December 3 - 6, 2018
Santa Clara Convention Center
CA, USA
REVOLUTIONIZING THE COMPUTING LANDSCAPE AND BEYOND. https://tmt.knect365.com/risc-v-summit @risc_v
Using the RISC-V PMP (Physical Memory Protection) with an embedded RTOS to achieve process separation and isolation J E A N J . L A B R O S S E , S O F T W A R E A R C H I T E C T
Introduction
Author µC/OS series of software and books Numerous articles and blogs
Lecturer Conferences Training
Entrepreneur
Micrium founder (acquired by Silicon Labs in 2016)
Embedded Systems Innovator
Embedded Computer Design Innovator of the Year award (2015)
Distinguished Engineer and Software Architect
3
Software that manages the time of a CPU
Application is split into multiple tasks
The RTOS’s job is to run the most important task that is ready-to-run
An RTOS provides Services to your application
Task management
Time management
Resource management
Message passing
Soft Timer Management
Etc.
What Is an RTOS? - Multitasking
4
RTOS(Code)
Task(Code+Data+Stack)
Task(Code+Data+Stack)
Task(Code+Data+Stack)
Task(Code+Data+Stack)
Task(Code+Data+Stack)
HighPriority
LowPriority
EventsSignals/Messages from Tasks or ISRs
RISC-V CPU(32 or 64-bit)
SelectHighest Priority Task
What Is an RTOS? – Preemptive Scheduling
5
High Priority Task
Low Priority Task Low Priority Task
Event Occurs
Signal Task
RTOS Resumes Task
RTOS Resumes Task
Wait For Event
ISR
void Low_Prio_Task (void)
{
Task initialization;
while (1) {
Setup to wait for event;
Wait for event to occur;
Perform task operation;
}
}
void High_Prio_Task (void)
{
Task initialization;
while (1) {
Setup to wait for event;
Wait for event to occur;
Perform task operation;
}
}
void ISR (void)
{
Entering ISR;
Perform Work;
Signal or Send Message to Task;
Perform Work; // Optional
Leaving ISR;
}
Time
RTOS Overhead
Each task:
Is assigned a priority based on its importance
Has its own set of CPU registers (Thinks it has the CPU all to itself)
Requires a stack
Manages its own variables, arrays and structures
Possibly manages I/O devices
Is typically an infinite loop waiting for an event:
Contains mostly the application code
What Is an RTOS? – Tasks
6
Task (Priority)
Stack (RAM) Variables
Arrays Structures
(RAM)
CPU Registers
(CPU+FPU)
I/O Device(s)
(Optional) void Task (void)
{
Task initialization;
while (1) {
Wait for event to occur;
Perform task operation;
}
}
Without a PMP, RTOS tasks run in MACHINE-mode
Access to all resources
Done for performance reasons
Drawbacks:
Reliability of the system is in the hands of the application code
ISRs and tasks have full access to the memory address space
Tasks can disable interrupts
Task stacks can overflow without detection
Code can execute out of RAM
Susceptible to code injection attacks
A misbehaved task can take the whole system down
Expensive to get safety certification for the whole product
What is an RTOS? – Typical RTOS without Physical Memory Protection
7
What is an RTOS? – Context Switch (without a PMP)
8
Tasks are grouped by processes
Can have multiple tasks per process
ISRs have full access to memory
Would be very complex otherwise
Benefits:
Memory of one process is not accessible to other processes
Unless they share a common memory space
Some processes might not need to be safety certified
Less expensive and faster time-to-market
User tasks can’t disable interrupts
Task stack overflows can be detected by the PMP
RTOS with a PMP – Process Model
9
Task
Task
Task
Task
Task
Task
Task
Task
Task
Task
Task
Task
Task
Process 1
Process 3
Process 2
Memory
ISR
ISR
ISRShared Memory
Memory Memory
Memory
I/O
I/O
I/O
I/O
USER-mode MACHINE-mode
PMP – Each Task requires a Process table
10
4567
pmpcfg0
pmpcfg1
pmpcfg2
pmpcfg3
pmpaddr0
pmpaddr1
pmpaddr2
pmpaddr3
pmpaddr4
pmpaddr5
pmpaddr6
pmpaddr7
pmpaddr8
pmpaddr9
pmpaddr10
pmpaddr11
pmpaddr12
pmpaddr13
pmpaddr14
pmpaddr15
0123
9 81011
12131415
Process Table(One per Task)
CSR #0x3A0
CSR #0x3A1
CSR #0x3A2
CSR #0x3A3
CSR #0x3B0
CSR #0x3B1
CSR #0x3B2
CSR #0x3B3
CSR #0x3B4
CSR #0x3B5
CSR #0x3B6
CSR #0x3B7
CSR #0x3B8
CSR #0x3B9
CSR #0x3BA
CSR #0x3BB
CSR #0x3BC
CSR #0x3BD
CSR #0x3BE
CSR #0x3BF
32 Bit(RV32)
L 0 0 A A X W R
1: Read enabled
1: Write enabled
1: Execute enabled
00: OFF, PMP region disabled01: TOR, Top-Of-Range10: NA4, Naturally Aligned 4-byte region11: NAPOT, Naturally Aligned, Power-Of-Two region (> 8 bytes)
1: Region Locked, RESET to unlock
07
Application Shutdown Callback
RTOS with PMP – Context Switch – Only the OS can update the PMP
11
CPUFPUPMP
Task Stack(RAM)
Task Stack(RAM)
PMPProcess Table
(ROM)
CPU Registers+
FPU Registers
Up to 16 Regions
Context Switch
SaveRestore
12
3
Load
RegionBase
Address
(pmpaddr[])
[0][1][2]
[N-1]
TaskControlBlock(TCB)
[3][2][1][0]
RegionAttributes
