Add tests of the ability to read or write the stack of another thread.
Use semaphores for explicit synchronization of the start and end of the
other thread to ensure that the attempted stack access occurs while the
thread is alive. This ensures that the MMU/MPU has been configured at
least once to allow userspace access to the stack, and that any
removal of access upon thread termination has not yet occurred. This
therefore should exercise changing the MMU/MPU configuration to remove
access to the other thread's stack when switching back to our
thread.
Tested on qemu_x86 (pass) and on frdm_k64f (with and without the ARM
userspace patches; with them, the tests pass; without, they fail as
expected). Also, as with most of the other tests, if you replace
ztest_user_unit_test() with ztest_unit_test(), then the tests fail as
expected.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
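Added example, not part of the commit above: a host-side POSIX analogue of the start/end semaphore handshake the commit describes. The other thread signals on a "start" semaphore once it is running and then blocks on an "end" semaphore, so the cross-thread stack access in the main thread is guaranteed to happen while that thread is alive. On Zephyr the same shape would be built from K_SEM_DEFINE / k_sem_give / k_sem_take inside a ztest case; here it uses pthreads and sem_t so it runs on a Linux host, and the names start_sem, end_sem, other_thread and other_stack_word are this example's own, not the test's.

```c
/* Host-side analogue (added example) of the semaphore handshake used to make a
 * cross-thread stack access happen while the other thread is still alive.
 * Names below are this example's own; on Zephyr the equivalents would be
 * K_SEM_DEFINE(), k_sem_give(), k_sem_take() and k_thread_create(). */
#include <pthread.h>
#include <semaphore.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>

static sem_t start_sem;   /* other thread -> main: "I am running and set up" */
static sem_t end_sem;     /* main -> other thread: "access attempt done, exit" */

/* Stand-in for a word on the other thread's stack: a local variable of the
 * other thread whose address it publishes before signalling start_sem. */
static volatile uintptr_t *other_stack_word;
static atomic_int other_alive;

static void *other_thread(void *arg)
{
    volatile uintptr_t marker = 0xA5A5A5A5u; /* lives on this thread's stack */
    (void)arg;
    other_stack_word = &marker;
    atomic_store(&other_alive, 1);
    sem_post(&start_sem);            /* step 1: tell main we are alive */
    sem_wait(&end_sem);              /* step 3: stay alive until main is done */
    atomic_store(&other_alive, 0);
    return NULL;
}

/* Runs the handshake. Returns 1 if the access attempt observed the other
 * thread alive and read the expected marker from its stack, else 0.
 * In a real userspace test the read would be expected to fault; on a host
 * process it simply succeeds, which is what lets the ordering be checked. */
int run_cross_thread_stack_handshake(void)
{
    pthread_t tid;
    int alive_during_access;
    uintptr_t seen;

    sem_init(&start_sem, 0, 0);
    sem_init(&end_sem, 0, 0);
    atomic_store(&other_alive, 0);

    if (pthread_create(&tid, NULL, other_thread, NULL) != 0) {
        return 0;
    }

    sem_wait(&start_sem);            /* block until the other thread is up */
    alive_during_access = atomic_load(&other_alive);
    seen = *other_stack_word;        /* step 2: the cross-thread stack access */

    sem_post(&end_sem);              /* release the other thread to terminate */
    pthread_join(tid, NULL);

    sem_destroy(&start_sem);
    sem_destroy(&end_sem);

    return alive_during_access && seen == (uintptr_t)0xA5A5A5A5u;
}
```

Without the start semaphore the main thread could attempt the access before the other thread's stack has been mapped for it; without the end semaphore the other thread could already have exited and had its stack access revoked. The handshake removes both races, which is why a fault (or its absence) observed during the access can be attributed to the memory-protection configuration rather than to timing.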
This patch removes the extraneous priv_insn test as it is a duplicate
of the following test that writes to the control register. For ARM,
unprivileged contexts which access control registers do not result
in a fault. It results in no modification of the register, so we have
to check that a modification occurred.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch fixes the calculation of the privileged stack portion. The
ztest threads have a stack size of 2048. The privileged area resides in
the lowest 512 bytes. So use the definition of the stack size to get to
the right area.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Due to insufficient ISR stack memory, the irq offload was
corrupting the memory.
GH-4766
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Testcase developed, x86mmu specific, to validate
existing APIs. This checks for the PDE/PTE set
on the address and returns whether some violation occurs or not.
Signed-off-by: Akhilesh Kumar Upadhyay <akhilesh.kumarx.upadhyay@intel.com>
Remove references to k_mem_pool_defrag and any related bits associated
with mem_pool defrag that don't make sense anymore.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This is still work-in-progress, but putting it up in case it is
helpful to people working in this area and for early comments.
Add a set of tests to validate the expected security properties
of threads created with K_USER when CONFIG_USERSPACE=y. This can
be used as a regression test for architectures that already implement
this support and as a validation test for others.
I considered incorporating these tests into the existing protection
test, but decided against it since protection does not enable or rely
upon CONFIG_USERSPACE for its existing tests and passes on everything
that provides MPU or MMU support, even without full userspace support.
I also considered incorporating these tests into the existing
obj_validation test, but decided against it since obj_validation only
tests the object validation/permission logic, does not run any user
mode threads (or strictly depend on that support), and passes
on both x86 and arm today, unlike these tests. That said, I have no
strong objections if it would be preferable to fold these into it
(and perhaps rename it to be more general).
The current tests implemented in this test program verify the following
for a thread created with K_USER:
is_usermode: is running in usermode
priv_insn: cannot invoke privileged insns directly
write_control: cannot write to control registers
disable_mmu_mpu: cannot disable memory protections (MMU/MPU)
read_kernram: cannot read from kernel RAM
write_kernram: cannot write to kernel RAM
write_kernro: cannot write to kernel rodata
write_kerntext: cannot write to kernel text
read_kernel_data: cannot read __kernel-marked data
write_kernel_data: cannot write __kernel-marked data
read_kernel_stack: cannot read the kernel/privileged stack
write_kernel_stack: cannot write the kernel/privileged stack
pass_user_object: cannot pass a non-kernel object to a syscall
pass_noperms_object: cannot pass an object to a syscall without a grant
start_kernel_thread: cannot start a kernel (non-user) thread
Some of the tests overlap and could possibly be dropped, but it
seems harmless to retain them. The particular targets of read/write
tests are arbitrary other than meeting the test criteria and can be
changed (e.g. in data, rodata, or text) if desired to avoid coupling
to kernel implementation details that may change in the future.
On qemu_x86, all of the tests pass. And, if you replace all
occurrences of ztest_user_unit_test() with ztest_unit_test(), then
all of the tests fail (i.e. when the tests are run in kernel mode,
they all fail as expected). On frdm_k64f presently (w/o the arm
userspace patches), all of the tests fail except for write_kernro and
write_kerntext, as expected.
ToDo:
- Verify that a user thread cannot access data in another memory domain.
- Verify that a user thread cannot access another thread's stack.
- Verify that a user thread cannot access another thread's kobject.
- Verify that k_thread_user_mode_enter() transitions correctly.
- Verify that k_object_access_revoke() is enforced.
- Verify that syscalls return to user mode upon completion.
- Verify that a user thread cannot abuse other svc calls (ARM-specific).
- Other suggested properties we should be testing?
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
test_main() takes no arguments, so this was causing a fault
after returning from test_main due to the stack canary checking.
Before, the test run ends with:
PROJECT EXECUTION SUCCESSFUL
***** CPU Page Fault (error code 0x00000011)
Supervisor thread executed address 0x00400000
PDE: 0x027 Present, Writable, User, Execute Enabled
PTE: 0x80000000267 Present, Writable, User, Execute Disable
Current thread ID = 0x00401080
Faulting segment:address = 0x0008:0x00400000
eax: 0x00000000, ebx: 0x00000000, ecx: 0x0040b19c, edx: 0x000056df
esi: 0x00000000, edi: 0x00000000, ebp: 0x000051c0, esp: 0x0040b1d8
eflags: 0x246
Caught system error -- reason 6
After, the test run ends with:
PROJECT EXECUTION SUCCESSFUL
Reported-by: Joshua Domagalski <jedomag@tycho.ncsc.mil>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch does the following things:
- fix checkpatch warnings
- replace conditions with ztest apis wherever necessary
Signed-off-by: Punit Vara <punit.vara@intel.com>
Make the legacy test case use ztest apis to support the
ztest framework.
Reduce ztest stack size to 512 otherwise region 'SRAM'
will overflow for nucleo board.
Signed-off-by: Punit Vara <punit.vara@intel.com>
Added a case for ARC in the test so it builds. ARC MPU has an execute
permission bit so we can enable the NO_EXECUTE_SUPPORT testing.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
The end_sema k_sem was only initialized on one of the several paths
that used it, leading to some crazy clobber-the-run-queue behavior
that was dependent on linkage order (see the linked bug) when end_sema
and the pipe object were made non-static.
Adding a k_sem_init() call fixes the corrupt issue, but really the
right thing is to use the DEFINE macro, so do that instead. Note that
the initializer changes the linkage order too (by putting the
semaphore in a separate segment), so... yeah, it's actually impossible
to prove that this patch in isolation resolves the issue seen without
manual validation.
Issue: https://github.com/zephyrproject-rtos/zephyr/issues/4366
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>
Introducing CMake is an important step in a larger effort to make
Zephyr easy to use for application developers working on different
platforms with different development environment needs.
Simplified, this change retains Kconfig as-is, and replaces all
Makefiles with CMakeLists.txt. The DSL-like Make language that KBuild
offers is replaced by a set of CMake extensions. These extensions have
either provided simple one-to-one translations of KBuild features or
introduced new concepts that replace KBuild concepts.
This is a breaking change for existing test infrastructure and build
scripts that are maintained out-of-tree. But for FW itself, no porting
should be necessary.
For users that just want to continue their work with minimal
disruption the following should suffice:
Install CMake 3.8.2+
Port any out-of-tree Makefiles to CMake.
Learn the absolute minimum about the new command line interface:
$ cd samples/hello_world
$ mkdir build && cd build
$ cmake -DBOARD=nrf52_pca10040 ..
$ cd build
$ make
PR: zephyrproject-rtos#4692
docs: http://docs.zephyrproject.org/getting_started/getting_started.html
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
This patch removes checkpatch warnings as well as
makes use of ztest apis to convert the legacy test to ztest.
Signed-off-by: Punit Vara <punit.vara@intel.com>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This should clear up some of the confusion with random number
generators and drivers that obtain entropy from the hardware. Also,
many hardware number generators have limited bandwidth, so it's natural
for their output to be only used for seeding a random number generator.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Two tests were on the knife-edge of their current stack limit and
were overflowing when UART system calls were added and userspace
enabled.
Test case stack sizes are often pulled out of thin air, the current
value of 256 was just a guess.
Kick these stacks up to 384; verified with sanitycheck --all that
this doesn't break anything.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
When the header file is located in the same directory as the source
file it is better to use a relative quote-include, e.g.
than a system include like
Avoiding the use of system includes in these cases is beneficial
because:
* The source code will be easier to build because there will be fewer
system include paths.
* It is easier for a user to determine where a quote-include header
file is located than where a system include is located.
* You are less likely to encounter aliasing issues if the list of
system include paths is minimized.
Authors:
Anas Nashif
Sebastian Bøe
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
Using the PAE page tables it is possible to disable code execution
from RAM.
JIRA:ZEP-2511
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
main.c and test_thread_init.c merged.
All tests which don't require cooperative priorities now running in
user mode.
Userspace tag added to testcase.yaml.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Some unnecessary k_thread_abort() removed.
userspace tag added to testcase.yaml.
Suspend/resume, spawn_forever, and spawn_priority tests remain in
supervisor mode due to the priority requests they make.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Unnecessary k_thread_abort() removed from test_msgq_purge_when_put.
A single global msgq object is now shared instead of being declared
on thread stacks, except for an ISR test case which has had its
semaphore renamed.
Moved k_sem_init() call from msgq_thread() to test_msgq_thread()
to fix a race condition.
userspace tag added to testcase.yaml.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
main.c and test_sema_contexts.c merged
userspace tag added to testcase.yaml
stack-allocated semaphore in test_sema_thread2thread now just uses
the global semaphore with the same name.
ISR tests run in supervisor mode.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
main.c and test_alert_contexts.c merged.
User threads can't look inside the alert structures, so an extra
variable 'htype' introduced to track expectations for any given
alert object in alert_recv().
Alert objects have to be initialized by supervisor threads since
they register callbacks. An array of toplevel alert objects created
and initialized in test_main(), replacing the ones that used to
live on thread stacks.
Added userspace tag to testcase.yaml
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Main thread grants itself access to objects it or its children need
and does the rest of the test case in user mode.
Statically defined threads now all run in user mode, with permissions
granted via K_THREAD_ACCESS_GRANT().
Added userspace tag to testcase.yaml.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Currently this is defined as a k_thread_stack_t pointer.
However, this isn't correct; stacks are defined as arrays. Extern
references to k_thread_stack_t don't work properly as the compiler
treats it as a pointer to the stack array and not the array itself.
Declaring as an unsized array of k_thread_stack_t doesn't work
well either. The least amount of confusion is to leave out the
pointer/array status completely, use pointers for function prototypes,
and define K_THREAD_STACK_EXTERN() to properly create an extern
reference.
The definitions for all functions and structs that use
k_thread_stack_t need to be updated, but code that uses them should
be unchanged.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>