uVisor: Import v0.29.0

Author: Patater

features/FEATURE_UVISOR/AUTHORS.txt

@@ -1,7 +1,7 @@
-   597	Alessandro Angelino
+   600	Alessandro Angelino
    592	Milosch Meriac
-   144	Jaeden Amero
-    80	Niklas Hauser
+   155	Jaeden Amero
+    89	Niklas Hauser
      5	Irit Arkin
      3	JaredCJR
      3	AnotherButler
@@ -12,5 +12,6 @@
      2	Jan Jongboom
      2	Nathan Chong
      2	Vincenzo Frascino
-     1	ccli8
      1	Aksel Skauge Mellbye
+     1	ccli8
+     1	Michael Schwarcz

features/FEATURE_UVISOR/README.md

@@ -197,7 +197,8 @@ typedef struct {
 
 /* ACLs list for the secure box: Timer (PIT). */
 static const UvisorBoxAclItem g_private_button_acls[] = {
-    {PORTC, sizeof(*PORTC), UVISOR_TACLDEF_PERIPH},     /* Private peripheral */
+    {PORTC,               sizeof(*PORTC), UVISOR_TACLDEF_PERIPH},     /* Private peripheral */
+    {(void *) PORTC_IRQn,              0, UVISOR_TACL_IRQ},           /* Private IRQ */
 };
 
 static void private_button_main_thread(const void *);
@@ -257,8 +258,9 @@ static void private_button_main_thread(const void *)
 {
     /* Allocate serial port to ensure that code in this secure box
      * won't touch handle in the default security context when printing */
-    if (!(uvisor_ctx->pc = new RawSerial(USBTX, USBRX)))
+    if (!(uvisor_ctx->pc = new RawSerial(USBTX, USBRX))) {
         return;
+    }
 
     /* Create the buffer and cache its pointer to the private static memory. */
     uvisor_ctx->buffer = (uint32_t *) malloc(PRIVATE_BUTTON_BUFFER_COUNT * sizeof(uint32_t));
@@ -286,7 +288,7 @@ A few things to note in the code above:
 
 - If code runs in the context of `private_button`, then any object instantiated inside that code belongs to the `private_button` heap and stack. This means that in the example above, the `InterruptIn` object is private to the `private_button` box. The same applies to the dynamically allocated buffer `uvisor_ctx->buffer`.
 - You can access the content of the private memory `PrivateButtonStaticMemory` using the `void * const __uvisor_ctx` pointer, which uVisor maintains. You need to cast this pointer to your own context type. In this example we used a pre-processor symbol to improve readability.
-- The `InterruptIn` object triggers the registration of an interrupt slot. Because that code runs in the context of the `private_button` box, the push-button IRQ belongs to that box. If you want to use the IRQ APIs directly, read the [NVIC APIs section](#the-nvic-apis) below.
+- The `InterruptIn` object triggers the registration of an interrupt slot using the NVIC APIs. If you want to use the IRQ APIs directly, read the [NVIC APIs section](#the-nvic-apis) below. We registered the push-button IRQ to the `private_button` box through an IRQ ACL, and hence only code from this box can access it. Changing the push-button IRQ state from the public box causes a uVisor fault.
 - Even if the `private_button_on_press` function runs in the context of `private_button`, you can still use the `printf` function, which accesses the `UART0` peripheral, owned by the public box. This is because all ACLs declared in the public box are by default shared with all the other secure boxes. This also means that the messages we are printing on the serial port are not secure because other boxes have access to that peripheral.
 
 > **Warning**: Instantiating an object in the `secure_box.cpp` global scope automatically maps it to the public box context, not the `private_button` one. If you want an object to be private to a box, you need to instantiate it inside the code that runs in the context of that box (such as the `InterruptIn` object), or alternatively statically initialize it in the box private static memory (such as the `buffer`, `index` and `counter` variables in `PrivateButtonStaticMemory`).
@@ -422,26 +424,12 @@ When the uVisor is enabled, all NVIC APIs are rerouted to the corresponding uVis
 
 - The uVisor owns the interrupt vector table.
 - All ISRs are relocated to SRAM.
-- Code in a box can only change the state of an IRQ (enable it, change its priority, etc.) if the box registered that IRQ with uVisor at runtime, using the `NVIC_SetVector` API.
+- Code in a box can only change the state of an IRQ (enable it, change its priority and so on) if the box registered that IRQ with uVisor through an IRQ ACL.
 - An IRQ that belongs to a box can only be modified when that box context is active.
 