(pmpcfg[])
RTOS with PMP – User tasks run in USER-mode
12
MACHINE-mode Handler
USER-mode(non-privileged)
RTOS Jump Table(Allowed RTOS Services)
N RTOS Service0 OSSemPost()1 OSSemPend()2 OSQPost()3 OSQPend()4 OSMutexPost()5 OSMutexPend()6 OSTimeDly(): :: :
N-1 OSVersion()
PrivilegedCode
CPU + FPU + PMP
Cannot disable interruptsCannot change the PMP settings
Can disable interruptsCan change the PMP settings
(but should not)
Non-Privileged
Privileged
RTOS(MACHINE-mode)
Request
RTOS Service
Direct OS API calls
RTOS with PMP – Setting regions
13
I/Os
Task 4 - Stack
Task 3 - Stack
Task 2 - Stack
Heap
Task 1 - Stack
ProcessVariables
Process A
Process B
Process D
Process C
Memory(RAM)
Peripherals(I/O)
CodeSpace
System(OS)
RedZone – Stack Overflow Detection
TOR
NA4
TOR
TOR
NA4
TOR
TORNA4
NA4
CommonNA4
TOR
TOR
RedZone:
Small area at the bottom of each task stack
Typically 32 bytes
Removes from available task stack
Larger zone is better but, more wasteful
CPU exception if data is pushed into that area
Not guaranteed to catch every overflows!
RTOS with PMP – Stack overflow detection
14
Red Zone
BaseAddress
InitialTop-of-Stack
Used Stack
Red-Zone Size
Stack Size
Free Stack
CurrentSP
Task Stack
Stack Growth
NA4
TOR
Prevent access(no write or execute)
What happens when a task accesses data outside a valid region?
Based on the region’s attributes, the PMP issues one of three types of an exception:
Instruction Access Fault (i.e. eXecute)
Load Access Fault (i.e. Read)
Store Access Fault (i.e. Write)
What can we do when one of these faults is detected?
Depends greatly on the application
The RTOS should save information about the offending task
To help developers correct the problem
The RTOS should provide a callback function for each task
To allow the application to perform a Controlled Shutdown sequence
e.g. Actuators to be placed in a safe state
RTOS with PMP – Handling Faults
15
What can we do when a fault is detected?
Report the fault:
To a display?
To a storage device (i.e. file system)
Through a communications port?
Sound an alarm?
Etc.
Terminate the offending task:
Do we also need to terminate other tasks associated with the process?
What happens to the resources owned by the task(s)?
Restart the application
RTOS with PMP – Handling Faults
16
RTOS with PMP - Recommendations
Avoid global heap
Virtually impossible to setup the PMP for a global heap
Limit the RTOS APIs available to the user
Prevent creating and deleting tasks in USER-mode
Allocate RTOS objects in RTOS space
Processes can provide references to these objects
Determine what to do when you get a PMP fault
Callback to execute an optional shutdown sequence
Have a way to log and report faults
Helps developers correct issues
As a MINIMUM: clear the X (eXecute) bit
Except possibly for code that runs software updates
As a MINIMUM: use a region for stack overflow detection
i.e. RedZone
Run the application in USER-mode
ISRs should have full access to the memory
Greatly simplifies the ISR design
But ISRs should be kept short
Limit peripheral access to its process
Reduce inter-process communications
Processes should be isolated from one another
17
Tasks are grouped by process
A process can consist of one or more tasks
Each task must define a process table
The process table defines regions
Each region gives permission to access a range of memory or I/O space
The RTOS loads the process table into the PMP during a context switch
Adds overhead
User code gets RTOS services through an MACHINE-mode handler
Adds overhead
ISRs have full access to memory
You need to determine what happens when you get a PMP fault
The developer is responsible for creating the process tables and splitting the memory in regions
A tedious job!
RTOS with PMP - Summary
18
References – Websites, Videos & Articles
Silicon Labs: Micrium OS Kernel (i.e. RTOS) free with Silicon Labs MCUs
www.SiLabs.com
Micrium (a Silicon Labs Business Unit): µC/OS-II and µC/OS-III RTOS and middleware
Home of µC/Probe
www.Micrium.com
Getting Started with Micrium OS, 10 Episode Series
https://www.youtube.com/playlist?list=PL-awFRrdECXu9I7ybAl5tEgwn7BQF6N56
Micrium, Internet of Things
https://www.micrium.com/training/videos/#foobox-3/0/SDJVFr4VUHA
Using an MPU with an RTOS, 4 Parts Series
http://www.embedded-computing.com/hardware/using-a-memory-protection-unit-with-an-rtos#
19
S I L A B S . C O M
Thank you!
RTOS with PMP – Creating Process Tables
Creating process tables is the most difficult part of using an PMP
Requires using #pragmas in C code to define Regions
Toolchain specific
Might mean editing existing code files to add #pragmas
Tedious manual effort because of module dependencies
24
THANK YOU https://tmt.knect365.com/risc-v-summit @risc_v