Consistently place C++ use of extern "C" after all include directives,
within the negative branch of _ASMLANGUAGE if used.
In arch.h the extern "C" in the including context is left active during
include of target-specific mpu headers to avoid more complex
restructuring.
Background from issue #17997:
Declarations that use C linkage should be placed within extern "C"
so the language linkage is correct when the header is included by
a C++ compiler.
Similarly #include directives should be outside the extern "C" to
ensure the language-specific default linkage is applied to any
declarations provided by the included header.
See: https://en.cppreference.com/w/cpp/language/language_linkage
Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
Cortex R has a write buffer that can cause reordering problems when
accessing memory mapped registers. Use memory barries to make sure that
these accesses are performed in the desired order.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
These defines are specific to the Cortex-M. Move them to their own
header file to prepare for Cortex-R support.
Signed-off-by: Bradley Bolen <bbolen@lexmark.com>
We introduce a new define to describe the alignment for a
privilege stack buffer. This macro definition is used by the
privilege stack generation script, to determine the required
alignment of threads' privilege stacks when building with
support for user mode.
We cannot use Z_THREAD_MIN_STACK_ALIGN in this case, because
the privilege stacks do not need to respect the minimum MPU
region alignment requirement, unless, of course, this is
enforced via the MPU Stack Guard feature.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit re-organizes the macro definitions in arch.h for
the ARM architecture. In particular, the commit:
- defines the minimum alignment requirement for thread stacks,
that is, excluding alignment requirement for (possible)
MPU stack guards.
- defines convenience macros for the MPU stack guard align and
size for threads using the FP services under Shared registers
mode (CONFIG_FP_SHARING=y). For that, a hidden Kconfig option
is defined in arch/arm/core/cortex_m/mpu/Kconfig.
- enforces stack alignment with a wide MPU stack guard (128
bytes) under CONFIG_FP_SHARING=y for the ARMv7-M architecture,
which requires start address alignment with power-of-two and
region size.
The commit does not change the amount of stack that is reserved
with K_THREAD_STACK_DEFINE; it only determines the stack buffer
alignment as explained above.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
All architectures declare those variables the same way, no need to
define them per arch, instead put them in common. If someone deviates,
they can create their own header.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
We had architectures doing this differently, some had a dedicated
sys_io.h file, some not. Unify how it is done by splitting the arch
specific sys_io implementation into a sys_io file and include it
instead.
Move bits_portable.h to arch/common and split the file so more
architecture can reuse some of the definitions here instead of
duplicating code.
Where applicable use the common sys_io/ffs definitions.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
This is used to have each arch canonically state how much
room in the stack object is reserved for non-thread use.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
This commit corrects and improves the documentation for the
convenience macro _ARCH_THREAD_STACK_SIZEOF(sym). It stresses
that the returned size is guaranteed to match the amount of
stack that is available for the thread, that is, excluding any
areas not directly usable, e.g. a Stack Guard.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
There are issues using lowercase min and max macros when compiling a C++
application with a third-party toolchain such as GNU ARM Embedded when
using some STL headers i.e. <chrono>.
This is because there are actual C++ functions called min and max
defined in some of the STL headers and these macros interfere with them.
By changing the macros to UPPERCASE, which is consistent with almost all
other pre-processor macros this naming conflict is avoided.
All files that use these macros have been updated.
Signed-off-by: Carlos Stuart <carlosstuart1970@gmail.com>
This was never a long-term solution, more of a gross hack
to get test cases working until we could figure out a good
end-to-end solution for memory domains that generated
appropriate linker sections. Now that we have this with
the app shared memory feature, and have converted all tests
to remove it, delete this feature.
To date all userspace APIs have been tagged as 'experimental'
which sidesteps deprecation policies.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit does the following:
- it introduces additional convenience macros for representing
MPU attributions for no-cacheability, in both ARMv7-M and
ARMv8-M MPU architectures,
- it adds documentation in K_MEM_PARTITION_IS_WRITABLE/CACHEABLE
macros in all macro definitions in the different MPU variants
- it moves the type definition of k_mem_partition_attr_t inside
the architecture-specific MPU headers, so it can be defined
per-architecture. It generalizes app_mem_domain.h, to be able
to work with _any_ (struct) type of k_mem_partition_attr_t.
- it refactors the type of k_mem_partition_attr_t for ARMv8-M
to comply with the MPU register API.
