Commit 08de658eb ("kernel: mem_domain: Check for overlapping regions
when considering W^X") introduced some compile issues on various
platforms.
The k_mem_partition_attr_t member is attr not attrs. Also, fix an issue
where sane_partition_domain neesd a pointer to a parition.
Signed-off-by: Kumar Gala <kumar.gala@linaro.org>
During system initialization, the global static variable (to
mem_domain.c) is initialized with the number of maximum partitions per
domain. This variable is of u8_t type.
Assertions throughout the code will check ranges and test for overflow
by relying on implicit type conversion.
Use an u8_t instead of u32_t to avoid doubts. Also, reorder the
k_mem_partition struct to remove the alignment hole created by reducing
sizeof(num_partitions).
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Multiple partitions can be added to a domain, and if they overlap, they
can have different attributes. The previous check would only check for
W^X for individual partitions, and this is insufficient. Overlapping
partitions could have W^X attributes, but in the end, a memory region
would be writable and executable.
The way this is performed is quite "heavyweight", as it is implemented
in a O(n^2) operation. The number of partitions per domain is small on
most devices, so this isn't an issue. CONFIG_EXECUTE_XOR_WRITE is
still an optional feature.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
The attributes are an u32_t only on ARM and ARC; on x86, it's something
else entirely. Use the proper type to avoid attributes being
truncated.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Instead of composing expressions with a logical AND, break down it into
multiple assertions. Smaller assertions are easier to read. While at
it, compare pointers against the NULL value, and numbers against 0
instead of relying on implicit conversion to boolean-ish values.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Without the parenthesis, the code was asserting this expression:
start + (size > start)
Where it should be this instead:
(start + size) > start
For a quick sanity check when adding these two unsigned values together.
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Rename the nano_internal.h to kernel_internal.h and modify the
header file name accordingly wherever it is used.
Signed-off-by: Ramakrishna Pallala <ramakrishna.pallala@intel.com>
when a current thread is added to a memory domain the pages/sections
must be configured immediately.
A problem occurs when we add a thread to current and then drop
down to usermode. In such a case memory domain will become active
the next time a swap occurs.
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Added arch specific calls to handle memory domain destroy
and removal of partition.
GH-3852
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
This adds CONFIG_EXECUTE_XOR_WRITE, which is enabled by default on
systems that support controlling whether a page can contain executable
code. This is also known as W^X[1].
Trying to add a memory domain with a page that is both executable and
writable, either for supervisor mode threads, or for user mode threads,
will result in a kernel panic.
There are few cases where a writable page should also be executable
(JIT compilers, which are most likely out of scope for Zephyr), so an
option is provided to disable the check.
Since the memory domain APIs are executed in supervisor mode, a
determined person could bypass these checks with ease. This is seen
more as a way to avoid people shooting themselves in the foot.
[1] https://en.wikipedia.org/wiki/W%5EX
Signed-off-by: Leandro Pereira <leandro.pereira@intel.com>
Added arch specific calls to handle memory domain destroy
and removal of partition.
GH-3852
Signed-off-by: Adithya Baglody <adithya.nagaraj.baglody@intel.com>
Add the following application-facing memory domain APIs:
k_mem_domain_init() - to initialize a memory domain
k_mem_domain_destroy() - to destroy a memory domain
k_mem_domain_add_partition() - to add a partition into a domain
k_mem_domain_remove_partition() - to remove a partition from a domain
k_mem_domain_add_thread() - to add a thread into a domain
k_mem_domain_remove_thread() - to remove a thread from a domain
A memory domain would contain some number of memory partitions.
A memory partition is a memory region (might be RAM, peripheral
registers, flash...) with specific attributes (access permission,
e.g. privileged read/write, unprivileged read-only, execute never...).
Memory partitions would be defined by set of MPU regions or MMU tables
underneath.
A thread could only belong to a single memory domain any point in time
but a memory domain could contain multiple threads.
Threads in the same memory domain would have the same access permission
to the memory partitions belong to the memory domain.
The memory domain APIs are used by unprivileged threads to share data
to the threads in the same memory and protect sensitive data from
threads outside their domain. It is not only for improving the security
but also useful for debugging (unexpected access would cause exception).
Jira: ZEP-2281
Signed-off-by: Chunlin Han <chunlin.han@linaro.org>
Kumar Gala