MPU API #8335
platform/mbed_mpu_mgmt.c
Outdated
core_util_critical_section_enter(); | ||
if (mem_xn_lock == USHRT_MAX) { | ||
core_util_critical_section_exit(); | ||
MBED_ERROR1(MBED_MAKE_ERROR(MBED_MODULE_HAL, MBED_ERROR_CODE_OVERFLOW), "Memory execute never lock overflow (> USHRT_MAX)", mem_xn_lock); |
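Review bot: the guard `if (mem_xn_lock == USHRT_MAX)` refuses the increment before the counter can wrap, which is right, but the message "Memory execute never lock overflow (> USHRT_MAX)" together with the `mem_xn_lock` argument reports a value that is still exactly USHRT_MAX; phrase it as the lock count having reached USHRT_MAX so a crash log is not read as an already-wrapped counter. Leaving the critical section before MBED_ERROR1 is fine on the assumption that the error path does not return.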
Should the module be MBED_MODULE_PLATFORM or MBED_MODULE_HAL? Since the code is under platform, should that be MBED_MODULE_PLATFORM?
I changed this to MBED_MODULE_PLATFORM since it is under the platform directory.
Made the following changes:
Added a design doc and title of this PR. I also removed Need work since this can be merged once everyone is happy with it.
At the minute, because mbed OS doesn't touch the MPU, targets can and do use it to configure particular requirements about, for example, marking SRAM regions for Ethernet or similar buffers Shareable/Non-cacheable. I think you may need some sort of hook to allow that, or maybe just reserve some region numbers for target use - e.g. don't touch regions 4 and up.
@kjbracey-arm the default implementation here is for the ARMv7m MPU which I don't see being used in any of the targets. I know some Kinetis devices turn off their MPU for certain operations but Kinetis devices have a custom MPU, so this change won't affect them. Which targets did you see changing MPU settings? Are any targets with an Arm MPU using it?
@SenRamakri @ARMmbed/mbed-os-hal @bulislaw @flit @dreemkiller @donatieng @deepikabhavnani @TacoGrandeTX
I rebased this to master and added a commit to disable the MPU when doing flash programming.
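As an added example (not mbed OS code) of the ARMv7-M MPU mechanism the default implementation above relies on: one SRAM region is encoded as read/write but execute-never, the MPU is enabled with the default memory map kept for everything else, and the same control write turns it off again for cases like flash programming. The MPU_Type struct is a constructed host-side stand-in for the memory-mapped register block, and the S/C/B memory attributes are an assumption; the bit layout follows the ARMv7-M Architecture Reference Manual.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the ARMv7-M MPU register block at 0xE000ED90,
 * so the code runs on a host; on target use the CMSIS MPU pointer instead. */
typedef struct {
    volatile uint32_t TYPE;  /* number of supported regions */
    volatile uint32_t CTRL;  /* ENABLE bit 0, PRIVDEFENA bit 2 */
    volatile uint32_t RNR;   /* region number register */
    volatile uint32_t RBAR;  /* ADDR[31:5], VALID bit 4, REGION[3:0] */
    volatile uint32_t RASR;  /* XN 28, AP[26:24], TEX[21:19], S/C/B 18..16, SRD[15:8], SIZE[5:1], ENABLE 0 */
} MPU_Type;

#define MPU_CTRL_ENABLE     (1u << 0)
#define MPU_CTRL_PRIVDEFENA (1u << 2)   /* unmapped privileged accesses keep the default map */
#define MPU_RASR_XN         (1u << 28)  /* execute-never */
#define MPU_RASR_AP_FULL    (3u << 24)  /* RW for privileged and unprivileged */
#define MPU_RASR_SCB        (7u << 16)  /* S=C=B=1: shareable, cacheable normal memory (assumed) */

/* RASR value for a 2^size_log2-byte region (size_log2 >= 5), full RW access,
 * normal memory, optionally execute-never. The SIZE field is size_log2 - 1. */
uint32_t mpu_rasr_encode(unsigned size_log2, bool execute_never)
{
    uint32_t rasr = MPU_RASR_AP_FULL | MPU_RASR_SCB | ((uint32_t)(size_log2 - 1) << 1) | 1u;
    return execute_never ? (rasr | MPU_RASR_XN) : rasr;
}

/* Program `region` to cover [base, base + 2^size_log2) as execute-never.
 * base must be aligned to the region size; returns false on bad input. */
bool mpu_set_xn_region(MPU_Type *mpu, unsigned region, uint32_t base, unsigned size_log2)
{
    if (size_log2 < 5 || size_log2 > 32 || region > 15) return false;
    if (base & (uint32_t)((1ull << size_log2) - 1)) return false;  /* misaligned base */
    mpu->RNR  = region;
    mpu->RBAR = (base & 0xFFFFFFE0u) | (1u << 4) | region;  /* VALID: RBAR also selects the region */
    mpu->RASR = mpu_rasr_encode(size_log2, true);
    return true;
}

/* Turn the MPU on, or off (e.g. around flash programming). On target a DSB/ISB
 * pair must follow the CTRL write so the new map takes effect before the next access. */
void mpu_set_enabled(MPU_Type *mpu, bool on)
{
    mpu->CTRL = on ? (MPU_CTRL_PRIVDEFENA | MPU_CTRL_ENABLE) : 0u;
}
```

For a 128 KB SRAM at 0x20000000, `mpu_set_xn_region(&mpu, 0, 0x20000000u, 17)` followed by `mpu_set_enabled(&mpu, true)` leaves code in SRAM readable and writable but not executable.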
+1 for the design docs. Please make sure docs are in place both for the platform and porting guide sides.
- System integration so the execution from RAM is disabled by default | ||
- Initial porting for the Arm MPU | ||
|
||
The goal of this is to increase security for a large number of devices by disabling execution from ram it is not required. |
disabling execution from ram it is not required.
what's not required?
Good catch, this should be disabling execution from ram when it is not required
hal/mbed_mpu_api.c
Outdated
} | ||
|
||
/* | ||
* ARMv6m and ARMv7m memory map: |
Would it make sense to allow platforms override default memory map on hal level?
This may be required if there is a target with non-standard memory, but for now there isn't a good reason to.
We discussed one fix https://github.com/ARMmbed/mbed-os/pull/8335/files#diff-891ef2631c17d62d627a2598292b2ebeR81, which is needed. Apart from that it looks good. Thanks 👍
Added fixes, an RAII XN API and rebased on master.
Great stuff @c1728p9
@ARMmbed/mbed-os-maintainers please hold CI for now, v8M support is coming
@dreemkiller would you be able to check this?
Restarting CI
I restarted travis (already second time, having networking issues, not related)
Third time's the charm 🤔 - restarted again
😭
@donatieng Somehow, it looks like Travis is searching for the head branch in ARMmbed's repo instead of @c1728p9's fork. Looking into what we can do for now. Might end up either reopening the PR or cloning the contents of this PR into ARMmbed:mpu to allow the PR to progress.
@cmonr Yes just noticed the same: git clone --depth=50 --branch=mpu https://github.com/ARMmbed/mbed-os.git ARMmbed/mbed-os
Trying a thing. Standby.
Trying another thing.
Test run: SUCCESS. Summary: 4 of 4 test jobs passed
Hi, I've just tried to update to the latest master and my code size has increased considerably because of this PR. I was somewhat surprised!
An increase of 824 bytes feels like a lot, to me, for something I didn't ask for! :-; I can mitigate this slightly by defining
But now it feels like I've got 406 bytes of completely pointless code in mbed_mpu_mgmt.c. I'm using the develop profile and errors are enabled. Some space could/would be saved by removing the error messages. My target is a STM32L442 and luckily I've got some spare code flash at the moment. I've got more code to write though. Obviously security is a really important subject but shouldn't it be possible to disable this feature so that it has zero impact?? Our device has proprietary LoRaWAN and NFC interfaces (there's no network or Internet connection). I'm wondering how exposed we are to exploits such as buffer overrun attacks. (If we'd finished our software on time I never would have noticed this PR or realised that the ARM M4 had an MPU.) Perhaps security professionals would suggest this is exactly the attitude that has caused all the great security breaches! :-}
Thanks @mattbrown015 for the feedback, we will review
@mattbrown015 Would you mind migrating this to an issue, so that we can track and assign it properly?
@c1728p9 this memory increase is unacceptable, I'm considering actually switching this feature off by default for now. Please can you look at it ASAP.
That mbed_mpu_mgmt code should only be activated if someone is trying to deactivate protection at runtime. The only in-tree user is I can knock up a quick PR addressing #9007 and also cutting down the memory use when it's enabled.
We are using Up until #8335 I didn't even realise the M4 had a MPU so we're not explicitly doing anything about memory protection. Obviously that implies some issues on our part but we're trying to get this project finished so I think it is a bit late for us to make many changes.
Description
Add a minimalistic HAL MPU API with the ability to prevent execution in ram. Enable this by default.
This is just a preliminary patchset intended for testing and feedback.