Gaurav-Aggarwal-AWS [Thu, 23 Nov 2023 05:15:58 +0000 (10:45 +0530)]
Add Access Control List to MPU ports (#897)
This PR adds Access Control to kernel objects on a per task basis to MPU
ports. The following needs to be defined in the `FreeRTOSConfig.h` to
enable this feature:
An unprivileged task by default has access to itself only and no other
kernel object. The application writer needs to explicitly grant an
unprivileged task access to all the kernel objects it needs. The best
place to do that is before starting the scheduler when all the kernel
objects are created.
For example, let's say an unprivileged tasks needs access to a queue and
an event group, the application writer needs to do the following:
The application writer MUST revoke all the accesses before deleting a
task. Failing to do so will result in undefined behavior. In the above
example, the application writer needs to make the following 2 calls
before deleting the task:
Gaurav-Aggarwal-AWS [Tue, 21 Nov 2023 13:12:23 +0000 (18:42 +0530)]
Update system call entry mechanism (#896)
Earlier the System Call entry from an unprivileged task looked like:
1. SVC for entering system call.
2. System call implementation.
3. SVC for exiting system call.
Now, the system call entry needs to make only one system call
and everything else is handled internally.
This PR also makes the following small changes:
1. Add one struct param for system calls with 5 parameters. This
removes the need for special handling for system calls with 5
parameters.
2. Remove raise privilege SVC when MPU wrapper v2 is used.
3. Add additional run time parameter checks to MPU wrappers
for xTaskGenericNotify and xQueueTakeMutexRecursive APIs.
These changes are tested on the following platforms:
1. STM32H743ZI (Cortex-M7)
2. STM32L152RE (Cortex-M3)
3. Nuvoton M2351 (Cortex-M23)
4. NXP LPC55S69 (Cortex-M33)
kar-rahul-aws [Thu, 17 Aug 2023 13:23:42 +0000 (18:53 +0530)]
Add runtime parameter checks (#758)
* Add runtime parameter checks
This commit adds runtime checks for function parameters
to mpu_wrappers_v2 file. The same checks are performed
in the API implementation using asserts.
This commit introduces a new MPU wrapper that places additional
restrictions on unprivileged tasks. The following is the list of changes
introduced with the new MPU wrapper:
1. Opaque and indirectly verifiable integers for kernel object handles:
All the kernel object handles (for example, queue handles) are now
opaque integers. Previously object handles were raw pointers.
2. Saving the task context in Task Control Block (TCB): When a task is
swapped out by the scheduler, the task's context is now saved in its
TCB. Previously the task's context was saved on its stack.
3. Execute system calls on a separate privileged only stack: FreeRTOS
system calls, which execute with elevated privilege, now use a
separate privileged only stack. Previously system calls used the
calling task's stack. The application writer can control the size of
the system call stack using new configSYSTEM_CALL_STACK_SIZE config
macro.
4. Memory bounds checks: FreeRTOS system calls which accept a pointer
and de-reference it, now verify that the calling task has required
permissions to access the memory location referenced by the pointer.
5. System call restrictions: The following system calls are no longer
available to unprivileged tasks:
- vQueueDelete
- xQueueCreateMutex
- xQueueCreateMutexStatic
- xQueueCreateCountingSemaphore
- xQueueCreateCountingSemaphoreStatic
- xQueueGenericCreate
- xQueueGenericCreateStatic
- xQueueCreateSet
- xQueueRemoveFromSet
- xQueueGenericReset
- xTaskCreate
- xTaskCreateStatic
- vTaskDelete
- vTaskPrioritySet
- vTaskSuspendAll
- xTaskResumeAll
- xTaskGetHandle
- xTaskCallApplicationTaskHook
- vTaskList
- vTaskGetRunTimeStats
- xTaskCatchUpTicks
- xEventGroupCreate
- xEventGroupCreateStatic
- vEventGroupDelete
- xStreamBufferGenericCreate
- xStreamBufferGenericCreateStatic
- vStreamBufferDelete
- xStreamBufferReset
Also, an unprivileged task can no longer use vTaskSuspend to suspend
any task other than itself.
We thank the following people for their inputs in these enhancements:
- David Reiss of Meta Platforms, Inc.
- Lan Luo, Xinhui Shao, Yumeng Wei, Zixia Liu, Huaiyu Yan and Zhen Ling
of School of Computer Science and Engineering, Southeast University,
China.
- Xinwen Fu of Department of Computer Science, University of
Massachusetts Lowell, USA.
- Yuequi Chen, Zicheng Wang, Minghao Lin of University of Colorado
Boulder, USA.
