It was possible for a third party that had already independently gained
the ability to execute injected code to achieve further privilege
escalation by branching directly inside a FreeRTOS MPU API wrapper
function with a manually crafted stack frame. This commit removes the
local stack variable `xRunningPrivileged` so that a manually crafted
stack frame cannot be used for privilege escalation by branching
directly inside a FreeRTOS MPU API wrapper.
We thank Certibit Consulting, LLC, Huazhong University of Science and
Technology and the SecLab team at Northeastern University for reporting
this issue.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
ARMv7-M allows overlapping MPU regions. When 2 MPU regions overlap, the
MPU configuration of the higher numbered MPU region is applied. For
example, if a memory area is covered by 2 MPU regions 0 and 1, the
memory permissions for MPU region 1 are applied.
We use 5 MPU regions for kernel code and kernel data protections and
leave the remaining for the application writer. We were using lowest
numbered MPU regions (0-4) for kernel protections and leaving the
remaining for the application writer. The application writer could
configure those higher numbered MPU regions to override kernel
protections.
This commit changes the code to use highest numbered MPU regions for
kernel protections and leave the remaining for the application writer.
This ensures that the application writer cannot override kernel
protections.
We thank the SecLab team at Northeastern University for reporting this
issue.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Clarify Cortex M7 r0p1 errata number in r0p1 specific port.
* Add ARM Cortex M7 r0p0 / r0p1 Errata 837070 workaround to CM4 MPU ports.
Optionally, enable the errata workaround by defining configTARGET_ARM_CM7_r0p0 or configTARGET_ARM_CM7_r0p1 in FreeRTOSConfig.h.
* Add r0p1 errata support to IAR port as well
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Change macro name to configENABLE_ERRATA_837070_WORKAROUND
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add supposrt for ARM CM55
* Fix file header
* Remove duplicate code
* Refactor portmacro.h
1. portmacro.h is re-factored into 2 parts - portmacrocommon.h which is
common to all ARMv8-M ports and portmacro.h which is different for
different compiler and architecture. This enables us to provide
Cortex-M55 ports without code duplication.
2. Update copy_files.py so that it copies Cortex-M55 ports correctly -
all files except portmacro.h are used from Cortex-M33 ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
This is needed to support the case when SysTick timer is not clocked
from the same source as CPU. This support already exists in other
Cortex-M ports.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add support for 16 MPU regions to GCC Cortex-M33 TZ port
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Add support for 16 MPU regions to Cortex-M33 NTZ GCC port
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
This commit introduces a new config
configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS which enables developers to
prevent critical sections from unprivileged tasks. It defaults to 1 for
backward compatibility. Application should set it to 0 to disable
critical sections from unprivileged tasks.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
The secure side context management code now checks that the secure
context being saved or restored belongs to the task being switched-out
or switched-in respectively.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
This commit improves ARMv8-M security by pre-allocating secure-side task
context structures and changing how tasks reference a secure-side
context structure when calling a secure function. The new configuration
constant secureconfigMAX_SECURE_CONTEXTS sets the number of secure
context structures to pre-allocate. secureconfigMAX_SECURE_CONTEXTS
defaults to 8 if left undefined.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Use cast to fix warnings.
* Remove all empty definitions of portCLEAN_UP_TCB( pxTCB ) and
portALLOCATE_SECURE_CONTEXT( ulSecureStackSize ) from ports.
When these are undefined, the default empty definition is defined
in FreeRTOS.h.
Critical sections in FreeRTOS are implemented using the following two
functions:
void vPortEnterCritical( void )
{
portDISABLE_INTERRUPTS();
uxCriticalNesting++;
}
void vPortExitCritical( void )
{
uxCriticalNesting--;
if( uxCriticalNesting == 0 )
{
portENABLE_INTERRUPTS();
}
}
uxCriticalNesting is initialized to a large value at the start and set
to zero when the scheduler is started (xPortStartScheduler). As a
result, before the scheduler is started, a pair of enter/exit critical
section will leave the interrupts disabled because uxCriticalNesting
will not reach zero in the vPortExitCritical function. This is done to
ensure that the interrupts remain disabled from the time first FreeRTOS
API is called to the time when the scheduler is started. The scheduler
starting code is expected to enure that interrupts are enabled before
the first task starts executing.
