diff --git a/arch/arm/core/mpu/Kconfig b/arch/arm/core/mpu/Kconfig index 67baee979c9b..ff48692ec65f 100644 --- a/arch/arm/core/mpu/Kconfig +++ b/arch/arm/core/mpu/Kconfig @@ -1,6 +1,7 @@ # Memory Protection Unit (MPU) configuration options # Copyright (c) 2017 Linaro Limited +# Copyright 2025 Arm Limited and/or its affiliates # SPDX-License-Identifier: Apache-2.0 if CPU_HAS_MPU @@ -68,6 +69,15 @@ config CUSTOM_SECTION_MIN_ALIGN_SIZE size is configured by users, it must also respect the power of two regulation if hardware requires. +config ARM_MPU_PXN + bool + depends on ARMV8_1_M_MAINLINE + help + Enable support for Armv8.1-m MPU's Privileged Execute Never (PXN) attr. + An MPU region marked with PXN attribute can only be executed from an + unprivileged mode and executing such region from privileged mode will + result in a Memory Management fault. + endif # ARM_MPU endif # CPU_HAS_MPU diff --git a/arch/arm/core/mpu/arm_core_mpu.c b/arch/arm/core/mpu/arm_core_mpu.c index dde98c0b07fa..03d02e9b6ea9 100644 --- a/arch/arm/core/mpu/arm_core_mpu.c +++ b/arch/arm/core/mpu/arm_core_mpu.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2017 Linaro Limited. + * Copyright 2025 Arm Limited and/or its affiliates * * SPDX-License-Identifier: Apache-2.0 */ @@ -64,53 +65,61 @@ extern char __ram_text_reloc_size[]; static const struct z_arm_mpu_partition static_regions[] = { #if defined(CONFIG_COVERAGE_GCOV) && defined(CONFIG_USERSPACE) - { + { /* GCOV code coverage accounting area. Needs User permissions * to function */ .start = (uint32_t)&__gcov_bss_start, .size = (uint32_t)&__gcov_bss_size, .attr = K_MEM_PARTITION_P_RW_U_RW, - }, + }, #endif /* CONFIG_COVERAGE_GCOV && CONFIG_USERSPACE */ #if defined(CONFIG_NOCACHE_MEMORY) - { + { /* Special non-cacheable RAM area */ .start = (uint32_t)&_nocache_ram_start, .size = (uint32_t)&_nocache_ram_size, .attr = K_MEM_PARTITION_P_RW_U_NA_NOCACHE, - }, + }, #endif /* CONFIG_NOCACHE_MEMORY */ #if defined(CONFIG_ARCH_HAS_RAMFUNC_SUPPORT) - { + { /* Special RAM area for program text */ .start = (uint32_t)&__ramfunc_start, .size = (uint32_t)&__ramfunc_size, +#if defined(CONFIG_ARM_MPU_PXN) && defined(CONFIG_USERSPACE) + .attr = K_MEM_PARTITION_P_R_U_RX, +#else .attr = K_MEM_PARTITION_P_RX_U_RX, - }, +#endif + }, #endif /* CONFIG_ARCH_HAS_RAMFUNC_SUPPORT */ #if defined(CONFIG_CODE_DATA_RELOCATION_SRAM) - { + { /* RAM area for relocated text */ .start = (uint32_t)&__ram_text_reloc_start, .size = (uint32_t)&__ram_text_reloc_size, +#if defined(CONFIG_ARM_MPU_PXN) && defined(CONFIG_USERSPACE) + .attr = K_MEM_PARTITION_P_R_U_RX, +#else .attr = K_MEM_PARTITION_P_RX_U_RX, - }, +#endif + }, #endif /* CONFIG_CODE_DATA_RELOCATION_SRAM */ #if !defined(CONFIG_MULTITHREADING) && defined(CONFIG_MPU_STACK_GUARD) - /* Main stack MPU guard to detect overflow. - * Note: - * FPU_SHARING and USERSPACE are not supported features - * under CONFIG_MULTITHREADING=n, so the MPU guard (if - * exists) is