Add ARM userspace infrastructure

arch/arm/core/CMakeLists.txt

@@ -16,6 +16,7 @@ zephyr_sources_ifdef(CONFIG_GEN_SW_ISR_TABLE isr_wrapper.S)
 zephyr_sources_ifdef(CONFIG_CPLUSPLUS __aeabi_atexit.c)
 zephyr_sources_ifdef(CONFIG_IRQ_OFFLOAD irq_offload.c)
 zephyr_sources_ifdef(CONFIG_CPU_CORTEX_M0 irq_relay.S)
+zephyr_sources_ifdef(CONFIG_USERSPACE userspace.S)
 
 add_subdirectory_ifdef(CONFIG_CPU_CORTEX_M cortex_m)
 add_subdirectory_ifdef(CONFIG_CPU_HAS_MPU  cortex_m/mpu)

arch/arm/core/Kconfig

@@ -23,7 +23,7 @@ config CPU_CORTEX_M
 	select HAS_FLASH_LOAD_OFFSET
 	select HAS_DTS
 	select ARCH_HAS_STACK_PROTECTION if ARM_CORE_MPU
-	select ARCH_HAS_USERSPACE if ARM_USERSPACE
+	select ARCH_HAS_USERSPACE if ARM_CORE_MPU
 	help
 	  This option signifies the use of a CPU of the Cortex-M family.
 
@@ -42,14 +42,6 @@ config ARM_STACK_PROTECTION
 	  This option enables MPU stack guard to cause a system fatal error
 	  if the bounds of the current process stack are overflowed.
 
-config ARM_USERSPACE
-	bool
-	default n
-	help
-	  This option enables APIs to drop a thread's privileges,	supporting
-	  user-level threads that are protected from each other and from
-	  crashing the kernel.
-
 menu "Architectue Floating Point Options"
 depends on CPU_HAS_FPU
 

arch/arm/core/cortex_m/mpu/Kconfig

@@ -27,6 +27,7 @@ config ARM_MPU
 	depends on SOC_FAMILY_ARM || SOC_FAMILY_STM32 || SOC_FAMILY_NRF5 || SOC_FAMILY_IMX
 	select ARM_CORE_MPU
 	select ARCH_HAS_EXECUTABLE_PAGE_BIT
+	select MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT
 	default n
 	help
 	  MCU has ARM MPU

arch/arm/core/cortex_m/mpu/arm_core_mpu.c

@@ -23,15 +23,39 @@
  */
 void configure_mpu_stack_guard(struct k_thread *thread)
 {
+	u32_t guard_size = MPU_GUARD_ALIGN_AND_SIZE;
+#if defined(CONFIG_USERSPACE)
+	u32_t guard_start = thread->arch.priv_stack_start ?
+			    (u32_t)thread->arch.priv_stack_start :
+			    (u32_t)thread->stack_obj;
+#else
+	u32_t guard_start = thread->stack_info.start;
+#endif
+
 	arm_core_mpu_disable();
-	arm_core_mpu_configure(THREAD_STACK_GUARD_REGION,
-			thread->stack_info.start - MPU_GUARD_ALIGN_AND_SIZE,
-			thread->stack_info.size);
+	arm_core_mpu_configure(THREAD_STACK_GUARD_REGION, guard_start,
+			       guard_size);
 	arm_core_mpu_enable();
 }
 #endif
 
 #if defined(CONFIG_USERSPACE)
+/*
+ * @brief Configure MPU user context
+ *
+ * This function configures the thread's user context.
+ * The functionality is meant to be used during context switch.
+ *
+ * @param thread thread info data structure.
+ */
+void configure_mpu_user_context(struct k_thread *thread)
+{
+	SYS_LOG_DBG("configure user thread %p's context", thread);
+	arm_core_mpu_disable();
+	arm_core_mpu_configure_user_context(thread);
+	arm_core_mpu_enable();
+}
+
 /*
  * @brief Configure MPU memory domain
  *

arch/arm/core/cortex_m/mpu/arm_mpu.c

@@ -12,6 +12,7 @@
 #include <arch/arm/cortex_m/mpu/arm_mpu.h>
 #include <arch/arm/cortex_m/mpu/arm_core_mpu.h>
 #include <logging/sys_log.h>
+#include <linker/linker-defs.h>
 
 #define ARM_MPU_DEV ((volatile struct arm_mpu *) ARM_MPU_BASE)
 
@@ -31,18 +32,52 @@ static inline u32_t _get_region_attr(u32_t xn, u32_t ap, u32_t tex,
 		| (c << 17) | (b << 16) | (srd << 5) | (size));
 }
 
