Memory Protection Unit (MPU) Enhancements (#705)

Memory Protection Unit (MPU) Enhancements

This commit introduces a new MPU wrapper that places additional
restrictions on unprivileged tasks. The following is the list of changes
introduced with the new MPU wrapper:

1. Opaque and indirectly verifiable integers for kernel object handles:
   All the kernel object handles (for example, queue handles) are now
   opaque integers. Previously object handles were raw pointers.

2. Saving the task context in Task Control Block (TCB): When a task is
   swapped out by the scheduler, the task's context is now saved in its
   TCB. Previously the task's context was saved on its stack.

3. Execute system calls on a separate privileged only stack: FreeRTOS
   system calls, which execute with elevated privilege, now use a
   separate privileged only stack. Previously system calls used the
   calling task's stack. The application writer can control the size of
   the system call stack using new configSYSTEM_CALL_STACK_SIZE config
   macro.

4. Memory bounds checks: FreeRTOS system calls which accept a pointer
   and de-reference it, now verify that the calling task has required
   permissions to access the memory location referenced by the pointer.

5. System call restrictions: The following system calls are no longer
   available to unprivileged tasks:
    - vQueueDelete
    - xQueueCreateMutex
    - xQueueCreateMutexStatic
    - xQueueCreateCountingSemaphore
    - xQueueCreateCountingSemaphoreStatic
    - xQueueGenericCreate
    - xQueueGenericCreateStatic
    - xQueueCreateSet
    - xQueueRemoveFromSet
    - xQueueGenericReset
    - xTaskCreate
    - xTaskCreateStatic
    - vTaskDelete
    - vTaskPrioritySet
    - vTaskSuspendAll
    - xTaskResumeAll
    - xTaskGetHandle
    - xTaskCallApplicationTaskHook
    - vTaskList
    - vTaskGetRunTimeStats
    - xTaskCatchUpTicks
    - xEventGroupCreate
    - xEventGroupCreateStatic
    - vEventGroupDelete
    - xStreamBufferGenericCreate
    - xStreamBufferGenericCreateStatic
    - vStreamBufferDelete
    - xStreamBufferReset
   Also, an unprivileged task can no longer use vTaskSuspend to suspend
   any task other than itself.

We thank the following people for their inputs in these enhancements:
- David Reiss of Meta Platforms, Inc.
- Lan Luo, Xinhui Shao, Yumeng Wei, Zixia Liu, Huaiyu Yan and Zhen Ling
  of School of Computer Science and Engineering, Southeast University,
  China.
- Xinwen Fu of Department of Computer Science, University of
  Massachusetts Lowell, USA.
- Yuequi Chen, Zicheng Wang, Minghao Lin of University of Colorado
  Boulder, USA.

portable/GCC/ARM_CM3_MPU/portmacro.h

@@ -104,10 +104,45 @@
         uint32_t ulRegionAttribute;
     } xMPU_REGION_REGISTERS;
 
-/* Plus 1 to create space for the stack region. */
+    typedef struct MPU_REGION_SETTINGS
+    {
+        uint32_t ulRegionStartAddress;
+        uint32_t ulRegionEndAddress;
+        uint32_t ulRegionPermissions;
+    } xMPU_REGION_SETTINGS;
+
+    #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+
+        #ifndef configSYSTEM_CALL_STACK_SIZE
+            #error configSYSTEM_CALL_STACK_SIZE must be defined to the desired size of the system call stack in words for using MPU wrappers v2.
+        #endif
+
+        typedef struct SYSTEM_CALL_STACK_INFO
+        {
+            uint32_t ulSystemCallStackBuffer[ configSYSTEM_CALL_STACK_SIZE ];
+            uint32_t * pulSystemCallStack;
+            uint32_t * pulTaskStack;
+            uint32_t ulLinkRegisterAtSystemCallEntry;
+        } xSYSTEM_CALL_STACK_INFO;
+
+    #endif /* #if ( configUSE_MPU_WRAPPERS_V1 == 0 ) */
+
+    #define MAX_CONTEXT_SIZE 20
+
+    /* Flags used for xMPU_SETTINGS.ulTaskFlags member. */
+    #define portSTACK_FRAME_HAS_PADDING_FLAG     ( 1UL << 0UL )
+    #define portTASK_IS_PRIVILEGED_FLAG          ( 1UL << 1UL )
+
     typedef struct MPU_SETTINGS
     {
         xMPU_REGION_REGISTERS xRegion[ portTOTAL_NUM_REGIONS_IN_TCB ];
+        xMPU_REGION_SETTINGS xRegionSettings[ portTOTAL_NUM_REGIONS_IN_TCB ];
+        uint32_t ulContext[ MAX_CONTEXT_SIZE ];
+        uint32_t ulTaskFlags;
+
+        #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+            xSYSTEM_CALL_STACK_INFO xSystemCallStackInfo;
+        #endif
     } xMPU_SETTINGS;
 
 /* Architecture specifics. */
@@ -118,9 +153,12 @@
 /*-----------------------------------------------------------*/
 
 /* SVC numbers for various services. */
-    #define portSVC_START_SCHEDULER    0
-    #define portSVC_YIELD              1
-    #define portSVC_RAISE_PRIVILEGE    2
+    #define portSVC_START_SCHEDULER     0
+    #define portSVC_YIELD               1
+    #define portSVC_RAISE_PRIVILEGE     2
+    #define portSVC_SYSTEM_CALL_ENTER   3   /* System calls with upto 4 parameters. */
+    #define portSVC_SYSTEM_CALL_ENTER_1 4   /* System calls with 5 parameters. */
+    #define portSVC_SYSTEM_CALL_EXIT    5
 
 /* Scheduler utilities. */
 
@@ -232,6 +270,16 @@
     #define portRESET_PRIVILEGE()    vResetPrivilege()
 /*-----------------------------------------------------------*/
 
+    extern BaseType_t xPortIsTaskPrivileged( void );
+
+/**
+ * @brief Checks whether or not the calling task is privileged.
+ *
+ * @return pdTRUE if the calling task is privileged, pdFALSE otherwise.
+ */
+    #define portIS_TASK_PRIVILEGED()      xPortIsTaskPrivileged()
+/*-----------------------------------------------------------*/
+
     portFORCE_INLINE static BaseType_t xPortIsInsideInterrupt( void )
     {
         uint32_t ulCurrentInterrupt;