zephyr/arch/xtensa/core/mpu.c

1065 lines
31 KiB
C

/*
* Copyright (c) 2023 Intel Corporation
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <zephyr/kernel.h>
#include <zephyr/spinlock.h>
#include <zephyr/toolchain.h>
#include <zephyr/arch/xtensa/arch_inlines.h>
#include <zephyr/arch/xtensa/mpu.h>
#include <zephyr/linker/linker-defs.h>
#include <zephyr/sys/__assert.h>
#include <zephyr/sys/util_macro.h>
#include <xtensa/corebits.h>
#include <xtensa/config/core-matmap.h>
#include <xtensa/config/core-isa.h>
#include <xtensa_mpu_priv.h>
#ifdef CONFIG_USERSPACE
BUILD_ASSERT((CONFIG_PRIVILEGED_STACK_SIZE > 0) &&
(CONFIG_PRIVILEGED_STACK_SIZE % XCHAL_MPU_ALIGN) == 0);
#endif
extern char _heap_end[];
extern char _heap_start[];
/** MPU foreground map for kernel mode. */
static struct xtensa_mpu_map xtensa_mpu_map_fg_kernel;
/*
* Additional information about the MPU maps: foreground and background
* maps.
*
*
* Some things to keep in mind:
* - Each MPU region is described by TWO entries:
* [entry_a_address, entry_b_address). For contiguous memory regions,
* this should not much of an issue. However, disjoint memory regions
* "waste" another entry to describe the end of those regions.
* We might run out of available entries in the MPU map because of
* this.
* - The last entry is a special case as there is no more "next"
* entry in the map. In this case, the end of memory is
* the implicit boundary. In another word, the last entry
* describes the region between the start address of this entry
* and the end of memory.
* - Current implementation has following limitations:
* - All enabled entries are grouped towards the end of the map.
* - Except the last entry which can be disabled. This is
* the end of the last foreground region. With a disabled
* entry, memory after this will use the background map
* for access control.
* - No disabled MPU entries allowed in between.
*
*
* For foreground map to be valid, its entries must follow these rules:
* - The start addresses must always be in non-descending order.
* - The access rights and memory type fields must contain valid values.
* - The segment field needs to be correct for each entry.
* - MBZ fields must contain only zeroes.
* - Although the start address occupies 27 bits of the register,
* it does not mean all 27 bits are usable. The macro
* XCHAL_MPU_ALIGN_BITS provided by the toolchain indicates
* that only bits of and left of this value are valid. This
* corresponds to the minimum segment size (MINSEGMENTSIZE)
* definied in the processor configuration.
*/
#ifndef CONFIG_XTENSA_MPU_ONLY_SOC_RANGES
/**
* Static definition of all code and data memory regions of the
* current Zephyr image. This information must be available and
* need to be processed upon MPU initialization.
*/
static const struct xtensa_mpu_range mpu_zephyr_ranges[] = {
/* Region for vector handlers. */
{
.start = (uintptr_t)XCHAL_VECBASE_RESET_VADDR,
/*
* There is nothing from the Xtensa overlay about how big
* the vector handler region is. So we make an assumption
* that vecbase and .text are contiguous.
*
* SoC can override as needed if this is not the case,
* especially if the SoC reset/startup code relocates
* vecbase.
*/
.end = (uintptr_t)__text_region_start,
.access_rights = XTENSA_MPU_ACCESS_P_RX_U_RX,
.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
},
/*
* Mark the zephyr execution regions (data, bss, noinit, etc.)
