hal/arm: pmap_switch full MPU reconfiguration

[etiaro]

This commit introduces full MPU regions reconfiguration on context switch, allowing for more flexibile configuration of memory maps on MPU targets. Performed tests show no memory coherence problems and minor improvements in pmap_switch performance. According to ARM documentation, cache maintenance is not required, as long as memory maps are not overlapping, and that assumption is already present in Phoenix-RTOS.

Changes include

• additional hal_syspage_prog_t structure, initialized in loader, containing program configuration of MPU regions in form of ready-to-copy register values
• pmap_t structure contain pointer to above structure instead of regions bitmask
• pmap_switch disables MPU and performs full reconfiguration, optimized with LDMIA/STMIA assembly operations
• handling of process's kernel-code access is moved to loader
• hal/pmap.c functions update to the new pmap_t structure

JIRA: RTOS-1149

Description

Motivation and Context

This change enables users to define more memory maps, allowing more flexible configuration and better spatial separation of processes, which is first stage of development of partitioning mechanism.
The unchanged restriction is that memory maps are disjoint and have fixed attributes, which allows for a quick context switch without costly cache maintenance operations (hardware tests shown it works slightly faster than before).
Note: Correctness of this change is based on observaiton, that there is no documented influence on memory attributes (caching, shareability, accessibility) by disabled MPU region. Thanks to that, if manual cache maintenance wasn't required before, it shouldn't be required here either.
The only moment of doubt, is during pmap_switch itself, when MPU is disabled and accesses to kernel memory are made to configure it. This is similar to situation in previous implementation, when switching between processes without access to kernel data map. This should not cause problems as long as kernel map has the same attributes as in the system address map (which is also used as MPU "background" map for priviliged accesses).

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Chore (refactoring, style fixes, git/CI config, submodule management, no code logic changes)

How Has This Been Tested?

• Already covered by automatic testing.
• New test added: (add PR link here).
• Tested by hand on: armv8m33-mcxn94x-frdm, armv7m7-imxrt117x-evk

Checklist:

• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing linter checks and tests passed.
• My changes generate no new compilation warnings for any of the targets.

Special treatment

• test results available in [DO NOT MERGE] context switch with full MPU reconfiguration phoenix-rtos-project#1483
• This PR needs additional PRs to work (list the PRs, preferably in merge-order).
• hal/arm: per-process MPU configuration plo#407
• I will merge this PR by myself when appropriate.

[gemini-code-assist]

Summary of Changes

Hello @etiaro, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the Memory Protection Unit (MPU) management across various ARM architectures to enable more flexible and robust memory mapping for processes. By implementing a full MPU reconfiguration during every context switch, the system can now support more complex and spatially separated memory configurations, which is a foundational step towards a partitioning mechanism. This change moves away from a region bitmask approach to a comprehensive MPU state loading, improving both flexibility and potentially performance for pmap_switch operations.

Highlights

• MPU Reconfiguration on Context Switch: The pmap_switch function now performs a full Memory Protection Unit (MPU) reconfiguration, disabling the MPU, loading all region configurations from a new hal_syspage_prog_t structure using optimized assembly instructions (LDMIA/STMIA), and then re-enabling the MPU.
• Updated pmap_t Structure: The pmap_t structure has been modified to store a pointer to const hal_syspage_prog_t instead of a bitmask of regions, allowing for more comprehensive MPU state management per process.
• New hal_syspage_prog_t Structure: A new hal_syspage_prog_t structure has been introduced across various ARM architecture syspage.h files. This structure holds the program-specific MPU configuration, including the RBAR/RASR (or RBAR/RLAR for ARMv8M) register values, map IDs, and allocated region count.
• Refactored pmap_create and pmap_isAllowed: The pmap_create function now accepts a syspage_prog_t argument to initialize the MPU configuration for a new process. The pmap_isAllowed function's logic has been updated to check memory access permissions against the new hal_syspage_prog_t data.
• Removal of Dynamic Map Addition: Functions like pmap_addMap and pmap_map2region have been removed, indicating that MPU region configuration is now static per program and loaded entirely during context switch, rather than being built up dynamically.
• Kernel Code Access Handling Shift: The logic for allowing kernel code access, previously handled dynamically within pmap.c, has been removed, implying this responsibility is now shifted to the loader or is implicitly handled by the full MPU configuration.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the MPU handling on ARM targets to allow for more flexible memory map configurations. The core idea of moving to a full MPU reconfiguration on context switch is sound. However, I've identified a critical issue in the pmap_switch function for armv7m and armv8m architectures that could lead to a buffer over-read and system instability. Additionally, there's a minor inefficiency in pmap_isAllowed for armv7m and armv7r. My review provides suggestions to fix these issues, prioritizing correctness.