Thread-level Memory Protection Support

[nashif]

Reported by Anas Nashif:

Run trusted software in privileged mode and run all less-trusted software in unprivileged mode. Examples of trusted code are RTOSs, ISRs, handlers, and low-level drivers. Examples of less-trusted code are untested code third party software, and code that is vulnerable to malware such as protocol stacks and high-level drivers.

• [ ] GH-2415: qemu_cortex_m3: enable MPU
• [ ] GH-2414: memory protection: implict kernel object permissions
• [ ] GH-2343: x86: scope SMAP support in Zephyr
• [ ] GH-2342: x86: scope SMEP support in Zephyr
• [ ] GH-2341: x86: implement option for PAE-formatted page tables with NX bit
• [ ] GH-2252: x86: implement memory domain interface
• [x] GH-2240: design mechanism for kernel object sharing policy
• [ ] GH-2232: ARM: implement API to validate user buffer
• [ ] GH-2210: application/kernel rodata split
• [x] GH-2201: x86: QEMU: enable MMU at boot by default
• [x] GH-2199: implement __kernel attribute
• [ ] GH-2167: reconsider k_mem_pool APIs
• [x] GH-2160: x86: API to validate user buffer
• [ ] GH-2159: reconsider k_mbox APIs
• [x] GH-2140: linker: implement MMU alignment constraints
• [ ] GH-2139: linker: implement MPU alignment constraints
• [ ] GH-2116: define / implement application-facing memory domain APIs
• [ ] GH-2101: xtensa: scope MPU enabling
• [x] GH-2100: stack declaration macros for ARM MPU
• [ ] GH-2073: reconsider k_queue APIs
• [ ] GH-2041: define kernel system calls
• [ ] GH-2039: define network stack system calls
• [ ] GH-2036: Define region data structures exposed by linker script
• [x] GH-2035: Device Driver Access Control
• [ ] GH-2034: ARM: implement NULL pointer protection
• [ ] GH-2032: define set of architecture-specific memory protection APIs
• [ ] GH-2031: program text should be in its own memory region
• [ ] GH-2030: use API to validate user-supplied kernel buffers
• [x] GH-2028: implement APIs for dropping threads to unprivileged mode
• [x] GH-2027: x86: implement system calls
• [x] GH-2026: x86: Implement simple stack memory protection
• [x] GH-2025: Validation mechanism for user-supplied kernel object pointers
• [ ] GH-2024: Memory protection: define allocators for kernel objects
• [x] GH-2023: Stack declarations for memory protection
• [x] GH-2022: Split data, bss, noinit sections into application and kernel areas
• [ ] GH-2021: Design system call interface for drivers
• [x] GH-1931: x86 MMU: implement build-time tool to create boot page table
• [ ] GH-1783: Work up linker-based system call prototype for MPU enabling
• [ ] GH-513: nios2: MPU support

(Imported from Jira ZEP-1466)

[nashif]

by Marcus Shawcroft:

We should give some consideration to using mpu support to fault null pointer accesses.

There is a post on devel The recent post on devel https://lists.zephyrproject.org/pipermail/zephyr-devel/2017-March/007426.html that touches on some of the developer experience issues that arise from the the C standards treatment of null pointers and various related compiler optimizations.

[nashif]

by Andrew Boie:

The scope of this JIRA is way too broad and needs to be decomposed into deliverables. See GH-1931 for one such deliverable.

[nashif]

by Mark Linkmeyer:

Andrew to break up in to stories.

[nashif]

by Andrew Boie:

Survey from Linaro of MPU capabilities across a variety of arches/CPUs

https://wiki.linaro.org/Memory%20Protection%20Device%20Survey

[nashif]

by Andrew Boie:

Notes from Andy on high-level requirements:

So going through the JIRA and through our own documentation, you have all of the major tasks identified. That said, I do agree that a specific list of deliverables that are assigned to separate stories/arcs should be done.

Major tasks:

• privileged/unprivileged section isolation
  • Static tables derived from sections. These would give code and data regions for kernel and apps
  • Define structures to describe regions and implement that
  • Define dynamic region definition for transient regions
    • How does this hook in to k_thread
• Region management
  • APIs
• Stack guard
  • Hardware support. MMU vs MPU
  • API convergence?
• Null ptr protection
• Peripheral device isolation
  • Recognizing device access and proper configuration of peripheral ranges
  • system calls to access device?
• Privileged access escalation / system calls

These are general placeholders and cover a number of your specific cases outlined in the JIRA. When we were divvying up the work between Vincenzo and myself, my thought was to get the isolation of privileged and unprivileged working. Once we got the separation we could then explore the system calls and escalation mechanisms. I see the region management to be the primary thing to do first. Then the isolation, which brings in the section definitions and API work.

We can talk more on this in the morning, but I wanted to get this out tonight to at least condense some of the stuff we've been talking about internally.

Regards,

Andy

[nashif]

by Andrew Boie:

Marcus Shawcroft NULL pointer protection will be tracked in GH-2034, thanks!