* cacheable, read / write and non-executable
*/
{
/* This includes .data, .bss and various kobject sections. */
.start = (uintptr_t)_image_ram_start,
.end = (uintptr_t)_image_ram_end,
.access_rights = XTENSA_MPU_ACCESS_P_RW_U_NA,
.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
},
#if K_HEAP_MEM_POOL_SIZE > 0
/* System heap memory */
{
.start = (uintptr_t)_heap_start,
.end = (uintptr_t)_heap_end,
.access_rights = XTENSA_MPU_ACCESS_P_RW_U_NA,
.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
},
#endif
/* Mark text segment cacheable, read only and executable */
{
.start = (uintptr_t)__text_region_start,
.end = (uintptr_t)__text_region_end,
.access_rights = XTENSA_MPU_ACCESS_P_RX_U_RX,
.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
},
/* Mark rodata segment cacheable, read only and non-executable */
{
.start = (uintptr_t)__rodata_region_start,
.end = (uintptr_t)__rodata_region_end,
.access_rights = XTENSA_MPU_ACCESS_P_RO_U_RO,
.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
},
};
#endif /* !CONFIG_XTENSA_MPU_ONLY_SOC_RANGES */
/**
* Return the pointer to the entry encompassing @a addr out of an array of MPU entries.
*
* Returning the entry where @a addr is greater or equal to the entry's start address,
* and where @a addr is less than the starting address of the next entry.
*
* @param[in] entries Array of MPU entries.
* @param[in] addr Address to be matched to one background entry.
* @param[in] first_enabled_idx The index of the first enabled entry.
* Use 0 if not sure.
* @param[out] exact Set to true if address matches exactly.
* NULL if do not care.
* @param[out] entry_idx Set to the index of the entry array if entry is found.
* NULL if do not care.
*
* @return Pointer to the map entry encompassing @a addr, or NULL if no such entry found.
*/
static const
struct xtensa_mpu_entry *check_addr_in_mpu_entries(const struct xtensa_mpu_entry *entries,
uintptr_t addr, uint8_t first_enabled_idx,
bool *exact, uint8_t *entry_idx)
{
const struct xtensa_mpu_entry *ret = NULL;
uintptr_t s_addr, e_addr;
uint8_t idx;
if (first_enabled_idx >= XTENSA_MPU_NUM_ENTRIES) {
goto out_null;
}
if (addr < xtensa_mpu_entry_start_address_get(&entries[first_enabled_idx])) {
/* Before the start address of very first entry. So no match. */
goto out_null;
}
/* Loop through the map except the last entry (which is a special case). */
for (idx = first_enabled_idx; idx < (XTENSA_MPU_NUM_ENTRIES - 1); idx++) {
s_addr = xtensa_mpu_entry_start_address_get(&entries[idx]);
e_addr = xtensa_mpu_entry_start_address_get(&entries[idx + 1]);
if ((addr >= s_addr) && (addr < e_addr)) {
ret = &entries[idx];
goto out;
}
}
idx = XTENSA_MPU_NUM_ENTRIES - 1;
s_addr = xtensa_mpu_entry_start_address_get(&entries[idx]);
if (addr >= s_addr) {
/* Last entry encompasses the start address to end of memory. */
ret = &entries[idx];
}
out:
if (ret != NULL) {
if (exact != NULL) {
if (addr == s_addr) {
*exact = true;
} else {
*exact = false;
}
}
if (entry_idx != NULL) {
*entry_idx = idx;
}
}
out_null:
return ret;
}
/**
* Find the first enabled MPU entry.
*
* @param entries Array of MPU entries with XTENSA_MPU_NUM_ENTRIES elements.
*
* @return Index of the first enabled entry.
* @retval XTENSA_MPU_NUM_ENTRIES if no entry is enabled.
*/
static inline uint8_t find_first_enabled_entry(const struct xtensa_mpu_entry *entries)
{
int first_enabled_idx;
for (first_enabled_idx = 0; first_enabled_idx < XTENSA_MPU_NUM_ENTRIES;
first_enabled_idx++) {
if (entries[first_enabled_idx].as.p.enable) {
break;
}
}
return first_enabled_idx;
}
/**
* Compare two MPU entries.
*
* This is used by qsort to compare two MPU entries on their ordering
* based on starting address.
*
* @param a First MPU entry.
* @param b Second MPU entry.
*
* @retval -1 First address is less than second address.
* @retval 0 First address is equal to second address.
* @retval 1 First address is great than second address.
