Merge pull request #3817 from AlessandroA/update_uvisor

Update uVisor to v0.27.0

Author: sg-

cmsis/core_cmSecureAccess.h

@@ -53,15 +53,15 @@
  * @param value[in]    Value to write at the address location.
  */
 #define SECURE_WRITE(address, value) \
-    uvisor_write(main, UVISOR_RGW_SHARED, address, value, UVISOR_RGW_OP_WRITE, 0xFFFFFFFFUL)
+    uvisor_write(public_box, UVISOR_RGW_SHARED, address, value, UVISOR_RGW_OP_WRITE, 0xFFFFFFFFUL)
 
 /** Get the value at the target address.
  *
  * @param address[in]  Target address
  * @returns The value `*address`.
  */
 #define SECURE_READ(address) \
-    uvisor_read(main, UVISOR_RGW_SHARED, address, UVISOR_RGW_OP_READ, 0xFFFFFFFFUL)
+    uvisor_read(public_box, UVISOR_RGW_SHARED, address, UVISOR_RGW_OP_READ, 0xFFFFFFFFUL)
 
 /** Get the selected bits at the target address.
  *
@@ -70,7 +70,7 @@
  * @returns The value `*address & mask`.
  */
 #define SECURE_BITS_GET(address, mask) \
-    UVISOR_BITS_GET(main, UVISOR_RGW_SHARED, address, mask)
+    UVISOR_BITS_GET(public_box, UVISOR_RGW_SHARED, address, mask)
 
 /** Check the selected bits at the target address.
  *
@@ -79,7 +79,7 @@
  * @returns The value `((*address & mask) == mask)`.
  */
 #define SECURE_BITS_CHECK(address, mask) \
-    UVISOR_BITS_CHECK(main, UVISOR_RGW_SHARED, address, mask)
+    UVISOR_BITS_CHECK(public_box, UVISOR_RGW_SHARED, address, mask)
 
 /** Set the selected bits to 1 at the target address.
  *
@@ -88,7 +88,7 @@
  * @param mask[in]     Bits to select out of the target address
  */
 #define SECURE_BITS_SET(address, mask) \
-    UVISOR_BITS_SET(main, UVISOR_RGW_SHARED, address, mask)
+    UVISOR_BITS_SET(public_box, UVISOR_RGW_SHARED, address, mask)
 
 /** Clear the selected bits at the target address.
  *
@@ -97,7 +97,7 @@
  * @param mask[in]     Bits to select out of the target address
  */
 #define SECURE_BITS_CLEAR(address, mask) \
-    UVISOR_BITS_CLEAR(main, UVISOR_RGW_SHARED, address, mask)
+    UVISOR_BITS_CLEAR(public_box, UVISOR_RGW_SHARED, address, mask)
 
 /** Set the selected bits at the target address to the given value.
  *
@@ -108,7 +108,7 @@
  *                     must be already shifted to the correct bit position
  */
 #define SECURE_BITS_SET_VALUE(address, mask, value) \
-    UVISOR_BITS_SET_VALUE(main, UVISOR_RGW_SHARED, address, mask, value)
+    UVISOR_BITS_SET_VALUE(public_box, UVISOR_RGW_SHARED, address, mask, value)
 
 /** Toggle the selected bits at the target address.
  *
@@ -117,7 +117,7 @@
  * @param mask[in]     Bits to select out of the target address
  */
 #define SECURE_BITS_TOGGLE(address, mask) \
-    UVISOR_BITS_TOGGLE(main, UVISOR_RGW_SHARED, address, mask)
+    UVISOR_BITS_TOGGLE(public_box, UVISOR_RGW_SHARED, address, mask)
 
 #else
 

features/FEATURE_UVISOR/AUTHORS.txt

@@ -1,13 +1,15 @@
-   588	Milosch Meriac
-   506	Alessandro Angelino
-    95	Jaeden Amero
-    61	Niklas Hauser
+   592	Milosch Meriac
+   544	Alessandro Angelino
+    98	Jaeden Amero
+    64	Niklas Hauser
      4	Irit Arkin
      3	Hugo Vincent
      3	JaredCJR
      3	Jim Huang
+     2	Jan Jongboom
+     2	Nathan Chong
      2	Vincenzo Frascino
      2	tonyyanxuan
      1	Aksel Skauge Mellbye
-     1	Nathan Chong
+     1	Amanda Butler
      1	ccli8

features/FEATURE_UVISOR/README.md

@@ -1 +1 @@
-v0.26.2
+v0.27.0

features/FEATURE_UVISOR/VERSION.txt

@@ -45,6 +45,10 @@ TARGET_LIST_DIR_DST:=$(addprefix $(TARGET_SUPPORTED)/,$(TARGET_LIST))
 TARGET_LIST_RELEASE:=$(addsuffix /release,$(TARGET_LIST_DIR_DST))
 TARGET_LIST_DEBUG:=$(addsuffix /debug,$(TARGET_LIST_DIR_DST))
 
