This PR adds Access Control to kernel objects on a per task basis to MPU
ports. The following needs to be defined in the `FreeRTOSConfig.h` to
enable this feature:
```c
```
This PR adds the following new APIs:
```c
void vGrantAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToGrantAccess );
void vRevokeAccessToTask( TaskHandle_t xTask,
TaskHandle_t xTaskToRevokeAccess );
void vGrantAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToGrantAccess );
void vRevokeAccessToSemaphore( TaskHandle_t xTask,
SemaphoreHandle_t xSemaphoreToRevokeAccess );
void vGrantAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToGrantAccess );
void vRevokeAccessToQueue( TaskHandle_t xTask,
QueueHandle_t xQueueToRevokeAccess );
void vGrantAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToGrantAccess );
void vRevokeAccessToQueueSet( TaskHandle_t xTask,
QueueSetHandle_t xQueueSetToRevokeAccess );
void vGrantAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToGrantAccess );
void vRevokeAccessToEventGroup( TaskHandle_t xTask,
EventGroupHandle_t xEventGroupToRevokeAccess );
void vGrantAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToGrantAccess );
void vRevokeAccessToStreamBuffer( TaskHandle_t xTask,
StreamBufferHandle_t xStreamBufferToRevokeAccess );
void vGrantAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToGrantAccess );
void vRevokeAccessToMessageBuffer( TaskHandle_t xTask,
MessageBufferHandle_t xMessageBufferToRevokeAccess );
void vGrantAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToGrantAccess );
void vRevokeAccessToTimer( TaskHandle_t xTask,
TimerHandle_t xTimerToRevokeAccess );
```
An unprivileged task by default has access to itself only and no other
kernel object. The application writer needs to explicitly grant an
unprivileged task access to all the kernel objects it needs. The best
place to do that is before starting the scheduler when all the kernel
objects are created.
For example, let's say an unprivileged tasks needs access to a queue and
an event group, the application writer needs to do the following:
```c
vGrantAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vGrantAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
```
The application writer MUST revoke all the accesses before deleting a
task. Failing to do so will result in undefined behavior. In the above
example, the application writer needs to make the following 2 calls
before deleting the task:
```c
vRevokeAccessToQueue( xUnprivilegedTaskHandle, xQueue );
vRevokeAccessToEventGroup( xUnprivilegedTaskHandle, xEventGroup );
```
Earlier the System Call entry from an unprivileged task looked like:
1. SVC for entering system call.
2. System call implementation.
3. SVC for exiting system call.
Now, the system call entry needs to make only one system call
and everything else is handled internally.
This PR also makes the following small changes:
1. Add one struct param for system calls with 5 parameters. This
removes the need for special handling for system calls with 5
parameters.
2. Remove raise privilege SVC when MPU wrapper v2 is used.
3. Add additional run time parameter checks to MPU wrappers
for xTaskGenericNotify and xQueueTakeMutexRecursive APIs.
These changes are tested on the following platforms:
1. STM32H743ZI (Cortex-M7)
2. STM32L152RE (Cortex-M3)
3. Nuvoton M2351 (Cortex-M23)
4. NXP LPC55S69 (Cortex-M33)
* Add runtime parameter checks
This commit adds runtime checks for function parameters
to mpu_wrappers_v2 file. The same checks are performed
in the API implementation using asserts.
Signed-off-by: kar-rahul-aws <karahulx@amazon.com>
Memory Protection Unit (MPU) Enhancements
This commit introduces a new MPU wrapper that places additional
restrictions on unprivileged tasks. The following is the list of changes
introduced with the new MPU wrapper:
1. Opaque and indirectly verifiable integers for kernel object handles:
All the kernel object handles (for example, queue handles) are now
opaque integers. Previously object handles were raw pointers.
2. Saving the task context in Task Control Block (TCB): When a task is
swapped out by the scheduler, the task's context is now saved in its
TCB. Previously the task's context was saved on its stack.
3. Execute system calls on a separate privileged only stack: FreeRTOS
system calls, which execute with elevated privilege, now use a
separate privileged only stack. Previously system calls used the
calling task's stack. The application writer can control the size of
the system call stack using new configSYSTEM_CALL_STACK_SIZE config
macro.
4. Memory bounds checks: FreeRTOS system calls which accept a pointer
and de-reference it, now verify that the calling task has required
permissions to access the memory location referenced by the pointer.
