December 3 - 6, 2018

Santa Clara Convention Center

CA, USA

REVOLUTIONIZING THE COMPUTING LANDSCAPE AND BEYOND. https://tmt.knect365.com/risc-v-summit @risc_v

Using the RISC-V PMP (Physical Memory Protection) with an embedded RTOS to achieve process separation and isolation J E A N J . L A B R O S S E , S O F T W A R E A R C H I T E C T

Introduction

Author µC/OS series of software and books Numerous articles and blogs

Lecturer Conferences Training

Entrepreneur

Micrium founder (acquired by Silicon Labs in 2016)

Embedded Systems Innovator

Embedded Computer Design Innovator of the Year award (2015)

Jean.Labrosse@SiLabs.com

Distinguished Engineer and Software Architect

3

Software that manages the time of a CPU

Application is split into multiple tasks

The RTOS’s job is to run the most important task that is ready-to-run

An RTOS provides Services to your application

Task management

Time management

Resource management

Message passing

Soft Timer Management

Etc.

What Is an RTOS? - Multitasking

4

RTOS(Code)

Task(Code+Data+Stack)

Task(Code+Data+Stack)

Task(Code+Data+Stack)

Task(Code+Data+Stack)

Task(Code+Data+Stack)

HighPriority

LowPriority

EventsSignals/Messages from Tasks or ISRs

RISC-V CPU(32 or 64-bit)

SelectHighest Priority Task

What Is an RTOS? – Preemptive Scheduling

5

High Priority Task

Low Priority Task Low Priority Task

Event Occurs

Signal Task

RTOS Resumes Task

RTOS Resumes Task

Wait For Event

ISR

void Low_Prio_Task (void)

{

Task initialization;

while (1) {

Setup to wait for event;

Wait for event to occur;

Perform task operation;

}

}

void High_Prio_Task (void)

{

Task initialization;

while (1) {

Setup to wait for event;

Wait for event to occur;

Perform task operation;

}

}

void ISR (void)

{

Entering ISR;

Perform Work;

Signal or Send Message to Task;

Perform Work; // Optional

Leaving ISR;

}

Time

RTOS Overhead

Each task:

Is assigned a priority based on its importance

Has its own set of CPU registers (Thinks it has the CPU all to itself)

Requires a stack

Manages its own variables, arrays and structures

Possibly manages I/O devices

Is typically an infinite loop waiting for an event:

Contains mostly the application code

What Is an RTOS? – Tasks

6

Task (Priority)

Stack (RAM) Variables

Arrays Structures

(RAM)

CPU Registers

(CPU+FPU)

I/O Device(s)

(Optional) void Task (void)

{

Task initialization;

while (1) {

Wait for event to occur;

Perform task operation;

}

}

Without a PMP, RTOS tasks run in MACHINE-mode

Access to all resources

Done for performance reasons

Drawbacks:

Reliability of the system is in the hands of the application code

ISRs and tasks have full access to the memory address space

Tasks can disable interrupts

Task stacks can overflow without detection

Code can execute out of RAM

Susceptible to code injection attacks

A misbehaved task can take the whole system down

Expensive to get safety certification for the whole product

What is an RTOS? – Typical RTOS without Physical Memory Protection

7

What is an RTOS? – Context Switch (without a PMP)

8

Tasks are grouped by processes

Can have multiple tasks per process

ISRs have full access to memory

Would be very complex otherwise

Benefits:

Memory of one process is not accessible to other processes

Unless they share a common memory space

Some processes might not need to be safety certified

Less expensive and faster time-to-market

User tasks can’t disable interrupts

Task stack overflows can be detected by the PMP

RTOS with a PMP – Process Model

9

Task

Task

Task

Task

Task

Task

Task

Task

Task

Task

Task

Task

Task

Process 1

Process 3

Process 2

Memory

ISR

ISR

ISRShared Memory

Memory Memory

Memory

I/O

I/O

I/O

I/O

USER-mode MACHINE-mode

PMP – Each Task requires a Process table

10

4567

pmpcfg0

pmpcfg1

pmpcfg2

pmpcfg3

pmpaddr0

pmpaddr1

pmpaddr2

pmpaddr3

pmpaddr4

pmpaddr5

pmpaddr6

pmpaddr7

pmpaddr8

pmpaddr9

pmpaddr10

pmpaddr11

pmpaddr12

pmpaddr13

pmpaddr14

pmpaddr15

0123

9 81011

12131415

Process Table(One per Task)

CSR #0x3A0

CSR #0x3A1

CSR #0x3A2

CSR #0x3A3

CSR #0x3B0

CSR #0x3B1

CSR #0x3B2

CSR #0x3B3

CSR #0x3B4

CSR #0x3B5

CSR #0x3B6

CSR #0x3B7

CSR #0x3B8

CSR #0x3B9

CSR #0x3BA

CSR #0x3BB

CSR #0x3BC

CSR #0x3BD

CSR #0x3BE

CSR #0x3BF

32 Bit(RV32)

L 0 0 A A X W R

1: Read enabled

1: Write enabled

1: Execute enabled

00: OFF, PMP region disabled01: TOR, Top-Of-Range10: NA4, Naturally Aligned 4-byte region11: NAPOT, Naturally Aligned, Power-Of-Two region (> 8 bytes)

1: Region Locked, RESET to unlock

07

Application Shutdown Callback

RTOS with PMP – Context Switch – Only the OS can update the PMP

11

CPUFPUPMP

Task Stack(RAM)

