uVisor: Import RTX5-capable uVisor

Imported from 20170407_v7-M tag, commit e33f2739e961 "Make function in
transition macro match target".

Author: Patater

features/FEATURE_UVISOR/AUTHORS.txt

@@ -1,15 +1,16 @@
    592	Milosch Meriac
-   544	Alessandro Angelino
-    98	Jaeden Amero
-    64	Niklas Hauser
-     4	Irit Arkin
+   547	Alessandro Angelino
+   105	Jaeden Amero
+    65	Niklas Hauser
+     5	Irit Arkin
      3	Hugo Vincent
-     3	JaredCJR
      3	Jim Huang
+     3	JaredCJR
+     2	tonyyanxuan
      2	Jan Jongboom
      2	Nathan Chong
      2	Vincenzo Frascino
-     2	tonyyanxuan
-     1	Aksel Skauge Mellbye
      1	Amanda Butler
+     1	Aksel Skauge Mellbye
+     1	AnotherButler
      1	ccli8

features/FEATURE_UVISOR/README.md

@@ -1 +1 @@
-v0.27.0
+20170407_v7-M

features/FEATURE_UVISOR/VERSION.txt

@@ -17,7 +17,8 @@
 #ifndef __RTX_BOX_INDEX_H__
 #define __RTX_BOX_INDEX_H__
 
-#include "cmsis_os.h"
+#include "cmsis_os2.h"
+#include "rtx_os.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -28,12 +29,14 @@ typedef struct
     /* The uvisor box index must be placed at the beginning */
     UvisorBoxIndex index;
 
-    /* Id of the mutex */
-    osMutexId mutex_id;
-    /* Pointer to the data of the mutex */
-    osMutexDef_t mutex;
+    /* ID of the mutex */
+    osMutexId_t mutex_id;
+
+    /* Attribute of the mutex */
+    osMutexAttr_t mutex_attr;
+
     /* Internal data of the mutex */
-    int32_t mutex_data[4];
+    osRtxMutex_t mutex_data;
 } RtxBoxIndex;
 
 #ifdef __cplusplus

features/FEATURE_UVISOR/includes/uvisor-lib/rtx/rtx_box_index.h

@@ -26,6 +26,12 @@
 UVISOR_EXTERN const uint32_t __uvisor_mode;
 UVISOR_EXTERN void const * const public_box_cfg_ptr;
 
+typedef struct {
+    void (*function)(void *);
+    size_t priority;
+    size_t stack_size;
+} uvisor_box_main_t;
+
 #define UVISOR_DISABLED   0
 #define UVISOR_PERMISSIVE 1
 #define UVISOR_ENABLED    2
@@ -145,8 +151,12 @@ UVISOR_EXTERN void const * const public_box_cfg_ptr;
  * thread of your box will use for its body. If you don't want a main thread,
  * too bad: you have to have one. */
 #define UVISOR_BOX_MAIN(function, priority, stack_size) \
-    static osThreadDef(function, priority, stack_size); \
-    static const void * const __uvisor_box_lib_config = osThread(function);
+    static const uvisor_box_main_t __uvisor_box_main = { \
+        function, \
+        priority, \
+        stack_size, \
+    }; \
+    static const void * const __uvisor_box_lib_config = &__uvisor_box_main;
 
 #define UVISOR_BOX_HEAPSIZE(heap_size) \
     static const uint32_t __uvisor_box_heapsize = heap_size;

features/FEATURE_UVISOR/includes/uvisor/api/inc/box_config.h

@@ -29,7 +29,7 @@ typedef struct uvisor_semaphore UvisorSemaphore;
  * These functions will be run by unprivileged code only. */
 typedef struct {
     void (*box_init)(void * lib_config);
-    int (*semaphore_init)(UvisorSemaphore * semaphore, int32_t count);
+    int (*semaphore_init)(UvisorSemaphore * semaphore, uint32_t initial_count, uint32_t max_count);
     int (*semaphore_pend)(UvisorSemaphore * semaphore, uint32_t timeout_ms);
 } UvisorLibHooks;
 

features/FEATURE_UVISOR/includes/uvisor/api/inc/lib_hook_exports.h

@@ -19,7 +19,9 @@
 
 #include "api/inc/uvisor_semaphore_exports.h"
 
