
Making Products Safer and More Secure with an MPU
Jean Labrosse | Distinguished Engineer
Embedded World: February 26-28, 2019

An RTOS Provides Multitasking

§ Software that manages the time and resources of a CPU
§ Application is split into multiple tasks
§ The RTOS's job is to run the most important task that is ready-to-run
§ On a single CPU, only one task executes at any given time

Diagram: tasks that are ready-to-run, ordered from high to low priority, each made of code, data and a stack; the RTOS (code) selects the highest-priority ready task and runs it on the CPU (+FPU +MPU; 8, 16, 32 or 64-bit); events are signals/messages coming from tasks or ISRs.

silabs.com | @silabs

An RTOS Provides Services to Your Application

Diagram: layered view of an application built on an RTOS.

Application (Code + Data)
Optional Middleware (Code + Data): TCP/IP, GUI, USB stacks, Bluetooth, etc.
RTOS services:
§ Tasks: OSTaskCreate(..), OSTaskDel(..), OSTaskSuspend(..), OSTaskResume(..), OSTaskChangePrio(..), ...
§ Time: OSTimeDly(..), OSTimeDlyHMSM(..), OSTimeDlyResume(..), OSTimeGet(..), OSTimeSet(..), ...
§ Semaphores: OSSemCreate(..), OSSemDel(..), OSSemPend(..), OSSemPost(..), ...
§ Event Flags: OSFlagCreate(..), OSFlagDel(..), OSFlagPend(..), OSFlagPost(..), ...
§ Mutexes: OSMutexCreate(..), OSMutexDel(..), OSMutexPend(..), OSMutexPost(..), ...
§ Queues: OSQCreate(..), OSQDel(..), OSQPend(..), OSQPost(..), ...
§ Soft Timers: OSTmrCreate(..), OSTmrDel(..), OSTmrStart(..), OSTmrStop(..), ...
§ Memory Blocks: OSMemCreate(..), OSMemDel(..), OSMemGet(..), OSMemPut(..), ...
CPU + FPU (opt) + MPU (opt)

Most RTOSs Are Preemptive

Timeline: the Low Priority Task is running when an event occurs and the CPU enters the ISR; the ISR signals or sends a message to the High Priority Task, which was waiting for that event; on leaving the ISR the RTOS resumes the High Priority Task rather than the interrupted one; when the High Priority Task waits for its next event, the RTOS resumes the Low Priority Task. The diagram marks the RTOS overhead incurred at each of these switches.

    void Low_Prio_Task (void)
    {
        Task initialization;
        while (1) {
            Setup to wait for event;
            Wait for event to occur;
            Perform task operation;
        }
    }

    void ISR (void)
    {
        Entering ISR;
        Perform work;
        Signal or send message to task;
        Perform work;                    /* optional */
        Leaving ISR;
    }

    void High_Prio_Task (void)
    {
        Task initialization;
        while (1) {
            Setup to wait for event;
            Wait for event to occur;
            Perform task operation;
        }
    }

What Is a Task? (a.k.a. )

§ Each task:
  § Is assigned a priority based on its importance
  § Has its own set of CPU registers (thinks it has the CPU all to itself)
  § Requires a stack
  § Manages its own variables, arrays and structures
  § Possibly manages I/O devices
  § Is typically an infinite loop waiting for an event:

        void Task (void)
        {
            Task initialization;
            while (1) {
                Wait for event to occur;
                Perform task operation;
            }
        }

  § Contains mostly the application code

Diagram: a task (with its priority) owns a set of CPU registers (CPU+FPU), a stack (RAM), its variables, arrays and structures (RAM), and optionally one or more I/O devices.

An RTOS without an MPU

§ Without an MPU, RTOS tasks run in Privileged mode
  § Access to all resources
  § Done for performance reasons

§ Drawbacks:
  § Reliability of the system is in the hands of the application code
  § ISRs and tasks have full access to the memory address space
  § Tasks can disable interrupts
  § Task stacks can overflow without detection
  § Code can execute out of RAM
    § Susceptible to code injection attacks
  § A misbehaved task can take the whole system down
  § Expensive to get safety certification for the whole product

Switching Between Tasks

An RTOS with MPU – Model

§ Tasks are grouped by processes
  § Can have multiple tasks per process
§ Memory of one process is not accessible to other processes
  § Unless they share a common memory space
§ ISRs typically have full access to memory
  § Would be very complex otherwise
§ I'll assume a Cortex-M MPU from now on
§ User tasks can't disable/enable interrupts
  § Also cannot alter the interrupt controller settings
  § This is a P/NP (Privileged/Non-Privileged) feature, not an MPU one
  § Requires an SVC handler
§ Task stack overflows can be detected with the MPU
  § Not needed for ARMv8-M because of stack limit registers
§ MPU configuration consists of setting up a process table for each task

RTOS with MPU – Context – Only the OS can Update the MPU

Expanded Process View

Diagram: memory map of one process with its MPU regions numbered 1 to 6: Code Space (1), Peripherals / I/Os (2), the process RAM holding the Process Variables and the Task 1 to Task 4 stacks (3), the stack overflow detection region (4), an unused area (5) and Shared RAM (6); the Heap is drawn in RAM as well.

§ A task can have up to 8 or 16 regions
  § Depends on the on-chip MPU
§ (1) Full access to code space
  § Typically don't limit access to code
§ (2) At least one region for process peripherals (I/O)
  § May need more than one
§ (3) One region to access the RAM for the process
  § On ARMv7-M, size must be a power of 2
  § On ARMv8-M, size doesn't have to be a power of 2
§ (4) One region for stack overflow detection
  § ... see next slide
  § Not needed for ARMv8-M
§ (5) This is unused area
  § On ARMv8-M, this can be as small as 32 bytes
§ (6) Memory to be shared with other processes
  § If needed

Stack Overflow Detection – Two Methods

Diagram: a task stack with its Initial Top-of-Stack at the highest address and stack growth downward; the Used Stack lies above the Current SP and the Free Stack below it. The whole stack is covered by one MPU Region whose Stack Size must be a power of two and whose Base Address is aligned on a power-of-two boundary.
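An added example, not code from the slides or from Micrium OS, that applies the ARMv7-M rules of the last two slides: it refuses a region whose size is not a power of two (or is under 32 bytes) or whose base is not aligned on that size, encodes the MPU_RBAR/MPU_RASR values an RTOS would load for the region, and simulates an unprivileged access so that the push that would move below the stack region's base is flagged as the fault the next slides discuss. Register bit positions are the ARMv7-M PMSAv7 ones; the region table, access permissions and addresses are constructed for the demo.

```c
/* Added example (not Micrium code); ARMv7-M PMSAv7 encoding, constructed addresses. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#define AP_FULL_ACCESS 3u   /* AP[2:0]: privileged RW, unprivileged RW */
#define AP_USER_RO     2u   /* privileged RW, unprivileged RO */

typedef struct {
    uint32_t base;   /* must be aligned on the region size */
    uint32_t size;   /* bytes: power of two, >= 32 */
    uint32_t ap;     /* access permission field */
    bool     xn;     /* eXecute Never: no instruction fetch from this region */
} mpu_region_t;

/* MPU_RBAR = ADDR[31:5] | VALID (bit 4) | REGION[3:0] */
uint32_t mpu_rbar_v7m(const mpu_region_t *r, uint8_t idx)
{
    return (r->base & ~0x1Fu) | (1u << 4) | (idx & 0xFu);
}

/* MPU_RASR = XN (bit 28) | AP[26:24] | SIZE[5:1] | ENABLE; SIZE = log2(bytes) - 1.
 * Returns 0 (region stays disabled) when the size is not a power of two of at
 * least 32 bytes or the base is not aligned on the size: the ARMv7-M rules above. */
uint32_t mpu_rasr_v7m(const mpu_region_t *r)
{
    if (r->size < 32u || (r->size & (r->size - 1u)) || (r->base & (r->size - 1u)))
        return 0u;
    uint32_t size_field = 0;
    while ((1u << (size_field + 1u)) < r->size) size_field++;
    return ((uint32_t)r->xn << 28) | (r->ap << 24) | (size_field << 1) | 1u;
}

/* Simulated unprivileged data access: the highest-numbered region covering the
 * address decides; an address in no region hits the background and faults. */
bool mpu_user_access_ok(const mpu_region_t *tbl, size_t n, uint32_t addr, bool write)
{
    for (size_t i = n; i-- > 0;)
        if (addr >= tbl[i].base && addr - tbl[i].base < tbl[i].size)
            return tbl[i].ap == AP_FULL_ACCESS || (tbl[i].ap == AP_USER_RO && !write);
    return false;
}

/* Stack overflow detection: the task stack is its own region, so the push that
 * would land below the region base (sp == base) faults instead of corrupting RAM. */
bool stack_push_faults(uint32_t stack_base, uint32_t stack_size, uint32_t sp)
{
    const mpu_region_t tbl[] = {
        { 0x00000000u, 0x00100000u, AP_USER_RO,     false }, /* (1) code space */
        { stack_base,  stack_size,  AP_FULL_ACCESS, true  }, /* (3) task RAM, XN */
    };
    return !mpu_user_access_ok(tbl, 2, sp - 4u, true);   /* a push writes at sp-4 */
}
```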

User Tasks Should Run in Non-Privileged Mode

Memory Access Faults – What to Do

§ What happens when a task accesses data outside a valid region?
  § The MPU issues an exception called the MemManage Fault
§ What can we do when a fault is detected?
  § Depends greatly on the application
  § The RTOS should save information about the offending task
    § To help developers correct the problem
  § The RTOS should provide a callback function for each task
    § To allow the application to perform a Controlled Shutdown sequence
    § Actuators to be placed in a safe state

Memory Access Faults – What to Do (continued)

§ What can we do when a fault is detected?
  § Report the fault?
    § To a display?
    § To a storage device (e.g. a file system)?
    § Through a communications port?
    § Sound an alarm?
    § Etc.
  § Terminate the offending task?
    § Do we also need to terminate other tasks associated with the process?
    § What happens to the resources owned by the task(s)?
  § Restart the application?
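An added example, not Micrium code, of the handling policy described on these two slides: the MemManage handler decodes the fault status, saves it together with the offending task for later reporting, runs that task's controlled-shutdown callback and terminates the task. The MMFSR bit positions and the meaning of MMFAR are ARMv7-M facts; the task, its callback and the register values fed in are constructed.

```c
/* Added example (not Micrium code): MemManage handling policy from the slides.
 * CFSR/MMFAR layout is ARMv7-M; task table and register values are constructed. */
#include <stdint.h>
#include <stdbool.h>
#define MMFSR_IACCVIOL  (1u << 0)   /* instruction fetch from an XN/no-access region */
#define MMFSR_DACCVIOL  (1u << 1)   /* data access violation */
#define MMFSR_MSTKERR   (1u << 4)   /* fault while stacking on exception entry */
#define MMFSR_MMARVALID (1u << 7)   /* MMFAR holds the faulting data address */

typedef struct {
    const char *name;
    void      (*on_fault)(void);   /* per-task controlled-shutdown callback */
    bool        terminated;
} task_t;

typedef struct {
    const char *task;
    uint32_t    mmfsr;             /* low byte of CFSR, saved before it is cleared */
    uint32_t    addr;              /* meaningful only when addr_valid */
    bool        addr_valid, data_fault, instr_fault, stack_fault;
} fault_record_t;

static fault_record_t g_last_fault;   /* kept for logging/reporting the fault */
static int g_shutdown_calls;
static void motor_safe_state(void) { g_shutdown_calls++; }   /* e.g. de-energize actuators */

/* Core of the MemManage handler: decode the status bits, save them with the
 * offending task, run that task's callback, then take the task out of the run set.
 * On hardware cfsr/mmfar come from SCB->CFSR / SCB->MMFAR; the MMFSR bits are
 * write-one-to-clear, so the handler writes mmfsr back to CFSR after saving it. */
const fault_record_t *memmanage_handle(task_t *cur, uint32_t cfsr, uint32_t mmfar)
{
    uint32_t mmfsr = cfsr & 0xFFu;
    g_last_fault.task        = cur->name;
    g_last_fault.mmfsr       = mmfsr;
    g_last_fault.addr_valid  = (mmfsr & MMFSR_MMARVALID) != 0u;
    g_last_fault.addr        = g_last_fault.addr_valid ? mmfar : 0u;
    g_last_fault.data_fault  = (mmfsr & MMFSR_DACCVIOL) != 0u;
    g_last_fault.instr_fault = (mmfsr & MMFSR_IACCVIOL) != 0u;
    g_last_fault.stack_fault = (mmfsr & MMFSR_MSTKERR) != 0u;
    if (cur->on_fault) cur->on_fault();   /* application's controlled shutdown */
    cur->terminated = true;               /* the offending task never runs again */
    return &g_last_fault;
}

/* Constructed scenario: task "motor" writes outside its regions at 0x20008000. */
const fault_record_t *fault_demo(void)
{
    static task_t motor = { "motor", motor_safe_state, false };
    return memmanage_handle(&motor, MMFSR_DACCVIOL | MMFSR_MMARVALID, 0x20008000u);
}
```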

When Using an MPU with an RTOS

§ As a MINIMUM: set the XN (eXecute Never) bit
  § Reduces code injection attacks
  § Except possibly for code that runs software updates
§ As a MINIMUM: on v7M, use a region for stack overflow detection
§ Run User code in Non-Privileged mode
  § User code running in non-privileged mode cannot disable interrupts
    § The disable-interrupts instruction is basically a NO OP there
§ Use RTOS services to access shared resources
§ ISRs should have full access to the memory
  § Greatly simplifies the ISR design
  § Keep ISRs short
§ Limit peripheral access to its process
§ Reduce inter-process communications
  § Processes should be isolated from one another

When Using an MPU with an RTOS (continued)

§ Avoid having a global heap
  § Virtually impossible to set up the MPU for a global heap
§ Limit the RTOS services available to the user
  § Don't allow creating and deleting tasks in non-privileged mode
§ Allocate RTOS objects in RTOS space
  § Access objects by reference
§ Determine what to do when you get an MPU fault
  § Callback to execute an optional shutdown sequence
§ Have a way to log and report faults
  § Helps developers correct issues

SVC Jump Table (Allowed RTOS Services):

    N     RTOS Service
    0     OSSemPost()
    1     OSSemPend()
    2     OSQPost()
    3     OSQPend()
    4     OSMutexPost()
    5     OSMutexPend()
    6     OSTimeDly()
    :     :
    N-1   OSVersion()
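An added example, not Micrium code, of the SVC jump table on this slide as seen from the SVC handler: non-privileged tasks request a service by number, and only numbers that map to an allowed entry are dispatched. The service numbers follow the slide; the stub services, their return values and the deliberately empty mutex slots are constructed for the demo.

```c
/* Added example (not Micrium code): SVC jump table exposing only allowed services
 * to non-privileged tasks. Service numbers follow the slide; stubs are constructed. */
#include <stdint.h>
#include <stddef.h>
typedef int (*svc_fn_t)(uint32_t arg0, uint32_t arg1);

/* Stubs standing in for the kernel services (constructed return values). */
static int svc_sem_post (uint32_t a, uint32_t b) { (void)a; (void)b; return 10; }
static int svc_sem_pend (uint32_t a, uint32_t b) { (void)a; (void)b; return 11; }
static int svc_q_post   (uint32_t a, uint32_t b) { (void)a; (void)b; return 12; }
static int svc_q_pend   (uint32_t a, uint32_t b) { (void)a; (void)b; return 13; }
static int svc_time_dly (uint32_t a, uint32_t b) { (void)a; (void)b; return 16; }

/* Allowed services only: OSTaskCreate()/OSTaskDel() and anything touching the
 * MPU or interrupt controller are deliberately not in the table. Slots 4 and 5
 * (OSMutexPost/OSMutexPend on the slide) are left empty here to show a hole. */
static const svc_fn_t svc_table[] = {
    [0] = svc_sem_post,    /* OSSemPost()  */
    [1] = svc_sem_pend,    /* OSSemPend()  */
    [2] = svc_q_post,      /* OSQPost()    */
    [3] = svc_q_pend,      /* OSQPend()    */
    [6] = svc_time_dly,    /* OSTimeDly()  */
};
#define SVC_TABLE_LEN      (sizeof svc_table / sizeof svc_table[0])
#define SVC_ERR_BAD_NUMBER (-1)

/* Entered from the SVC exception (privileged). The number is data supplied by
 * user code, so bounds-check it and reject holes before the indirect call. */
int svc_dispatch(uint32_t svc_num, uint32_t arg0, uint32_t arg1)
{
    if (svc_num >= SVC_TABLE_LEN || svc_table[svc_num] == NULL)
        return SVC_ERR_BAD_NUMBER;
    return svc_table[svc_num](arg0, arg1);
}

/* The service number is the imm8 of the 'svc #imm8' that trapped (Thumb T1
 * encoding 0xDFxx); it is the low byte at return_pc - 2, where return_pc is
 * the PC the hardware stacked on exception entry. */
uint32_t svc_number_from_return_pc(const uint8_t *return_pc)
{
    return return_pc[-2];
}

/* Constructed check: bytes 06 DF are 'svc #6' (little-endian), followed by a nop. */
uint32_t svc_number_demo(void)
{
    static const uint8_t code[4] = { 0x06, 0xDF, 0x00, 0xBF };
    return svc_number_from_return_pc(&code[2]);
}
```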

Using an MPU with an RTOS - Summary

§ Tasks are grouped by process
  § A process can consist of one or more tasks
§ Each task must define a process table
  § Tasks within a process use the same process table
§ The process table defines regions
  § Each region gives permission to access a range of memory or I/O space
§ The RTOS loads the process table into the MPU during a context switch
  § Adds overhead
§ An SVC handler is needed to prevent user tasks from changing the MPU
  § Adds overhead
§ ISRs have full access to memory
§ You need to determine what happens when you get an MPU fault
§ The developer is responsible for creating the process tables and splitting the memory into regions
  § A tedious job!

Development Tools and Books

§ Silicon Labs Integrated Development Environment (FREE):
  § https://www.silabs.com/products/development-tools/software/simplicity-studio
§ Silicon Labs Development Boards:
  § https://www.silabs.com/products/development-tools/mcu
§ Silicon Labs / Micrium OS Kernel (FREE when using Silicon Labs chips):
  § https://www.silabs.com/products/development-tools/software/micrium-os
§ Micrium's µC/Probe, Graphical Live Watch® (FREE Educational Version):
  § https://www.micrium.com/ucprobe/trial/
§ Segger's SystemView (FREE Evaluation Version):
  § https://www.segger.com/downloads/free-utilities/
§ Micrium Books (FREE PDF downloads):
  § https://www.micrium.com/books/ucosiii/

Thank you!