rv32i::pmp::kernel_protection

Struct KernelProtectionPMP

Source 
pub struct KernelProtectionPMP<const AVAILABLE_ENTRIES: usize>;
Expand description

A RISC-V PMP implementation which supports machine-mode (kernel) memory protection, with a fixed number of “kernel regions” (such as .text, flash, RAM and MMIO).

This implementation will configure the PMP in the following way:

|-------+-----------------------------------------+-------+---+-------|
| ENTRY | REGION / ADDR                           | MODE  | L | PERMS |
|-------+-----------------------------------------+-------+---+-------|
|     0 | /                                     \ | OFF   |   |       |
|     1 | \ Userspace TOR region #0             / | TOR   |   | ????? |
|       |                                         |       |   |       |
|     2 | /                                     \ | OFF   |   |       |
|     3 | \ Userspace TOR region #1             / | TOR   |   | ????? |
|       |                                         |       |   |       |
| 4 ... | /                                     \ |       |   |       |
| n - 8 | \ Userspace TOR region #x             / |       |   |       |
|       |                                         |       |   |       |
| n - 7 | "Deny-all" user-mode rule (all memory)  | NAPOT |   | ----- |
|       |                                         |       |   |       |
| n - 6 | --------------------------------------- | OFF   | X | ----- |
| n - 5 | Kernel .text section                    | TOR   | X | R/X   |
|       |                                         |       |   |       |
| n - 4 | FLASH (spanning kernel & apps)          | NAPOT | X | R     |
|       |                                         |       |   |       |
| n - 3 | RAM (spanning kernel & apps)            | NAPOT | X | R/W   |
|       |                                         |       |   |       |
| n - 2 | MMIO                                    | NAPOT | X | R/W   |
|       |                                         |       |   |       |
| n - 1 | "Deny-all" machine-mode    (all memory) | NAPOT | X | ----- |
|-------+-----------------------------------------+-------+---+-------|

This implementation does not use any mseccfg protection bits (ePMP functionality). To protect machine-mode (kernel) memory regions, regions must be marked as locked. However, locked regions apply to both user- and machine-mode. Thus, region n - 7 serves as a “deny-all” user-mode rule, which prohibits all accesses not explicitly allowed through rules < n - 7. Kernel memory is made accessible underneath this “deny-all” region, which does not apply to machine-mode.

This PMP implementation supports the TORUserPMP interface with MPU_REGIONS <= ((AVAILABLE_ENTRIES - 7) / 2), to leave sufficient space for the “deny-all” and kernel regions. This constraint is enforced through the KernelProtectionPMP::CONST_ASSERT_CHECK associated constant, which MUST be evaluated by the consumer of the TORUserPMP trait (usually the PMPUserMPU implementation).

Implementations§

Source§

impl<const AVAILABLE_ENTRIES: usize> KernelProtectionPMP<AVAILABLE_ENTRIES>

Source

pub unsafe fn new( flash: FlashRegion, ram: RAMRegion, mmio: MMIORegion, kernel_text: KernelTextRegion, ) -> Result<Self, ()>

Trait Implementations§

Source§

impl<const AVAILABLE_ENTRIES: usize> Display for KernelProtectionPMP<AVAILABLE_ENTRIES>

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl<const AVAILABLE_ENTRIES: usize, const MPU_REGIONS: usize> TORUserPMP<MPU_REGIONS> for KernelProtectionPMP<AVAILABLE_ENTRIES>

Source§

const CONST_ASSERT_CHECK: ()

Ensure that the MPU_REGIONS (starting at entry, and occupying two entries per region) don’t overflow the available entires, excluding the 7 entires used for implementing the kernel memory protection.

Source§

fn available_regions(&self) -> usize

The number of TOR regions currently available for userspace memory protection. Within [0; MAX_REGIONS]. Read more
Source§

fn configure_pmp( &self, regions: &[(TORUserPMPCFG, *const u8, *const u8); MPU_REGIONS], ) -> Result<(), ()>

Configure the user-mode memory protection. Read more
Source§

fn enable_user_pmp(&self) -> Result<(), ()>

Enable the user-mode memory protection. Read more
Source§

fn disable_user_pmp(&self)

Disable the user-mode memory protection. Read more

Auto Trait Implementations§

§

impl<const AVAILABLE_ENTRIES: usize> Freeze for KernelProtectionPMP<AVAILABLE_ENTRIES>

§

impl<const AVAILABLE_ENTRIES: usize> RefUnwindSafe for KernelProtectionPMP<AVAILABLE_ENTRIES>

§

impl<const AVAILABLE_ENTRIES: usize> Send for KernelProtectionPMP<AVAILABLE_ENTRIES>

§

impl<const AVAILABLE_ENTRIES: usize> Sync for KernelProtectionPMP<AVAILABLE_ENTRIES>

§

impl<const AVAILABLE_ENTRIES: usize> Unpin for KernelProtectionPMP<AVAILABLE_ENTRIES>

§

impl<const AVAILABLE_ENTRIES: usize> UnwindSafe for KernelProtectionPMP<AVAILABLE_ENTRIES>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.