+# mbed OS paths
+MBED_OS_ROOT:=../../..
+MBED_OS_CMSIS:=$(MBED_OS_ROOT)/cmsis
+
 .PHONY: all deploy rsync publish uvisor uvisor-compile clean cache update
 
 all: uvisor
@@ -75,6 +79,10 @@ rsync:
 	cp $(UVISOR_DIR)/core/system/inc/page_allocator_config.h $(TARGET_LIB_SRC)/page_allocator_config.h
 	rsync -a --delete $(UVISOR_API)/rtx/src/ $(TARGET_LIB_SRC)/rtx
 	#
+	# Copying the secure API header file...
+	# Note: This will not be needed when we upstream the file to CMSIS.
+	cp $(UVISOR_DIR)/core/cmsis/inc/core_cmSecureAccess.h $(MBED_OS_CMSIS)/
+	#
 	# Copying the documentation...
 	cp $(UVISOR_DIR)/docs/api/QUICKSTART.md $(TARGET_PREFIX)/README.md
 	#

features/FEATURE_UVISOR/importer/Makefile

@@ -18,7 +18,6 @@
 #define __RTX_BOX_INDEX_H__
 
 #include "cmsis_os.h"
-#include "api/inc/vmpu_exports.h"
 
 #ifdef __cplusplus
 extern "C" {

features/FEATURE_UVISOR/includes/uvisor-lib/rtx/rtx_box_index.h

@@ -24,7 +24,7 @@
 #include <stdint.h>
 
 UVISOR_EXTERN const uint32_t __uvisor_mode;
-UVISOR_EXTERN void const * const main_cfg_ptr;
+UVISOR_EXTERN void const * const public_box_cfg_ptr;
 
 #define UVISOR_DISABLED   0
 #define UVISOR_PERMISSIVE 1
@@ -41,32 +41,30 @@ UVISOR_EXTERN void const * const main_cfg_ptr;
     \
     UVISOR_EXTERN const uint32_t __uvisor_mode = (mode); \
     \
-    static const __attribute__((section(".keep.uvisor.cfgtbl"), aligned(4))) UvisorBoxConfig main_cfg = { \
+    static const __attribute__((section(".keep.uvisor.cfgtbl"), aligned(4))) UvisorBoxConfig public_box_cfg = { \
         UVISOR_BOX_MAGIC, \
         UVISOR_BOX_VERSION, \
-        0, \
-        0, \
-        sizeof(RtxBoxIndex), \
         { \
+            sizeof(RtxBoxIndex), \
+            0, \
+            sizeof(uvisor_rpc_t), \
             0, \
-            sizeof(uvisor_rpc_outgoing_message_queue_t), \
-            sizeof(uvisor_rpc_incoming_message_queue_t), \
-            sizeof(uvisor_rpc_fn_group_queue_t), \
         }, \
+        0, \
         NULL, \
         NULL, \
         acl_list, \
         acl_list_count \
     }; \
     \
-    UVISOR_EXTERN const __attribute__((section(".keep.uvisor.cfgtbl_ptr_first"), aligned(4))) void * const main_cfg_ptr = &main_cfg;
+    UVISOR_EXTERN const __attribute__((section(".keep.uvisor.cfgtbl_ptr_first"), aligned(4))) void * const public_box_cfg_ptr = &public_box_cfg;
 
 /* Creates a global page heap with at least `minimum_number_of_pages` each of size `page_size` in bytes.
  * The total page heap size is at least `minimum_number_of_pages * page_size`. */
 #define UVISOR_SET_PAGE_HEAP(page_size, minimum_number_of_pages) \
     const uint32_t __uvisor_page_size = (page_size); \
     uint8_t __attribute__((section(".keep.uvisor.page_heap"))) \
-        main_page_heap_reserved[ (page_size) * (minimum_number_of_pages) ]
+        public_page_heap_reserved[ (page_size) * (minimum_number_of_pages) ]
 