-Although this behavior is different from that of the original NVIC, it is backward compatible. Legacy code (such as a device HAL) still works after uVisor is enabled. The general use case is the following:
-
-```C
-#define MY_IRQ 42
-
-/* Set the ISR for MY_IRQ at runtime.
- * Without uVisor: Relocate the interrupt vector table to SRAM and set my_isr as
-                   the ISR for MY_IRQ.
- * With    uVisor: Register MY_IRQ for the current box with my_isr as ISR. */
-NVIC_SetVector(MY_IRQ, &my_isr);
-
-/* Change the IRQ state. */
-NVIC_SetPriority(MY_IRQ, 3);
-NVIC_EnableIRQ(MY_IRQ);
-```
+Although this behavior is different from that of the original NVIC, it is backward compatible. Legacy code (such as a device HAL) still works after uVisor is enabled.
 
-> **Note**: In this model, a call to `NVIC_SetVector` must happen before an IRQ state changes. In platforms that don't relocate the interrupt vector table, such a call might be absent and must be added to work with uVisor.
+All IRQ slots that are not listed in any box ACL list are considered unclaimed. Boxes can gain exclusive ownership of unclaimed IRQs on a first-come first-served basis through the use of the NVIC APIs.
 
 ## The *public box* ACLs
 

features/FEATURE_UVISOR/VERSION.txt

@@ -1 +1 @@
-v0.28.1
+v0.29.0

features/FEATURE_UVISOR/includes/uvisor/api/inc/api.h

@@ -58,6 +58,7 @@ typedef struct {
     int (*page_free)(const UvisorPageTable * const table);
 
     int (*box_namespace)(int box_id, char *box_namespace, size_t length);
+    int (*box_id_for_namespace)(int * const box_id, const char * const box_namespace);
 
     void (*debug_init)(const TUvisorDebugDriver * const driver);
     void (*error)(THaltUserError reason);

features/FEATURE_UVISOR/includes/uvisor/api/inc/box_id.h

@@ -40,6 +40,11 @@ static UVISOR_FORCEINLINE int uvisor_box_namespace(int box_id, char *box_namespa
     return uvisor_api.box_namespace(box_id, box_namespace, length);
 }
 
+static UVISOR_FORCEINLINE int uvisor_box_id_for_namespace(int * const box_id, const char * const box_namespace)
+{
+    return uvisor_api.box_id_for_namespace(box_id, box_namespace);
+}
+
 UVISOR_EXTERN_C_END
 
 #endif /* __UVISOR_API_BOX_ID_H__ */

features/FEATURE_UVISOR/includes/uvisor/api/inc/ipc_exports.h

@@ -46,15 +46,15 @@ typedef enum uvisor_ipc_io_state {
     UVISOR_IPC_IO_STATE_VALID, /* uVisor has copied the message */
 } uvisor_ipc_io_state_t;
 
-/* IPC Descriptor Structure */
-/* When sending:
+/* IPC Descriptor Structure
+ * When sending:
  * @param[in]  box_id  the ID of the destination box
  * @param[in]  port    the port to send the message to
  * @param[in]  len     the length of the message
  * @param[out] token   a token that can be used to wait at a later time for
  *                     the send to complete
- */
-/* When receiving before a message has been received:
+ *
+ * When receiving before a message has been received:
  * @param[in]   box_id  an ID of a box that is allowed to send to this box, or
  *                      UVISOR_BOX_ID_ANY to allow messages from any box
  * @param[in]   port    the port to listen for messages on

features/FEATURE_UVISOR/targets/TARGET_UVISOR_SUPPORTED/TARGET_ARM_BEETLE_SOC/TARGET_DEBUG/TARGET_M3/libconfiguration_beetle_cortex_m3_0x20000000_0x140.a

@@ -0,0 +1 @@
+209b261bb6d34b657fb699eb22669eb5c9055219