*/
static int compare_entries(const void *a, const void *b)
{
struct xtensa_mpu_entry *e_a = (struct xtensa_mpu_entry *)a;
struct xtensa_mpu_entry *e_b = (struct xtensa_mpu_entry *)b;
uintptr_t addr_a = xtensa_mpu_entry_start_address_get(e_a);
uintptr_t addr_b = xtensa_mpu_entry_start_address_get(e_b);
if (addr_a < addr_b) {
return -1;
} else if (addr_a == addr_b) {
return 0;
} else {
return 1;
}
}
/**
* Sort the MPU entries base on starting address.
*
* This sorts the MPU entries in ascending order of starting address.
* After sorting, it rewrites the segment numbers of all entries.
*/
static void sort_entries(struct xtensa_mpu_entry *entries)
{
qsort(entries, XTENSA_MPU_NUM_ENTRIES, sizeof(entries[0]), compare_entries);
for (uint32_t idx = 0; idx < XTENSA_MPU_NUM_ENTRIES; idx++) {
/* Segment value must correspond to the index. */
entries[idx].at.p.segment = idx;
}
}
/**
* Consolidate the MPU entries.
*
* This removes consecutive entries where the attributes are the same.
*
* @param entries Array of MPU entries with XTENSA_MPU_NUM_ENTRIES elements.
* @param first_enabled_idx Index of first enabled entry.
*
* @return Index of the first enabled entry after consolidation.
*/
static uint8_t consolidate_entries(struct xtensa_mpu_entry *entries,
uint8_t first_enabled_idx)
{
uint8_t new_first;
uint8_t idx_0 = first_enabled_idx;
uint8_t idx_1 = first_enabled_idx + 1;
bool to_consolidate = false;
/* For each a pair of entries... */
while (idx_1 < XTENSA_MPU_NUM_ENTRIES) {
struct xtensa_mpu_entry *entry_0 = &entries[idx_0];
struct xtensa_mpu_entry *entry_1 = &entries[idx_1];
bool mark_disable_0 = false;
bool mark_disable_1 = false;
if (xtensa_mpu_entries_has_same_attributes(entry_0, entry_1)) {
/*
* If both entry has same attributes (access_rights and memory type),
* they can be consolidated into one by removing the higher indexed
* one.
*/
mark_disable_1 = true;
} else if (xtensa_mpu_entries_has_same_address(entry_0, entry_1)) {
/*
* If both entries have the same address, the higher index
* one always override the lower one. So remove the lower indexed
* one.
*/
mark_disable_0 = true;
}
/*
* Marking an entry as disabled here so it can be removed later.
*
* The MBZ field of the AS register is re-purposed to indicate that
* this is an entry to be removed.
*/
if (mark_disable_1) {
/* Remove the higher indexed entry. */
to_consolidate = true;
entry_1->as.p.mbz = 1U;
/* Skip ahead for next comparison. */
idx_1++;
continue;
} else if (mark_disable_0) {
/* Remove the lower indexed entry. */
to_consolidate = true;
entry_0->as.p.mbz = 1U;
}
idx_0 = idx_1;
idx_1++;
}
if (to_consolidate) {
uint8_t read_idx = XTENSA_MPU_NUM_ENTRIES - 1;
uint8_t write_idx = XTENSA_MPU_NUM_ENTRIES;
/* Go through the map from the end and copy enabled entries in place. */
while (read_idx >= first_enabled_idx) {
struct xtensa_mpu_entry *entry_rd = &entries[read_idx];
if (entry_rd->as.p.mbz != 1U) {
struct xtensa_mpu_entry *entry_wr;
write_idx--;
entry_wr = &entries[write_idx];
*entry_wr = *entry_rd;
entry_wr->at.p.segment = write_idx;
}
read_idx--;
}
/* New first enabled entry is where the last written entry is. */
new_first = write_idx;
for (idx_0 = 0; idx_0 < new_first; idx_0++) {
struct xtensa_mpu_entry *e = &entries[idx_0];
/* Shortcut to zero out address and enabled bit. */
e->as.raw = 0U;
/* Segment value must correspond to the index. */
e->at.p.segment = idx_0;
/* No access at all for both kernel and user modes. */
e->at.p.access_rights = XTENSA_MPU_ACCESS_P_NA_U_NA;
/* Use default memory type for disabled entries. */
e->at.p.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE;
}
} else {
/* No need to conlidate entries. Map is same as before. */
new_first = first_enabled_idx;
}
return new_first;
}
/**
* Add a memory region to the MPU map.