 
 /* this macro selects an overloaded macro (variable number of arguments) */
@@ -92,15 +90,13 @@ UVISOR_EXTERN void const * const main_cfg_ptr;
     static const __attribute__((section(".keep.uvisor.cfgtbl"), aligned(4))) UvisorBoxConfig box_name ## _cfg = { \
         UVISOR_BOX_MAGIC, \
         UVISOR_BOX_VERSION, \
-        UVISOR_MIN_STACK(stack_size), \
-        __uvisor_box_heapsize, \
-        sizeof(RtxBoxIndex), \
         { \
+            sizeof(RtxBoxIndex), \
             context_size, \
-            sizeof(uvisor_rpc_outgoing_message_queue_t), \
-            sizeof(uvisor_rpc_incoming_message_queue_t), \
-            sizeof(uvisor_rpc_fn_group_queue_t), \
+            sizeof(uvisor_rpc_t), \
+            __uvisor_box_heapsize, \
         }, \
+        UVISOR_MIN_STACK(stack_size), \
         __uvisor_box_lib_config, \
         __uvisor_box_namespace, \
         acl_list, \
@@ -155,6 +151,6 @@ UVISOR_EXTERN void const * const main_cfg_ptr;
 #define UVISOR_BOX_HEAPSIZE(heap_size) \
     static const uint32_t __uvisor_box_heapsize = heap_size;
 
-#define uvisor_ctx (*__uvisor_ps)
+#define __uvisor_ctx (((UvisorBoxIndex *) __uvisor_ps)->bss.address_of.context)
 
 #endif /* __UVISOR_API_BOX_CONFIG_H__ */

features/FEATURE_UVISOR/includes/uvisor/api/inc/box_config.h

@@ -20,6 +20,7 @@
 #include "api/inc/pool_queue_exports.h"
 #include "api/inc/uvisor_semaphore_exports.h"
 #include "api/inc/rpc_gateway_exports.h"
+#include "api/inc/vmpu_exports.h"
 
 typedef uint32_t (*TFN_Ptr)(uint32_t, uint32_t, uint32_t, uint32_t);
 
@@ -137,4 +138,23 @@ typedef UVISOR_RPC_OUTGOING_MESSAGE_TYPE(UVISOR_RPC_OUTGOING_MESSAGE_SLOTS) uvis
 typedef UVISOR_RPC_INCOMING_MESSAGE_TYPE(UVISOR_RPC_INCOMING_MESSAGE_SLOTS) uvisor_rpc_incoming_message_queue_t;
 typedef UVISOR_RPC_FN_GROUP_TYPE(UVISOR_RPC_FN_GROUP_SLOTS) uvisor_rpc_fn_group_queue_t;
 
+typedef struct uvisor_rpc_t {
+    /* Outgoing message queue */
+    uvisor_rpc_outgoing_message_queue_t outgoing_message_queue;
+
+    /* Incoming message queue */
+    uvisor_rpc_incoming_message_queue_t incoming_message_queue;
+
+    /* Function group queue */
+    uvisor_rpc_fn_group_queue_t fn_group_queue;
+
+    /* Counter to avoid waiting on the same RPC result twice by accident. */
+    uint32_t result_counter;
+} uvisor_rpc_t;
+
+static inline uvisor_rpc_t * uvisor_rpc(UvisorBoxIndex * const index)
+{
+    return (uvisor_rpc_t *) index->bss.address_of.rpc;
+}
+
 #endif

features/FEATURE_UVISOR/includes/uvisor/api/inc/rpc_exports.h

@@ -42,8 +42,8 @@ UVISOR_EXTERN const uint32_t __uvisor_mode;
 
 #define UVISOR_SET_MODE_ACL_COUNT(mode, acl_list, acl_list_count) \
     UVISOR_EXTERN const uint32_t __uvisor_mode = UVISOR_DISABLED; \
-    static const void *main_acl = acl_list; \
-    extern const __attribute__((section(".keep.uvisor.cfgtbl_ptr_first"), aligned(4))) void * const main_cfg_ptr = &main_acl;
+    static const void *public_box_acl = acl_list; \
+    extern const __attribute__((section(".keep.uvisor.cfgtbl_ptr_first"), aligned(4))) void * const public_box_cfg_ptr = &public_box_acl;
 
 #define __UVISOR_BOX_CONFIG_NOCONTEXT(box_name, acl_list, stack_size) \
     static const void *box_acl_ ## box_name = acl_list; \

features/FEATURE_UVISOR/includes/uvisor/api/inc/unsupported.h

@@ -19,14 +19,16 @@
 
 #include "api/inc/uvisor_exports.h"
 #include "api/inc/pool_queue_exports.h"
-#include "api/inc/rpc_exports.h"
 #include <stdint.h>
 
 /* The maximum box namespace length is 37 so that it is exactly big enough for
  * a human-readable hex string GUID (as formatted by RFC 4122) followed by a
  * terminating NULL. */
 #define UVISOR_MAX_BOX_NAMESPACE_LENGTH 37
 
+/** Invalid box id for use in marking objects with invalid ownership. */
+#define UVISOR_BOX_ID_INVALID ((uint8_t) -1)
+
 /* supervisor user access modes */
 #define UVISOR_TACL_UEXECUTE        0x0001UL
 #define UVISOR_TACL_UWRITE          0x0002UL
@@ -150,72 +152,70 @@ typedef struct {
     UvisorBoxAcl acl;
 } UVISOR_PACKED UvisorBoxAclItem;
 