- for NXP MPU, the commit moves the macros for region access
permissions' attributes inside nxp_mpu.h, to align with what
we do for ARM MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit exposes k_mem_partition_attr_t outside User Mode, so
we can use struct k_mem_partition for defining memory partitions
outside the scope of user space (for example, to describe thread
stack guards or no-cacheable MPU regions). A requirement is that
the Zephyr build supports Memory protection. To signify this, a
new hidden, all-architecture Kconfig symbol is defined (MPU). In
the wake of exposing k_mem_partition_attr_t, the commit exposes
the MPU architecture-specific access permission attribute macros
outside the User space context (for all ARCHs), so they can be
used in a more generic way.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The commit enforces the use of ARM_MPU_REGION_MIN_ALIGN_AND_SIZE
in include/arch/arm/arch.h, instead of using 32 as a hard-coded
value. The symbol is also used in arm/thread.c to truncate the
thread stack size to satisfy MPU granularity. The commit does
not introduce behavioral changes.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Several style and typo fixes in inline comments of arm kernel
files and thread.c.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes all MPU-related (ARM_CORE_MPU and NXP_MPU)
options exept ARM_MPU, which becomes master switch controlling
MPU support on ARM.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
Any word started with underscore followed by and uppercase letter or a
second underscore is a reserved word according with C99.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit moves the documentation corresponding to
_ARCH_THREAD_STACK_DEFINE(..) macro to the right place.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Split out the arch specific syscall code to reduce include pollution
from other arch related headers. For example on ARM its possible to get
errno.h included via SoC specific headers. Which created an interesting
compile issue because of the order of syscall & errno/errno syscall
inclusion.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Shouldn't declare this and then pull in headers, fixes
errors like "util.h:41:1: error: template with C linkage"
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit moves the macro definitions and convenience wrappers
for ARM MPU that are specific to ARMv6-m, and ARMv7-m to an
arch-specific MPU header file. It leaves only the generic
content in arm_mpu.h, i.e. the content that is supposed to
be common for ARMv8-M MPU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This is a public macro which calculates the size to be allocated for
stacks inside a stack array. This is necessitated because of some
internal padding (e.g. for MPU scenarios). This is particularly
useful when a reference to K_THREAD_STACK_ARRAY_DEFINE needs to be
made from within a struct.
Signed-off-by: Rajavardhan Gundi <rajavardhan.gundi@intel.com>
All architecture defines OCTET_TO_SIZEOFUNIT and SIZEOFUNIT_TO_OCTET
as identity functions. But the only user is tests/benchmarks/app_kernel.
It's effectively a no-op. Remove them.
Signed-off-by: Yasushi SHOJI <y-shoji@ispace-inc.com>
This commit removes the macro definitions for MPU_RASR register
bitmasks, defined in arm_mpu.h, and modifies the MPU driver to
directly use the equivalent macros defined in ARM CMSIS.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The r7 register is used as a frame pointer on ARM Thumb. As result, it
cannot be modified by the assembly code in functions using stack frame.
This commit replaces r7 by r8, which is a general purpose register.
Also it fixes#7704.
Signed-off-by: Piotr Zięcik <piotr.ziecik@nordicsemi.no>
Upon return from a syscall handlers, the r1, r2, and r3 registers
could contain random kernel data that should not be leaked to user
mode. Zero these out before returning from _arm_do_syscall().
Fixes#7753.
The invocation macros need a clobber if r1, r2, or r3 are not used
to carry syscall arguments. This is a partial fix for #7754 but
there appear to be other issues.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This patch changes the ARM system calls to use registers for passing
or arguments. This removes the possibility of stack issues when
callers do not adhere to the AAPCS.
Fixes#6802
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adds support for userspace on ARM architectures. Arch
specific calls for transitioning threads to user mode, system calls,
and associated handlers.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Added architecture specific support for memory domain destroy
and remove partition for arm and nxp. An optimized version of
remove partition was also added.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
We need to track permission on stack memory regions like we do
with other kernel objects. We want stacks to live in a memory
area that is outside the scope of memory domain permission
management. We need to be able track what stacks are in use,
and what stacks may be used by user threads trying to call
k_thread_create().
Some special handling is needed because thread stacks appear as
variously-sized arrays of struct _k_thread_stack_element which is
just a char. We need the entire array to be considered an object,
but also properly handle arrays of stacks.
