Struct KernelProtectionMMLEPMP

pub struct KernelProtectionMMLEPMP<const AVAILABLE_ENTRIES: usize, const MPU_REGIONS: usize> { /* private fields */ }

A RISC-V ePMP implementation.

Supports machine-mode (kernel) memory protection by using the machine-mode lockdown mode (MML), with a fixed number of “kernel regions” (such as .text, flash, RAM and MMIO).

This implementation will configure the ePMP in the following way:

• mseccfg CSR:

  |-------------+-----------------------------------------------+-------|
  | MSECCFG BIT | LABEL                                         | STATE |
  |-------------+-----------------------------------------------+-------|
  |           0 | Machine-Mode Lockdown (MML)                   |     1 |
  |           1 | Machine-Mode Whitelist Policy (MMWP)          |     1 |
  |           2 | Rule-Lock Bypass (RLB)                        |     0 |
  |-------------+-----------------------------------------------+-------|

• pmpaddrX / pmpcfgX CSRs:

  |-------+-----------------------------------------+-------+---+-------|
  | ENTRY | REGION / ADDR                           | MODE  | L | PERMS |
  |-------+-----------------------------------------+-------+---+-------|
  |     0 | --------------------------------------- | OFF   | X | ----- |
  |     1 | Kernel .text section                    | TOR   | X | R/X   |
  |       |                                         |       |   |       |
  |     2 | /                                     \ | OFF   |   |       |
  |     3 | \ Userspace TOR region #0             / | TOR   |   | ????? |
  |       |                                         |       |   |       |
  |     4 | /                                     \ | OFF   |   |       |
  |     5 | \ Userspace TOR region #1             / | TOR   |   | ????? |
  |       |                                         |       |   |       |
  | 6 ... | /                                     \ |       |   |       |
  | n - 4 | \ Userspace TOR region #x             / |       |   |       |
  |       |                                         |       |   |       |
  | n - 3 | FLASH (spanning kernel & apps)          | NAPOT | X | R     |
  |       |                                         |       |   |       |
  | n - 2 | RAM (spanning kernel & apps)            | NAPOT | X | R/W   |
  |       |                                         |       |   |       |
  | n - 1 | MMIO                                    | NAPOT | X | R/W   |
  |-------+-----------------------------------------+-------+---+-------|

Crucially, this implementation relies on an unconfigured hardware PMP implementing the ePMP (mseccfg CSR) extension, providing the Machine Lockdown Mode (MML) security bit. This bit is required to ensure that any machine-mode (kernel) protection regions (lock bit set) are only accessible to kernel mode.

Implementations

impl<const AVAILABLE_ENTRIES: usize, const MPU_REGIONS: usize> KernelProtectionMMLEPMP<AVAILABLE_ENTRIES, MPU_REGIONS>

pub unsafe fn new( flash: FlashRegion, ram: RAMRegion, mmio: MMIORegion, kernel_text: KernelTextRegion, ) -> Result<Self, ()>

Trait Implementations

impl<const AVAILABLE_ENTRIES: usize, const MPU_REGIONS: usize> Display for KernelProtectionMMLEPMP<AVAILABLE_ENTRIES, MPU_REGIONS>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<const AVAILABLE_ENTRIES: usize, const MPU_REGIONS: usize> TORUserPMP<MPU_REGIONS> for KernelProtectionMMLEPMP<AVAILABLE_ENTRIES, MPU_REGIONS>

const CONST_ASSERT_CHECK: ()

A placeholder to define const-assertions which are evaluated in PMPUserMPU::new. This can be used to, for instance, assert that the number of userspace regions does not exceed the number of hardware regions.

fn available_regions(&self) -> usize

The number of TOR regions currently available for userspace memory protection. Within [0; MAX_REGIONS].

fn configure_pmp( &self, regions: &[(TORUserPMPCFG, *const u8, *const u8); MPU_REGIONS], ) -> Result<(), ()>

Configure the user-mode memory protection.

fn enable_user_pmp(&self) -> Result<(), ()>

Enable the user-mode memory protection.

fn disable_user_pmp(&self)

Disable the user-mode memory protection.