Temporarily save and restore all callee-saved registers
in the sub-routine, not only the frame pointer, to avoid
errors if compiler chooses to use them in the alternative
thread function. The callee-saved regs are restored after
the alternative thread switches back in.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

AArch64 has support for PSCI. This is especially useful for SMP because
PSCI is used to power on the secondary cores.
When the PSCI driver was introduced in Zephyr it was designed to rely on
a very PSCI-centric subsystem / interface.
There are two kinds of problems with this choice:
1. PSCI is only defined for the non-secure world and it is designed to
boot CPU cores into non-secure state (that means that PSCI is only
supposed to work if Zephyr is running in non-secure state)
2. There can be other ways or standards used to start / stop a core
different from PSCI
This patch is trying to fix the original wrong assumption by making the
interface / subsystem a generic one, called 'pm_cpu_ops', and using PSCI
only as an actual driver that is a user of this new interface /
subsystem.
For now the new subsystem is only exposing two methods: cpu_on and
cpu_off, others will probably follow according to the needs.
Signed-off-by: Carlo Caione <ccaione@baylibre.com>

Add a test case for the null pointer dereferencing detection
feature in Cortex-M. The test case is added in arm_interrupt
test suite and the README file is updated accordingly.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

arm_psci test suite is specific to ARM64, while
all other test suites in tests/arch/arm directory
are supported in Cortex-M architecture only. We
move arm_psci to arm64 directory, effectively
separating test suites for AARCH32 and AARCH64.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

Clear Floating Point Status and Control Register (FPSCR),
to prevent from having the interrupt line set to pending again,
in case FPU IRQ is selected by the test as "Available IRQ line"
Fixes #31982
Signed-off-by: Alexandre Bourdiol <alexandre.bourdiol@st.com>

All RAM may not be mapped. Check the mapping for the main kernel
image and the locore if it exists.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

For a while now, we've had two APIC drivers. The older was preserved
initially as the new (much smaller, "new style") code didn't have
support for Quark interrupt handling. But that's long dead now. Just
remove it.
Note that this migrates the one board using this driver (acrn) to
CONFIG_APIC_TIMER instead.
Signed-off-by: Andy Ross <andrew.j.ross@intel.com>

Add the new x86 board to the x86/info test list, and exclude it from
the cmsis_rtos_v2 test (something that seems to be needed for all 64
bit x86 architectures).
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

Show the page table layout for a user thread. This
may be somewhat different from a supervisor thread
especially if KPTI is enabled.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

We provide an option for low-memory systems to use a single set
of page tables for all threads. This is only supported if
KPTI and SMP are disabled. This configuration saves a considerable
amount of RAM, especially if multiple memory domains are used,
at a cost of context switching overhead.
Some caching techniques are used to reduce the amount of context
switch updates; the page tables aren't updated if switching to
a supervisor thread, and the page table configuration of the last
user thread switched in is cached.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

If KPTI is not enabled, then the US bit will be set for all
the default memory partitions in the _app_smem section.
The error printed when a mismatch occurs now shows the
expected flags.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

Adds the necessary bits to initialize TLS in the stack
area and sets up CPU registers during context switch.
Note that this does not enable TLS for all Xtensa SoC.
This is because Xtensa SoCs are highly configurable
so that each SoC can be considered a whole architecture.
So TLS needs to be enabled on the SoC level, instead of
at the arch level.
Signed-off-by: Daniel Leung <daniel.leung@intel.com>

No need to mix super short version of names with other structures
having full name. Let's follow a more relevant naming where each and
every attribute name is self-documenting then. (such as s/id/apic_id
etc...)
Also make CONFIG_ACPI usable through IS_ENABLED by enclosing exposed
functions with ifdef CONFIG_ACPI.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

Enable interrupts before switching to main()
in cortex-m builds with single-thread mode
(CONFIG_MULTITHREADING=n).
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

According to comment memset() should be used instead of memcpy().
There is no need to access address 0x0.
Fixes #28691
Signed-off-by: Alexandre Bourdiol <alexandre.bourdiol@st.com>

For boards with (relatively) large memory, the test which dumps
page tables takes a long time to finish. The default timeout of
sanitycheck is not enough for those boards. UP Squared board is
such a board. So limit pagetable dumping to boards with
less than 32MB.
Fixes #28548
Signed-off-by: Daniel Leung <daniel.leung@intel.com>

To improve Zephyr security, I decided to create a test
to check that, upon exit of a system call back to the calling thread,
the kernel scrubs CPU registers for sensitive data.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>

Some test suites depend on determining at run-time
an available IRQ line which can then be used to execute
the test suite. This logic cannot be used if the available
IRQ line is not targeting the current security state.
Therefore, filter out the _ns Cortex-M boards from
running these test suites (i.e. when building with
CONFIG_TRUSTED_EXECUTION_NONSECURE=y) since we can not
control the target state of the NVIC interrupt lines.
These test suites test generic ARM features, that do
not depend on TrustZone-M configuration, so it is OK
that they are only executed on ARM platforms without
the NONSECURE configuration set.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

This commit reworks the .yaml files in Cortex-M
test suites, by grouping the common configuration
under the common: section. This considerably cleans
up the test suite configuration.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

Read a volatile status into a local variable to
discard a side effect in assertion. This fixes
an issue reported by Coverity: CID: 214210.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

To improve Zephyr security, I decided to create a test
test_after_syscall_cpu_scrubs_regs.
I think it is necessary to check that, upon exit of a system call back
to the calling thread, the kernel scrubs CPU registers for sensitive
data.
Signed-off-by: Maksim Masalski <maksim.masalski@intel.com>

Provide a TZ_SAFE_ENTRY_FUNC() macro for wrapping non-secure entry
functions in calls to k_sched_lock()/k_sched_unlock().
Provide a __TZ_WRAP_FUNC() macro which helps in creating a function
that "wraps" another in a preface and postface function call.
    int foo(char *arg); // Implemented somewhere else.
    int __attribute__((naked)) foo_wrapped(char *arg)
    {
        WRAP_FUNC(bar, foo, baz);
    }
is equivalent to
    int foo(char *arg); // Implemented somewhere else.
    int foo_wrapped(char *arg)
    {
        bar();
        int res = foo(arg);
        baz();
        return res;
    }
This commit also adds tests for __TZ_WRAP_FUNC().
Signed-off-by: Øyvind Rønningstad <oyvind.ronningstad@nordicsemi.no>

It should be nrfx_power_clock_irq_handler, not nrfx_clock_irq_handler.
The latter is only present as a function if both nrfx CLOCK and POWER
drivers are used and it is then called from the actual IRQ handler,
which is always named nrfx_power_clock_irq_handler (also when only
the nrfx CLOCK driver is used as in case of this test).
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>

We no longer plan to support a split address space with
the kernel in high memory and per-process address spaces.
Because of this, we can simplify some things. System RAM
is now always identity mapped at boot.
We no longer require any virtual-to-physical translation
for page tables, and can remove the dual-mapping logic
from the page table generation script since we won't need
to transition the instruction pointer off of physical
addresses.
CONFIG_KERNEL_VM_BASE and CONFIG_KERNEL_VM_LIMIT
have been removed. The kernel's address space always
starts at CONFIG_SRAM_BASE_ADDRESS, of a fixed size
specified by CONFIG_KERNEL_VM_SIZE.
Driver MMIOs and other uses of k_mem_map() are still
virtually mapped, and the later introduction of demand
paging will result in only a subset of system RAM being
a fixed identity mapping instead of all of it.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>

In order to be possible to debug, usermode threads need to be able
to issue breakpoint and debug exceptions. To do this it is necessary to
set DPL bits to, at least, the same CPL level.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>

Remove special handling of the ARM Cortex-M1 DesignStart FPGA reference
design running on the Digilent Arty after CONFIG_NUM_IRQS was reduced
from 8 to 7.
Signed-off-by: Henrik Brix Andersen <henrik@brixandersen.dk>

Extend check to determine a usable ARM NVIC IRQ line to verify that the
IRQ line is not always pending.
Signed-off-by: Henrik Brix Andersen <henrik@brixandersen.dk>

We add a simple test-case for verifying the behavior of the
Cortex-M IRQ target state management. We add an additional
test only for TrustZone-enabled Cortex-M targets running
in Secure mode. We explicitly exclude ARMv8-M platforms that
enable Non-Secure FW build by default from running the test.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>

Now that device_api attribute is unmodified at runtime, as well as all
the other attributes, it is possible to switch all device driver
instances to be constant.
A coccinelle rule is used for this:
@r_const_dev_1
disable optional_qualifier
@
@@
-struct device *
+const struct device *
@r_const_dev_2
disable optional_qualifier
@
@@
-struct device * const
+const struct device *
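Review bot: the pointer-level const is lost in r_const_dev_2: `struct device * const` becomes `const struct device *`, so the pointee gains const but the pointer itself becomes reassignable. If that is not intended, the replacement line should be `+const struct device * const`; if it is, the commit message should say so.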
Fixes #27399
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

Update the driver implementation to use nrfx_clock and nrfx_power
drivers. Update also revisions of the hal_nordic and nrf_hw_models
modules, so that it is actually possible to use those drivers.
Signed-off-by: Krzysztof Chruscinski <krzysztof.chruscinski@nordicsemi.no>
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>

To debug hard-to-reproduce faults/panics, it's helpful to get the full
register state at the time a fault occurred. This enables recovering
full backtraces and the state of local variables at the time of a
crash.
This PR introduces a new Kconfig option, CONFIG_EXTRA_EXCEPTION_INFO,
to facilitate this use case. The option enables the capturing of the
callee-saved register state (r4-r11 & exc_return) during a fault. The
info is forwarded to `k_sys_fatal_error_handler` in the z_arch_esf_t
parameter. From there, the data can be saved for post-mortem analysis.
To test the functionality a new unit test was added to
tests/arch/arm_interrupt which verifies the register contents passed
in the argument match the state leading up to a crash.
Signed-off-by: Chris Coleman <chris@memfault.com>

For the moment, we validate the flags on all RAM pages,
ensure that NULL is never mapped, and show that dumping
page tables doesn't crash.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>