A test was trying to add the maximum number of partitions,
but when the domain was initialized there was already one
added which needed to be accounted for to avoid an
assertion failing.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Dynamic kernel objects no longer is hard-coded to use the kernel
heap. Instead, objects will now be drawn from the calling thread's
resource pool.
Since we now have a reference counting mechanism, if an object
loses all its references and it was dynamically allocated, it will
be automatically freed.
A parallel dlist is added for efficient iteration over the set of
all dynamic objects, allowing deletion during iteration.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Forthcoming patches will dual-purpose an object's permission
bitfield as also reference tracking for kernel objects, used to
handle automatic freeing of resources.
We do not want to allow user thread A to revoke thread B's access
to some object O if B is in the middle of an API call using O.
However we do want to allow threads to revoke their own access to
an object, so introduce a new API and syscall for that.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
If a variable is declared extern first, the name and type
information is stored in a special DW_DIE_variable which
is then referenced by the actual instances via the
tag DW_AT_specification.
We now place extern variable instances in an extern environment
and use this data to fetch the name/type of the instances,
which do not have it (which is why they were being skipped).
As it turns out, the gross hack for the system workqueue was
due to this problem because of the extern declaration in
kernel.h.
Fixes: #6992
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Add few tests to check access permissions of memory partitions
of a memory domain, validate memory domain destroy.
Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
The testcases presented here will test the following functionality
1. Inheritance of permission from parent thread to child.
2. Memory domain implementation.
3. Access permission for k objects.
The combinations of these test cases will cover some of the basic
usecases of the userspace mode.
These test cases are meant to be executed by any board with has
CONFIG_USERSPACE enabled.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Instead of completely excluding those tests, mark them as skipped and
provide an noop function that marks the test as skipped where test is
not supported.
Signed-off-by: Anas Nashif <anas.nashif@intel.com>
A red-black tree is maintained containing the metadata for all
dynamically created kernel objects, which are allocated out of the
system heap.
Currently, k_object_alloc() and k_object_free() are supervisor-only.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Remove arduino_101 from platform whitelist in testcase.yaml as all the
test cases are not meant to run on Arduino_101.
Signed-off-by: Spoorthi K <spoorthi.k@intel.com>
This is a component of address space layout randomization that we can
implement even though we have a physical address space.
Support for upward-growing stacks omitted for now, it's not done
currently on any of our current or planned architectures.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The read/write_kernel_stack tests are confusingly named and incorrectly
implemented for ARM; they are intended to test that user mode threads
cannot read or write their privileged stacks. The privileged stacks
on ARM are not relative to the user stack, and thus their location
cannot be computed from the user stack. To find the privileged stack on
ARM, we have to use _k_priv_stack_find(), which we do during setup
in test_main() rather than from the usermode thread itself. Accessing
thread_stack directly from the test function requires making it
non-static in ztest, so we also give it a ztest_ prefix to avoid
collisions with other test programs. Rename the test functions and
global pointer variable to more accurately reflect their purpose.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch adjusts the calculation of the overflow size for the kernel
stack tests which read/write to areas below the current user stack.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Check the fault reason against the expected value.
This is presently architecture-specific, and possibly
reflects a bug on ARM (all faults end up with reason 0,
even though ARM does define a separate value for Oops).
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Previously we were handling any fault during test execution as
a pass condition. Explicitly indicate when a fault is expected
and fail the test if we encounter an unexpected fault.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Tests system call memory buffer read/write validation using the
k_pipe_get() and k_pipe_put() calls from a userspace thread.
Specifically, this tests _SYSCALL_MEMORY_READ/WRITE checks
by the system call handler by attempting to read/write to a
kernel object.
write_kobject_user_pipe() attempts to write over a kernel object
by using the kernel object's location as the buffer to place
the data read from the pipe.
read_kobject_user_pipe() attempts to read a kernel object by using
the kernel object's location as the location of data to be placed
into the pipe.
Tested on qemu_x86 and frdm_k64, passes on both.