reserved aside of CONFIG_MAIN_STACK_SIZE - * and there is no requirement for larger guard area (FP - * context is not stacked). - */ - { - .start = (uint32_t)z_main_stack, - .size = (uint32_t)MPU_GUARD_ALIGN_AND_SIZE, - .attr = K_MEM_PARTITION_P_RO_U_NA, - }, + /* Main stack MPU guard to detect overflow. + * Note: + * FPU_SHARING and USERSPACE are not supported features + * under CONFIG_MULTITHREADING=n, so the MPU guard (if + * exists) is reserved aside of CONFIG_MAIN_STACK_SIZE + * and there is no requirement for larger guard area (FP + * context is not stacked). + */ + { + .start = (uint32_t)z_main_stack, + .size = (uint32_t)MPU_GUARD_ALIGN_AND_SIZE, + .attr = K_MEM_PARTITION_P_RO_U_NA, + }, #endif /* !CONFIG_MULTITHREADING && CONFIG_MPU_STACK_GUARD */ }; diff --git a/arch/arm/core/mpu/arm_mpu.c b/arch/arm/core/mpu/arm_mpu.c index e66c02ec067f..f9a5397da464 100644 --- a/arch/arm/core/mpu/arm_mpu.c +++ b/arch/arm/core/mpu/arm_mpu.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2017 Linaro Limited. + * Copyright 2025 Arm Limited and/or its affiliates * * SPDX-License-Identifier: Apache-2.0 */ @@ -111,6 +112,11 @@ static int mpu_configure_regions_from_dt(uint8_t *reg_index) case DT_MEM_ARM_MPU_RAM: region_conf = _BUILD_REGION_CONF(region[idx], REGION_RAM_ATTR); break; +#ifdef CONFIG_ARM_MPU_PXN + case DT_MEM_ARM_MPU_RAM_PXN: + region_conf = _BUILD_REGION_CONF(region[idx], REGION_RAM_ATTR_PXN); + break; +#endif #ifdef REGION_RAM_NOCACHE_ATTR case DT_MEM_ARM_MPU_RAM_NOCACHE: region_conf = _BUILD_REGION_CONF(region[idx], REGION_RAM_NOCACHE_ATTR); diff --git a/arch/arm/core/mpu/arm_mpu_v8_internal.h b/arch/arm/core/mpu/arm_mpu_v8_internal.h index 51ab093d17c5..0716c017ff96 100644 --- a/arch/arm/core/mpu/arm_mpu_v8_internal.h +++ b/arch/arm/core/mpu/arm_mpu_v8_internal.h @@ -1,6 +1,7 @@ /* * Copyright (c) 2017 Linaro Limited. * Copyright (c) 2018 Nordic Semiconductor ASA. + * Copyright 2025 Arm Limited and/or its affiliates * * SPDX-License-Identifier: Apache-2.0 */ @@ -158,6 +159,7 @@ static void mpu_set_region(uint32_t rnr, uint32_t rbar, uint32_t rlar) static void region_init(const uint32_t index, const struct arm_mpu_region *region_conf) { + /* clang-format off */ mpu_set_region( /* RNR */ index, @@ -170,7 +172,11 @@ static void region_init(const uint32_t index, | ((region_conf->attr.mair_idx << MPU_RLAR_AttrIndx_Pos) & MPU_RLAR_AttrIndx_Msk) | MPU_RLAR_EN_Msk +#ifdef CONFIG_ARM_MPU_PXN + | ((region_conf->attr.pxn << MPU_RLAR_PXN_Pos) & MPU_RLAR_PXN_Msk) +#endif ); + /* clang-format on */ LOG_DBG("[%d] 0x%08x 0x%08x 0x%08x 0x%08x", index, region_conf->base, region_conf->attr.rbar, @@ -279,6 +285,9 @@ static inline void mpu_region_get_access_attr(const uint32_t index, (MPU_RBAR_XN_Msk | MPU_RBAR_AP_Msk | MPU_RBAR_SH_Msk); attr->mair_idx = (mpu_get_rlar() & MPU_RLAR_AttrIndx_Msk) >> MPU_RLAR_AttrIndx_Pos; +#ifdef CONFIG_ARM_MPU_PXN + attr->pxn = (mpu_get_rlar() & MPU_RLAR_PXN_Msk) >> MPU_RLAR_PXN_Pos; +#endif } static inline void mpu_region_get_conf(const uint32_t index, @@ -313,6 +322,9 @@ static inline void get_region_attr_from_mpu_partition_info( (MPU_RBAR_XN_Msk | MPU_RBAR_AP_Msk | MPU_RBAR_SH_Msk); p_attr->mair_idx = attr->mair_idx; p_attr->r_limit = REGION_LIMIT_ADDR(base, size); +#ifdef CONFIG_ARM_MPU_PXN + p_attr->pxn = attr->pxn; +#endif } #if defined(CONFIG_USERSPACE) diff --git a/doc/hardware/arch/arm_cortex_m.rst b/doc/hardware/arch/arm_cortex_m.rst index 7eef8e7f2f5d..4bfb05d8026e 100644 --- a/doc/hardware/arch/arm_cortex_m.rst +++ b/doc/hardware/arch/arm_cortex_m.rst @@ -55,6 +55,8 @@ Arm Cortex-M implementation variants. +---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+ | | HW-assisted stack limit checking | N | N | N | N | N |Y [#f2]_ | Y | Y | +---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+ +| | Privileged Execute Never | N | N | N | N | N | N | N | Y [#f3]_ | ++---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+ | HW-assisted null-pointer | | | | | | | | | | | dereference detection | | N | N | Y | Y | Y | Y | Y | Y | +---------------------------------+-----------------------------------+-----------------+---------+--------+-----------+--------+---------+------------+------------+ @@ -86,6 +88,7 @@ Notes .. [#f1] SysTick is optional in Cortex-M1 .. [#f2] Stack limit checking only in Secure builds in Cortex-M23 +.. [#f3] https://developer.arm.com/documentation/107655/100/RTOS-and-Secure-software-design-considerations/Secure-software-development-design-considerations/Security-and-privilege-combination/Using-PXN-bit?lang=en OS features *********** diff --git a/doc/releases/release-notes-4.2.rst b/doc/releases/release-notes-4.2.rst index d4b4fc02dc91..c96a539ec0bb 100644 --- a/doc/releases/release-notes-4.2.rst +++ b/doc/releases/release-notes-4.2.rst @@ -110,3 +110,9 @@ Other notable changes .. Any more descriptive subsystem or driver changes. Do you really want to write a paragraph or is it enough to link to the api/driver/Kconfig/board page above? + +* Added support for Armv8.1-M MPU's PXN (Privileged Execute Never) attribute. + With this, the MPU attributes for ``__ramfunc`` and ``__ram_text_reloc`` were modified such that, + PXN attribute is set for these regions if compiled with ``CONFIG_ARM_MPU_PXN`` and ``CONFIG_USERSPACE``. + This results in a change in behaviour for code being executed from these regions because, + if these regions have pxn attribute set in them, they cannot be executed in privileged mode. diff --git a/include/zephyr/arch/arm/mpu/arm_mpu_v8.h b/include/zephyr/arch/arm/mpu/arm_mpu_v8.h index 0f13bee99be4..25ec225fc6b6 100644 --- a/include/zephyr/arch/arm/mpu/arm_mpu_v8.h +++ b/include/zephyr/arch/arm/mpu/arm_mpu_v8.h @@ -1,6 +1,7 @@ /* * Copyright (c) 2018 Linaro Limited. * Copyright (c) 2018 Nordic Semiconductor ASA. + * Copyright 2025 Arm Limited and/or its affiliates * * SPDX-License-Identifier: Apache-2.0 */ @@ -66,6 +67,9 @@ /* Attribute flag for not-allowing execution (eXecute Never) */ #define NOT_EXEC MPU_RBAR_XN_Msk +/* To prevent execution of MPU region in privileged mode */ +#define PRIV_EXEC_NEVER (1) + /* Attribute flags for share-ability */ #define NON_SHAREABLE 0x0 #define NON_SHAREABLE_Msk ((NON_SHAREABLE << MPU_RBAR_SH_Pos) & MPU_RBAR_SH_Msk) @@ -243,14 +247,28 @@ NON_SHAREABLE_Msk, /* AP, XN, SH */ \ .mair_idx = MPU_MAIR_INDEX_SRAM, /* Cache-ability */ \ .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + IF_ENABLED(CONFIG_ARM_MPU_PXN, (.pxn = !PRIV_EXEC_NEVER,)) \ } -/* clang-format on */ + +#if defined(CONFIG_ARM_MPU_PXN) +/* Use this attr to define an MPU region in RAM that has code intended to be executed in + * un-privileged mode but not in privileged mode. + */ +#define REGION_RAM_ATTR_PXN(base, size) \ + { \ + .rbar = P_RO_U_RO_Msk | NON_SHAREABLE_Msk,/* AP, XN, SH */ \ + .mair_idx = MPU_MAIR_INDEX_SRAM, /* Cache-ability */ \ + .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + .pxn = PRIV_EXEC_NEVER, \ + } +#endif #define REGION_RAM_NOCACHE_ATTR(base, size) \ { \ .rbar = NOT_EXEC | P_RW_U_NA_Msk | NON_SHAREABLE_Msk, /* AP, XN, SH */ \ .mair_idx = MPU_MAIR_INDEX_SRAM_NOCACHE, /* Cache-ability */ \ .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + IF_ENABLED(CONFIG_ARM_MPU_PXN, (.pxn = PRIV_EXEC_NEVER,)) \ } #if defined(CONFIG_MPU_ALLOW_FLASH_WRITE) @@ -262,14 +280,18 @@ .rbar = P_RW_U_RW_Msk | NON_SHAREABLE_Msk, /* AP, XN, SH */ \ .mair_idx = MPU_MAIR_INDEX_FLASH, /* Cache-ability */ \ .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + IF_ENABLED(CONFIG_ARM_MPU_PXN, (.pxn = !PRIV_EXEC_NEVER,)) \ } + #else /* CONFIG_MPU_ALLOW_FLASH_WRITE */ #define REGION_FLASH_ATTR(base, size) \ { \ .rbar = RO_Msk | NON_SHAREABLE_Msk, /* AP, XN, SH */ \ .mair_idx = MPU_MAIR_INDEX_FLASH, /* Cache-ability */ \ .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + IF_ENABLED(CONFIG_ARM_MPU_PXN, (.pxn = !PRIV_EXEC_NEVER,)) \ } + #endif /* CONFIG_MPU_ALLOW_FLASH_WRITE */ #define REGION_DEVICE_ATTR(base, size) \ @@ -277,7 +299,10 @@ .rbar = NOT_EXEC | P_RW_U_NA_Msk | NON_SHAREABLE_Msk, /* AP, XN, SH */ \ .mair_idx = MPU_MAIR_INDEX_DEVICE, /* Cache-ability */ \ .r_limit = REGION_LIMIT_ADDR(base, size), /* Region Limit */ \ + IF_ENABLED(CONFIG_ARM_MPU_PXN, (.pxn = PRIV_EXEC_NEVER,)) \ } + +/* clang-format on */ #endif struct arm_mpu_region_attr { @@ -287,6 +312,10 @@ struct arm_mpu_region_attr { uint8_t mair_idx: 3; /* Region Limit Address value to be written to the RLAR register. */ uint32_t r_limit; +#ifdef CONFIG_ARM_MPU_PXN + /* To prevent execution of MPU region in privileged mode (Privileged Execute Never) */ + uint8_t pxn; +#endif }; typedef struct arm_mpu_region_attr arm_mpu_region_attr_t; @@ -295,6 +324,10 @@ typedef struct arm_mpu_region_attr arm_mpu_region_attr_t; typedef struct { uint16_t rbar; uint16_t mair_idx; +#ifdef CONFIG_ARM_MPU_PXN + /* To prevent execution of MPU