From 748154d55f10f260502eb19bdb81298878543329 Mon Sep 17 00:00:00 2001 From: Daisuke Nojiri Date: Tue, 2 Apr 2013 17:49:59 -0700 Subject: Introducing MPU module for Cortex-M3 Preventing instruction fetch from RAM for Link except iram.text, which is used for hibernation. Stm32 on Snow does not support MPU. Tested on Link using commands 'crash nxtext/nxdata/nxstack', which run code from .iram.text, .data section, and the stack, respectively: ... RAM locked. Exclusion 20005980-200059a0 ... > crash nxtext Running from 20005984 > crash nxdata === PROCESS EXCEPTION: 04 ====== xPSR: 61000000 === r0 :00000000 r1 :0000dff2 r2 :00000005 r3 :0000086d r4 :00000000 r5 :00000032 r6 :2000544c r7 :00000000 r8 :00000000 r9 :20005456 r10:00000000 r11:00000000 r12:20005961 sp :20002748 lr :000008d7 pc :20005960 Instruction access violation mmfs = 1, shcsr = 70001, hfsr = 0, dfsr = 0 =========== Process Stack Contents =========== 200027b0: 0000086d 00000002 0000d504 00009f27 200027c0: 2000544c 20005452 00000000 00000000 200027d0: 00000000 00000000 00000000 00000000 200027e0: 00000000 00000000 00000000 00000cbb Rebooting... > crash nxstack === PROCESS EXCEPTION: 04 ====== xPSR: 20000200 === r0 :00000070 r1 :00000047 r2 :00000000 r3 :200027a8 r4 :00000000 r5 :00000001 r6 :2000544c r7 :00000000 r8 :00000000 r9 :20005456 r10:00000000 r11:00000000 r12:00000002 sp :20002740 lr :00000913 pc :200027ac Instruction access violation mmfs = 1, shcsr = 70001, hfsr = 0, dfsr = 0 =========== Process Stack Contents =========== 200027ac: 00000070 00000047 00000002 0000d57c 200027bc: 00009f9f 2000544c 20005452 00000000 200027cc: 00000000 00000000 00000000 00000000 200027dc: 00000000 00000000 00000000 00000000 Rebooting... BUG=chrome-os-partner:16904 BRANCH=master TEST=stated above Change-Id: I7c6593c527f29609442f33550f9d16755f32297c Signed-off-by: Daisuke Nojiri Reviewed-on: https://chromium-review.googlesource.com/51337 Reviewed-by: Randall Spangler --- chip/lm4/config_chip.h | 1 + common/main.c | 7 +++ common/system_common.c | 21 ++++++++ core/cortex-m/build.mk | 1 + core/cortex-m/ec.lds.S | 11 ++++ core/cortex-m/include/mpu.h | 84 ++++++++++++++++++++++++++++++ core/cortex-m/mpu.c | 121 ++++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 246 insertions(+) create mode 100644 core/cortex-m/include/mpu.h create mode 100644 core/cortex-m/mpu.c diff --git a/chip/lm4/config_chip.h b/chip/lm4/config_chip.h index 9fbda8d970..1ade3365f4 100644 --- a/chip/lm4/config_chip.h +++ b/chip/lm4/config_chip.h @@ -117,6 +117,7 @@ #define CONFIG_LPC #define CONFIG_PECI #define CONFIG_SWITCH +#define CONFIG_MPU /* Compile for running from RAM instead of flash */ /* #define COMPILE_FOR_RAM */ diff --git a/common/main.c b/common/main.c index 9a5a75f1cd..ec4bc2b48c 100644 --- a/common/main.c +++ b/common/main.c @@ -17,6 +17,9 @@ #include "hooks.h" #include "jtag.h" #include "keyboard_scan.h" +#ifdef CONFIG_MPU +#include "mpu.h" +#endif #include "system.h" #include "task.h" #include "timer.h" @@ -40,6 +43,10 @@ test_mockable int main(void) board_config_pre_init(); #endif +#ifdef CONFIG_MPU + mpu_pre_init(); +#endif + /* Configure the pin multiplexers and GPIOs */ jtag_pre_init(); gpio_pre_init(); diff --git a/common/system_common.c b/common/system_common.c index ecf72c0782..55ea35d20d 100644 --- a/common/system_common.c +++ b/common/system_common.c @@ -13,6 +13,9 @@ #include "hooks.h" #include "host_command.h" #include "lpc.h" +#ifdef CONFIG_MPU +#include "mpu.h" +#endif #include "panic.h" #include "system.h" #include "task.h" @@ -212,6 +215,24 @@ const uint8_t *system_get_jump_tag(uint16_t tag, int *version, int *size) void system_disable_jump(void) { disable_jump = 1; + +#ifdef CONFIG_MPU + /* + * Lock down memory + * TODO: Lock down other images (RO or RW) not running. + */ + { + int mpu_error = mpu_protect_ram(); + if (mpu_error == EC_SUCCESS) { + mpu_enable(); + CPRINTF("RAM locked. Exclusion %08x-%08x\n", + &__iram_text_start, &__iram_text_end); + } else { + CPRINTF("Failed to lock RAM. mpu_type:%08x. error:%d\n", + mpu_get_type(), mpu_error); + } + } +#endif } test_mockable enum system_image_copy_t system_get_image_copy(void) diff --git a/core/cortex-m/build.mk b/core/cortex-m/build.mk index 5a7877bd02..5f036bc522 100644 --- a/core/cortex-m/build.mk +++ b/core/cortex-m/build.mk @@ -16,3 +16,4 @@ CFLAGS_CPU+=$(CFLAGS_FPU-y) core-y=cpu.o init.o panic.o switch.o task.o timer.o core-$(CONFIG_WATCHDOG)+=watchdog.o +core-$(CONFIG_MPU)+=mpu.o diff --git a/core/cortex-m/ec.lds.S b/core/cortex-m/ec.lds.S index 115310bc28..6d858abd15 100644 --- a/core/cortex-m/ec.lds.S +++ b/core/cortex-m/ec.lds.S @@ -162,9 +162,20 @@ SECTIONS __data_start = .; *(.data.tasks) *(.data) +#ifdef CONFIG_MPU + /* It has to be aligned by 32 bytes to be a valid MPU region. */ + . = ALIGN(32); + __iram_text_start = .; +#else . = ALIGN(4); +#endif *(.iram.text) +#ifdef CONFIG_MPU + . = ALIGN(32); + __iram_text_end = .; +#else . = ALIGN(4); +#endif __data_end = .; /* Shared memory buffer must be at the end of preallocated RAM, so it diff --git a/core/cortex-m/include/mpu.h b/core/cortex-m/include/mpu.h new file mode 100644 index 0000000000..c3a632aff7 --- /dev/null +++ b/core/cortex-m/include/mpu.h @@ -0,0 +1,84 @@ +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +/* MPU module for Cortex-M3 */ + +#ifndef __CROS_EC_MPU_H +#define __CROS_EC_MPU_H + +#include "common.h" + +#define MPU_TYPE REG32(0xe000ed90) +#define MPU_CTRL REG32(0xe000ed94) +#define MPU_NUMBER REG32(0xe000ed98) +#define MPU_BASE REG32(0xe000ed9c) +#define MPU_SIZE REG16(0xe000eda0) +#define MPU_ATTR REG16(0xe000eda2) + +#define MPU_CTRL_PRIVDEFEN (1 << 2) +#define MPU_CTRL_HFNMIENA (1 << 1) +#define MPU_CTRL_ENABLE (1 << 0) +#define MPU_ATTR_NX (1 << 12) +#define MPU_ATTR_NOACCESS (0 << 8) +#define MPU_ATTR_FULLACCESS (3 << 8) +/* Suggested in table 3-6 of Stellaris LM4F232H5QC Datasheet and table 38 of + * STM32F10xxx Cortex-M3 programming manual for internal sram. */ +#define MPU_ATTR_INTERNALSRAM 6 + +/** + * Configure a region + * + * region: Number of the region to update + * addr: Base address of the region + * size: Size of the region in bytes + * attr: Attribute of the region. Current value will be overwritten if enable + * is set. + * enable: Enables the region if non zero. Otherwise, disables the region. + * + * Returns EC_SUCCESS on success or EC_ERROR_INVAL if a parameter is invalid. + */ +int mpu_config_region(uint8_t region, uint32_t addr, uint32_t size, + uint16_t attr, uint8_t enable); + +/** + * Set a region non-executable. + * + * region: number of the region + * addr: base address of the region + * size: size of the region in bytes + */ +int mpu_nx_region(uint8_t region, uint32_t addr, uint32_t size); + +/** + * Enable MPU */ +void mpu_enable(void); + +/** + * Returns the value of MPU type register + * + * Bit