be inaccessible. So fix it.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
If the faulting context is in user mode, then we are
not on the same stack due to HW-level stack switching
on privilege elevation, and the faulting ESP is on
the stack itself.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The code did not consider privilege level stack switches.
We have the original stack pointer in the NANO_ESF,
just use that.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
We now have a dedicated function to test whether
a memory region is withing the boundary of the
faulting context's stack buffer.
We use this to determine whether a page or double fault
was due to ESP being outside the bounds of the stack,
as well as when unwinding stack frames to print debug
output.
Fixes two issues:
- Stack overflows in user mode being incorrectly reported
as just page fault exceptions
- Exceptions that occur when unwinding corrupted stacks
The type of fault which triggered the stack overflow
logic (double or page fault) is now always shown.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The thread switching tracing calls are done by the kernel,
and not by the archs. So, remove the redundant trace call.
Related to #13357
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
The code wasn't checking if the memory address to check
corresponded to a non-present page directory pointer
table entry.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Upon hard/soft irq or exception entry/exit, handle transitions
off or onto the trampoline stack, which is the only stack that
can be used on the kernel side when the shadow page table
is active. We swap page tables when on this stack.
Adjustments to page tables are now as follows:
- Any adjustments for stack memory access now are always done
to the user page tables
- Any adjustments for memory domains are now always done to
the user page tables
- With KPTI, resetting a page now clears the present bit
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
If kernel page table isolation is enabled, we generate a second
set of page tables. These tables, except for the shared page, have
all non-user pages marked as non-present.
The MMU generation script has been refactored:
- Debugging output has been make significantly simpler and less
verbose
- Useless globals removed or adjusted
- MMU region list is validated as it is read
- Some tuples unpacked into individual variables to make the
code easier to read.
- Useless command line option for output binary endian-ness
remobved
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
In the event of a double fault, we do a HW task switch to
a special _df_tss hardware task which resets the stack
pointer to the interrupt stack and otherwise restores
the main hardware task to a runnable state so that
_df_handler_bottom() can run.
However, we need to make sure that _df_handler_bottom()
runs with interrupts locked, otherwise another IRQ could
corrupt the interrupt stack resulting in undefined
behavior.
We have very little stack space to work with in this
context, just zero it. It's a fatal error for the thread
in any event.
Fixes: #7291
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The linker file defines the __gcov_bss_size and _nocache_ram_size
symbols to get the size of the __gcov_bss and _nocache_ram section. Use
that instead of computing the value at runtime from the start and end
symbols.
Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
_arch_configure_dynamic_mpu_regions() may re-program the MPU
Stack Guard, to guard the privilege stack for overflows,
(if building with option CONFIG_MPU_STACK_GUARD). There is a
risk of actually overflowing the stack while doing the
re-programming. We minimize the risk by placing the
re-programming function immediately after we have switched to
the privileged stack so that the whole privilege stack area is
available for this critical operation.
Note that the risk for overflow is higher if using the normal
thread stack, since we do not control how much stack is actually
left, when user invokes _arm_userspace_enter().
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