region in privileged mode (Privileged Execute Never) */ + uint8_t pxn; +#endif } k_mem_partition_attr_t; /* Kernel macros for memory attribution @@ -322,6 +355,11 @@ typedef struct { #define K_MEM_PARTITION_P_RWX_U_RWX ((k_mem_partition_attr_t){(P_RW_U_RW_Msk), MPU_MAIR_INDEX_SRAM}) #define K_MEM_PARTITION_P_RX_U_RX ((k_mem_partition_attr_t){(P_RO_U_RO_Msk), MPU_MAIR_INDEX_SRAM}) +#ifdef CONFIG_ARM_MPU_PXN +#define K_MEM_PARTITION_P_R_U_RX \ + ((k_mem_partition_attr_t){(P_RO_U_RO_Msk), MPU_MAIR_INDEX_SRAM, PRIV_EXEC_NEVER}) +#endif + /* * @brief Evaluate Write-ability * diff --git a/include/zephyr/dt-bindings/memory-attr/memory-attr-arm.h b/include/zephyr/dt-bindings/memory-attr/memory-attr-arm.h index 473c43fc7819..607907d6d5de 100644 --- a/include/zephyr/dt-bindings/memory-attr/memory-attr-arm.h +++ b/include/zephyr/dt-bindings/memory-attr/memory-attr-arm.h @@ -1,5 +1,6 @@ /* * Copyright (c) 2023 Carlo Caione + * Copyright 2025 Arm Limited and/or its affiliates * * SPDX-License-Identifier: Apache-2.0 */ @@ -18,23 +19,25 @@ * This is legacy and it should NOT be extended further. If new MPU region * types must be added, these must rely on the generic memory attributes. */ -#define DT_MEM_ARM_MASK DT_MEM_ARCH_ATTR_MASK -#define DT_MEM_ARM_GET(x) ((x) & DT_MEM_ARM_MASK) -#define DT_MEM_ARM(x) ((x) << DT_MEM_ARCH_ATTR_SHIFT) +#define DT_MEM_ARM_MASK DT_MEM_ARCH_ATTR_MASK +#define DT_MEM_ARM_GET(x) ((x) & DT_MEM_ARM_MASK) +#define DT_MEM_ARM(x) ((x) << DT_MEM_ARCH_ATTR_SHIFT) -#define ATTR_MPU_RAM BIT(0) -#define ATTR_MPU_RAM_NOCACHE BIT(1) -#define ATTR_MPU_FLASH BIT(2) -#define ATTR_MPU_PPB BIT(3) -#define ATTR_MPU_IO BIT(4) -#define ATTR_MPU_EXTMEM BIT(5) +#define ATTR_MPU_RAM BIT(0) +#define ATTR_MPU_RAM_NOCACHE BIT(1) +#define ATTR_MPU_FLASH BIT(2) +#define ATTR_MPU_PPB BIT(3) +#define ATTR_MPU_IO BIT(4) +#define ATTR_MPU_EXTMEM BIT(5) +#define ATTR_MPU_RAM_PXN BIT(6) -#define DT_MEM_ARM_MPU_RAM DT_MEM_ARM(ATTR_MPU_RAM) -#define DT_MEM_ARM_MPU_RAM_NOCACHE DT_MEM_ARM(ATTR_MPU_RAM_NOCACHE) -#define DT_MEM_ARM_MPU_FLASH DT_MEM_ARM(ATTR_MPU_FLASH) -#define DT_MEM_ARM_MPU_PPB DT_MEM_ARM(ATTR_MPU_PPB) -#define DT_MEM_ARM_MPU_IO DT_MEM_ARM(ATTR_MPU_IO) -#define DT_MEM_ARM_MPU_EXTMEM DT_MEM_ARM(ATTR_MPU_EXTMEM) -#define DT_MEM_ARM_MPU_UNKNOWN DT_MEM_ARCH_ATTR_UNKNOWN +#define DT_MEM_ARM_MPU_RAM DT_MEM_ARM(ATTR_MPU_RAM) +#define DT_MEM_ARM_MPU_RAM_NOCACHE DT_MEM_ARM(ATTR_MPU_RAM_NOCACHE) +#define DT_MEM_ARM_MPU_FLASH DT_MEM_ARM(ATTR_MPU_FLASH) +#define DT_MEM_ARM_MPU_PPB DT_MEM_ARM(ATTR_MPU_PPB) +#define DT_MEM_ARM_MPU_IO DT_MEM_ARM(ATTR_MPU_IO) +#define DT_MEM_ARM_MPU_EXTMEM DT_MEM_ARM(ATTR_MPU_EXTMEM) +#define DT_MEM_ARM_MPU_RAM_PXN DT_MEM_ARM(ATTR_MPU_RAM_PXN) +#define DT_MEM_ARM_MPU_UNKNOWN DT_MEM_ARCH_ATTR_UNKNOWN #endif /* ZEPHYR_INCLUDE_DT_BINDINGS_MEM_ATTR_ARM_H_ */ diff --git a/soc/arm/mps3/Kconfig b/soc/arm/mps3/Kconfig index 304e8065fcbd..732cbb5811a1 100644 --- a/soc/arm/mps3/Kconfig +++ b/soc/arm/mps3/Kconfig @@ -1,5 +1,5 @@ # Copyright (c) 2017-2021 Linaro Limited -# Copyright 2024 Arm Limited and/or its affiliates +# Copyright 2024-2025 Arm Limited and/or its affiliates # SPDX-License-Identifier: Apache-2.0 config SOC_SERIES_MPS3 @@ -15,6 +15,7 @@ config SOC_MPS3_CORSTONE300 select ARMV8_1_M_MVEI select ARMV8_1_M_MVEF select ARMV8_1_M_PMU + select ARM_MPU_PXN if ARM_MPU config SOC_MPS3_CORSTONE310 select CPU_CORTEX_M85 @@ -25,6 +26,7 @@ config SOC_MPS3_CORSTONE310 select ARMV8_1_M_MVEI select ARMV8_1_M_MVEF select ARMV8_1_M_PMU + select ARM_MPU_PXN if ARM_MPU config ARMV8_1_M_PMU_EVENTCNT int diff --git a/tests/arch/arm/arm_mpu_pxn/CMakeLists.txt b/tests/arch/arm/arm_mpu_pxn/CMakeLists.txt new file mode 100644 index 000000000000..4eb11b09f204 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/CMakeLists.txt @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: Apache-2.0 + +cmake_minimum_required(VERSION 3.20.0) + +find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) +project(arm_mpu_pxn) + +target_sources(app PRIVATE src/main.c) +zephyr_linker_sources_ifdef(CONFIG_SOC_MPS3_CORSTONE300 RAM_SECTIONS mps3_corstone300.ld) +zephyr_linker_sources_ifdef(CONFIG_SOC_MPS3_CORSTONE310 RAM_SECTIONS mps3_corstone310.ld) diff --git a/tests/arch/arm/arm_mpu_pxn/mps3_corstone300.ld b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300.ld new file mode 100644 index 000000000000..b4c676183a17 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300.ld @@ -0,0 +1,11 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + */ + +SECTION_DATA_PROLOGUE(.customramfunc, , ) +{ + *(.customramfunc) * (".customramfunc.*") +} +GROUP_DATA_LINK_IN(SRAM, SRAM) diff --git a/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_an547.overlay b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_an547.overlay new file mode 100644 index 000000000000..7c5a2c576777 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_an547.overlay @@ -0,0 +1,18 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + + +/ { + sram: sram@11000000 { + compatible = "zephyr,memory-region", "mmio-sram"; + reg = <0x11000000 DT_SIZE_M(1)>; + zephyr,memory-region = "SRAM"; + zephyr,memory-attr = <( DT_MEM_ARM(ATTR_MPU_RAM_PXN) )>; + }; +}; diff --git a/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_fvp.overlay b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_fvp.overlay new file mode 100644 index 000000000000..7c5a2c576777 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/mps3_corstone300_fvp.overlay @@ -0,0 +1,18 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + + +/ { + sram: sram@11000000 { + compatible = "zephyr,memory-region", "mmio-sram"; + reg = <0x11000000 DT_SIZE_M(1)>; + zephyr,memory-region = "SRAM"; + zephyr,memory-attr = <( DT_MEM_ARM(ATTR_MPU_RAM_PXN) )>; + }; +}; diff --git a/tests/arch/arm/arm_mpu_pxn/mps3_corstone310.ld b/tests/arch/arm/arm_mpu_pxn/mps3_corstone310.ld new file mode 100644 index 000000000000..945f0f0cc6ff --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/mps3_corstone310.ld @@ -0,0 +1,11 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + */ + +SECTION_DATA_PROLOGUE(.customramfunc, , ) +{ + *(.customramfunc) * (".customramfunc.