*
* This adds a memory region to the MPU map, by setting the appropriate
* start and end entries. This may re-use existing entries or add new
* entries to the map.
*
* @param[in,out] map Pointer to MPU map.
* @param[in] start_addr Start address of the region.
* @param[in] end_addr End address of the region.
* @param[in] access_rights Access rights of this region.
* @param[in] memory_type Memory type of this region.
* @param[out] first_idx Return index of first enabled entry if not NULL.
*
* @retval 0 Successful in adding the region.
* @retval -EINVAL Invalid values in function arguments.
*/
static int mpu_map_region_add(struct xtensa_mpu_map *map,
uintptr_t start_addr, uintptr_t end_addr,
uint32_t access_rights, uint32_t memory_type,
uint8_t *first_idx)
{
int ret;
bool exact_s, exact_e;
uint8_t idx_s, idx_e, first_enabled_idx;
struct xtensa_mpu_entry *entry_slot_s, *entry_slot_e, prev_entry;
struct xtensa_mpu_entry *entries = map->entries;
if (start_addr >= end_addr) {
ret = -EINVAL;
goto out;
}
first_enabled_idx = find_first_enabled_entry(entries);
if (first_enabled_idx >= XTENSA_MPU_NUM_ENTRIES) {
/*
* If the last entry in the map is not enabled and the start
* address is NULL, we can assume the map has not been populated
* at all. This is because we group all enabled entries at
* the end of map.
*/
struct xtensa_mpu_entry *last_entry = &entries[XTENSA_MPU_NUM_ENTRIES - 1];
if (!xtensa_mpu_entry_enable_get(last_entry) &&
(xtensa_mpu_entry_start_address_get(last_entry) == 0U)) {
/* Empty table, so populate the entries as-is. */
if (end_addr == 0xFFFFFFFFU) {
/*
* Region goes to end of memory, so only need to
* program one entry.
*/
entry_slot_s = &entries[XTENSA_MPU_NUM_ENTRIES - 1];
xtensa_mpu_entry_set(entry_slot_s, start_addr, true,
access_rights, memory_type);
} else {
/*
* Populate the last two entries to indicate
* a memory region. Notice that the second entry
* is not enabled as it is merely marking the end of
* a region and is not the starting of another
* enabled MPU region.
*/
entry_slot_s = &entries[XTENSA_MPU_NUM_ENTRIES - 2];
entry_slot_e = &entries[XTENSA_MPU_NUM_ENTRIES - 1];
xtensa_mpu_entry_set(entry_slot_s, start_addr, true,
access_rights, memory_type);
xtensa_mpu_entry_set(entry_slot_e, end_addr, false,
XTENSA_MPU_ACCESS_P_NA_U_NA,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE);
}
ret = 0;
goto out;
}
first_enabled_idx = consolidate_entries(entries, first_enabled_idx);
if (first_enabled_idx >= XTENSA_MPU_NUM_ENTRIES) {
ret = -EINVAL;
goto out;
}
}
entry_slot_s = (struct xtensa_mpu_entry *)
check_addr_in_mpu_entries(entries, start_addr, first_enabled_idx,
&exact_s, &idx_s);
entry_slot_e = (struct xtensa_mpu_entry *)
check_addr_in_mpu_entries(entries, end_addr, first_enabled_idx,
&exact_e, &idx_e);
__ASSERT_NO_MSG(entry_slot_s != NULL);
__ASSERT_NO_MSG(entry_slot_e != NULL);
__ASSERT_NO_MSG(start_addr < end_addr);
if ((entry_slot_s == NULL) || (entry_slot_e == NULL)) {
ret = -EINVAL;
goto out;
}
/*
* Figure out if we need to add new slots for either addresses.
* If the addresses match exactly the addresses current in map,
* we can reuse those entries without adding new one.