Patrick Cook [Mon, 10 Jul 2023 22:08:59 +0000 (15:08 -0700)]
Fix circular dependency in CMake project (#700)
* Fix circular dependency in cmake project
Fix for https://github.com/FreeRTOS/FreeRTOS-Kernel/issues/687
In order for custom ports to also break the cycle, they must link
against freertos_kernel_include instead of freertos_kernel.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Armv8-M: Add support for interrupt priority check
FreeRTOS provides `FromISR` system calls which can be called directly
from interrupt service routines. It is crucial that the priority of
these ISRs is set to same or lower value (numerically higher) than that
of `configMAX_SYSCALL_INTERRUPT_PRIORITY`. For more information refer
to https://www.FreeRTOS.org/RTOS-Cortex-M3-M4.html.
Add a check to trigger an assert when an ISR with priority higher
(numerically lower) than `configMAX_SYSCALL_INTERRUPT_PRIORITY` calls
`FromISR` system calls if `configASSERT` macro is defined.
In addition, add a config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` to disable interrupt
priority check while running on QEMU. Based on the discussion
https://gitlab.com/qemu-project/qemu/-/issues/1122, The interrupt
priority bits in QEMU do not match the real hardware. Therefore the
assert that checks the number of implemented bits and __NVIC_PRIO_BITS
will always fail. The config option
`configQEMU_DISABLE_INTERRUPT_PRIO_BITS_CHECK` should be defined in the
`FreeRTOSConfig.h` for QEMU targets.
Signed-off-by: Devaraj Ranganna <devaraj.ranganna@arm.com>
* Use SHPR2 for calculating interrupt priority bits
This removes the dependency on the secure software to mark the interrupt
as non-secure.
Paul Bartell [Thu, 20 Apr 2023 05:24:54 +0000 (22:24 -0700)]
ARMv7M: Adjust implemented priority bit assertions (#665)
Adjust assertions related to the CMSIS __NVIC_PRIO_BITS and FreeRTOS
configPRIO_BITS configuration macros such that these macros specify the
minimum number of implemented priority bits supported by a config
build rather than the exact number of implemented priority bits.
Vo Trung Chi [Tue, 4 Apr 2023 15:10:54 +0000 (22:10 +0700)]
fix conversion warning (#658)
FreeRTOS-Kernel/portable/GCC/ARM_CM4F/port.c:399:41: error: conversion from 'uint32_t' {aka 'long unsigned int'} to 'uint8_t' {aka 'unsigned char'} may change value [-Werror=conversion]
Signed-off-by: Vo Trung Chi <chi.votrung@vn.bosch.com>
Gaurav-Aggarwal-AWS [Tue, 28 Mar 2023 11:31:37 +0000 (17:01 +0530)]
Only add alignment padding when needed (#650)
Heap 4 and Heap 5 add some padding to ensure that the allocated blocks
are always aligned to portBYTE_ALIGNMENT bytes. The code until now was
adding padding always even if the resulting block was already aligned.
This commits updates the code to only add padding if the resulting block
is not aligned.
Darian [Wed, 22 Mar 2023 22:27:57 +0000 (06:27 +0800)]
Add functions to get the buffers of statically created objects (#641)
Added various ...GetStaticBuffer() functions to get the buffers of statically
created objects.
--------- Co-authored-by: Paul Bartell <pbartell@amazon.com> Co-authored-by: Nikhil Kamath <110539926+amazonKamath@users.noreply.github.com> Co-authored-by: Gaurav Aggarwal <aggarg@amazon.com>
Gaurav-Aggarwal-AWS [Fri, 17 Mar 2023 02:52:34 +0000 (08:22 +0530)]
Run kernel demos and unit tests for PR changes (#645)
* Run kernel demos and unit tests for PR changes
Kernel demos check builds multiple demos from FreeRTOS/FreeRTOS and
unit tests check runs unit tests in FreeRTOS/FreeRTOS. Both of these
checks currently use main branch of FreeRTOS-Kernel. This commits
updates these checks to use the changes in the PR.
Signed-off-by: Gaurav Aggarwal <aggarg@amazon.com>
* Do not specify PR SHA explicitly as that is default
Kody Stribrny [Tue, 7 Mar 2023 04:04:15 +0000 (20:04 -0800)]
Fix freertos_kernel cmake property, Posix Port (#640)
* Fix freertos_kernel cmake property, Posix Port
* Moves the `set_property()` call below the target definition in top level CMakeLists file
* Corrects billion value from `ULL` suffix (not C90 compliant) to `UL` suffix with cast to uint64_t
Paul Bartell [Mon, 6 Mar 2023 16:19:28 +0000 (08:19 -0800)]
Enable building the GCC Cortex-R5 port without an FPU (#586)
* Ensure configUSE_TASK_FPU_SUPPORT option is set correctly
If one does enable the FPU of the Cortex-R5 processor, then the GCC
compiler will define the macro __ARM_FP. This can be used to ensure,
that the configUSE_TASK_FPU_SUPPORT is set accordingly.
