Memory Protection Unit (MPU)

Browse source code on GitHub

Overview

This application provides a set options to check the correct MPU configuration against the following security issues:

  • Read at an address that is reserved in the memory map.

  • Write into the boot Flash/ROM.

  • Run code located in SRAM.

If the MPU configuration is correct each option selected ends up in an MPU fault.

Building and Running

This project can be built and executed as follows:

west build -b v2m_beetle samples/arch/mpu/mpu_test
west flash

To build the single thread version, use the supplied configuration file for single thread: prj_single.conf:

west build -b v2m_beetle samples/arch/mpu/mpu_test -- -DCONF_FILE=prj_single.conf
west build -t run

To build a version that allows writes to the flash device, edit prj.conf, and follow the directions in the comments to enable the proper configs.

Sample Output

When running the above on an ARMv7 or ARMv8 CPU, the output of each command may look like the following.

uart:~$ mpu read
<err> os: ***** BUS FAULT *****
<err> os:   Precise data bus error
<err> os:   BFAR Address: 0x24000000
<err> os: r0/a1:  0x00009a5c  r1/a2:  0x00000008  r2/a3:  0x20001aa8
<err> os: r3/a4:  0x24000000 r12/ip:  0x00000000 r14/lr:  0x000029b7
<err> os:  xpsr:  0x21000000
<err> os: Faulting instruction address (r15/pc): 0x000003c8
<err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
<err> os: Current thread: 0x20000708 (shell_uart)
<err> os: Halting system
uart:~$ mpu write
write address: 0x4000
<err> os: ***** MPU FAULT *****
<err> os:   Data Access Violation
<err> os:   MMFAR Address: 0x4000
<err> os: r0/a1:  0x00000000  r1/a2:  0x0000000e  r2/a3:  0x0badc0de
<err> os: r3/a4:  0x00004000 r12/ip:  0x00000004 r14/lr:  0x000003ab
<err> os:  xpsr:  0x61000000
<err> os: Faulting instruction address (r15/pc): 0x000003b2
<err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
<err> os: Current thread: 0x20000708 (shell_uart)
<err> os: Halting system
uart:~$ mpu run
<err> os: ***** MPU FAULT *****
<err> os:   Instruction Access Violation
<err> os: r0/a1:  0x00009a5c  r1/a2:  0x00000001  r2/a3:  0x20001aa8
<err> os: r3/a4:  0x20000000 r12/ip:  0x00000000 r14/lr:  0x00006673
<err> os:  xpsr:  0x60000000
<err> os: Faulting instruction address (r15/pc): 0x20000000
<err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
<err> os: Current thread: 0x20000708 (shell_uart)
<err> os: Halting system

When running this test on an ARMv6 CPU (specifically on a Cortex-M0+), the output will look different, as ARMv6 handles MPU faults as generic hard faults. Moreover, when running the mpu run command, Zephyr’s hard fault handler for AArch32 tries to dereference the program counter from the exception stack frame, causing a second fault and silently placing the processor into a lockup state.

To verify that the mpu run test in particular is running correctly, one can

  • start the MPU test under gdb with west debug

  • execute mpu run over UART

  • then interrupt gdb with Ctrl-C and show the program counter by running l in gdb.

The program counter should display as 0xfffffffe, indicating a lockup state.

uart:~$ mpu read
<err> os: ***** HARD FAULT *****
<err> os: r0/a1:  0x0800a54c  r1/a2:  0x00000008  r2/a3:  0x08003
<err> os: r3/a4:  0x24000000 r12/ip:  0x00000040 r14/lr:  0x0800d
<err> os:  xpsr:  0x01000000
<err> os: Faulting instruction address (r15/pc): 0x08000486
<err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
<err> os: Current thread: 0x200006a8 (shell_uart)
<err> os: Halting system
uart:~$ mpu write
<err> os: ***** HARD FAULT *****
<err> os: r0/a1:  0x00000000  r1/a2:  0x0000000e  r2/a3:  0x0000e
<err> os: r3/a4:  0x0badc0de r12/ip:  0x00000000 r14/lr:  0x08009
<err> os:  xpsr:  0x61000000
<err> os: Faulting instruction address (r15/pc): 0x0800046a
<err> os: >>> ZEPHYR FATAL ERROR 0: CPU exception on CPU 0
<err> os: Current thread: 0x200006a8 (shell_uart)
<err> os: Halting system
uart~$ mpu run
<no output>