*/
if (!exact_s || !exact_e) {
uint8_t needed = (exact_s ? 0 : 1) + (exact_e ? 0 : 1);
/* Check if there are enough empty slots. */
if (first_enabled_idx < needed) {
ret = -ENOMEM;
goto out;
}
}
/*
* Need to keep track of the attributes of the memory region before
* we start adding entries, as we will need to apply the same
* attributes to the "ending address" entry to preseve the attributes
* of existing map.
*/
prev_entry = *entry_slot_e;
/*
* Entry for beginning of new region.
*
* - Use existing entry if start addresses are the same for existing
* and incoming region. We can simply reuse the entry.
* - Add an entry if incoming region is within existing region.
*/
if (!exact_s) {
/*
* Put a new entry before the first enabled entry.
* We will sort the entries later.
*/
first_enabled_idx--;
entry_slot_s = &entries[first_enabled_idx];
}
xtensa_mpu_entry_set(entry_slot_s, start_addr, true, access_rights, memory_type);
/*
* Entry for ending of region.
*
* - Add an entry if incoming region is within existing region.
* - If the end address matches exactly to existing entry, there is
* no need to do anything.
*/
if (!exact_e) {
/*
* Put a new entry before the first enabled entry.
* We will sort the entries later.
*/
first_enabled_idx--;
entry_slot_e = &entries[first_enabled_idx];
/*
* Since we are going to punch a hole in the map,
* we need to preserve the attribute of existing region
* between the end address and next entry.
*/
*entry_slot_e = prev_entry;
xtensa_mpu_entry_start_address_set(entry_slot_e, end_addr);
}
/* Sort the entries in ascending order of starting address */
sort_entries(entries);
/*
* Need to figure out where the start and end entries are as sorting
* may change their positions.
*/
entry_slot_s = (struct xtensa_mpu_entry *)
check_addr_in_mpu_entries(entries, start_addr, first_enabled_idx,
&exact_s, &idx_s);
entry_slot_e = (struct xtensa_mpu_entry *)
check_addr_in_mpu_entries(entries, end_addr, first_enabled_idx,
&exact_e, &idx_e);
/* Both must be exact match. */
__ASSERT_NO_MSG(exact_s);
__ASSERT_NO_MSG(exact_e);
if (end_addr == 0xFFFFFFFFU) {
/*
* If end_addr = 0xFFFFFFFFU, entry_slot_e and idx_e both
* point to the last slot. Because the incoming region goes
* to the end of memory, we simply cheat by including
* the last entry by incrementing idx_e so the loop to
* update entries will change the attribute of last entry
* in map.
*/
idx_e++;
}
/*
* Any existing entries between the "newly" popluated start and
* end entries must bear the same attributes. So modify them
* here.
*/
for (int idx = idx_s + 1; idx < idx_e; idx++) {
xtensa_mpu_entry_attributes_set(&entries[idx], access_rights, memory_type);
}
if (first_idx != NULL) {
*first_idx = first_enabled_idx;
}
ret = 0;
out:
return ret;
}
/**
* Write the MPU map to hardware.
*
* @param map Pointer to foreground MPU map.
*/
#ifdef CONFIG_USERSPACE
/* With userspace enabled, the pointer to per memory domain MPU map is stashed
* inside the thread struct. If we still only take struct xtensa_mpu_map as
* argument, a wrapper function is needed. To avoid the cost associated with
* calling that wrapper function, takes thread pointer directly as argument
* when userspace is enabled. Not to mention that writing the map to hardware
* is already a costly operation per context switch. So every little bit helps.
*/
void xtensa_mpu_map_write(struct k_thread *thread)
#else
void xtensa_mpu_map_write(struct xtensa_mpu_map *map)
#endif
{
int entry;
#ifdef CONFIG_USERSPACE
struct xtensa_mpu_map *map = thread->arch.mpu_map;
#endif
/*
* Clear MPU entries first, then write MPU entries in reverse order.
*
* Remember that the boundary of each memory region is marked by
* two consecutive entries, and that the addresses of all entries
* must not be in descending order (i.e. equal or increasing).
* To ensure this, we clear out the entries first then write them
* in reverse order. This avoids any intermediate invalid
* configuration with regard to ordering.