Task Stack(RAM)

PMPProcess Table

(ROM)

CPU Registers+

FPU Registers

Up to 16 Regions

Context Switch

SaveRestore

12

3

Load

RegionBase

Address

(pmpaddr[])

[0][1][2]

[N-1]

TaskControlBlock(TCB)

[3][2][1][0]

RegionAttributes

(pmpcfg[])

RTOS with PMP – User tasks run in USER-mode

12

MACHINE-mode Handler

USER-mode(non-privileged)

RTOS Jump Table(Allowed RTOS Services)

N RTOS Service0 OSSemPost()1 OSSemPend()2 OSQPost()3 OSQPend()4 OSMutexPost()5 OSMutexPend()6 OSTimeDly(): :: :

N-1 OSVersion()

PrivilegedCode

CPU + FPU + PMP

Cannot disable interruptsCannot change the PMP settings

Can disable interruptsCan change the PMP settings

(but should not)

Non-Privileged

Privileged

RTOS(MACHINE-mode)

Request

RTOS Service

Direct OS API calls

RTOS with PMP – Setting regions

13

I/Os

Task 4 - Stack

Task 3 - Stack

Task 2 - Stack

Heap

Task 1 - Stack

ProcessVariables

Process A

Process B

Process D

Process C

Memory(RAM)

Peripherals(I/O)

CodeSpace

System(OS)

RedZone – Stack Overflow Detection

TOR

NA4

TOR

TOR

NA4

TOR

TORNA4

NA4

CommonNA4

TOR

TOR

RedZone:

Small area at the bottom of each task stack

Typically 32 bytes

Removes from available task stack

Larger zone is better but, more wasteful

CPU exception if data is pushed into that area

Not guaranteed to catch every overflows!

RTOS with PMP – Stack overflow detection

14

Red Zone

BaseAddress

InitialTop-of-Stack

Used Stack

Red-Zone Size

Stack Size

Free Stack

CurrentSP

Task Stack

Stack Growth

NA4

TOR

Prevent access(no write or execute)

What happens when a task accesses data outside a valid region?

Based on the region’s attributes, the PMP issues one of three types of an exception:

Instruction Access Fault (i.e. eXecute)

Load Access Fault (i.e. Read)

Store Access Fault (i.e. Write)

What can we do when one of these faults is detected?

Depends greatly on the application

The RTOS should save information about the offending task

To help developers correct the problem

The RTOS should provide a callback function for each task

To allow the application to perform a Controlled Shutdown sequence

e.g. Actuators to be placed in a safe state

RTOS with PMP – Handling Faults

15

What can we do when a fault is detected?

Report the fault:

To a display?

To a storage device (i.e. file system)

Through a communications port?

Sound an alarm?

Etc.

Terminate the offending task:

Do we also need to terminate other tasks associated with the process?

What happens to the resources owned by the task(s)?

Restart the application

RTOS with PMP – Handling Faults

16

RTOS with PMP - Recommendations

Avoid global heap

Virtually impossible to setup the PMP for a global heap

Limit the RTOS APIs available to the user

Prevent creating and deleting tasks in USER-mode

Allocate RTOS objects in RTOS space

Processes can provide references to these objects

Determine what to do when you get a PMP fault

Callback to execute an optional shutdown sequence

Have a way to log and report faults

Helps developers correct issues

As a MINIMUM: clear the X (eXecute) bit

Except possibly for code that runs software updates

As a MINIMUM: use a region for stack overflow detection

i.e. RedZone

Run the application in USER-mode

ISRs should have full access to the memory

Greatly simplifies the ISR design

But ISRs should be kept short

Limit peripheral access to its process

Reduce inter-process communications

Processes should be isolated from one another

17

Tasks are grouped by process

A process can consist of one or more tasks

Each task must define a process table

The process table defines regions

Each region gives permission to access a range of memory or I/O space

The RTOS loads the process table into the PMP during a context switch

Adds overhead

User code gets RTOS services through an MACHINE-mode handler

Adds overhead

ISRs have full access to memory

You need to determine what happens when you get a PMP fault

The developer is responsible for creating the process tables and splitting the memory in regions

A tedious job!

RTOS with PMP - Summary

18

References – Websites, Videos & Articles

Silicon Labs: Micrium OS Kernel (i.e. RTOS) free with Silicon Labs MCUs

www.SiLabs.com

Micrium (a Silicon Labs Business Unit): µC/OS-II and µC/OS-III RTOS and middleware

Home of µC/Probe

www.Micrium.com

Getting Started with Micrium OS, 10 Episode Series

https://www.youtube.com/playlist?list=PL-awFRrdECXu9I7ybAl5tEgwn7BQF6N56

Micrium, Internet of Things

https://www.micrium.com/training/videos/#foobox-3/0/SDJVFr4VUHA

Using an MPU with an RTOS, 4 Parts Series

http://www.embedded-computing.com/hardware/using-a-memory-protection-unit-with-an-rtos#

19

S I L A B S . C O M

Thank you!

RTOS with PMP – Creating Process Tables

Creating process tables is the most difficult part of using an PMP

Requires using #pragmas in C code to define Regions

Toolchain specific

Might mean editing existing code files to add #pragmas

Tedious manual effort because of module dependencies

24

THANK YOU https://tmt.knect365.com/risc-v-summit @risc_v