The PACBTI is an optional hardware security feature,
the current implementation assumes that every SoC that
has Armv8.1-M architecture extension, has the PACBTI
hardware feature, which does not have to be the case.
Hence, the `portHAS_PACBTI_FEATURE` is removed
and the implementation is modified to rely on
`configENABLE_PAC` and `configENABLE_BTI` macros
that can either be set using CMake or FreeRTOSConfig.h
header file.
Enabling PAC and/or BTI on a port variant that
doesn't have the PACBTI hardware feature would be
caught by a `configASSERT` statement.
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
Co-authored-by: Tony Josi <tonyjosi@amazon.com>
Related to #189
Update `configMTIMECMP_BASE_ADDRESS` to be stored in a 64-bit integer.
* Change the type of `ullMachineTimerCompareRegisterBase` to `uint64_t` in `portable/GCC/RISC-V/port.c`.
* Change the type of `ullMachineTimerCompareRegisterBase` to `uint64_t` in `portable/IAR/RISC-V/port.c`.
* Update the initialization of `ullMachineTimerCompareRegisterBase` to use `configMTIMECMP_BASE_ADDRESS` in both files.
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* copyright-checker: Add FreeRTOS Arm collab copyright
FreeRTOS Arm collab files shall have both Amazon's
and Arm's copyright headers. Hence, the copyright
checker is modified to check for both copyrights.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* armv8-m: Add support for IAR with TFM FREERTOS PORT
As the case for ARMClang, and GCC toolchains, IAR
with TFM FreeRTOS Port support is added.
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
* armv8-m: Do not overwrite Control register value
The current ARMv8-M FreeRTOS-Kernel Port code
implementation is modified in a way that allows
the CONTROL register's value to be retained
rather than being overwritten.
This is needed for adding PACBTI support as
the special-purpose CONTROL register `PAC_EN`,
`UPAC_EN`, `BTI_EN`, and `UBTI_EN` PACBTI
enablement bits should be configured before calling
`vRestoreContextOfFirstTask()` function which currently
overwrite the value inside the CONTROL register.
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
* armv8.1-m: Add PACBTI support to kernel non-secure implementation
In this commit, Pointer Authentication, and Branch Target
Identification Extension (PACBTI) support is added for
Non-Secure and Non-TrustZone variants of Cortex-M85
FreeRTOS-Kernel Port.
The PACBTI support is added for Arm Compiler For
Embedded, and IAR toolchains only. The support in
the kernel is not yet enabled for GNU toolchain
due to known issues.
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
* Fix CI check
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
---------
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
Co-authored-by: Ahmed Ismail <ahmism01@e133373.arm.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
Support for 16 MPU regions was added to Cortex-M33, M35P, M55 and M85
ports was added but the compile time error check was not removed. This
results in compilation error when 16 MPU regions are used. This PR
removes the not needed compile time error check.
It was reported here - https://forums.freertos.org/t/cortex-m55-and-16-region-mpu-support/21470.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Remove hardware dependence in portmacros.h
The IAR MSP430X port `#include "msp430.h"` which pulls all the hardware
register definitions into anything which `#include "FreeRTOS.h"`. This
removes that hardware dependency "leak" by removing the header file
and re-defining the `portDISABLE_INTERRUPTS()` and
`portENABLE_INTERRUPTS()` macros in terms of `__asm`.
* Code review suggestions
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
---------
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
FreeRTOS MPU: Add privileged execute never MPU attribute
A new MPU region attribute Privileged eXecute Never (PXN)
is introduced in Armv8.1-M architecture, where if an MPU
region has PXN attribute set and the processor attempts
to execute the code inside with privileged level,
the Memory Management Fault exception would be triggered,
with IACCVIOL bit in MemManage Fault State Register set
to 1. The PXN feature allows privileged software to ensure
specific application tasks (threads) to execute in
unprivileged level only.
Signed-off-by: Ahmed Ismail <Ahmed.Ismail@arm.com>
* Fix traceMALLOC() memory count is inaccurate. (#1078)
Modify xWantedSize to the size of a free block when not split blocks.
Ensure that the sizes within traceMALLOC() and traceFREE() macros are equal.