+/**
+ * This internal function converts the region size to
+ * the SIZE field value of MPU_RASR.
+ */
+static inline u32_t _size_to_mpu_rasr_size(u32_t size)
+{
+	/* The minimal supported region size is 32 bytes */
+	if (size <= 32) {
+		return REGION_32B;
+	}
+
+	/*
+	 * A size value greater than 2^31 could not be handled by
+	 * round_up_to_next_power_of_two() properly. We handle
+	 * it separately here.
+	 */
+	if (size > (1 << 31)) {
+		return REGION_4G;
+	}
+
+	size = 1 << (32 - __builtin_clz(size - 1));
+	return (32 - __builtin_clz(size) - 2) << 1;
+}
+
+
 /**
  * This internal function is utilized by the MPU driver to parse the intent
  * type (i.e. THREAD_STACK_REGION) and return the correct parameter set.
  */
 static inline u32_t _get_region_attr_by_type(u32_t type, u32_t size)
 {
+	int region_size = _size_to_mpu_rasr_size(size);
+
 	switch (type) {
+	case THREAD_STACK_USER_REGION:
+		return _get_region_attr(1, P_RW_U_RW, 0, 1, 0,
+					1, 0, region_size);
 	case THREAD_STACK_REGION:
-		return 0;
+		return _get_region_attr(1, P_RW_U_RW, 0, 1, 0,
+					1, 0, region_size);
 	case THREAD_STACK_GUARD_REGION:
-		return _get_region_attr(1, P_RO_U_RO, 0, 1, 0,
-					1, 0, REGION_32B);
+		return _get_region_attr(1, P_RO_U_NA, 0, 1, 0,
+					1, 0, region_size);
+	case THREAD_APP_DATA_REGION:
+		return _get_region_attr(1, P_RW_U_RW, 0, 1, 0,
+					1, 0, region_size);
 	default:
 		/* Size 0 region */
 		return 0;
@@ -67,6 +102,7 @@ static void _region_init(u32_t index, u32_t region_addr,
 	ARM_MPU_DEV->rbar = (region_addr & REGION_BASE_ADDR_MASK)
 				| REGION_VALID | index;
 	ARM_MPU_DEV->rasr = region_attr | REGION_ENABLE;
+	SYS_LOG_DBG("[%d] 0x%08x 0x%08x", index, region_addr, region_attr);
 }
 
 /**
@@ -82,64 +118,30 @@ static inline u32_t _get_region_index_by_type(u32_t type)
 	 * index.
 	 */
 	switch (type) {
+	case THREAD_STACK_USER_REGION:
+		return mpu_config.num_regions + THREAD_STACK_REGION - 1;
 	case THREAD_STACK_REGION:
-		return mpu_config.num_regions + type - 1;
 	case THREAD_STACK_GUARD_REGION:
+	case THREAD_APP_DATA_REGION:
 		return mpu_config.num_regions + type - 1;
 	case THREAD_DOMAIN_PARTITION_REGION:
-#if defined(CONFIG_MPU_STACK_GUARD)
+#if defined(CONFIG_USERSPACE)
 		return mpu_config.num_regions + type - 1;
+#elif defined(CONFIG_MPU_STACK_GUARD)
+		return mpu_config.num_regions + type - 2;
 #else
 		/*
 		 * Start domain partition region from stack guard region
 		 * since stack guard is not enabled.
 		 */
-		return mpu_config.num_regions + type - 2;
+		return mpu_config.num_regions + type - 3;
 #endif
 	default:
 		__ASSERT(0, "Unsupported type");
 		return 0;
 	}
 }
 
-static inline u32_t round_up_to_next_power_of_two(u32_t v)
-{
-	v--;
-	v |= v >> 1;
-	v |= v >> 2;
-	v |= v >> 4;
-	v |= v >> 8;
-	v |= v >> 16;
-	v++;
-
-	return v;
-}
-
-/**
- * This internal function converts the region size to
- * the SIZE field value of MPU_RASR.
- */
-static inline u32_t _size_to_mpu_rasr_size(u32_t size)
-{
-	/* The minimal supported region size is 32 bytes */
-	if (size <= 32) {
-		return REGION_32B;
-	}
-
-	/*
-	 * A size value greater than 2^31 could not be handled by
-	 * round_up_to_next_power_of_two() properly. We handle
-	 * it separately here.
-	 */
-	if (size > (1 << 31)) {
-		return REGION_4G;
-	}
-
-	size = round_up_to_next_power_of_two(size);
-
-	return (find_msb_set(size) - 2) << 1;
-}
-
 /**
  * This internal function check if region is enabled or not
  */
@@ -182,6 +184,11 @@ static inline int _is_user_accessible_region(u32_t r_index, int write)
 	ARM_MPU_DEV->rnr = r_index;
 	r_ap = ARM_MPU_DEV->rasr & ACCESS_PERMS_MASK;
 
+	/* always return true if this is the thread stack region */
+	if (_get_region_index_by_type(THREAD_STACK_REGION) == r_index) {
+		return 1;
+	}
+
 	if (write) {
 		return r_ap == P_RW_U_RW;
 	}
@@ -240,6 +247,33 @@ void arm_core_mpu_configure(u8_t type, u32_t base, u32_t size)
 }
 
 #if defined(CONFIG_USERSPACE)
+void arm_core_mpu_configure_user_context(struct k_thread *thread)
+{
+	u32_t base = (u32_t)thread->stack_obj;
+	u32_t size = thread->stack_info.size;
+	u32_t index = _get_region_index_by_type(THREAD_STACK_USER_REGION);
+	u32_t region_attr = _get_region_attr_by_type(THREAD_STACK_USER_REGION,
+						     size);
+
+	if (!thread->arch.priv_stack_start) {
+		ARM_MPU_DEV->rnr = index;
+		ARM_MPU_DEV->rbar = 0;
+		ARM_MPU_DEV->rasr = 0;
+		return;
+	}
+	/* configure stack */
+	_region_init(index, base, region_attr);
+
+#if defined(CONFIG_APPLICATION_MEMORY)
+	/* configure app data portion */
+	index = _get_region_index_by_type(THREAD_APP_DATA_REGION);
+	size = (u32_t)&__app_ram_end - (u32_t)&__app_ram_start;
+	region_attr = _get_region_attr_by_type(THREAD_APP_DATA_REGION, size);
+	if (size > 0)
+		_region_init(index, (u32_t)&__app_ram_start, region_attr);
+#endif
+}
+
 /**
  * @brief configure MPU regions for the memory partitions of the memory domain
  *