Signed-off-by: Joshua Domagalski <jedomag@tycho.nsa.gov>
Added three tests for kernel objects focusing on 1) revoking
access to a k_object that the thread does not have
permissions to access, 2) accessing a k_object after
permissions to access it were revoked, and 3) trying to
revoke access to a k_object from a parent thread by a
child thread. Additionally, added a test for
k_thread_user_mode_enter().
revoke_noperms_object() tests by calling
k_object_access_revoke() on a semaphore (kernel object) that it
does not have access to (ksem).
access_after_revoke() tests ability to access a semaphore after
access has been revoked by itself.
revoke_other_thread() tests whether a thread can revoke access
for an object for which it has permissions from a thread for
which it does not have permissions.
user_mode_enter() tests whether k_thread_user_mode_enter()
truly enters user mode.
Tested on qemu_x86 and frdm_k64 with pr-4974 applied, passes
on qemu_x86 but requires small fix for ARM (will submit
separately).
Signed-off-by: Joshua Domagalski <jedomag@tycho.nsa.gov>
Rename the nano_internal.h to kernel_internal.h and modify the
header file name accordingly wherever it is used.
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
Running this testcase on qemu without userspace enabled it
crashes. The testcase was modifing page table information
of the bss region. This in turn caused some variables to be
inaccessible. Fixed it by moving the page manipulation to a
different location.
GH-5646
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
What this test actually does is verify internal APIs for manipulating
the MMU specifically on the X86. It is not compatible with other arches.
Moved to live with the rest of the memory protection tests.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The following 3 testcases are blacklisted for the POSIX
arch / simple_process BOARD:
* tests/drivers/ipm : won't compile due to missing
__stdout_hook_install() [part of minimal libc]
(POSIX arch uses the native libc)
* tests/kernel/mem_protect/stackprot : will crash
"natively" when trying to corrupt the stack and therefore
will fail the testcase. The current understanding is that
the POSIX arch should let the native OS handle faults,
so they can be debugged with the native tools.
* samples/cpp_synchronization : it is not possible
to build cpp code yet on top of the posix arch
Signed-off-by: Alberto Escolar Piedras <alpi@oticon.com>
Add tests of the ability to read or write the stack of another thread.
Use semaphores for explicit synchronization of the start and end of the
other thread to ensure that the attempted stack access occurs while the
thread is alive. This ensures that the MMU/MPU has been configured at
least once to allow userspace access to the stack, and that any
removal of access upon thread termination has not yet occurred. This
therefore should exercise changing the MMU/MPU configuration to remove
access to the other thread's stack when switching back to our
thread.
Tested on qemu_x86 (pass) and on frdm_k64f (with and without the ARM
userspace patches; with them, the tests pass; without, they fail as
expected). Also, as with most of the other tests, if you replace
ztest_user_unit_test() with ztest_unit_test(), then the tests fail as
expected.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This patch removes the extraneous priv_insn test as it is a duplicate
of the following test that writes to the control register. For ARM,
unprivileged contexts which access control registers does not result
in a fault. It results in no modification of the register, so we have
to check that a modification occurred.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This patch fixes the calculation of the privileged stack portion. The
ztest threads have a stack size of 2048. The privileged area resides in
the lowest 512 bytes. So use the definition of the stack size to get to
the right area.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This is still work-in-progress, but putting it up in case it is
helpful to people working in this area and for early comments.
Add a set of tests to validate the expected security properties
of threads created with K_USER when CONFIG_USERSPACE=y. This can
be used as a regression test for architectures that already implement
this support and as a validation test for others.
I considered incorporating these tests into the existing protection
test, but decided against it since protection does not enable or rely
upon CONFIG_USERSPACE for its existing tests and passes on everything
that provides MPU or MMU support, even without full userspace support.
I also considered incorporating these tests into the existing
obj_validation test, but decided against it since obj_validation only
tests the object validation/permission logic, does not run any user
mode threads (or strictly depend on that support), and passes
on both x86 and arm today, unlike these tests. That said, I have no
strong objections if it would be preferable to fold these into it
(and perhaps rename it to be more general).