* Create a new variable xAllocatedBlockSize for traceMALLOC()
---------
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/GCC/ARM_CM23/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/GCC/ARM_CM23_NTZ/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/GCC/ARM_CM33/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/GCC/ARM_CM33_NTZ/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/IAR/ARM_CM23/mpu_wrappers_v2_asm.S
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/IAR/ARM_CM23_NTZ/mpu_wrappers_v2_asm.S
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/IAR/ARM_CM33/mpu_wrappers_v2_asm.S
* Remove duplicate pop instruction from portable/ARMv8M/non_secure/portable/IAR/ARM_CM33_NTZ/mpu_wrappers_v2_asm.S
* Run the copy_files.py script to update the ARMv8M ports to remove the duplicate pop instruction in mpu_wrappers_v2_asm
* Remove duplicate pop instruction from portable/GCC/ARM_CM3_MPU/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/GCC/ARM_CM4_MPU/mpu_wrappers_v2_asm.c
* Remove duplicate pop instruction from portable/IAR/ARM_CM4F_MPU/mpu_wrappers_v2_asm.S
* Remove duplicate pop instruction from portable/RVDS/ARM_CM4_MPU/mpu_wrappers_v2_asm.c
---------
Co-authored-by: Rahul Kar <118818625+kar-rahul-aws@users.noreply.github.com>
Add a check for configENABLE_MVE to M23, M33 ports
configENABLE_MVE is only applicable to Cortex-M55 and Cortex-M85 ports.
It must not be defined to 1 for other ARMv8_m ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Allow access to any buffer in xPortIsAuthorizedToAccessBuffer if xSchedulerRunning is set to pdFALSE
* Allow access to any buffer in xPortIsAuthorizedToAccessBuffer if xSchedulerRunning is set to pdFALSE in the copied ARMv8M Port Files
* Introduce portHAS_NESTED_INTERRUPTS to identify if port has nested interrupt or not.
* Update atomic.h to use portHAS_NESTED_INTERRUPTS instead of portSET_INTERRUPT_MASK_FROM_ISR definition.
---------
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
Co-authored-by: ActoryOu <jay2002824@gmail.com>
Verify that the application has correctly installed PendSV
and SVCall handlers. The application can choose to
disable these checks by setting configCHECK_HANDLER_INSTALLATION
to 0 in their FreeRTOSConfig.h.
Earlier the System Call entry from an unprivileged task
looked like:
1. SVC for entering system call.
2. System call implementation.
3. SVC for exiting system call.
Now, the system call entry needs to make only one SVC
call and everything else is handled internally.
This PR also makes the following changes:
1. Update the Access Control List (ACL) mechanism to
grant access to all the kernel objects before the
scheduler is started.
2. Add one struct param for system calls with 5 parameters.
This removes the need for special handling for system
calls with 5 parameters.
3. Remove raise privilege SVC when MPU wrapper v2 is used.
4. Add additional run time parameter checks to MPU wrappers
for xTaskGenericNotify and xQueueTakeMutexRecursive APIs.
* Support configurable RISC-V chip extension
Added the FREERTOS_RISCV_EXTENSION option to allow the user
to select which chip extension they want included. Removed the
port for pulpino to instead use the new option.
* Add port GCC_RISC_V_GENERIC and IAR_RISC_V_GENERIC
* Add two rics-v generic ports to support FREERTOS_RISCV_EXTENSION
config
---------
Co-authored-by: Joe Benczarski <jbenczarski@trijicon.com>
Co-authored-by: chinglee-iot <61685396+chinglee-iot@users.noreply.github.com>
Co-authored-by: Ching-Hsin Lee <chinglee@amazon.com>
Co-authored-by: kar-rahul-aws <118818625+kar-rahul-aws@users.noreply.github.com>
Co-authored-by: Soren Ptak <ptaksoren@gmail.com>
According to Armv8-M technical reference manual, if the main extension
is not implemented then PSPLIM_NS is RES0. Update the cortex-M23
port to not use the reserved PSPLIM_NS.
A task's privilege level is stored in ulTaskFlag member in the TCB. Current
implementation of portSWITCH_TO_USER_MODE() does not update this
flag but just lowers the processor's privilege level. This results in many
APIs incorrectly determining task's privilege level and access permissions -
- xPortIsAuthorizedToAccessBuffer
- xPortIsTaskPrivileged
- xPortIsAuthorizedToAccessKernelObject
This PR fixes the portSWITCH_TO_USER_MODE() implementation to correctly
update the ulTaskFlag member in the TCB before lowering the processor's
privilege level.
Add trace hook macro for most ports
In pull request #659 we introduced better support for tracing
tools like systemview. This patchset adds support for more
ports as requested in the original pull request.
This PR adds Access Control to kernel objects on a per task basis to MPU
ports. The following needs to be defined in the `FreeRTOSConfig.h` to
enable this feature:
```c
#define configUSE_MPU_WRAPPERS_V1 0
#define configENABLE_ACCESS_CONTROL_LIST 1
```
This PR adds the following new APIs:
```c
void vGrantAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToGrantAccess );
void vRevokeAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToRevokeAccess );
void vGrantAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToGrantAccess );
void vRevokeAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToRevokeAccess );
void vGrantAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToGrantAccess );
void vRevokeAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToRevokeAccess );
void vGrantAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToGrantAccess );
void vRevokeAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToRevokeAccess );
void vGrantAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToGrantAccess );
void vRevokeAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToRevokeAccess );
void vGrantAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToGrantAccess );
void vRevokeAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToRevokeAccess );
void vGrantAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToGrantAccess );
void vRevokeAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToRevokeAccess );
void vGrantAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToGrantAccess );
void vRevokeAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToRevokeAccess );
```
An unprivileged task by default has access to itself only and no other
kernel object. The application writer needs to explicitly grant an
unprivileged task access to all the kernel objects it needs. The best
place to do that is before starting the scheduler when all the kernel
objects are created.