5. System call restrictions: The following system calls are no longer
available to unprivileged tasks:
- vQueueDelete
- xQueueCreateMutex
- xQueueCreateMutexStatic
- xQueueCreateCountingSemaphore
- xQueueCreateCountingSemaphoreStatic
- xQueueGenericCreate
- xQueueGenericCreateStatic
- xQueueCreateSet
- xQueueRemoveFromSet
- xQueueGenericReset
- xTaskCreate
- xTaskCreateStatic
- vTaskDelete
- vTaskPrioritySet
- vTaskSuspendAll
- xTaskResumeAll
- xTaskGetHandle
- xTaskCallApplicationTaskHook
- vTaskList
- vTaskGetRunTimeStats
- xTaskCatchUpTicks
- xEventGroupCreate
- xEventGroupCreateStatic
- vEventGroupDelete
- xStreamBufferGenericCreate
- xStreamBufferGenericCreateStatic
- vStreamBufferDelete
- xStreamBufferReset
Also, an unprivileged task can no longer use vTaskSuspend to suspend
any task other than itself.
We thank the following people for their inputs in these enhancements:
- David Reiss of Meta Platforms, Inc.
- Lan Luo, Xinhui Shao, Yumeng Wei, Zixia Liu, Huaiyu Yan and Zhen Ling
of School of Computer Science and Engineering, Southeast University,
China.
- Xinwen Fu of Department of Computer Science, University of
Massachusetts Lowell, USA.
- Yuequi Chen, Zicheng Wang, Minghao Lin of University of Colorado
Boulder, USA.
* Fix circular dependency in cmake project
Fix for https://github.com/FreeRTOS/FreeRTOS-Kernel/issues/687
In order for custom ports to also break the cycle, they must link
against freertos_kernel_include instead of freertos_kernel.
* Simplify include path
* Remove __NVIC_PRIO_BITS and configPRIO_BITS check in CM3, CM4 and ARMv8.
* Add hardware not implemented bits check. These bits should be zero.
---------
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* Add croutines to the code base
* Add croutine changes to cmake, lexicon and readme
* Add croutine file to portable cmake file
* Add back more references from PR 591
The following is from the MSP430X instruction set -
```
MOVX.W Move source word to destination word.
The source operand is copied to the destination. The source operand is
not affected. Both operands may be located in the full address space.
```
The movx instruction allows both the operands to be located in the full
address space and therefore, works with large data model as well.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Armv8-M: Formatting changes
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Armv8-M: Add support for interrupt priority check
FreeRTOS provides `FromISR` system calls which can be called directly
from interrupt service routines. It is crucial that the priority of
these ISRs is set to same or lower value (numerically higher) than that
of `configMAX_SYSCALL_INTERRUPT_PRIORITY`. For more information refer
to https://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html.
Add a check to trigger an assert when an ISR with priority higher
(numerically lower) than `configMAX_SYSCALL_INTERRUPT_PRIORITY` calls
`FromISR` system calls if `configASSERT` macro is defined.
In addition, add a config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` to disable interrupt
priority check while running on QEMU. Based on the discussion
https://gitlab.com/qemu-project/qemu/-/issues/1122, The interrupt
priority bits in QEMU do not match the real hardware. Therefore the
assert that checks the number of implemented bits and __NVIC_PRIO_BITS
will always fail. The config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` should be defined in the
`FreeRTOSConfig.h` for QEMU targets.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Use SHPR2 for calculating interrupt priority bits
This removes the dependency on the secure software to mark the interrupt
as non-secure.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
---------
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
* Fix cast alignment warning
Without this change, the code produces the following warning when
compiled with `-Wcast-align` flag:
```
cast increases required alignment of target type
```
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
This commit updates the checks for the variable uxSchedulerSuspended in
tasks.c module to use a uniform format.
Signed-off-by: Sudeep Mohanty <sudp.mohanty@gmail.com>
Adjust assertions related to the CMSIS __NVIC_PRIO_BITS and FreeRTOS
configPRIO_BITS configuration macros such that these macros specify the
minimum number of implemented priority bits supported by a config
build rather than the exact number of implemented priority bits.
Related to Qemu issue #1122
FreeRTOS-Kernel/portable/GCC/ARM_CM4F/port.c:399:41: error: conversion from 'uint32_t' {aka 'long unsigned int'} to 'uint8_t' {aka 'unsigned char'} may change value [-Werror=conversion]
Signed-off-by: Vo Trung Chi <chi.votrung@vn.bosch.com>
