stack declaration macros for ARM MPU

[zephyrbot]

Reported by Andrew Boie:

#392 landed which defines a set of macros for declaring and referencing stacks.

At this point it should be possible to create the versions of these macros on ARM side to work with ARM or NXP MPU requirements. If I remember correctly talking to [~agross] a small guard region needs to be created before each stack which will trigger the MPU when crossed.

(Imported from Jira ZEP-2265)

[zephyrbot]

by Andy Gross:

This work was implemented by Michel Jaouen from ST as part of his pull request (#500).

When this is merged, this will be closed.

[zephyrbot]

by Chunlin Han:

Hi Andy,

I think the patch might cause problem if we want to enable thread's stack region protection in the future.
This is because the base addres of arm mpu needs to align with it's region size.
It means that if the stack size of a thread is 1KB, then the stack addres of the stack must be 1KB alignment. Or, we cannot protect the whole stack area well with arm mpu region.

Consider the following macros:

#define _ARCH_THREAD_STACK_DEFINE(sym, size) \
	char __noinit __aligned(STACK_ALIGN) sym[size+STACK_ALIGN]

#define _ARCH_THREAD_STACK_BUFFER(sym) (sym + STACK_ALIGN)

It is diffcult to make sure the start addres of the stack buffer aligns with its size.

[zephyrbot]

by Andy Gross:

Chunlin,

The only issue with the ARM MPU regions is the possible waste of memory. Depending on the implementation of the MPU, the start address may or may not have to align to the MPU region size. At a minimum, it usually has to align to at least 32 bytes. This patch will set aside size + align amount of memory, which guarantees at least that the MPU region will work correctly. I'll look through the various chips and see what they require.

[zephyrbot]

by Andrew Boie:

Andy Gross Chunlin Han the code in PR #500 is correct for a policy where stacks are protected with a 32-byte guard region. I don't see a problem with them.

If I understand Chunlin correctly, he is describing an alternate policy where instead of using a small guard region before each stack, the stack itself is an MPU memory region, which is necessarily aligned to its size. We are going to need this for full-blown thread protection, the stack guard really only protects against accidental stack overflow.

You are just gonna need a different set of macros for this kind of policy. Probably involving some preprocessor logic to throw a build error if the size is not a power of 2, or some voodoo to round up the size argument to the next power of 2. It would be a different set of macros.

[zephyrbot]

by Andy Gross:

So for ARM MPU, the alignment needs to be aligned to the region size. However, there is a way to use sub-regions to enable/disable the region on a fraction of the total region size. The NXP MPU, you just need 32 byte alignment, at least as near as I can tell.

I agree on the additional macros. We'll have to cook up something that will work based on the different SoC requirements.

[zephyrbot]

Related to ZEP-2185