For example, let's say an unprivileged tasks needs access to a queue and
an event group, the application writer needs to do the following:
```c
vGrantAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vGrantAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
```
The application writer MUST revoke all the accesses before deleting a
task. Failing to do so will result in undefined behavior. In the above
example, the application writer needs to make the following 2 calls
before deleting the task:
```c
vRevokeAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vRevokeAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
```
* Use new version of CI-CD Actions
* Use cSpell spell check, and use ubuntu-20.04 for formatting check
* Format and spell check all files in the portable directory
* Remove the https:// from #errors and #warnings as uncrustify attempts to change it to /*
* Use checkout@v3 instead of checkout@v2 on all jobs
---------
* Set SysTick CLKSOURCE bit before enabling SysTick
* Use portNVIC_SYSTICK_CLK_BIT_CONFIG
The workaround now uses portNVIC_SYSTICK_CLK_BIT_CONFIG instead of
portNVIC_SYSTICK_CLK_BIT, which saves us from having to explain in the
comments why it's OK to temporarily set the CLKSOURCE bit even if the
user's FreeRTOS configuration clears the CLKSOURCE bit.
Using portNVIC_SYSTICK_CLK_BIT_CONFIG here still correctly prevents the
firmware from triggering the QEMU bug.
Memory Protection Unit (MPU) Enhancements
This commit introduces a new MPU wrapper that places additional
restrictions on unprivileged tasks. The following is the list of changes
introduced with the new MPU wrapper:
1. Opaque and indirectly verifiable integers for kernel object handles:
All the kernel object handles (for example, queue handles) are now
opaque integers. Previously object handles were raw pointers.
2. Saving the task context in Task Control Block (TCB): When a task is
swapped out by the scheduler, the task's context is now saved in its
TCB. Previously the task's context was saved on its stack.
3. Execute system calls on a separate privileged only stack: FreeRTOS
system calls, which execute with elevated privilege, now use a
separate privileged only stack. Previously system calls used the
calling task's stack. The application writer can control the size of
the system call stack using new configSYSTEM_CALL_STACK_SIZE config
macro.
4. Memory bounds checks: FreeRTOS system calls which accept a pointer
and de-reference it, now verify that the calling task has required
permissions to access the memory location referenced by the pointer.
5. System call restrictions: The following system calls are no longer
available to unprivileged tasks:
- vQueueDelete
- xQueueCreateMutex
- xQueueCreateMutexStatic
- xQueueCreateCountingSemaphore
- xQueueCreateCountingSemaphoreStatic
- xQueueGenericCreate
- xQueueGenericCreateStatic
- xQueueCreateSet
- xQueueRemoveFromSet
- xQueueGenericReset
- xTaskCreate
- xTaskCreateStatic
- vTaskDelete
- vTaskPrioritySet
- vTaskSuspendAll
- xTaskResumeAll
- xTaskGetHandle
- xTaskCallApplicationTaskHook
- vTaskList
- vTaskGetRunTimeStats
- xTaskCatchUpTicks
- xEventGroupCreate
- xEventGroupCreateStatic
- vEventGroupDelete
- xStreamBufferGenericCreate
- xStreamBufferGenericCreateStatic
- vStreamBufferDelete
- xStreamBufferReset
Also, an unprivileged task can no longer use vTaskSuspend to suspend
any task other than itself.
We thank the following people for their inputs in these enhancements:
- David Reiss of Meta Platforms, Inc.
- Lan Luo, Xinhui Shao, Yumeng Wei, Zixia Liu, Huaiyu Yan and Zhen Ling
of School of Computer Science and Engineering, Southeast University,
China.
- Xinwen Fu of Department of Computer Science, University of
Massachusetts Lowell, USA.
- Yuequi Chen, Zicheng Wang, Minghao Lin of University of Colorado
Boulder, USA.
Ahmed Ismail
Vishwanath Martur
ActoryOu
K.Kashi
Gaurav-Aggarwal-AWS
Oliver Mueller
mayl
Rahul Kar
Florian La Roche
耀眼的大神
Soren Ptak
Phillip Stevens
chinglee-iot
Jeff Tenney
Ha Thach
Joe Benczarski
Devaraj Ranganna
Moral-Hao
Boris van der Meer
Soren Ptak
Evgeny Ermakov