* Allow access to any buffer in xPortIsAuthorizedToAccessBuffer if xSchedulerRunning is set to pdFALSE
* Allow access to any buffer in xPortIsAuthorizedToAccessBuffer if xSchedulerRunning is set to pdFALSE in the copied ARMv8M Port Files
Verify that the application has correctly installed PendSV
and SVCall handlers. The application can choose to
disable these checks by setting configCHECK_HANDLER_INSTALLATION
to 0 in their FreeRTOSConfig.h.
Earlier the System Call entry from an unprivileged task
looked like:
1. SVC for entering system call.
2. System call implementation.
3. SVC for exiting system call.
Now, the system call entry needs to make only one SVC
call and everything else is handled internally.
This PR also makes the following changes:
1. Update the Access Control List (ACL) mechanism to
grant access to all the kernel objects before the
scheduler is started.
2. Add one struct param for system calls with 5 parameters.
This removes the need for special handling for system
calls with 5 parameters.
3. Remove raise privilege SVC when MPU wrapper v2 is used.
4. Add additional run time parameter checks to MPU wrappers
for xTaskGenericNotify and xQueueTakeMutexRecursive APIs.
According to Armv8-M technical reference manual, if the main extension
is not implemented then PSPLIM_NS is RES0. Update the cortex-M23
port to not use the reserved PSPLIM_NS.
Add trace hook macro for most ports
In pull request #659 we introduced better support for tracing
tools like systemview. This patchset adds support for more
ports as requested in the original pull request.
This PR adds Access Control to kernel objects on a per task basis to MPU
ports. The following needs to be defined in the `FreeRTOSConfig.h` to
enable this feature:
#define configUSE_MPU_WRAPPERS_V1 0
This PR adds the following new APIs:
void vGrantAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToGrantAccess );
void vRevokeAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToRevokeAccess );
void vGrantAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToGrantAccess );
void vRevokeAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToRevokeAccess );
void vGrantAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToGrantAccess );
void vRevokeAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToRevokeAccess );
void vGrantAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToGrantAccess );
void vRevokeAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToRevokeAccess );
void vGrantAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToGrantAccess );
void vRevokeAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToRevokeAccess );
void vGrantAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToGrantAccess );
void vRevokeAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToRevokeAccess );
void vGrantAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToGrantAccess );
void vRevokeAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToRevokeAccess );
void vGrantAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToGrantAccess );
void vRevokeAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToRevokeAccess );
An unprivileged task by default has access to itself only and no other
kernel object. The application writer needs to explicitly grant an
unprivileged task access to all the kernel objects it needs. The best
place to do that is before starting the scheduler when all the kernel
objects are created.
For example, let's say an unprivileged tasks needs access to a queue and
an event group, the application writer needs to do the following:
vGrantAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vGrantAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
The application writer MUST revoke all the accesses before deleting a
task. Failing to do so will result in undefined behavior. In the above
example, the application writer needs to make the following 2 calls
before deleting the task:
vRevokeAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vRevokeAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
* Use new version of CI-CD Actions
* Use cSpell spell check, and use ubuntu-20.04 for formatting check
* Format and spell check all files in the portable directory
* Remove the https:// from #errors and #warnings as uncrustify attempts to change it to /*
* Use checkout@v3 instead of checkout@v2 on all jobs
* Set SysTick CLKSOURCE bit before enabling SysTick
The workaround now uses portNVIC_SYSTICK_CLK_BIT_CONFIG instead of
portNVIC_SYSTICK_CLK_BIT, which saves us from having to explain in the
comments why it's OK to temporarily set the CLKSOURCE bit even if the
user's FreeRTOS configuration clears the CLKSOURCE bit.
Using portNVIC_SYSTICK_CLK_BIT_CONFIG here still correctly prevents the
firmware from triggering the QEMU bug.
Memory Protection Unit (MPU) Enhancements
This commit introduces a new MPU wrapper that places additional
restrictions on unprivileged tasks. The following is the list of changes
introduced with the new MPU wrapper:
1. Opaque and indirectly verifiable integers for kernel object handles:
All the kernel object handles (for example, queue handles) are now
opaque integers. Previously object handles were raw pointers.
2. Saving the task context in Task Control Block (TCB): When a task is
swapped out by the scheduler, the task's context is now saved in its
TCB. Previously the task's context was saved on its stack.