*/
for (entry = 0; entry < XTENSA_MPU_NUM_ENTRIES; entry++) {
__asm__ volatile("wptlb %0, %1\n\t" : : "a"(entry), "a"(0));
}
for (entry = XTENSA_MPU_NUM_ENTRIES - 1; entry >= 0; entry--) {
__asm__ volatile("wptlb %0, %1\n\t"
: : "a"(map->entries[entry].at), "a"(map->entries[entry].as));
}
}
/**
* Perform necessary steps to enable MPU.
*/
void xtensa_mpu_init(void)
{
unsigned int entry;
uint8_t first_enabled_idx;
/* Disable all foreground segments before we start configuration. */
xtensa_mpu_mpuenb_write(0);
/*
* Clear the foreground MPU map so we can populate it later with valid entries.
* Note that we still need to make sure the map is valid, and cannot be totally
* zeroed.
*/
for (entry = 0; entry < XTENSA_MPU_NUM_ENTRIES; entry++) {
/* Make sure to zero out everything as a start, especially the MBZ fields. */
struct xtensa_mpu_entry ent = {0};
/* Segment value must correspond to the index. */
ent.at.p.segment = entry;
/* No access at all for both kernel and user modes. */
ent.at.p.access_rights = XTENSA_MPU_ACCESS_P_NA_U_NA;
/* Use default memory type for disabled entries. */
ent.at.p.memory_type = CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE;
xtensa_mpu_map_fg_kernel.entries[entry] = ent;
}
#ifndef CONFIG_XTENSA_MPU_ONLY_SOC_RANGES
/*
* Add necessary MPU entries for the memory regions of base Zephyr image.
*/
for (entry = 0; entry < ARRAY_SIZE(mpu_zephyr_ranges); entry++) {
const struct xtensa_mpu_range *range = &mpu_zephyr_ranges[entry];
int ret = mpu_map_region_add(&xtensa_mpu_map_fg_kernel,
range->start, range->end,
range->access_rights, range->memory_type,
&first_enabled_idx);
ARG_UNUSED(ret);
__ASSERT(ret == 0, "Unable to add region [0x%08x, 0x%08x): %d",
(unsigned int)range->start,
(unsigned int)range->end,
ret);
}
#endif /* !CONFIG_XTENSA_MPU_ONLY_SOC_RANGES */
/*
* Now for the entries for memory regions needed by SoC.
*/
for (entry = 0; entry < xtensa_soc_mpu_ranges_num; entry++) {
const struct xtensa_mpu_range *range = &xtensa_soc_mpu_ranges[entry];
int ret = mpu_map_region_add(&xtensa_mpu_map_fg_kernel,
range->start, range->end,
range->access_rights, range->memory_type,
&first_enabled_idx);
ARG_UNUSED(ret);
__ASSERT(ret == 0, "Unable to add region [0x%08x, 0x%08x): %d",
(unsigned int)range->start,
(unsigned int)range->end,
ret);
}
/* Consolidate entries so we have a compact map at boot. */
consolidate_entries(xtensa_mpu_map_fg_kernel.entries, first_enabled_idx);
/* Write the map into hardware. There is no turning back now. */
#ifdef CONFIG_USERSPACE
struct k_thread dummy_map_thread;
dummy_map_thread.arch.mpu_map = &xtensa_mpu_map_fg_kernel;
xtensa_mpu_map_write(&dummy_map_thread);
#else
xtensa_mpu_map_write(&xtensa_mpu_map_fg_kernel);
#endif
}
#ifdef CONFIG_USERSPACE
int arch_mem_domain_init(struct k_mem_domain *domain)
{
domain->arch.mpu_map = xtensa_mpu_map_fg_kernel;
return 0;
}
int arch_mem_domain_max_partitions_get(void)
{
/*
* Due to each memory region requiring 2 MPU entries to describe,
* it is hard to figure out how many partitions are available.
* For example, if all those partitions are contiguous, it only
* needs 2 entries (1 if the end of region already has an entry).
* If they are all disjoint, it will need (2 * n) entries to
* describe all of them. So just use CONFIG_MAX_DOMAIN_PARTITIONS
* here and let the application set this instead.
