OSAP is defined as a collection of OS objects(Task, ISR, Alarm, Schedule Table, Trusted Function, Counter, Application-specific hook). An OSAP is assigned to a specific core, and all of its OS objects run on that core. Multiple OSAPs can be defined and are identified by the OSAP ID.
OSAP type
There are two types of OSAP, trusted OSAP and non-trusted OSAP:
| OSAP type | Description | |||||||||||||
| Trusted | A trusted OSAP is an OSAP that has no restrictions on access to the memory area or hardware. If the target supports privileged mode, operation under privileged mode is also allowed. The trusted OSAP also provides trust functions to other OSAPs. | |||||||||||||
| Non-trusted | An non-trusted OSAP is an OSAP that has restricted access to memory areas and hardware. If the target supports user mode, non-trusted OSAP operates in user mode. | |||||||||||||
As far as supported by hardware, the OS module shall not allow non-trusted OSAP to access control registers managed by the OS.
OSAP specification
OSAP is specified by OsApplication at the time of configuration. In addition, the restart task used by OSAP for processing when protection is violated is also specified by OsRestartTask at the time of configuration. The restart task is one of the tasks belonging to OSAP, and behaves the same as a normal task except that it is started by the OS when OSAP is restarted.
OSAP state
The following figure shows the states and the possible transitions:
| OSAP State | Description | |||||||||||||
| APPLICATION_ACCESSIBLE | A state in which OS objects belonging to OSAP can be used by other OSAPs. Initialize all OSAP to APPLICATION_ACCESSIBLE when OS is initialized. | |||||||||||||
| APPLICATION_RESTARTING | OSAP is restarting and OS objects belonging to OSAP cannot be used by other OSAPs. When the OSAP is forcibly terminated by TerminateApplication() or ProtectionHook() and there is a restart request, this state is entered. | |||||||||||||
| APPLICATION_TERMINATED | OSAP is forcibly terminated by TerminateApplication() or ProtectionHook(), and OS objects belonging to OSAP cannot be used by other OSAP. If there is no restart request, it transitions to this state. OSAP does not transition from this state to another state. | |||||||||||||
Access permissions for each OSAP state
If the OSAP state is other than the available state, access from OS objects belonging to other OSAP is prohibited. If an OS object belonging to another OSAP makes a service call to an OSAP whose OSAP state is not APPLICATION_ACCESSIBLE, E_OS_ACCESS is returned.
OSAP operations
| API | Description | |||||||||||||
| GetApplicationID | This service determines the OS-Application (a unique identifier has to be allocated to each application) where the caller originally belongs to (was configured to). | |||||||||||||
| GetCurrentApplicationID | This service determines the OS-Application where the caller of the service is currently executing. Note that if the caller is not within a CallTrustedFunction() call the value is equal to the result of GetApplicationID(). | |||||||||||||
| CallTrustedFunction | A (trusted or non-trusted) OS-Application uses this service to call a trusted function. | |||||||||||||
| CheckObjectAccess | This service determines if the OS-Applications, given by ApplID, is allowed to use the IDs of a Task, Resource, Counter, Alarm or Schedule Table in API calls. | |||||||||||||
| CheckObjectOwnership | This service determines to which OS-Application a given Task, ISR, Counter, Alarm or Schedule Table belongs. | |||||||||||||
| TerminateApplication | This service terminates the OS-Application to which the calling Task/Category 2 ISR/application specific error hook belongs. | |||||||||||||
| AllowAccess | This service sets the own state of an OS-Application from APPLICATION_RESTARTING to APPLICATION_ACCESSIBLE. | |||||||||||||
| GetApplicationState | This service returns the current state of an OS-Application. | |||||||||||||
TerminateApplication
If the Operating System module terminates an OS-Application, then it shall:
- terminate all running, ready and waiting Tasks/ISRs of the OS-Application AND
- disable all interrupts of the OS-Application AND
- stop all active alarms of the OS-Applications AND
- stop all ScheduleTables of the OS-Application.
Protection of OS objects belonging to OSAP
OS objects belonging to the OSAP are protected by the OS to prevent unauthorized access from other OSAPs.
Access rights to OS objects
The processing unit belonging to OSAP can access all OS objects belonging to the same OSAP. However, access to OS objects that belong to other OSAPs and are not granted access rights is prohibited. In order to access OS objects that belong to other OSAPs, it is necessary to grant access rights at the time of configuration. Tasks are specified by OsTaskAccessingApplication, alarms are specified by OsAlarmAccessingApplication, and counters are specified by OsCounterAccessingApplication. Since the resource does not belong to OSAP, specify the OSAP that can access the resource by OsResourceAccessingApplication.
Trusted Function(TF)
A TF provids a service of a trusted OSAP to another OSAP. Use CallTrustedFunction() to call the provided TF. If the TF is called from a non-trusted OSAP the mode can switch from non-privileged to privileged mode.
