CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT is taken into
account when allocating the area for the interrupt stack
using the K_THREAD_STACK_DEFINE macro. Therefore, we can
simplify how the top of the stack is derived during the
initialization of the system, by removing one more
occurrence of CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The typeof definitions in tz.h and cmse.h are not required
any more, as the ARM GCC toolchain intrinsics have been
modified to use __typeof__ directly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This macro is slated for complete removal, as it's not possible
on arches with an MPU stack guard to know the true buffer bounds
without also knowing the runtime state of its associated thread.
As removing this completely would be invasive to where we are
in the 1.14 release, demote to a private kernel Z_ API instead.
The current way that the macro is being used internally will
not cause any undue harm, we just don't want any external code
depending on it.
The final work to remove this (and overhaul stack specification in
general) will take place in 1.15 in the context of #14269Fixes: #14766
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Rename reserved function names in arch/ subdirectory. The Python
script gen_priv_stacks.py was updated to follow the 'z_' prefix
naming.
Signed-off-by: Patrik Flykt <patrik.flykt@intel.com>
Based on the definition of _ARCH_THREAD_STACK_DEFINE() macro
for ARM, the MPU Stack Guard region is placed inside the
allocated stack object, only if
CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT and CONFIG_USERSPACE
are both set. For ARM stack objects, allocated using the
_ARCH_THREAD_STACK_DEFINE() macro, such as the threads' stacks
and the interrupt stack, the above must be reflected on how we
set the initial start of the stacks.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Replace Cortex-M3 with Cortex-M architecture family
in the header documentation of kernel_arch_data.h and
kernel_arch_func.h, which are generic header files for
the entire familty of ARM Cortex-M CPUs. The commit
adds some more minor style fixes in functions'
documentation.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit enforces default double-word stack alignmnet
on exception entry for Cortex-M3 and Cortex-M4 MCUs. The
patch ensures that we have consistent behavior in all
Cortex-M MCUs (double-world stack alignment on exception
entry is enforced by default in ARMv6, ARMv8, and Cortex-M7
processors).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces and implements an internal ARM
TrustZone-M API to allow the Non-Secure firmware to use
the Floating Point Unit (FPU).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
The function _IsInIsr computes a Boolean value but the function
returns a integer value. Fix the return type of the function.
This makes the zephyr api _is_in_isr() return a boolean type.
Thereby making it consistent across all the architectures.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Any word started with underscore followed by and uppercase letter or a
second underscore is a reserved word according with C99.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit adds K-config options that allow the user to
signify an ARM Secure Firmware that contains Secure Entry
functions and to define the starting address of the linker
section that will contain the Secure Entry functions. It
also instructs the linker to append the NSC section if
instructed so by the user.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contribute an internal ARM API that enables the
user to confgure an ARM Security Attribution Unit region. It
also defines ARM_SAU as a K-config option to indicate that
an MCU implements the ARM SAU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes a simple API to allow the TrustZone
user to block or permit Non-Secure System Reset requests.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit introduces an internal ARM macro API to allow the
TrustZone user to define Non-Secure entry functions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements and internal ARM macro API
that allows the TrustZone user to declare, define, and evaluate
pointers of non-secure function type.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Define and implement a function to read the number of
SAU regions configued for the MCU.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M TrustZone
API to allow the user to select whether Secure exceptions will
have priority boosting over Non-Secure exceptions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M TrustZone
API to allow the user to configure the target state of fault
exceptions that are not banked between security states.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds a macro definition for the Vector Key value of
AIRCR register that permits the accompanying writes. The macro
is then used instead of the hard-coded numerical value.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit adds and implements an ARM internal API function
to configure the Non-Secure instance of MSPLIM or PSPLIM.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements the internal ARM TrustZone
API to enable or disable the Security Attribution Unit.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Define and implement an API to configure the Non-Secure instances
of core registers in ARM Cortex-M23 and Cortex-M33.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Declare and implement convenience wrappers to evaluate Non-Secure
read and write permissions of C variables using the cmse address
range intrinsics.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the CMSE
address range permission checks based on the ARMv8-M
address range check intrinsics exlusicely for Secure state.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Refactor arm_cmse_mpu_region_get(.) function, so its signature,
documentation, and implementation align with the rest of functions
for obtaining MPU, SAU and IDAU region numbers via the TT instruction.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M API
that allows the user to evaluate access permissions of memory
locations, based on the ARMv8-M Tests Target (TT, TTA)
instruction support (for Secure requests).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Change the zero latency interrupt priority level from 2 to 1.
This is the priority level that the kernel has reserved for the
zero latency IRQ feature by the _IRQ_PRIO_OFFSET constant.
The zero latency IRQ will now not be masked by the irq_lock function.
Update comments to reflect the priority levels reserved by the kernel.
Fixes: #8073
Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
Declare and implement convenience wrappers to evaluate read and
write permissions of C variables using the cmse address range
intrinsics.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the
CMSE address range permission checks based on the
ARMv8-M address range check intrinsics.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit defines and implements an internal ARMv8-M API
that allows the user to evaluate access permissions of memory
locations, based on the ARMv8-M Test Target (TT) instruction
support.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Fix bug when setting SCB_AIRCR during initialization; add
Vector Key to permit write to AIRCR fields.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the Secure fault handling for ARMv8-m
implementations, that do not support the Main Extension, such
as the (Baseline) Cortex-M23 processor.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit implements the build-in interrupt stack protection
via the native MSPLIM register in ARMv8-M MCUs that support the
Main Extension. Main stack pointer overflows will cause Stack
Overflow UsageFaults. In addition, the commit introduces a new
config option, BUILTIN_STACK_GUARD, allowing the user to enable
and use the built-in stack protection in ARMv8-M firmware.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit contributes the implementation of the SecureFault
handling for ARMv8-M-based Cortex-M33. The implementation is
compiled conditionally with compile-time directive
CONFIG_ARM_SECURE_FIRMWARE, which is to signify the intention to
build a Secure image on ARMv8-M with Security Extensions.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the unnecessary asm inline header for ARM.