*/
return CONFIG_MAX_DOMAIN_PARTITIONS;
}
int arch_mem_domain_partition_remove(struct k_mem_domain *domain,
uint32_t partition_id)
{
int ret;
uint32_t perm;
struct xtensa_mpu_map *map = &domain->arch.mpu_map;
struct k_mem_partition *partition = &domain->partitions[partition_id];
uintptr_t end_addr = partition->start + partition->size;
if (end_addr <= partition->start) {
ret = -EINVAL;
goto out;
}
/*
* This is simply to get rid of the user permissions and retain
* whatever the kernel permissions are. So that we won't be
* setting the memory region permission incorrectly, for example,
* marking read only region writable.
*
* Note that Zephyr does not do RWX partitions so we can treat it
* as invalid.
*/
switch (partition->attr) {
case XTENSA_MPU_ACCESS_P_RO_U_NA:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RX_U_NA:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RO_U_RO:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RX_U_RX:
perm = XTENSA_MPU_ACCESS_P_RO_U_NA;
break;
case XTENSA_MPU_ACCESS_P_RW_U_NA:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_NA:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RWX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RO:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_RX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RW:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_RWX:
perm = XTENSA_MPU_ACCESS_P_RW_U_NA;
break;
default:
/* _P_X_U_NA is not a valid permission for userspace, so ignore.
* _P_NA_U_X becomes _P_NA_U_NA when removing user permissions.
* _P_WO_U_WO has not kernel only counterpart so just force no access.
* If we get here with _P_NA_P_NA, there is something seriously
* wrong with the userspace and/or application code.
*/
perm = XTENSA_MPU_ACCESS_P_NA_U_NA;
break;
}
/*
* Reset the memory region attributes by simply "adding"
* a region with default attributes. If entries already
* exist for the region, the corresponding entries will
* be updated with the default attributes. Or new entries
* will be added to carve a hole in existing regions.
*/
ret = mpu_map_region_add(map, partition->start, end_addr,
perm,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
out:
return ret;
}
int arch_mem_domain_partition_add(struct k_mem_domain *domain,
uint32_t partition_id)
{
int ret;
struct xtensa_mpu_map *map = &domain->arch.mpu_map;
struct k_mem_partition *partition = &domain->partitions[partition_id];
uintptr_t end_addr = partition->start + partition->size;
if (end_addr <= partition->start) {
ret = -EINVAL;
goto out;
}
ret = mpu_map_region_add(map, partition->start, end_addr,
(uint8_t)partition->attr,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
out:
return ret;
}
int arch_mem_domain_thread_add(struct k_thread *thread)
{
int ret = 0;
/* New memory domain we are being added to */
struct k_mem_domain *domain = thread->mem_domain_info.mem_domain;
/*
* this is only set for threads that were migrating from some other
* memory domain; new threads this is NULL.
*/
struct xtensa_mpu_map *old_map = thread->arch.mpu_map;
bool is_user = (thread->base.user_options & K_USER) != 0;
bool is_migration = (old_map != NULL) && is_user;
uintptr_t stack_end_addr = thread->stack_info.start + thread->stack_info.size;
if (stack_end_addr < thread->stack_info.start) {
/* Account for wrapping around back to 0. */
stack_end_addr = 0xFFFFFFFFU;
}
/*
* Allow USER access to the thread's stack in its new domain if
* we are migrating. If we are not migrating this is done in
* xtensa_user_stack_perms().
*/
if (is_migration) {
/* Add stack to new domain's MPU map. */
ret = mpu_map_region_add(&domain->arch.mpu_map,
thread->stack_info.start, stack_end_addr,
XTENSA_MPU_ACCESS_P_RW_U_RW,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
/* Probably this fails due to no more available slots in MPU map. */
__ASSERT_NO_MSG(ret == 0);
}
thread->arch.mpu_map = &domain->arch.mpu_map;
/*
* Remove thread stack from old memory domain if we are
* migrating away from old memory domain. This is done
* by simply remove USER access from the region.
*/
if (is_migration) {
/*
* Remove stack from old MPU map by...
* "adding" a new memory region to the map
* as this carves a hole in the existing map.
