platform: mpu: Allow setting kernel level permissions

Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
tock · Aug 17, 2020 · 5b0d254 · 5b0d254
1 parent 128782d
commit 5b0d254
Showing 1 changed file with 73 additions and 0 deletions.
diff --git a/kernel/src/platform/mpu.rs b/kernel/src/platform/mpu.rs
@@ -266,3 +266,76 @@ pub trait MPU {
 
 /// Implement default MPU trait for unit.
 impl MPU for () {}
+
+/// The generic trait that particular kernel level memory protection unit
+/// implementations need to implement.
+///
+/// This trait provides generic functionality to extend the MPU trait above
+/// to also allow the kernel to protect itself. It is expected that only a
+/// limited number of SoCs can support this, which is why it is a seperate
+/// implementation.
+pub trait KernelMPU {
+    /// MPU-specific state that defines a particular configuration for the kernel
+    /// MPU.
+    /// That is, this should contain all of the required state such that the
+    /// implementation can be passed an object of this type and it should be
+    /// able to correctly and entirely configure the MPU.
+    ///
+    /// It is `Default` so we can create empty state when the kernel is
+    /// created, and `Display` so that the `panic!()` output can display the
+    /// current state to help with debugging.
+    type KernelMpuConfig: Default + Display = MpuConfigDefault;
+
+    /// Mark a region of memory that the Tock kernel owns.
+    ///
+    /// This function will optionally set the MPU to enforce the specified
+    /// constraints for all accessess (even from the kernel).
+    /// This should be used to mark read/write/execute areas of the Tock
+    /// kernel to have the hardware enforce those permissions.
+    ///
+    /// If the KernelMPU trait is supported a board should use this function
+    /// to set permissions for all areas of memory the kernel will use.
+    /// Once all regions of memory have been allocated, the board must call
+    /// enable_kernel_mpu(). After enable_kernel_mpu() is called no changes
+    /// to kernel level code permissions can be made.
+    ///
+    /// Note that kernel level permissions also apply to apps, although apps
+    /// will have more constraints applied on top of the kernel ones as
+    /// specified by the `MPU` trait.
+    ///
+    /// Not all architectures support this, so don't assume this will be
+    /// implemented.
+    ///
+    /// # Arguments
+    ///
+    /// - `memory_start`:             start of memory region
+    /// - `memory_size`:              size of unallocated memory
+    /// - `permissions`:              permissions for the region
+    /// - `config`:                   MPU region configuration
+    ///
+    /// # Return Value
+    ///
+    /// Returns the start and size of the requested memory region. If it is
+    /// infeasible to allocate the MPU region, returns None.
+    #[allow(unused_variables)]
+    fn allocate_kernel_region(
+        &self,
+        memory_start: *const u8,
+        memory_size: usize,
+        permissions: Permissions,
+        config: &mut Self::KernelMpuConfig,
+    ) -> Option<Region>;
+
+    /// Enables the MPU for the kernel.
+    ///
+    /// This function must enable the permission restrictions on the various
+    /// kernel regions specified by `allocate_kernel_region()` protected by
+    /// the MPU.
+    ///
+    /// It is expected that this function is called in `reset_handler()`.
+    ///
+    /// Once enabled this cannot be disabled. It is expected there won't be any
+    /// changes to the kernel regions after this is enabled.
+    #[allow(unused_variables)]
+    fn enable_kernel_mpu(&self, config: &mut Self::KernelMpuConfig);
+}