*") +} +GROUP_DATA_LINK_IN(DTCM, DTCM) diff --git a/tests/arch/arm/arm_mpu_pxn/mps3_corstone310_fvp.overlay b/tests/arch/arm/arm_mpu_pxn/mps3_corstone310_fvp.overlay new file mode 100644 index 000000000000..cb51331990fa --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/mps3_corstone310_fvp.overlay @@ -0,0 +1,18 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include +#include + + +/ { + dtcm: dtcm@30000000 { + compatible = "zephyr,memory-region"; + reg = <0x30000000 DT_SIZE_K(32)>; + zephyr,memory-region = "DTCM"; + zephyr,memory-attr = <( DT_MEM_ARM(ATTR_MPU_RAM_PXN) )>; + }; +}; diff --git a/tests/arch/arm/arm_mpu_pxn/prj.conf b/tests/arch/arm/arm_mpu_pxn/prj.conf new file mode 100644 index 000000000000..12883f869d75 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/prj.conf @@ -0,0 +1,2 @@ +CONFIG_ZTEST=y +CONFIG_ZTEST_FATAL_HOOK=y diff --git a/tests/arch/arm/arm_mpu_pxn/src/main.c b/tests/arch/arm/arm_mpu_pxn/src/main.c new file mode 100644 index 000000000000..690a0018ab17 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/src/main.c @@ -0,0 +1,118 @@ +/* + * Copyright 2025 Arm Limited and/or its affiliates + * + * SPDX-License-Identifier: Apache-2.0 + * + */ + +#include +#include + +#define __customramfunc \ + __attribute__((noinline)) __attribute__((long_call, section(".customramfunc"))) + +/** + * @brief Simple func to verify PXN via DT config since code with + * __customramfunc falls in an MPU region with PXN set + * + */ +__customramfunc bool custom_ram_func(void) +{ + return true; +} + +/** + * @brief This is a simple solution to execute a code with and without PXN set + * because code that falls in `__ramfunc` section has PXN attr set if + * built with CONFIG_USERSPACE and unset otherwise. + */ +__ramfunc bool ram_function(void) +{ + return true; +} + +#ifdef CONFIG_USERSPACE +/** + * @brief Verify that MPU region with PXN attribute set can be executed from + * unprivileged mode. + */ +ZTEST_USER(arm_mpu_pxn, test_arm_mpu_pxn_static_config_user) +{ + volatile bool ramfunc_called = false; + /* + * With CONFIG_USERSPACE + * - this func is called in unprivileged mode + * - and __ramfunc falls in an MPU region which has PXN attribute set + * + * Calling ram_function shouldn't result in an exception. + * This confirms that ram_function though part of a region with PXN attribute set, + * can be called from an unprivileged code. + */ + ramfunc_called = ram_function(); + zassert_true(true == ramfunc_called, + "Executing code in __ramfunc failed in unprivileged mode."); +} +#endif + +/** + * @brief Verify that region marked with PXN attribute via DT can be executed + * from unprivileged mode but cannot be