fields: + * [15:8] Number of the data regions implemented or 0 if MPU is not present. + * [1] 0: unified (no distinction between instruction and data) + * 1: separated + */ +uint32_t mpu_get_type(void); + +/* Location of iram.text */ +extern char __iram_text_start; +extern char __iram_text_end; + +/** + * Lock down RAM + */ +int mpu_protect_ram(void); + +/** + * Initialize MPU. + * It disables all regions if MPU is implemented. Otherwise, returns + * EC_ERROR_UNIMPLEMENTED. + */ +int mpu_pre_init(void); + +#endif /* __CROS_EC_MPU_H */ diff --git a/core/cortex-m/mpu.c b/core/cortex-m/mpu.c new file mode 100644 index 0000000000..23d434d7e6 --- /dev/null +++ b/core/cortex-m/mpu.c @@ -0,0 +1,121 @@ +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +/* MPU module for Chrome EC */ + +#include "mpu.h" +#include "console.h" +#include "registers.h" +#include "task.h" +#include "util.h" + +/** + * Update a memory region. + * + * region: number of the region to update + * addr: base address of the region + * size_bit: size of the region in power of two. + * attr: attribute of the region. Current value will be overwritten if enable + * is set. + * enable: enables the region if non zero. Otherwise, disables the region. + * + * Based on 3.1.4.1 'Updating an MPU Region' of Stellaris LM4F232H5QC Datasheet + */ +static void mpu_update_region(uint8_t region, uint32_t addr, uint8_t size_bit, + uint16_t attr, uint8_t enable) +{ + asm volatile("isb; dsb;"); + + MPU_NUMBER = region; + MPU_SIZE &= ~1; /* Disable */ + if (enable) { + MPU_BASE = addr; + MPU_ATTR = attr; + MPU_SIZE = (size_bit - 1) << 1 | 1; /* Enable */ + } + + asm volatile("isb; dsb;"); +} + +int mpu_config_region(uint8_t region, uint32_t addr, uint32_t size, + uint16_t attr, uint8_t enable) +{ + int size_bit = 0; + + if (!size) + return -EC_ERROR_INVAL; + while (!(size & 1)) { + size_bit++; + size >>= 1; + } + /* Region size must be a power of 2 (size == 0) and equal or larger than + * 32 (size_bit >= 5) */ + if (size > 1 || size_bit < 5) + return -EC_ERROR_INVAL; + + mpu_update_region(region, addr, size_bit, attr, enable); + + return EC_SUCCESS; +} + +int mpu_nx_region(uint8_t region, uint32_t addr, uint32_t size) +{ + return mpu_config_region( + region, addr, size, + MPU_ATTR_NX | MPU_ATTR_FULLACCESS | MPU_ATTR_INTERNALSRAM, 1); +} + +void mpu_enable(void) +{ + MPU_CTRL |= MPU_CTRL_PRIVDEFEN | MPU_CTRL_HFNMIENA | MPU_CTRL_ENABLE; +} + +void mpu_disable(void) +{ + MPU_CTRL &= ~(MPU_CTRL_PRIVDEFEN | MPU_CTRL_HFNMIENA | MPU_CTRL_ENABLE); +} + +uint32_t mpu_get_type(void) +{ + return MPU_TYPE; +} + +/** + * Prevent code from running on RAM. + * We need to allow execution from iram.text. Using higher region# allows us to + * do 'whitelisting' (lock down all then create exceptions). + */ +int mpu_protect_ram(void) +{ + int ret; + + ret = mpu_nx_region(0, CONFIG_RAM_BASE, CONFIG_RAM_SIZE); + if (ret != EC_SUCCESS) + return ret; + + ret = mpu_config_region( + 7, (uint32_t)&__iram_text_start, + (uint32_t)(&__iram_text_end - &__iram_text_start), + MPU_ATTR_FULLACCESS | MPU_ATTR_INTERNALSRAM, 1); + + return ret; +} + +int mpu_pre_init(void) +{ + int i; + + if (mpu_get_type() != 0x00000800) + return EC_ERROR_UNIMPLEMENTED; + + mpu_disable(); + for (i = 0; i < 8; ++i) { + mpu_config_region( + i, CONFIG_RAM_BASE, CONFIG_RAM_SIZE, + MPU_ATTR_FULLACCESS | MPU_ATTR_INTERNALSRAM, 0); + } + + return EC_SUCCESS; +} -- cgit v1.2.1