
OS-Memory Protection

Date: 2024-11-14 16:15:37

The OS uses the memory protection facilities of the processor to achieve freedom from interference between OS-Applications and cores. For this purpose it may use the memory protection unit (MPU), which is responsible for monitoring all memory accesses made by the CPU and/or peripheral devices and for triggering an exception when an illegal memory access is detected.

An illegal memory access by a non-trusted OSAP is called a memory protection violation. When a memory protection violation is detected, the ProtectionHook is called with the status code E_OS_PROTECTION_MEMORY. [SWS_Os_00044]

Note: Freedom from Interference (FFI) is one of the critical criteria for the coexistence of elements with different criticality in a mixed-criticality system (MCS). The principle of FFI is to ensure that an element with lower criticality cannot influence an element with higher criticality.

Memory Protection Unit (MPU)

 A Memory Protection Unit (MPU) enables memory partitioning with individual protection attributes. This is distinct from a Memory Management Unit (MMU) that provides a mapping between virtual addresses and physical memory locations at runtime. Note that some devices may realize the functionality of an MPU in an MMU.

Overview of protection for memory areas

The memory to be accessed is first divided into sections in the object files by the compiler; these are the pre-link sections. The configuration assigns each pre-link section to a memory protection section (MPS) and is given to the OS generator, which generates an information file (a linker script, etc.) that serves as input to the linker. The linker then places every section that should be protected in the same way into one memory protection section, based on the information in the linker script. Each memory protection section therefore contains one or more post-link sections, and the memory protection function uses the information of these memory protection sections for its control.

 

Classification of memory area

| No. | Memory Area | OsAppMpsRef | Writeable | Readable | Executable | ShortData |
|-----|-------------|-------------|-----------|----------|------------|-----------|
| a | Private Code Area | VALID | FALSE | PRIVATE | TRUE | FALSE |
| e | Shared Code Area | - | FALSE | SHARED | TRUE | FALSE |
| b | Private Read-only Data Area | VALID | FALSE | PRIVATE | FALSE | FALSE |
| h | Private Read-only Short Data Area | VALID | FALSE | PRIVATE | FALSE | TRUE |
| f | Shared Read-only Data Area | - | FALSE | SHARED | FALSE | FALSE |
| k | Shared Read-only Short Data Area | - | FALSE | SHARED | FALSE | TRUE |
| c | Private Read/Write Data Area | VALID | TRUE | PRIVATE | FALSE | FALSE |
| i | Private Read/Write Short Data Area | VALID | TRUE | PRIVATE | FALSE | TRUE |
| g | Shared Read/Write Data Area | - | TRUE | SHARED | FALSE | FALSE |
| l | Shared Read/Write Short Data Area | - | TRUE | SHARED | FALSE | TRUE |
| d | Shared Read Private Write Data Area | VALID | TRUE | SHARED | FALSE | FALSE |
| j | Shared Read Private Write Short Data Area | VALID | TRUE | SHARED | FALSE | TRUE |
| m | Link Only Section | - | FALSE | NO_READ | FALSE | - |

Link Only Section

As a special memory protection section, it is a post-link section that is placed in the memory by the linker and is not protected by the OS (not set in the protected area of the MPU). It is supposed to be used to link startup routines and exception vector tables.

Addressing section

 A memory protection section with a specific name used to specify the base address of a short data area. Only OsMemoryProtectSectionStartAddress can be specified.

Memory area type

The memory areas to be accessed are explained in the following two groups:
1) OSAP memory area and shared memory area
2) OS memory area

OSAP memory area and shared memory area

| Memory area to be accessed | | W | R | X |
|---|---|---|---|---|
| Memory area belonging to the same non-trusted OSAP | Stack of the same task | ✔ | ✔ | × |
| | Stack of different tasks | × | × | × |
| | Private Code Area | × | ✔ | ✔ |
| | Private Read-only (Short) Data Area | × | ✔ | ※ |
| | Private Read/Write (Short) Data Area | ✔ | ✔ | × |
| | Shared Read Private Write (Short) Data Area | ✔ | ✔ | × |
| Memory area belonging to a different non-trusted OSAP | Stack | × | × | × |
| | Private Code Area | × | × | × |
| | Private Read-only (Short) Data Area | × | × | × |
| | Private Read/Write (Short) Data Area | × | × | × |
| | Shared Read Private Write (Short) Data Area | × | ✔ | × |
| Shared memory area | Shared Code Area | × | ✔ | ✔ |
| | Shared Read-only (Short) Data Area | × | ✔ | ※ |
| | Shared Read/Write (Short) Data Area | ✔ | ✔ | × |

✔: Access allowed, ×: Access prohibited, ※: Target dependent

OS memory area

The Operating System module shall prevent write access to its own data sections and its own stack from non-trusted OS-Applications. [SWS_Os_00198]
The OS shall offer the possibility to restrict write access of trusted OS-Applications in the same way as it is done for non-trusted OS-Applications. [SWS_Os_00795]

The OS prohibits non-trusted OSAPs from reading, writing, and executing the OS memory area.

Standard ROM/RAM region 

In the configuration, the memory region used as the standard ROM area is called the standard ROM region, and the memory region used as the standard RAM area is called the standard RAM region; each is specified at configuration time.

Standard ROM region 

The standard ROM region is specified by OsStandardRomRegionRef. It is used for the following purposes.

  • Place the initial value area (when neither OsInitialDataMemoryRegionRef nor OsInitialDataStartAddress is set).
  • Place a section (.secinfo) containing information for memory initialization [GHS].

Standard RAM region

The standard RAM region is specified by OsStandardRamRegionRef. It is used for the following purposes.

  • When the OS generator allocates the user stack area for non-trusted tasks, it allocates it in the standard RAM region.

Maximum number of protected areas

Since the number of protected areas of the MPU has an upper limit, the OS generator detects an error if, as a result of configuring the MPS and MPA, the number of protected areas required to operate one non-trusted OSAP, or the number of protected areas shared by all OSAPs, exceeds the upper limit of the target.

The upper limit of the protected area in ARMv8-R is as follows.

  • Cortex-R52_FVP: 16

Optimization of the number of protected areas

When short data is used, as an optimization that reduces the number of MPU protected areas in use, memory protection sections that should be protected in the same way are placed contiguously across the boundary between the short data area and the non-short data area. Specifically, the "Shared Read-only Data Area" and the "Shared Read-only Short Data Area" are placed consecutively, as are the "Shared Read/Write Data Area" and the "Shared Read/Write Short Data Area", so that each pair is set as one MPU protected area. In addition, the Shared Read Private Write (SRPW) area of other OSAPs is a data area that can only be read, and it is protected in the same way as the shared read-only (short) data area. For this reason, by placing the SRPW area of each OSAP, the "Shared Read-only Data Area" and the "Shared Read-only Short Data Area" consecutively, the read-only data areas are set as one to three MPU protected areas. How many areas can be combined depends on whether the microcontroller's MPU can overlap protected areas and whether it supports short data.

MPU that can overlap protected areas

If short data is not supported, the entire SRPW area can be combined into one MPU protected area. In this case the MPU setting for read access does not need to be switched when switching OSAPs, so the switch is fast. In addition, one MPU protected area is used for write access to the OSAP's own SRPW area.

 

When short data is supported, one more MPU protected area is required, because the own OSAP's SRPW short data area also needs one.

MPU that cannot overlap protected areas

If short data is not supported, the read-only data areas can be combined into two MPU protected areas. In addition, one MPU protected area is used for the SRPW area of the own OSAP.

 

When short data is supported, a total of five MPU protected areas are required: three for the read-only data areas and two for the SRPW data area and the SRPW short data area of the own OSAP.

ARMv8-R does not support short data and cannot overlap protected areas.

Access right check for memory area

| API / Macro | Description |
|---|---|
| CheckISRMemoryAccess | This service checks if a memory region is write/read/execute accessible and also returns information if the memory region is part of the stack space. |
| CheckTaskMemoryAccess | This service checks if a memory region is write/read/execute accessible and also returns information if the memory region is part of the stack space. |
| OSMEMORY_IS_READABLE, OSMEMORY_IS_WRITEABLE, OSMEMORY_IS_EXECUTABLE, OSMEMORY_IS_STACKSPACE | These macros return a value not equal to zero if the memory is readable / writable / executable or stack space. The argument of the macros must be of type AccessType. Typically the return value of the service CheckTaskMemoryAccess (or CheckISRMemoryAccess) is used as argument for these macros. |
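The access rules of the OSAP/shared memory table above, exercised through a CheckTaskMemoryAccess-style call and the OSMEMORY_IS_* macros, as an added host-side C model (example code, not part of the original post or of any AUTOSAR OS implementation). The memory map, OSAP and task ids, the AccessType bit layout and the DATA_EXEC_ALLOWED setting for the target-dependent (※) cells are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint8_t AccessType;                 /* bit layout is constructed */
#define OSMEMORY_IS_READABLE(a)   ((a) & 0x01u)
#define OSMEMORY_IS_WRITEABLE(a)  ((a) & 0x02u)
#define OSMEMORY_IS_EXECUTABLE(a) ((a) & 0x04u)
#define OSMEMORY_IS_STACKSPACE(a) ((a) & 0x08u)
enum { R = 0x01u, W = 0x02u, X = 0x04u, S = 0x08u };

/* Target-dependent cell: whether read-only data may be executed (assumed: no). */
#define DATA_EXEC_ALLOWED 0

typedef enum { PRIV_CODE, SHARED_CODE, PRIV_RO, SHARED_RO, PRIV_RW,
               SHARED_RW, SRPW, STACK, OS_AREA } MpsKind;
typedef struct { uint32_t start, size; MpsKind kind; int owner; } Mps;

/* Constructed memory map: OSAP 1 owns task 10, OSAP 2 owns task 20.
 * owner = OSAP id, task id for STACK, -1 for shared and OS areas. */
static const Mps mps_table[] = {
    {0x00000000u, 0x1000u, SHARED_CODE, -1}, {0x00001000u, 0x1000u, PRIV_CODE,  1},
    {0x00002000u, 0x1000u, SHARED_RO,   -1}, {0x00003000u, 0x1000u, PRIV_RO,    2},
    {0x20000000u, 0x0400u, PRIV_RW,      1}, {0x20000400u, 0x0400u, SHARED_RW, -1},
    {0x20000800u, 0x0400u, SRPW,         1}, {0x20000C00u, 0x0400u, SRPW,       2},
    {0x20001000u, 0x0200u, STACK,       10}, {0x20001200u, 0x0200u, STACK,     20},
    {0x20002000u, 0x1000u, OS_AREA,     -1},
};
static int osap_of_task(int task) { return task == 10 ? 1 : task == 20 ? 2 : -1; }

/* Model of CheckTaskMemoryAccess(TaskID, Address, Size) for a non-trusted task. */
AccessType check_task_memory_access(int task, uint32_t addr, uint32_t size)
{
    const int osap = osap_of_task(task);
    const uint64_t end = (uint64_t)addr + size;     /* 64-bit: no wrap-around */
    if (size == 0 || osap < 0) return 0;
    for (size_t i = 0; i < sizeof mps_table / sizeof mps_table[0]; i++) {
        const Mps *m = &mps_table[i];
        if (addr < m->start || end > (uint64_t)m->start + m->size) continue; /* whole range in one MPS */
        const int own = (m->owner == osap);
        switch (m->kind) {
        case SHARED_CODE: return R | X;
        case PRIV_CODE:   return own ? R | X : 0;
        case SHARED_RO:   return R | (DATA_EXEC_ALLOWED ? X : 0);
        case PRIV_RO:     return own ? R | (DATA_EXEC_ALLOWED ? X : 0) : 0;
        case SHARED_RW:   return R | W;
        case PRIV_RW:     return own ? R | W : 0;
        case SRPW:        return R | (own ? W : 0);           /* everyone reads, only the owner writes */
        case STACK:       return m->owner == task ? R | W | S : 0; /* other tasks' stacks: no access */
        default:          return 0;                           /* OS area: nothing for non-trusted OSAPs */
        }
    }
    return 0;  /* unmapped, or the range straddles an MPS boundary */
}
```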

From: https://blog.csdn.net/erroror/article/details/143773448

    大家好,我是Java陈序员。在开发中,Nacos作为一款非常流行的微服务配置中心、注册中心,在构建微服务项目时往往会使用到它。但是对于个人开发者而言,云服务器资源有限,往往无法撑起Nacos服务的高内存使用!今天,给大家介绍一款轻量级的Nacos服务,功能平替,占用资源极低!关注微信公......