+/* This struct contains all the BSS sections that uVisor allocates for a secure
+ * box. It can be used to keep the sizes of the sections or their pointers. */
+typedef struct uvisor_bss_sections_t {
+    uint32_t index;
+    uint32_t context;
+    uint32_t rpc;
+    uint32_t heap;
+} UVISOR_PACKED UvisorBssSections;
+
+/* The number of per-box BSS sections. */
+#define UVISOR_BSS_SECTIONS_COUNT (sizeof(UvisorBssSections) / sizeof(uint32_t))
+
+/* Compile-time per-box configuration table
+ * Each box has one of this table in flash. Every other data structure that this
+ * table might point to must be in flash as well. The uVisor core must check the
+ * sanity of the table before trusting its fields. */
 typedef struct {
-    /* Contains user provided size of box context without guards of buffers. */
-    uint32_t context_size;
-    /* Contains total memory used by the RPC queues (incl. management and pool). */
-    uint32_t rpc_outgoing_message_size;
-    uint32_t rpc_incoming_message_size;
-    uint32_t rpc_fn_group_size;
-} UVISOR_PACKED uvisor_sizes_t;
-
-/* The number of additional bss sections per box bss.
- * The size of each section is stored in the box config, and uVisor core will
- * iterate over the box bss, split it into sections as defined by the size table
- * and assign a pointer to beginning of that section into the box index pointer table.
- */
-#define UVISOR_BOX_INDEX_SIZE_COUNT (sizeof(uvisor_sizes_t) / sizeof(uint32_t))
-
-typedef struct {
-    uint32_t magic;
-    uint32_t version;
-
-    /* Box stack size includes stack guards and rounding buffer. */
-    uint32_t stack_size;
-    /* Contains user provided size of box heap without guards of buffers. */
-    uint32_t heap_size;
-    /* Contains the size of the index (must be at least sizeof(UvisorBoxIndex)). */
-    uint32_t index_size;
+    const uint32_t magic;
+    const uint32_t version;
 
+    /* The UvisorBssSections struct is union-ed with a size_t array to allow for
+     * loops to scan the sizes of all the BSS sections and allocate the
+     * necessary space for each of them. */
     union {
-        uint32_t bss_size[UVISOR_BOX_INDEX_SIZE_COUNT];
-        uvisor_sizes_t sizes;
-    };
+        size_t sizes[UVISOR_BSS_SECTIONS_COUNT];
+        UvisorBssSections size_of;
+    } const bss;
+
+    /* Contains the size of the secure box static stack. */
+    /* Note: This does not include guards. */
+    /* Note: It is kept separately from the BSS sections as it's implementation
+     *       specific where the stack sits with respect to the BSS. */
+    const uint32_t stack_size;
 
     /* Opaque-to-uVisor data that potentially contains uvisor-lib-specific or
      * OS-specific per-box configuration */
     const void * const lib_config;
 
-    const char * box_namespace;
+    const char * const box_namespace;
     const UvisorBoxAclItem * const acl_list;
-    uint32_t acl_count;
+    const uint32_t acl_count;
 } UVISOR_PACKED UvisorBoxConfig;
 
+/* Enumeration-time per-box index table
+ * Each box has one of this table in SRAM. The index tables are initialized at
+ * box enumeration time and are then managed by the secure boxes themselves. */
+/* Note: Each box is able to read and write its own version of this table. Do
+ *       not trust these pointers in the uVisor core. */
 typedef struct {
+    /* The UvisorSramPointers struct is union-ed with a void * array to allow
+     * for loops to scan the pointers to all the SRAM sections and access them
+     * individually. */
     union {
-        void * bss_ptr[UVISOR_BOX_INDEX_SIZE_COUNT];
-        struct {
-            /* Pointer to the user context */
-            void * ctx;
-            /* Pointer to the RPC queues */
-            uvisor_rpc_outgoing_message_queue_t * rpc_outgoing_message_queue;
-            uvisor_rpc_incoming_message_queue_t * rpc_incoming_message_queue;
-            uvisor_rpc_fn_group_queue_t * rpc_fn_group_queue;
-        };
-    };
-    /* Pointer to the box heap */
-    void * box_heap;
+        void * pointers[UVISOR_BSS_SECTIONS_COUNT];
+        UvisorBssSections address_of;
+    } bss;
+
     /* Size of the box heap */
     uint32_t box_heap_size;
     /* Pointer to the currently active heap.
      * This is set to `NULL` by uVisor, signalling to the user lib that the
      * box heap needs to be initialized before use! */
     void * active_heap;
 
-    /* Counter that helps to avoid waiting on the same RPC message result twice
-     * by accident. */
-    uint32_t rpc_result_counter;
-
     /* Box ID */
     int box_id_self;