* Enable the implementation of vPortTaskUsesFPU only if configUSE_TASK_FPU_SUPPORT is set to 1
* Remove error case in pxPortInitialiseStack
The case of configUSE_TASK_FPU_SUPPORT is 0 is now handled
* Enable access to FPU registers only if FPU is enabled
Keith Packard [Mon, 6 Mar 2023 06:29:39 +0000 (22:29 -0800)]
Fix TLS and stack alignment when using picolibc (#637)
Both the TLS block and stack must be correctly aligned when using
picolibc. The architecture stack alignment is represented by the
portBYTE_ALIGNMENT_MASK and the TLS block alignment is provided by the
Picolibc _tls_align() inline function for Picolibc version 1.8 and
above. For older versions of Picolibc, we'll assume that the TLS block
requires the same alignment as the stack.
For downward growing stacks, this requires aligning the start of the
TLS block to the maximum of the stack alignment and the TLS
alignment. With this, both the TLS block and stack will now be
correctly aligned.
For upward growing stacks, the two areas must be aligned
independently; the TLS block is aligned from the start of the stack,
then the tls space is allocated, and then the stack is aligned above
that.
It's probably useful to know here that the linker ensures that
variables within the TLS block are assigned offsets that match their
alignment requirements. If the TLS block itself is correctly aligned,
then everything within will also be.
I have only tested the downward growing stack branch of this patch.
Signed-off-by: Keith Packard <keithpac@amazon.com> Co-authored-by: Keith Packard <keithpac@amazon.com> Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
Chris Copeland [Thu, 2 Mar 2023 17:49:56 +0000 (09:49 -0800)]
Interrupt priority assert improvements for CM3/4/7 (#602)
* Interrupt priority assert improvements for CM3/4/7
In the ARM_CM3, ARM_CM4, and ARM_CM7 ports, change the assertion that
`configMAX_SYSCALL_INTERRUPT_PRIORITY` is nonzero to account for the
number of priority bits implemented by the hardware.
Change these ports to also use the lowest priority for PendSV and
SysTick, ignoring `configKERNEL_INTERRUPT_PRIORITY`.
* Remove not needed configKERNEL_INTERRUPT_PRIORITY define
Keith Packard [Thu, 2 Mar 2023 16:26:04 +0000 (08:26 -0800)]
Add Thread Local Storage (TLS) support using Picolibc functions (#343)
* Pass top of stack to configINIT_TLS_BLOCK
Picolibc wants to allocate the per-task TLS block within the stack
segment, so it will need to modify the top of stack value. Pass the
pxTopOfStack variable to make this explicit.
Signed-off-by: Keith Packard <keithpac@amazon.com>
* Move newlib-specific definitions to separate file
This reduces the clutter in FreeRTOS.h caused by having newlib-specific
macros present there.
Signed-off-by: Keith Packard <keithpac@amazon.com>
* Make TLS code depend only on configUSE_C_RUNTIME_TLS_SUPPORT
Remove reference to configUSE_NEWLIB_REENTRANT as that only works
when using newlib. configUSE_C_RUNTIME_TLS_SUPPORT is always
set when configUSE_NEWLIB_REENTRANT is set, so using both was
redundant in that case.
Signed-off-by: Keith Packard <keithpac@amazon.com>
* portable-ARC: Adapt ARC support to use generalized TLS support
With generalized thread local storage (TLS) support present in the
core, the two ARC ports need to have the changes to the TCB mirrored
to them.
Signed-off-by: Keith Packard <keithpac@amazon.com>
* Add Thread Local Storage (TLS) support using Picolibc functions
This patch provides definitions of the general TLS support macros in
terms of the Picolibc TLS support functions.
Picolibc is normally configured to use TLS internally for all
variables that are intended to be task-local, so these changes are
necessary for picolibc to work correctly with FreeRTOS.
The picolibc helper functions rely on elements within the linker
script to arrange the TLS data in memory and define some symbols.
Applications wanting to use this mechanism will need changes in their
linker script when migrating to picolibc.
Signed-off-by: Keith Packard <keithpac@amazon.com>
---------
Signed-off-by: Keith Packard <keithpac@amazon.com> Co-authored-by: Keith Packard <keithpac@amazon.com> Co-authored-by: Gaurav-Aggarwal-AWS <33462878+aggarg@users.noreply.github.com>
Gaurav-Aggarwal-AWS [Thu, 23 Feb 2023 04:07:42 +0000 (09:37 +0530)]
Fix build failure introduced in PR #597 (#629)
The PR #597 introduced a new config option configTICK_TYPE_WIDTH_IN_BITS
which can be defined to one of the following:
* TICK_TYPE_WIDTH_16_BITS - Tick type is 16 bit wide.