Cortex-M33 ports were not enabling interrupts before starting the first
task and as a result, the first task was started with interrupts
disabled. This PR fixes the issue by ensuring that interrupts are
enabled before the first task is started.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Maintenance: Add readme.txt in each Renesas RX folder to show recomended port
* Update readme.txt in each Renesas RX folder regarding to Notes *1 and *2 (both are RX100 port)
* Style: fix some broken/redirect links
* Fix: atmel url
* Fix microchip typo
* Fix url links
* Fix shortcut link
* Comment: fix line wrapping
* Style: fix line wrapping to 80 chars
* Add now microchip beside Atmel
* Fix link in History
* Add Now Microchip before Atmel link
* Comment: add *
* Style: make freertos.org = FreeRTOS.org also add https
* Style: Fix freertos into FreeRTOS
* Style: Fix freertos into FreeRTOS
Co-authored-by: Alfred Gedeon <gedeonag@amazon.com>
* Style: Change FreeRTOS websites in comments
* Style: Change freertos to FreeRTOS in comments
* Style: Remove broken link
Co-authored-by: Alfred Gedeon <gedeonag@amazon.com>
The TEX, Shareable (S), Cacheable (C) and Bufferable (B) bits define
the memory type, and where necessary the cacheable and shareable
properties of the memory region.
The default values for these bits, as configured in our MPU ports, are
sometimes not suitable for application. One such example is when the MCU
has a cache, the application writer may not want to mark the memory as
shareable to avoid disabling the cache. This change allows the
application writer to override default vales for TEX, S C and B bits for
Flash and RAM in their FreeRTOSConfig.h. The following two new
configurations are introduced:
- configTEX_S_C_B_FLASH
- configTEX_S_C_B_SRAM
If undefined, the default values for the above configurations are
TEX=000, S=1, C=1, B=1. This ensures backward compatibility.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Removed TICK_stop() macro from portable/GCC/{AVR_AVRDx, AVR_Mega0}/porthardware.h because it is not used anywhere.
* Updated indentation in portable/GCC/{AVR_AVRDx, AVR_Mega0}/* files.
* Added portable/IAR/{AVR_AVRDx, AVR_Mega0 folders.
configSYSTICK_CLOCK_HZ should be used to configure SysTick to support
the use case when the clock for SysTick timer is scaled from the main
CPU clock.
configSYSTICK_CLOCK_HZ is defined to configCPU_CLOCK_HZ when it is not
defined in FreeRTOSConfig.h.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
ARMv7-M supports 8 or 16 MPU regions. FreeRTOS Cortex-M4 MPU ports so
far assumed 8 regions. This change adds support for 16 MPU regions. The
hardware with 16 MPU regions must define configTOTAL_MPU_REGIONS to 16
in their FreeRTOSConfig.h.
If left undefined, it defaults to 8 for backward compatibility.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
The reason for the change is that the register is called System Handler
Priority Register 3 (SHPR3).
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Some of the privileged symbols were not being placed in their respective
sections. This commit addresses those and places them in
privileged_functions or privileged_data section.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
If xTaskCreate API is used to create a task, the task's stack is
allocated on heap using pvPortMalloc. This places the task's stack
in the privileged data section, if the heap is placed in the
privileged data section.
We use a separate MPU region to grant a task access to its stack.
If the task's stack is in the privileged data section, this results in
overlapping MPU regions as privileged data section is already protected
using a separate MPU region. ARMv8-M does not allow overlapping MPU
regions and this results in a fault. This commit ensures to not use a
separate MPU region for the task's stack if it lies within the
privileged data section.
Note that if the heap memory is placed in the privileged data section,
the xTaskCreate API cannot be used to create an unprivileged task as
the task's stack will be in the privileged data section and the task
won't have access to it. xTaskCreateRestricted and
xTaskCreateRestrictedStatic API should be used to create unprivileged
tasks.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
