arm: userspace: Add ARM userspace infrastructure

This patch adds support for userspace on ARM architectures.  Arch
specific calls for transitioning threads to user mode, system calls,
and associated handlers.

Signed-off-by: Andy Gross <[email protected]>

Author: Andy Gross

arch/arm/core/CMakeLists.txt

@@ -16,6 +16,7 @@ zephyr_sources_ifdef(CONFIG_GEN_SW_ISR_TABLE isr_wrapper.S)
 zephyr_sources_ifdef(CONFIG_CPLUSPLUS __aeabi_atexit.c)
 zephyr_sources_ifdef(CONFIG_IRQ_OFFLOAD irq_offload.c)
 zephyr_sources_ifdef(CONFIG_CPU_CORTEX_M0 irq_relay.S)
+zephyr_sources_ifdef(CONFIG_USERSPACE userspace.S)
 
 add_subdirectory_ifdef(CONFIG_CPU_CORTEX_M cortex_m)
 add_subdirectory_ifdef(CONFIG_CPU_HAS_MPU  cortex_m/mpu)

arch/arm/core/Kconfig

@@ -23,7 +23,7 @@ config CPU_CORTEX_M
 	select HAS_FLASH_LOAD_OFFSET
 	select HAS_DTS
 	select ARCH_HAS_STACK_PROTECTION if ARM_CORE_MPU
-	select ARCH_HAS_USERSPACE if ARM_USERSPACE
+	select ARCH_HAS_USERSPACE if ARM_CORE_MPU
 	help
 	  This option signifies the use of a CPU of the Cortex-M family.
 
@@ -42,14 +42,6 @@ config ARM_STACK_PROTECTION
 	  This option enables MPU stack guard to cause a system fatal error
 	  if the bounds of the current process stack are overflowed.
 
-config ARM_USERSPACE
-	bool
-	default n
-	help
-	  This option enables APIs to drop a thread's privileges,	supporting
-	  user-level threads that are protected from each other and from
-	  crashing the kernel.
-
 menu "Architectue Floating Point Options"
 depends on CPU_HAS_FPU
 

arch/arm/core/cortex_m/mpu/arm_core_mpu.c

@@ -23,10 +23,18 @@
  */
 void configure_mpu_stack_guard(struct k_thread *thread)
 {
+	u32_t guard_size = MPU_GUARD_ALIGN_AND_SIZE;
+#if defined(CONFIG_USERSPACE)
+	u32_t guard_start = thread->arch.priv_stack_start ?
+			    (u32_t)thread->arch.priv_stack_start :
+			    (u32_t)thread->stack_obj;
+#else
+	u32_t guard_start = thread->stack_info.start;
+#endif
+
 	arm_core_mpu_disable();
-	arm_core_mpu_configure(THREAD_STACK_GUARD_REGION,
-			thread->stack_info.start - MPU_GUARD_ALIGN_AND_SIZE,
-			thread->stack_info.size);
+	arm_core_mpu_configure(THREAD_STACK_GUARD_REGION, guard_start,
+			       guard_size);
 	arm_core_mpu_enable();
 }
 #endif

arch/arm/core/fatal.c

@@ -87,3 +87,14 @@ void _do_kernel_oops(const NANO_ESF *esf)
 {
 	_NanoFatalErrorHandler(esf->r0, esf);
 }
+
+FUNC_NORETURN void _arch_syscall_oops(void *ssf_ptr)
+{
+	u32_t *ssf_contents = ssf_ptr;
+	NANO_ESF oops_esf = { 0 };
+
+	oops_esf.pc = ssf_contents[3];
+
+	_do_kernel_oops(&oops_esf);
+	CODE_UNREACHABLE;
+}

arch/arm/core/offsets/offsets.c

@@ -30,6 +30,7 @@ GEN_OFFSET_SYM(_thread_arch_t, basepri);
 GEN_OFFSET_SYM(_thread_arch_t, swap_return_value);
 