*/
ret = mpu_map_region_add(old_map,
thread->stack_info.start, stack_end_addr,
XTENSA_MPU_ACCESS_P_RW_U_NA,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
}
/*
* Need to switch to new MPU map if this is the current
* running thread.
*/
if (thread == _current_cpu->current) {
xtensa_mpu_map_write(thread);
}
return ret;
}
int arch_mem_domain_thread_remove(struct k_thread *thread)
{
uintptr_t stack_end_addr;
int ret;
struct k_mem_domain *domain = thread->mem_domain_info.mem_domain;
if ((thread->base.user_options & K_USER) == 0) {
ret = 0;
goto out;
}
if ((thread->base.thread_state & _THREAD_DEAD) == 0) {
/* Thread is migrating to another memory domain and not
* exiting for good; we weren't called from
* z_thread_abort(). Resetting the stack region will
* take place in the forthcoming thread_add() call.
*/
ret = 0;
goto out;
}
stack_end_addr = thread->stack_info.start + thread->stack_info.size;
if (stack_end_addr < thread->stack_info.start) {
/* Account for wrapping around back to 0. */
stack_end_addr = 0xFFFFFFFFU;
}
/*
* Restore permissions on the thread's stack area since it is no
* longer a member of the domain.
*/
ret = mpu_map_region_add(&domain->arch.mpu_map,
thread->stack_info.start, stack_end_addr,
XTENSA_MPU_ACCESS_P_RW_U_NA,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
xtensa_mpu_map_write(thread);
out:
return ret;
}
int arch_buffer_validate(const void *addr, size_t size, int write)
{
uintptr_t aligned_addr;
size_t aligned_size, addr_offset;
int ret = 0;
/* addr/size arbitrary, fix this up into an aligned region */
aligned_addr = ROUND_DOWN((uintptr_t)addr, XCHAL_MPU_ALIGN);
addr_offset = (uintptr_t)addr - aligned_addr;
aligned_size = ROUND_UP(size + addr_offset, XCHAL_MPU_ALIGN);
for (size_t offset = 0; offset < aligned_size;
offset += XCHAL_MPU_ALIGN) {
uint32_t probed = xtensa_pptlb_probe(aligned_addr + offset);
uint8_t access_rights = (probed & XTENSA_MPU_PPTLB_ACCESS_RIGHTS_MASK)
>> XTENSA_MPU_PPTLB_ACCESS_RIGHTS_SHIFT;
if (write) {
/* Need to check write permission. */
switch (access_rights) {
case XTENSA_MPU_ACCESS_P_WO_U_WO:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RWX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RW:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_RWX:
/* These permissions are okay. */
break;
default:
ret = -EPERM;
goto out;
}
} else {
/* Only check read permission. */
switch (access_rights) {
case XTENSA_MPU_ACCESS_P_RW_U_RWX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RO:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_RX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RO_U_RO:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RX_U_RX:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RW_U_RW:
__fallthrough;
case XTENSA_MPU_ACCESS_P_RWX_U_RWX:
/* These permissions are okay. */
break;
default:
ret = -EPERM;
goto out;
}
}
}
out:
return ret;
}
void xtensa_user_stack_perms(struct k_thread *thread)
{
int ret;
uintptr_t stack_end_addr = thread->stack_info.start + thread->stack_info.size;
if (stack_end_addr < thread->stack_info.start) {
/* Account for wrapping around back to 0. */
stack_end_addr = 0xFFFFFFFFU;
}
(void)memset((void *)thread->stack_info.start,
(IS_ENABLED(CONFIG_INIT_STACKS)) ? 0xAA : 0x00,
thread->stack_info.size - thread->stack_info.delta);
/* Add stack to new domain's MPU map. */
ret = mpu_map_region_add(thread->arch.mpu_map,
thread->stack_info.start, stack_end_addr,
XTENSA_MPU_ACCESS_P_RW_U_RW,
CONFIG_XTENSA_MPU_DEFAULT_MEM_TYPE,
NULL);
xtensa_mpu_map_write(thread);
/* Probably this fails due to no more available slots in MPU map. */
ARG_UNUSED(ret);
__ASSERT_NO_MSG(ret == 0);
}
#endif /* CONFIG_USERSPACE */