* TICK_TYPE_WIDTH_32_BITS - Tick type is 32 bit wide.
* TICK_TYPE_WIDTH_64_BITS - Tick type is 64 bit wide.
Earlier we supported 16 and 32 bit width for tick type which was
controlled using the config option configUSE_16_BIT_TICKS. The PR
tried to maintain backward compatibility by honoring
configUSE_16_BIT_TICKS. The backward compatibility did not work as
expected though, as the macro configTICK_TYPE_WIDTH_IN_BITS was used
before it was defined. This PR addresses it by ensuring that the macro
configTICK_TYPE_WIDTH_IN_BITS is defined before it is used.
Testing
1. configUSE_16_BIT_TICKS is defined to 0.
It is clear from assembly that the tick type is 32 bit.
5. configTICK_TYPE_WIDTH_IN_BITS is defined to TICK_TYPE_WIDTH_64_BITS.
```
#error configTICK_TYPE_WIDTH_IN_BITS set to unsupported tick type width.
```
The testing was done for GCC/ARM_CM3 port which does not support 64 bit
tick type.
6. Neither configUSE_16_BIT_TICKS nor configTICK_TYPE_WIDTH_IN_BITS
defined.
```
#error Missing definition: One of configUSE_16_BIT_TICKS and
configTICK_TYPE_WIDTH_IN_BITS must be defined in FreeRTOSConfig.h.
See the Configuration section of the FreeRTOS API documentation for
details.
```
7. Both configUSE_16_BIT_TICKS and configTICK_TYPE_WIDTH_IN_BITS defined.
```
#error Only one of configUSE_16_BIT_TICKS and
configTICK_TYPE_WIDTH_IN_BITS must be defined in FreeRTOSConfig.h.
See the Configuration section of the FreeRTOS API documentation for
details.
```
Related issue - https://github.com/FreeRTOS/FreeRTOS-Kernel/issues/628
bbain [Mon, 13 Feb 2023 04:58:20 +0000 (15:58 +1100)]
Introduce portMEMORY_BARRIER for Microblaze port. (#621)
The introduction of `portMEMORY_BARRIER` will ensure
the places in the kernel use a barrier will work.
For example, `xTaskResumeAll` has a memory barrier
to ensure its correctness when compiled with optimization
enabled. Without the barrier `xTaskResumeAll` can fail
(e.g. start reading and writing to address 0 and/or
infinite looping) when `xPendingReadyList` contains more
than one task to restore.
In `xTaskResumeAll` the compiler chooses to cache the
`pxTCB` the first time through the loop for use
in every subsequent loop. This is incorrect as the
removal of `pxTCB->xEventListItem` will actually
change the value of `pxTCB` if it was read again
at the top of the loop. The barrier forces the compiler
to read `pxTCB` again at the top of the loop.
The compiler is operating correctly. The removal
`pxTCB->xEventListItem` executes on a `List_t *`
and `ListItem_t *`. This means that the compiler
can assume that any `MiniListItem_t` values are
unchanged by the loop (i.e. "strict-aliasing").
This allows the compiler to cache `pxTCB` as it
is obtained via a `MiniListItem_t`. This is incorrect
in this case because it is possible for a `ListItem_t *`
to actually alias a `MiniListItem_t`. This is technically
a "violation of aliasing rules" so we use the the barrier
to disable the strict-aliasing optimization in this loop.
Chris Copeland [Thu, 19 Jan 2023 22:46:42 +0000 (14:46 -0800)]
Add ulTaskGetRunTimeCounter and ulTaskGetRunTimePercent (#611)
Allow ulTaskGetIdleRunTimeCounter and ulTaskGetIdleRunTimePercent to be
used whenever configGENERATE_RUN_TIME_STATS is enabled, as this is the
only requirement for these functions to work.
Archit Gupta [Thu, 15 Dec 2022 21:46:32 +0000 (21:46 +0000)]
Fix array-bounds compiler warning on gcc11+ in list.h (#580)
listGET_OWNER_OF_NEXT_ENTRY computes `( pxConstList )->pxIndex->pxNext` after
verifying that `( pxConstList )->pxIndex` points to `xListEnd`, which due to
being a MiniListItem_t, can be shorter than a ListItem_t. Thus,
`( pxConstList )->pxIndex` is a `ListItem_t *` that extends past the end of the
`List_t` whose `xListEnd` it points to. This is fixed by accessing `pxNext`
through a `MiniListItem_t` instead.
begriffs.com / projects / freertos / log