 #ifdef CONFIG_USERSPACE
+GEN_OFFSET_SYM(_thread_arch_t, mode);
 GEN_OFFSET_SYM(_thread_arch_t, priv_stack_start);
 #endif
 

arch/arm/core/swap.S

@@ -23,6 +23,7 @@ GTEXT(__swap)
 GTEXT(__svc)
 GTEXT(__pendsv)
 GTEXT(_do_kernel_oops)
+GTEXT(_arm_do_syscall)
 GDATA(_k_neg_eagain)
 
 GDATA(_kernel)
@@ -176,12 +177,24 @@ _thread_irq_disabled:
 #endif /* CONFIG_MPU_STACK_GUARD */
 
 #ifdef CONFIG_USERSPACE
+    /* restore mode */
+    ldr r0, [r2, #_thread_offset_to_mode]
+    mrs r3, CONTROL
+    bic r3, #1
+    orr r3, r0
+    msr CONTROL, r3
+
     /* r2 contains k_thread */
     add r0, r2, #0
     push {r2, lr}
     blx configure_mpu_mem_domain
     pop {r2, lr}
-#endif /* CONFIG_USERSPACE */
+
+    add r0, r2, #0
+    push {r2, lr}
+    blx configure_mpu_user_context
+    pop {r2, lr}
+#endif
 
     /* load callee-saved + psp from thread */
     add r0, r2, #_thread_offset_to_callee_saved
@@ -268,7 +281,6 @@ _oops:
  */
 
 SECTION_FUNC(TEXT, __svc)
-
     tst lr, #0x4    /* did we come from thread mode ? */
     ite eq  /* if zero (equal), came from handler mode */
         mrseq r0, MSP   /* handler mode, stack frame is on MSP */
@@ -283,10 +295,26 @@ SECTION_FUNC(TEXT, __svc)
     * 0: context switch
     * 1: irq_offload (if configured)
     * 2: kernel panic or oops (software generated fatal exception)
+    * 3: System call
     * Planned implementation of system calls for memory protection will
     * expand this case.
     */
     ands r1, #0xff
+#if CONFIG_USERSPACE
+    mrs r2, CONTROL
+
+    cmp r1, #3
+    beq _do_syscall
+
+    /*
+     * check that we are privileged before invoking other SVCs
+     * oops if we are unprivileged
+     */
+    tst r2, #0x1
+    bne _oops
+
+    cmp r1, #0
+#endif
     beq _context_switch
 
     cmp r1, #2
@@ -324,6 +352,46 @@ _oops:
     blx _do_kernel_oops
     pop {pc}
 
+#if CONFIG_USERSPACE
+    /*
+     * System call will setup a jump to the _do_arm_syscall function
+     * when the SVC returns via the bx lr.
+     *
+     * There is some trickery involved here because we have to preserve
+     * the original LR value so that we can return back to the caller of
+     * the SVC.
+     *
+     * On SVC exeption, the stack looks like the following:
+     * r0 - r1 - r2 - r3 - r12 - LR - PC - PSR
+     * r5 - r6 - call id - saved LR
+     *
+     */
+_do_syscall:
+    ldr r1, [r0, #24]   /* grab address of PC from stack frame */
+    str r1, [r0, #44]   /* store address to use for LR after syscall */
+    ldr r1, =_arm_do_syscall
+    str r1, [r0, #24]   /* overwrite the LR to point to _arm_do_syscall */
+
+    /* validate syscall limit, only set priv mode if valid */
+    ldr ip, =_SYSCALL_LIMIT
+    ldr r1, [r0, #40]
+    cmp r1, ip
+    blt valid_syscall_id
+
+    /* bad syscall id.  Set arg0 to bad id and set call_id to SYSCALL_BAD */
+    str r1, [r0, #0]
+    ldr r1, =_SYSCALL_BAD
+    str r1, [r0, #40]
+
+valid_syscall_id:
+    /* set mode to privileged, r2 still contains value from CONTROL */
+    bic r2, #1
+    msr CONTROL, r2
+
+    /* return from SVC to the modified LR - _arm_do_syscall */
+    bx lr
+#endif
+
 #else
 #error Unknown ARM architecture
 #endif /* CONFIG_ARMV6_M_ARMV8_M_BASELINE */
@@ -381,6 +449,13 @@ SECTION_FUNC(TEXT, __swap)
     ldr r2, [r1, #_kernel_offset_to_current]
     str r0, [r2, #_thread_offset_to_basepri]
 