3. Execute system calls on a separate privileged only stack: FreeRTOS
system calls, which execute with elevated privilege, now use a
separate privileged only stack. Previously system calls used the
calling task's stack. The application writer can control the size of
the system call stack using new configSYSTEM_CALL_STACK_SIZE config
4. Memory bounds checks: FreeRTOS system calls which accept a pointer
and de-reference it, now verify that the calling task has required
permissions to access the memory location referenced by the pointer.
5. System call restrictions: The following system calls are no longer
available to unprivileged tasks:
- vQueueDelete
- xQueueCreateMutex
- xQueueCreateMutexStatic
- xQueueCreateCountingSemaphore
- xQueueCreateCountingSemaphoreStatic
- xQueueGenericCreate
- xQueueGenericCreateStatic
- xQueueCreateSet
- xQueueRemoveFromSet
- xQueueGenericReset
- xTaskCreate
- xTaskCreateStatic
- vTaskDelete
- vTaskPrioritySet
- vTaskSuspendAll
- xTaskResumeAll
- xTaskGetHandle
- xTaskCallApplicationTaskHook
- vTaskList
- vTaskGetRunTimeStats
- xTaskCatchUpTicks
- xEventGroupCreate
- xEventGroupCreateStatic
- vEventGroupDelete
- xStreamBufferGenericCreate
- xStreamBufferGenericCreateStatic
- vStreamBufferDelete
- xStreamBufferReset
Also, an unprivileged task can no longer use vTaskSuspend to suspend
any task other than itself.
We thank the following people for their inputs in these enhancements:
- David Reiss of Meta Platforms, Inc.
- Lan Luo, Xinhui Shao, Yumeng Wei, Zixia Liu, Huaiyu Yan and Zhen Ling
of School of Computer Science and Engineering, Southeast University,
- Xinwen Fu of Department of Computer Science, University of
Massachusetts Lowell, USA.
- Yuequi Chen, Zicheng Wang, Minghao Lin of University of Colorado
Boulder, USA.
* Remove __NVIC_PRIO_BITS and configPRIO_BITS check in CM3, CM4 and ARMv8.
* Add hardware not implemented bits check. These bits should be zero.
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* Armv8-M: Formatting changes
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Armv8-M: Add support for interrupt priority check
FreeRTOS provides `FromISR` system calls which can be called directly
from interrupt service routines. It is crucial that the priority of
these ISRs is set to same or lower value (numerically higher) than that
of `configMAX_SYSCALL_INTERRUPT_PRIORITY`. For more information refer
to https://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html.
Add a check to trigger an assert when an ISR with priority higher
(numerically lower) than `configMAX_SYSCALL_INTERRUPT_PRIORITY` calls
`FromISR` system calls if `configASSERT` macro is defined.
In addition, add a config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` to disable interrupt
priority check while running on QEMU. Based on the discussion
https://gitlab.com/qemu-project/qemu/-/issues/1122, The interrupt
priority bits in QEMU do not match the real hardware. Therefore the
assert that checks the number of implemented bits and __NVIC_PRIO_BITS
will always fail. The config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` should be defined in the
`FreeRTOSConfig.h` for QEMU targets.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Use SHPR2 for calculating interrupt priority bits
This removes the dependency on the secure software to mark the interrupt
as non-secure.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* Add better pointer declaration readability
I revised the declaration of single-line pointers by splitting it into
multiple lines. Now, every pointer is declared (and initialized
accordingly) on its own line. This refactoring should enhance
readability and decrease the probability of error when a new pointer is
added/removed or a current one has its initialization value modified.
Signed-off-by: Cristian Cristea <cristiancristea00@gmail.com>
* Remove unnecessary whitespace characters and lines
It removes whitespace characters at the end of lines (empty or
othwerwise) and clear lines at the end of the file (only one remains).
It is an automatic operation done by git.
Signed-off-by: Cristian Cristea <cristiancristea00@gmail.com>
Signed-off-by: Cristian Cristea <cristiancristea00@gmail.com>
* Add supposrt for ARM CM55
* Fix file header
* Remove duplicate code
* Refactor portmacro.h
1. portmacro.h is re-factored into 2 parts - portmacrocommon.h which is
common to all ARMv8-M ports and portmacro.h which is different for
different compiler and architecture. This enables us to provide
Cortex-M55 ports without code duplication.
2. Update copy_files.py so that it copies Cortex-M55 ports correctly -
all files except portmacro.h are used from Cortex-M33 ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>