Validation of stacks also requires that the bounds of the stack
are not exceeded. Various approaches were considered. Storing
the size in some header region of the stack itself would not allow
the stack to live in 'noinit'. Having a stack object be a data
structure that points to the stack buffer would confound our
current APIs for declaring stacks as arrays or struct members.
In the end, the struct _k_object was extended to store this size.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
This patch fixes a couple of issues with the stack guard size and
properly constructs the STACK_ALIGN and STACK_ALIGN_SIZE definitions.
The ARM AAPCS requires that the stack pointers be 8 byte aligned. The
STACK_ALIGN_SIZE definition is meant to contain the stack pointer
alignment requirements. This is the required alignment at public API
boundaries (ie stack frames).
The STACK_ALIGN definition is the required alignment for the start
address for stack buffer storage. STACK_ALIGN is used to validate
the allocation sizes for stack buffers.
The MPU_GUARD_ALIGN_AND_SIZE definition is the minimum alignment and
size for the MPU. The minimum size and alignment just so happen to be
32 bytes for vanilla ARM MPU implementations.
When defining stack buffers, the stack guard alignment requirements
must be taken into consideration when allocating the stack memory.
The __align() must be filled in with either STACK_ALIGN_SIZE or the
align/size of the MPU stack guard. The align/size for the guard region
will be 0 when CONFIG_MPU_STACK_GUARD is not set, and 32 bytes when it
is.
The _ARCH_THREAD_STACK_XXXXXX APIs need to know the minimum alignment
requirements for the stack buffer memory and the stack guard size to
correctly allocate and reference the stack memory. This is reflected
in the macros with the use of the STACK_ALIGN definition and the
MPU_GUARD_ALIGN_AND_SIZE definition.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch adjusts the ARM MPU implementation to be compliant to the
recent changes that introduced the opaque kernel data types.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch always defines the ARCH_THREAD_STACK_XXX macros/functions
regardless of the MPU_STACK_GUARD usage. Only use MPU_STACK_GUARD when
determining the minimum stack alignment.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
The mimimum mpu size is 32 bytes, but requires mpu base address to be
aligned on 32 bytes to work. Define architecture thread macro when
MPU_STACK_GUARD config to allocate stack with 32 more bytes.
Signed-off-by: Michel Jaouen <michel.jaouen@st.com>
Convert code to use u{8,16,32,64}_t and s{8,16,32,64}_t instead of C99
integer types. This handles the remaining includes and kernel, plus
touching up various points that we skipped because of include
dependancies. We also convert the PRI printf formatters in the arch
code over to normal formatters.
Jira: ZEP-2051
Change-Id: Iecbb12601a3ee4ea936fd7ddea37788a645b08b0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
This patch moves the include for the generated_dts_board.h inside of
the include/arch/arm/arch.h file. This was done to simplify the
includes required for files. Only two files will include the dts
generated include file directly: arch.h and the linker.ld
Change-Id: I2614f4fd4eeed2ab635a3264d7dac8b83f97b760
Signed-off-by: Andy Gross <andy.gross@linaro.org>
We now use CMSIS for ARM Cortex-M SoCs so we can remove the last bits of
scs and scb.
Jira: ZEP-1568
Change-Id: I0c7c45b0321dc402ed594e9faffb5109922edcf0
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Coverted:
_ScbMemFaultMmfarReset
_ScbBusFaultBfarReset
_ScbUsageFaultAllFaultsReset
To use direct CMSIS register access.
Also removed scb.h and references as there is no longer any code in it.
Jira: ZEP-1568
Change-Id: I469f6af39d1bd41db712454b0b3e5ab331979033
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Kill of nvic.h and use either CMSIS helper functions for NVIC or direct
NVIC register access via CMSIS for IRQ handling code.
Jira: ZEP-1568
Change-Id: If21910b9293121efe85c3c9076a1c2b475ef91ef
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Replace the existing Apache 2.0 boilerplate header with an SPDX tag
throughout the zephyr code tree. This patch was generated via a
script run over the master branch.
Also updated doc/porting/application.rst that had a dependency on
line numbers in a literal include.
Manually updated subsys/logging/sys_log.c that had a malformed
header in the original file. Also cleanup several cases that already
had a SPDX tag and we either got a duplicate or missed updating.
Jira: ZEP-1457
Change-Id: I6131a1d4ee0e58f5b938300c2d2fc77d2e69572c
Signed-off-by: David B. Kinder <david.b.kinder@intel.com>
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