executed from privileged mode. + */ +ZTEST_USER(arm_mpu_pxn, test_arm_mpu_pxn_dt) +{ + volatile bool ramfunc_called = false; +#ifndef CONFIG_USERSPACE + /* + * It is expected that calling ram_function() should result in an exception + * because with CONFIG_USERSPACE, ram_function falls in region with + * PXN attribute set. + */ + ztest_set_fault_valid(true); +#endif + + ramfunc_called = custom_ram_func(); + +#ifdef CONFIG_USERSPACE + zassert_true(1 == ramfunc_called, + "Executing code in __customramfunc failed in unprivileged mode."); +#else + /* + * If calling ram_function didn't result in an MPU fault then, + * PXN isn't working as expected so, fail the test. + */ + ztest_test_fail(); +#endif +} + +/** + * @brief This func is always called in privileged mode so, verify that: + * - region marked with PXN attribute + * cannot be executed from privileged mode + * - and same region when marked without PXN attribute + * can be executed from privileged mode + */ +ZTEST(arm_mpu_pxn, test_arm_mpu_pxn_static_config) +{ + volatile bool ramfunc_called = false; +#ifdef CONFIG_USERSPACE + /* + * It is expected that calling ram_function() should result in an exception + * because with CONFIG_USERSPACE, ram_function falls in region with + * PXN attribute set. + */ + ztest_set_fault_valid(true); +#endif + ramfunc_called = ram_function(); + +#ifdef CONFIG_USERSPACE + /* + * If calling ram_function didn't result in an MPU fault then, + * PXN isn't working as expected so, fail the test. + */ + ztest_test_fail(); +#else + zassert_true(1 == ramfunc_called, "Executing code in __ramfunc failed in privileged mode."); +#endif +} + +ZTEST_SUITE(arm_mpu_pxn, NULL, NULL, NULL, NULL, NULL); diff --git a/tests/arch/arm/arm_mpu_pxn/testcase.yaml b/tests/arch/arm/arm_mpu_pxn/testcase.yaml new file mode 100644 index 000000000000..5d7155afd953 --- /dev/null +++ b/tests/arch/arm/arm_mpu_pxn/testcase.yaml @@ -0,0 +1,20 @@ +common: + filter: CONFIG_ARM_MPU_PXN + tags: + - arm + - mpu + platform_allow: + - mps3/corstone300/an547 + - mps3/corstone300/fvp + # TODO: enable this after CONFIG_USERSPACE is supported for mps3/corstone310 + # - mps3/corstone310/fvp +tests: + # To verify that region marked with PXN attribute can be executed from unprivileged code + # and cannot be executed from privileged code + arch.arm.pxn_with_userspace: + extra_configs: + - CONFIG_USERSPACE=y + # To verify that region marked *without* PXN attribute can be executed from privileged code + arch.arm.pxn_without_userspace: + extra_configs: + - CONFIG_USERSPACE=n diff --git a/tests/arch/common/ramfunc/testcase.yaml b/tests/arch/common/ramfunc/testcase.yaml index 3fba2d861975..89c221511b53 100644 --- a/tests/arch/common/ramfunc/testcase.yaml +++ b/tests/arch/common/ramfunc/testcase.yaml @@ -1,6 +1,6 @@ tests: arch.common.ramfunc: - filter: CONFIG_ARCH_HAS_RAMFUNC_SUPPORT + filter: CONFIG_ARCH_HAS_RAMFUNC_SUPPORT and not CONFIG_ARM_MPU_PXN tags: - arm - userspace