It also adapts the stack.h and exc.h to use the ARM CMSIS inline
functions to access the IPSR and MSP registers.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch fixes calculations for the top of the interrupt and main
stacks. Due to power of two alignment requirements for certain MPUs,
the guard size must be taken into account due to the guard being
counted against the initial stack size.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
This PR includes the required changes in order to support
conditional compilation for Armv8-M architecture. Two
variants of the Armv8-M architecture are defined:
- the Armv8-M Baseline (backwards compatible with ARMv6-M),
- the Armv8-M Mainline (backwards compatible with ARMv7-M).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This patch fixes a couple of issues with the stack guard size and
properly constructs the STACK_ALIGN and STACK_ALIGN_SIZE definitions.
The ARM AAPCS requires that the stack pointers be 8 byte aligned. The
STACK_ALIGN_SIZE definition is meant to contain the stack pointer
alignment requirements. This is the required alignment at public API
boundaries (ie stack frames).
The STACK_ALIGN definition is the required alignment for the start
address for stack buffer storage. STACK_ALIGN is used to validate
the allocation sizes for stack buffers.
The MPU_GUARD_ALIGN_AND_SIZE definition is the minimum alignment and
size for the MPU. The minimum size and alignment just so happen to be
32 bytes for vanilla ARM MPU implementations.
When defining stack buffers, the stack guard alignment requirements
must be taken into consideration when allocating the stack memory.
The __align() must be filled in with either STACK_ALIGN_SIZE or the
align/size of the MPU stack guard. The align/size for the guard region
will be 0 when CONFIG_MPU_STACK_GUARD is not set, and 32 bytes when it
is.
The _ARCH_THREAD_STACK_XXXXXX APIs need to know the minimum alignment
requirements for the stack buffer memory and the stack guard size to
correctly allocate and reference the stack memory. This is reflected
in the macros with the use of the STACK_ALIGN definition and the
MPU_GUARD_ALIGN_AND_SIZE definition.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Historically, stacks were just character buffers and could be treated
as such if the user wanted to look inside the stack data, and also
declared as an array of the desired stack size.
This is no longer the case. Certain architectures will create a memory
region much larger to account for MPU/MMU guard pages. Unfortunately,
the kernel interfaces treat both the declared stack, and the valid
stack buffer within it as the same char * data type, even though these
absolutely cannot be used interchangeably.
We introduce an opaque k_thread_stack_t which gets instantiated by
K_THREAD_STACK_DECLARE(), this is no longer treated by the compiler
as a character pointer, even though it really is.
To access the real stack buffer within, the result of
K_THREAD_STACK_BUFFER() can be used, which will return a char * type.
This should catch a bunch of programming mistakes at build time:
- Declaring a character array outside of K_THREAD_STACK_DECLARE() and
passing it to K_THREAD_CREATE
- Directly examining the stack created by K_THREAD_STACK_DECLARE()
which is not actually the memory desired and may trigger a CPU
exception
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Put the reason code in r0 and make a SVC #2 call, which will be
propagated to _fatal_error_handler as an exception.
The _is_in_isr() implementation had to be tweaked a bit. User-generated
SVC exception no longer just used for irq_offload(); just because we are
in it does not mean we are in interrupt context. Instead, have the
irq_offload code set and clear the offload_routine global; it will be
non-NULL only if it's in use. Upcoming changes to support memory
protection (which will require system calls) will need this too.
We free up some small amount of ROM deleting _default_esf struct as it's
no longer needed.
Issue: ZEP-843
Change-Id: Ie82bd708575934cffe41e64f5c128c8704ca4e48
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The ICSR RETTOBASE bit is improperly implemented in QEMU (the polarity
is flipped) and the fix for it has not yet made it into a QEMU release,
although it is present in upstream master branch.
The symptom is that if we are not in thread mode, the system always
believes were are in a nested exception state, causing _IsInIsr() to
always return true.
Skip the nested exception check if we are building for QEMU.
This is a workaround until SDK-54 is resolved.
Issue: SDK-54
Change-Id: I06eafcc85fb76a9b23b4ba85ed6e111a08516231
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Convert code to use u{8,16,32,64}_t and s{8,16,32,64}_t instead of C99
integer types. There are few places we dont convert over to the new
types because of compatiability with ext/HALs or for ease of transition
at this point. Fixup a few of the PRI formatters so we build with newlib.
Jira: ZEP-2051
Change-Id: I7d2d3697cad04f20aaa8f6e77228f502cd9c8286
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
The previous code incorrectly used the value 0xfe to clear the mem and
bus faults. It attempted to handle the address register valid bits
separately, but reversed the bit order.
Jira: ZEP-1568
Change-Id: I240d072610af9979ca93c0081ed862df08929372
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Signed-off-by: Maureen Helm <maureen.helm@nxp.com>
A number of SoCs clear out the Mem/Bus/Usage and Hard Fault exceptions
during init. Lets refactor that into a common function so we don't have
to keep duplicating it over and over.
Change-Id: Ida908a9092db37447abcf3c9872f36937982f729
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Replace _ScbExcPrioSet with calls to NVIC_SetPriority as it handles both
interrupt and exception priorities. We don't need to shift around the
priority values for NVIC_SetPriority.
Jira: ZEP-1568
Change-Id: Iccd68733c3f7faa82b7ccb17200eef328090b6da
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
Ioannis Glaropoulos