+#ifdef CONFIG_USERSPACE
+    mrs r0, CONTROL
+    movs r3, #1
+    ands r0, r3
+    str r0, [r2, #_thread_offset_to_mode]
+#endif
+
     /*
      * Set __swap()'s default return code to -EAGAIN. This eliminates the need
      * for the timeout code to set it itself.

arch/arm/core/thread.c

@@ -19,6 +19,10 @@
 #include <string.h>
 #endif /* CONFIG_INIT_STACKS */
 
+#ifdef CONFIG_USERSPACE
+extern u8_t *_k_priv_stack_find(void *obj);
+#endif
+
 /**
  *
  * @brief Initialize a new thread from its stack space
@@ -58,16 +62,33 @@ void _new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 
 	_ASSERT_VALID_PRIO(priority, pEntry);
 
+#if CONFIG_MPU_REQUIRES_POWER_OF_TWO_ALIGNMENT
+	char *stackEnd = pStackMem + stackSize - MPU_GUARD_ALIGN_AND_SIZE;
+#else
 	char *stackEnd = pStackMem + stackSize;
+#endif
 	struct __esf *pInitCtx;
-	_new_thread_init(thread, pStackMem, stackSize, priority, options);
 
-	/* carve the thread entry struct from the "base" of the stack */
+	_new_thread_init(thread, pStackMem, stackEnd - pStackMem, priority,
+			 options);
 
+	/* carve the thread entry struct from the "base" of the stack */
 	pInitCtx = (struct __esf *)(STACK_ROUND_DOWN(stackEnd -
 						     sizeof(struct __esf)));
 
-	pInitCtx->pc = ((u32_t)_thread_entry) & 0xfffffffe;
+#if CONFIG_USERSPACE
+	if (options & K_USER) {
+		pInitCtx->pc = (u32_t)_arch_user_mode_enter;
+	} else {
+		pInitCtx->pc = (u32_t)_thread_entry;
+	}
+#else
+	pInitCtx->pc = (u32_t)_thread_entry;
+#endif
+
+	/* force ARM mode by clearing LSB of address */
+	pInitCtx->pc &= 0xfffffffe;
+
 	pInitCtx->a1 = (u32_t)pEntry;
 	pInitCtx->a2 = (u32_t)parameter1;
 	pInitCtx->a3 = (u32_t)parameter2;
@@ -78,6 +99,12 @@ void _new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 	thread->callee_saved.psp = (u32_t)pInitCtx;
 	thread->arch.basepri = 0;
 
+#if CONFIG_USERSPACE
+	thread->arch.mode = 0;
+	thread->arch.priv_stack_start = 0;
+	thread->arch.priv_stack_size = 0;
+#endif
+
 	/* swap_return_value can contain garbage */
 
 	/*
@@ -94,3 +121,23 @@ void _new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 	thread_monitor_init(thread);
 #endif
 }
+
+#ifdef CONFIG_USERSPACE
+
+FUNC_NORETURN void _arch_user_mode_enter(k_thread_entry_t user_entry,
+	void *p1, void *p2, void *p3)
+{
+
+	/* Set up privileged stack before entering user mode */
+	_current->arch.priv_stack_start =
+		(u32_t)_k_priv_stack_find(_current->stack_obj);
+	_current->arch.priv_stack_size =
+		(u32_t)CONFIG_PRIVILEGED_STACK_SIZE;
+
+	_arm_userspace_enter(user_entry, p1, p2, p3,
+			     (u32_t)_current->stack_info.start,
+			     _current->stack_info.size);
+	CODE_UNREACHABLE;
+}
+
+#endif