The current API was assuming too much, in that it expected that
arch-specific memory domain configuration is only maintained
in some global area, and updates to domains that are not currently
active have no effect.
This was true when all memory domain state was tracked in page
tables or MPU registers, but no longer works when arch-specific
memory management information is stored in thread-specific areas.
This is needed for: #13441#13074#15135
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
move misc/__assert.h to sys/__assert.h and
create a shim for backward-compatibility.
No functional changes to the headers.
A warning in the shim can be controlled with CONFIG_COMPAT_INCLUDES.
Related to #16539
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
While fixing the ASSERT expressions in mem_domain.c to use
%lx instead of %x for uintptr_t variables, commit
f32330b22c has overlooked
one ASSERT expression specific to ARMv8-M. This causes
printk compilation warnings for ARMv8-M builds, so we
provide a fix here.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Compilers (at least gcc and clang) already provide definitions to
create standard types and their range. For example, __INT16_TYPE__ is
normally defined as a short to be used with the int16_t typedef, and
__INT16_MAX__ is defined as 32767. So it makes sense to rely on them
rather than hardcoding our own, especially for the fast types where
the compiler itself knows what basic type is best.
Using compiler provided definitions makes even more sense when dealing
with 64-bit targets where some types such as intptr_t and size_t must
have a different size and range. Those definitions are then adjusted
by the compiler directly.
However there are two cases for which we should override those
definitions:
* The __INT32_TYPE__ definition on 32-bit targets vary between an int
and a long int depending on the architecture and configuration.
Notably, all compilers shipped with the Zephyr SDK, except for the
i586-zephyr-elfiamcu variant, define __INT32_TYPE__ to a long int.
Whereas, all Linux configurations for gcc, both 32-bit and 64-bit,
always define __INT32_TYPE__ as an int. Having variability here is
not welcome as pointers to a long int and to an int are not deemed
compatible by the compiler, and printing an int32_t defined with a
long using %d makes the compiler to complain, even if they're the
same size on 32-bit targets. Given that an int is always 32 bits
on all targets we might care about, and given that Zephyr hardcoded
int32_t to an int before, then we just redefine __INT32_TYPE__ and
derrivatives to an int to keep the peace in the code.
* The confusion also exists with __INTPTR_TYPE__. Looking again at the
Zephyr SDK, it is defined as an int, even even when __INT32_TYPE__ is
initially a long int. One notable exception is i586-zephyr-elf where
__INTPTR_TYPE__ is a long int even when using -m32. On 64-bit targets
this is always a long int. So let's redefine __INTPTR_TYPE__ to always
be a long int on Zephyr which simplifies the code, works for both
32-bit and 64-bit targets, and mimics what the Linux kernel does.
Only a few print format strings needed adjustment.
In those two cases, there is a safeguard to ensure the type we're
enforcing has the right size and fail the build otherwise.
Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Update the name of mem-domain API function to add a partition
so that it complies with the 'z_' prefix convention. Correct
the function documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Update reserved function names starting with one underscore, replacing
them as follows:
'_k_' with 'z_'
'_K_' with 'Z_'
'_handler_' with 'z_handl_'
'_Cstart' with 'z_cstart'
'_Swap' with 'z_swap'
This renaming is done on both global and those static function names
in kernel/include and include/. Other static function names in kernel/
are renamed by removing the leading underscore. Other function names
not starting with any prefix listed above are renamed starting with
a 'z_' or 'Z_' prefix.
Function names starting with two or three leading underscores are not
automatcally renamed since these names will collide with the variants
with two or three leading underscores.
Various generator scripts have also been updated as well as perf,
linker and usb files. These are
drivers/serial/uart_handlers.c
include/linker/kobject-text.ld
kernel/include/syscall_handler.h
scripts/gen_kobject_list.py
scripts/gen_syscall_header.py
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
On x86, if a supervisor thread belonging to a memory domain
adds a new partition to that domain, subsequent context switches
to another thread in the same domain, or dropping itself to user
mode, does not have the correct setup in the page tables.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This commit extends the implementation of sane_partition(..) in
kernel/mem_domain.c so that it generates an ASSERT if partitions
inside a mem_domain overlap. This extension is only implemented
for the case when the MPU requires non-overlapping regions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
When a memory partition is removed, it is not required
to clear the start and attr fields, since a free partition
is only indicated by a zero size field. This commit removes
the un-necessary clearing of start and attr fields.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit optimizes the process of checking that the
added partitions in a mem_domain are sane. It places the
sane_partition checking inside the loop of adding the
partitions in the mem_domain, so that the checkings are
not performed twice, and no partition is checked against
itself.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit fixes the calculations of the partition ending
addresses in two places in the code, according to:
<last> = <start> + <size> - 1. We also rename 'end' to 'last'
to stress that we calculate the last address in the partition.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Fixing a few minor typo fixes in kernel/mem_domain.c
and the respective documentation section.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The return of memset is never checked. This patch explicitly ignore
the return to avoid MISRA-C violations.
The only directory excluded directory was ext/* since it contains
only imported code.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Commit 08de658eb ("kernel: mem_domain: Check for overlapping regions
when considering W^X") introduced some compile issues on various
platforms.
The k_mem_partition_attr_t member is attr not attrs. Also, fix an issue
where sane_partition_domain neesd a pointer to a parition.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
During system initialization, the global static variable (to
mem_domain.c) is initialized with the number of maximum partitions per
domain. This variable is of u8_t type.
Assertions throughout the code will check ranges and test for overflow
by relying on implicit type conversion.
Use an u8_t instead of u32_t to avoid doubts. Also, reorder the
k_mem_partition struct to remove the alignment hole created by reducing
sizeof(num_partitions).
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Multiple partitions can be added to a domain, and if they overlap, they
can have different attributes. The previous check would only check for
W^X for individual partitions, and this is insufficient. Overlapping
partitions could have W^X attributes, but in the end, a memory region
would be writable and executable.
The way this is performed is quite "heavyweight", as it is implemented
in a O(n^2) operation. The number of partitions per domain is small on
most devices, so this isn't an issue. CONFIG_EXECUTE_XOR_WRITE is
still an optional feature.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
The attributes are an u32_t only on ARM and ARC; on x86, it's something
else entirely. Use the proper type to avoid attributes being
truncated.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Instead of composing expressions with a logical AND, break down it into
multiple assertions. Smaller assertions are easier to read. While at
it, compare pointers against the NULL value, and numbers against 0
instead of relying on implicit conversion to boolean-ish values.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Without the parenthesis, the code was asserting this expression:
start + (size > start)
Where it should be this instead:
(start + size) > start
For a quick sanity check when adding these two unsigned values together.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Rename the nano_internal.h to kernel_internal.h and modify the
header file name accordingly wherever it is used.
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
when a current thread is added to a memory domain the pages/sections
must be configured immediately.
A problem occurs when we add a thread to current and then drop
down to usermode. In such a case memory domain will become active
the next time a swap occurs.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Added arch specific calls to handle memory domain destroy
and removal of partition.
GH-3852
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Added arch specific calls to handle memory domain destroy
and removal of partition.
GH-3852
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Andrew Boie