The current tests implemented in this test program verify the following
for a thread created with K_USER:
is_usermode: is running in usermode
priv_insn: cannot invoke privileged insns directly
write_control: cannot write to control registers
disable_mmu_mpu: cannot disable memory protections (MMU/MPU)
read_kernram: cannot read from kernel RAM
write_kernram: cannot write to kernel RAM
write_kernro: cannot write to kernel rodata
write_kerntext: cannot write to kernel text
read_kernel_data: cannot read __kernel-marked data
write_kernel_data: cannot write __kernel-marked data
read_kernel_stack: cannot read the kernel/privileged stack
write_kernel_stack: cannot write the kernel/privileged stack
pass_user_object: cannot pass a non-kernel object to a syscall
pass_noperms_object: cannot pass an object to a syscall without a grant
start_kernel_thread: cannot start a kernel (non-user) thread
Some of the tests overlap and could possibly be dropped, but it
seems harmless to retain them. The particular targets of read/write
tests are arbitrary other than meeting the test criteria and can be
changed (e.g. in data, rodata, or text) if desired to avoid coupling
to kernel implementation details that may change in the future.
On qemu_x86, all of the tests pass. And, if you replace all
occurrences of ztest_user_unit_test() with ztest_unit_test(), then
all of the tests fail (i.e. when the tests are run in kernel mode,
they all fail as expected). On frdm_k64f presently (w/o the arm
userspace patches), all of the tests fail except for write_kernro and
write_kerntext, as expected.
ToDo:
- Verify that a user thread cannot access data in another memory domain.
- Verify that a user thread cannot access another thread's stack.
- Verify that a user thread cannot access another thread's kobject.
- Verify that k_thread_user_mode_enter() transitions correctly.
- Verify that k_object_access_revoke() is enforced.
- Verify that syscalls return to user mode upon completion.
- Verify that a user thread cannot abuse other svc calls (ARM-specific).
- Other suggested properties we should be testing?
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
test_main() takes no arguments, so this was causing a fault
after returning from test_main due to the stack canary checking.
Before, the test run ends with:
PROJECT EXECUTION SUCCESSFUL
***** CPU Page Fault (error code 0x00000011)
Supervisor thread executed address 0x00400000
PDE: 0x027 Present, Writable, User, Execute Enabled
PTE: 0x80000000267 Present, Writable, User, Execute Disable
Current thread ID = 0x00401080
Faulting segment:address = 0x0008:0x00400000
eax: 0x00000000, ebx: 0x00000000, ecx: 0x0040b19c, edx: 0x000056df
esi: 0x00000000, edi: 0x00000000, ebp: 0x000051c0, esp: 0x0040b1d8
eflags: 0x246
Caught system error -- reason 6
After, the test run ends with:
PROJECT EXECUTION SUCCESSFUL
Reported-by: Joshua Domagalski <jedomag@tycho.ncsc.mil>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Added a case for ARC in the test so it builds. ARC MPU has execute
permision bit so we can enable the NO_EXECUTE_SUPPORT testing.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Introducing CMake is an important step in a larger effort to make
Zephyr easy to use for application developers working on different
platforms with different development environment needs.
Simplified, this change retains Kconfig as-is, and replaces all
Makefiles with CMakeLists.txt. The DSL-like Make language that KBuild
offers is replaced by a set of CMake extentions. These extentions have
either provided simple one-to-one translations of KBuild features or
introduced new concepts that replace KBuild concepts.
This is a breaking change for existing test infrastructure and build
scripts that are maintained out-of-tree. But for FW itself, no porting
should be necessary.
For users that just want to continue their work with minimal
disruption the following should suffice:
Install CMake 3.8.2+
Port any out-of-tree Makefiles to CMake.
Learn the absolute minimum about the new command line interface:
$ cd samples/hello_world
$ mkdir build && cd build
$ cmake -DBOARD=nrf52_pca10040 ..
$ cd build
$ make
PR: zephyrproject-rtos#4692
docs: http://docs.zephyrproject.org/getting_started/getting_started.html
Signed-off-by: Sebastian Boe <sebastian.boe@nordicsemi.no>
This should clear up some of the confusion with random number
generators and drivers that obtain entropy from the hardware. Also,
many hardware number generators have limited bandwidth, so it's natural
for their output to be only used for seeding a random number generator.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Using the PAE page tables it is possible to disable code execution
form RAM.
JIRA:ZEP-2511
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
We also need macros to assert that an object must be in an
uninitialized state. This will be used for validating thread
and stack objects to k_thread_create(), which must not be already
in use.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Wayne Ren