-UVISOR_EXTERN int __uvisor_semaphore_init(UvisorSemaphore * semaphore, int32_t count);
+/* Initialize a semaphore with the specified initial count. This function is
+ * not safe to call from interrupt context. */
+UVISOR_EXTERN int __uvisor_semaphore_init(UvisorSemaphore * semaphore, uint32_t initial_count, uint32_t max_count);
 
 /* This function is not safe to call from interrupt context, even if the
  * timeout is zero. */

features/FEATURE_UVISOR/includes/uvisor/api/inc/uvisor_semaphore.h

@@ -20,7 +20,7 @@
 #include "api/inc/uvisor_exports.h"
 
 /* This must be big enough for all operating systems uVisor runs on. */
-#define UVISOR_SEMAPHORE_INTERNAL_SIZE (16)
+#define UVISOR_SEMAPHORE_INTERNAL_SIZE (36)
 
 /* An opaque structure, that one knows the size of so that they can allocate
  * memory. */

features/FEATURE_UVISOR/includes/uvisor/api/inc/uvisor_semaphore_exports.h

@@ -18,18 +18,19 @@
 #include "api/inc/pool_queue_exports.h"
 #include "api/inc/rpc_exports.h"
 #include "api/inc/uvisor_semaphore.h"
+#include "api/inc/box_config.h"
 #include "mbed_interface.h"
-#include "cmsis_os.h"
+#include "cmsis_os2.h"
 #include <stdint.h>
 #include <string.h>
 
 /* Register the OS with uVisor */
 extern void SVC_Handler(void);
 extern void PendSV_Handler(void);
 extern void SysTick_Handler(void);
-extern uint32_t rt_suspend(void);
+extern uint32_t svcRtxKernelLock(void);
 
-UVISOR_SET_PRIV_SYS_HOOKS(SVC_Handler, PendSV_Handler, SysTick_Handler, rt_suspend, __uvisor_semaphore_post);
+UVISOR_SET_PRIV_SYS_HOOKS(SVC_Handler, PendSV_Handler, SysTick_Handler, svcRtxKernelLock, __uvisor_semaphore_post);
 
 extern RtxBoxIndex * const __uvisor_ps;
 
@@ -56,15 +57,7 @@ void __uvisor_initialize_rpc_queues(void)
     /* Initialize all the result semaphores. */
     for (i = 0; i < UVISOR_RPC_OUTGOING_MESSAGE_SLOTS; i++) {
         UvisorSemaphore * semaphore = &rpc_outgoing_msg_queue->messages[i].semaphore;
-        if (__uvisor_semaphore_init(semaphore, 1)) {
-            uvisor_error(USER_NOT_ALLOWED);
-        }
-
-        /* Semaphores are created with their value initialized to count. We
-         * want the semaphore to start at zero. Decrement the semaphore, so it
-         * starts with a value of zero. This will allow the first pend to
-         * block. */
-        if (__uvisor_semaphore_pend(semaphore, 0)) {
+        if (__uvisor_semaphore_init(semaphore, 1, 0)) {
             uvisor_error(USER_NOT_ALLOWED);
         }
     }
@@ -102,15 +95,7 @@ void __uvisor_initialize_rpc_queues(void)
     /* Initialize all the function group semaphores. */
     for (i = 0; i < UVISOR_RPC_FN_GROUP_SLOTS; i++) {
         UvisorSemaphore * semaphore = &rpc_fn_group_queue->fn_groups[i].semaphore;
-        if (__uvisor_semaphore_init(semaphore, 1)) {
-            uvisor_error(USER_NOT_ALLOWED);
-        }
-
-        /* Semaphores are created with their value initialized to count. We
-         * want the semaphore to start at zero. Decrement the semaphore, so it
-         * starts with a value of zero. This will allow the first pend to
-         * block. */
-        if (__uvisor_semaphore_pend(semaphore, 0)) {
+        if (__uvisor_semaphore_init(semaphore, 1, 0)) {
             uvisor_error(USER_NOT_ALLOWED);
         }
     }
@@ -120,16 +105,14 @@ void __uvisor_initialize_rpc_queues(void)
  * create box main threads for the box. */
 void __uvisor_lib_box_init(void * lib_config)
 {
-    osThreadId thread_id;
-    osThreadDef_t * flash_thread_def = lib_config;
-    osThreadDef_t thread_def;
+    osThreadId_t thread_id;
+    uvisor_box_main_t * box_main = lib_config;
+    osThreadAttr_t thread_attr = { 0 };
 
