First box to call NVIC owns the interrupt

[niklarm]

This also copies the initial VTOR table from flash to ram and sets correct priority. That way, statically allocated interrupts are preserved and need only be enabled.

cc @AlessandroA @Patater

[Patater]

Use command tense in commit messages.

Consider replacing First box to call NVIC owns the interrupt with Make vIRQ functions claim unclaimed IRQs

[Patater]

We wouldn't need this check if, instead of UNVIC_VECTOR_UNUSED, we use an invalid box ID define (which we may need to create). Simply checking uv->id != g_active_box would be good enough.

[Patater]

We wouldn't have to do this check if UNVIC_VECTOR_UNUSED were replaced with an invalid box ID define.

[niklarm]

Yup, this same mechanism is used in page allocator. I'll make it generic then.

[Patater]

Is registering the user interrupt table interrupts with the public box really necessary? It sounds like a nice thing to do at first glance, but given that interrupts must be enabled before use, isn't just having enable (and the other vIRQ functions) register for the interrupt good enough? Is there some case I'm missing where an interrupt in the user interrupt table can be used without calling one of the NVIC or vIRQ functions?

If it is possible for a user to use an interrupt without calling any NVIC (or vIRQ) functions, how easy is it for a user to change the user interrupt table? Does a user need to change mbed OS code?

On the surface, I agree with this change. Interrupts in the user interrupt table are "legacy" interrupts and should be removed in favor of using the "non-legacy" vIRQ API. This fits with the uVisor story well of: the public box is for backwards compatibility; to do things with secure boxes you need to use uVisor APIs. However, if it is too hard to remove some interrupt from the user interrupt table (and I'd argue that having to change a local copy of mbed OS is too hard), then I think usability goes out the window if there is no other way to unregister the interrupt from the public box. We may need to rethink including the ability for a box to unregister interrupts.

[Patater]

Nevermind. You are only setting the priority, not claiming the IRQ. Good job.

[Patater]

Instead of halting, which shuts down the entire system even on release builds, consider debug asserting so we can catch programmer mistakes, but silently not fulfill the request in release builds. This will allow us to write tests that make sure we handle interrupt ownership contention. Note that this will require changes to all functions that call unvic_acl_check, as the function can now return in the case where the IRQ is registered, but not to the caller. All functions using unvic_acl_check will have to deal with: IRQ unclaimed, IRQ claimed by current box, IRQ claimed by other box.

[niklarm]

Updated for review.

[Patater]

If this were in vmpu_exports.h, we wouldn't have to redefine it as -1 in the unsupported files.

[niklarm]

Good point.

[Patater]

The registration of an irqn to a box is something we do often in these functions. Consider placing this into an itty bitty static function, so we don't have to repeat the code and DPRINTF string so much.

Heck, even the call and check of unvic_acl_check is done very often. Maybe a new function like unvic_irq_register would be good. You'd use it like so.

/* Attempt to register for the IRQ. */
if (!unvic_irq_register(irqn)) {
    /* We couldn't claim the interrupt. */
    return 0;
}

This is just a suggestion. Do what you think makes sense.

[Patater]

OK

[Patater]

Use complete sentences (with capital letter and correct punctuation) for new comments.

[Patater]

Add space before (

[Patater]

Other than a little missing space, LGTM

[Patater]

Add space before (

[AlessandroA]

@niklas-arm As part of this PR you should also quickly update the docs. Please scan the docs folder for occurrences of the NVIC APIs. While the APIs haven't changed, the underlying behavior has.

This includes at least:

• https://github.com/ARMmbed/uvisor/blob/master/docs/api/API.md
• https://github.com/ARMmbed/uvisor/blob/master/docs/api/QUICKSTART.md

Please specify the new behavior (no need to set an ISR first; first box touching an IRQ gets the IRQ; you cannot release ownership of an IRQ; if you don't set an IRQ you get the box 0 default one).

[AlessandroA]

Here and in other similar instances return should be replaced with an HALT_ERROR, so the user gets a notification, the NVIC API does not silently fail, and the system halts exactly at that point.

The backward compatibility introduced by this PR still allows legacy code to work as expected.

As @Patater points out this is a source of DoS, and it will be solved when we will support individually-killable boxes.

[niklarm]

I "fixed" this by halting in the unvic_acl_check function. This prevents duplicate code and restores the original behavior.

[AlessandroA]

Yup! The return gives the wrong expectation, though. Even if we use hardcoded IRQ ACLs, the API will never be meant to return if the IRQ is not registered to the calling box.

Consider replacing occurrences of:

if (!unvic_isr_register(irqn)) {
        return;
}

with:

/* This function halts if the IRQ is owned by another box or by uVisor. */
unvic_isr_register(irqn)

[AlessandroA]

(If instead you want to keep the semantics by which unvic_isr_register(irqn) returns the ownership status of irqn, you will have to halt from every function that calls that function. I like this semantics so I'd rather duplicate the HALT_ERROR. @Patater ?)

[niklarm]

-1 for duplication, I'll call the function without if.

[AlessandroA]

-uint32_t ii=0;
+uint32_t ii = 0;

The ii is very MATLAB-y 😄

[AlessandroA]

Could you add a comment here specifying the reason why this is needed and the consequences? In particular, it's important to specify that if a secure box code enables an IRQ before setting its ISR, the IRQ might be immediately served by the static ISR, which is out of the secure box control (because it's usually set by box 0/the host OS).

Related to this: #403 (comment).

[AlessandroA]

Yup! The return gives the wrong expectation, though. Even if we use hardcoded IRQ ACLs, the API will never be meant to return if the IRQ is not registered to the calling box.

Consider replacing occurrences of:

if (!unvic_isr_register(irqn)) {
        return;
}

with:

/* This function halts if the IRQ is owned by another box or by uVisor. */
unvic_isr_register(irqn)

[AlessandroA]

Now the return values from both unvic_acl_check and unvic_isr_register do not make sense anymore. I'd rather have unvic_acl_check return the ownership status and unvic_isr_register be a void function that either registers the IRQ or halts.

[niklarm]

Updated.

[AlessandroA]

Thanks a lot for the changes, it's a very neat PR! I left a couple of comments for minor fixes (remember to fix the style when you happen to modify a line with a broken style).

I think this doc still needs an update: https://github.com/ARMmbed/uvisor/blob/master/docs/api/API.md#low-level-apis (the vIRQ_SetVector API in particular).

LGTM after those fixes 👍

[AlessandroA]

\n\r ---> \r\n

[AlessandroA]

/* Clear pending IRQ. */

[AlessandroA]

/* Set pending IRQ. */

[AlessandroA]

/* Save the unprivileged handler. */

[AlessandroA]

retest uvisor

[AlessandroA]

retest uvisor

[AlessandroA]

retest uvisor

[AlessandroA]

retest uvisor