     __uvisor_initialize_rpc_queues();
 
-    /* Copy thread definition from flash to RAM. The thread definition is most
-     * likely in flash, so we need to copy it to box-local RAM before we can
-     * modify it. */
-    memcpy(&thread_def, flash_thread_def, sizeof(thread_def));
+    thread_attr.priority = box_main->priority;
+    thread_attr.stack_size = box_main->stack_size;
 
     /* Note that the box main thread stack is separate from the box stack. This
      * is because the thread must be created to use a different stack than the
@@ -138,17 +121,26 @@ void __uvisor_lib_box_init(void * lib_config)
     /* Allocate memory for the main thread from the process heap (which is
      * private to the process). This memory is never freed, even if the box's
      * main thread exits. */
-    thread_def.stack_pointer = malloc_p(thread_def.stacksize);
+    thread_attr.stack_mem = malloc_p(thread_attr.stack_size);
+    if (thread_attr.stack_mem == NULL) {
+        /* No process heap memory available for thread stack */
+        uvisor_error(USER_NOT_ALLOWED);
+    }
 
-    if (thread_def.stack_pointer == NULL) {
-        /* No process heap memory available */
-        mbed_die();
+    /* Allocate memory for the main thread control block from the process heap
+     * (which is private to the process). This memory is never freed, even if
+     * the box's main thread exits. */
+    thread_attr.cb_size = sizeof(osRtxThread_t);
+    thread_attr.cb_mem = malloc_p(thread_attr.cb_size);
+    if (thread_attr.cb_mem == NULL) {
+        /* No process heap memory available for thread control block. */
+        uvisor_error(USER_NOT_ALLOWED);
     }
 
-    thread_id = osThreadCreate(&thread_def, NULL);
+    thread_id = osThreadNew(box_main->function, NULL, &thread_attr);
 
     if (thread_id == NULL) {
         /* Failed to create thread */
-        mbed_die();
+        uvisor_error(USER_NOT_ALLOWED);
     }
 }

features/FEATURE_UVISOR/source/rtx/box_init.c

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-#include "cmsis_os.h"
+#include "cmsis_os2.h"
 #include "uvisor-lib/uvisor-lib.h"
 
 #include <stdint.h>
@@ -44,7 +44,7 @@ static int is_kernel_initialized()
     if (kernel_running) {
         return 1;
     }
-    if (osKernelRunning()) {
+    if (osKernelGetState() == osKernelRunning) {
         kernel_running = 1;
         return 1;
     }
@@ -64,10 +64,13 @@ static int init_allocator()
     }
 
     if ((__uvisor_ps->mutex_id == NULL) && is_kernel_initialized()) {
-        /* Point the mutex pointer to the data. */
-        __uvisor_ps->mutex.mutex = &(__uvisor_ps->mutex_data);
+        /* Point the mutex attr to the data. */
+        __uvisor_ps->mutex_attr.attr_bits = 0; /* Non-recursive */
+        __uvisor_ps->mutex_attr.cb_mem = &__uvisor_ps->mutex_data;
+        __uvisor_ps->mutex_attr.cb_size = sizeof(__uvisor_ps->mutex_data);
+
         /* Create mutex if not already done. */
-        __uvisor_ps->mutex_id = osMutexCreate(&(__uvisor_ps->mutex));
+        __uvisor_ps->mutex_id = osMutexNew(&__uvisor_ps->mutex_attr);
         /* Mutex failed to be created. */
         if (__uvisor_ps->mutex_id == NULL) {
             return -1;
@@ -80,7 +83,7 @@ static int init_allocator()
             /* Lock the mutex during initialization. */
             int kernel_initialized = is_kernel_initialized();
             if (kernel_initialized) {
-                osMutexWait(__uvisor_ps->mutex_id, osWaitForever);
+                osMutexAcquire(__uvisor_ps->mutex_id, osWaitForever);
             }
             /* Initialize the process heap. */
             SecureAllocator allocator = secure_allocator_create_with_pool(
@@ -123,7 +126,7 @@ static void * memory(void * ptr, size_t size, int heap, int operation)
      * the `rt_alloc_mem` and `rt_free_mem` functions in `uvisor_allocator.c`.
      * However, it is simpler to do it here for now. */
     if (mutexed) {
-        osMutexWait(__uvisor_ps->mutex_id, osWaitForever);
+        osMutexAcquire(__uvisor_ps->mutex_id, osWaitForever);
     }
     /* Perform the required operation. */
     switch(operation)