RV: Protect the .trap section (#4225)

* RV: Protect the .trap section

* Honor a connected debugger

* Refactor

* Fixes and improvements

* Fix feature gate

* Fix

* Make CI happy

* Lock

* Avoid weird behavior

* Remove the .critical_data section

* Fix

* CHANGELOG.md

* Apply `stack_guard_monitoring_with_debugger_connected` also to `write_vec_table_monitoring`

Author: bjoernQ

esp-hal/CHANGELOG.md

@@ -40,6 +40,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `ram(reclaimed)` as an alias for `link_section = ".dram2_uninit"` (#4245)
 - `rmt::MAX_TX_LOOPCOUNT` and `rmt::MAX_RX_IDLE_THRESHOLD` constants have been added (#4276)
 - Added support for `embedded-io 0.7` (#4280)
+- A new option `ESP_HAL_CONFIG_WRITE_VEC_TABLE_MONITORING` (disabled by default) to check that no unintentional writes to a very vital memory area are made. (Only RISC-V)  (#4225)
 
 ### Changed
 

esp-hal/esp_config.yml

@@ -112,8 +112,14 @@ options:
   default:
     - value: true
 
+- name: write-vec-table-monitoring
+  description: Use a data watchpoint to check that the vector table was not unintentionally overwritten.
+  default:
+    - value: false
+  active: 'chip == "esp32c2" || chip == "esp32c3" || chip == "esp32c6" || chip == "esp32h2"'
+
 - name: stack-guard-monitoring-with-debugger-connected
-  description: Enable the stack guard also with a debugger connected.
+  description: Enable the stack guard also with a debugger connected. Also applies to `write-vec-table-monitoring`.
   default:
     - value: true
 

esp-hal/ld/esp32c2/esp32c2.x

@@ -54,4 +54,8 @@ INCLUDE "metadata.x"
 INCLUDE "eh_frame.x"
 /* End of Shared sections */
 
-_dram_origin = ORIGIN( DRAM );
+#IF ESP_HAL_CONFIG_FLIP_LINK
+  _dram_data_start = ORIGIN( DRAM );
+#ELSE
+  _dram_data_start = ORIGIN( DRAM ) + SIZEOF(.trap) + SIZEOF(.rwtext);
+#ENDIF

esp-hal/ld/esp32c3/esp32c3.x

@@ -55,4 +55,8 @@ INCLUDE "metadata.x"
 INCLUDE "eh_frame.x"
 /* End of Shared sections */
 
-_dram_origin = ORIGIN( DRAM );
+#IF ESP_HAL_CONFIG_FLIP_LINK
+  _dram_data_start = ORIGIN( DRAM );
+#ELSE
+  _dram_data_start = ORIGIN( DRAM ) + SIZEOF(.trap) + SIZEOF(.rwtext);
+#ENDIF

esp-hal/ld/esp32c6/esp32c6.x

@@ -39,4 +39,8 @@ INCLUDE "metadata.x"
 INCLUDE "eh_frame.x"
 /* End of Shared sections #2 */
 
-_dram_origin = ORIGIN( RAM );
+#IF ESP_HAL_CONFIG_FLIP_LINK
+  _dram_data_start = ORIGIN( RAM );
+#ELSE
+  _dram_data_start = ORIGIN( RAM ) + SIZEOF(.trap) + SIZEOF(.rwtext);
+#ENDIF

esp-hal/ld/esp32h2/esp32h2.x

@@ -37,4 +37,8 @@ INCLUDE "metadata.x"
 INCLUDE "eh_frame.x"
 /* End of Shared sections #2 */
 
-_dram_origin = ORIGIN( RAM );
+#IF ESP_HAL_CONFIG_FLIP_LINK
+  _dram_data_start = ORIGIN( RAM );
+#ELSE
+  _dram_data_start = ORIGIN( RAM ) + SIZEOF(.trap) + SIZEOF(.rwtext);
+#ENDIF

esp-hal/ld/sections/rwtext.x

@@ -1,6 +1,7 @@
 #IF riscv
 .trap : ALIGN(4)
 {
+  _trap_section_origin = .;
   KEEP(*(.trap));
   *(.trap.*);
 } > RWTEXT
@@ -27,4 +28,6 @@
   *( .wifiextrairam.* )
   *( .coexiram.* )
   . = ALIGN(4);
+
+  _rwtext_len = . - ORIGIN(RWTEXT);
 } > RWTEXT

esp-hal/src/debugger.rs

@@ -53,26 +53,187 @@ pub unsafe fn set_stack_watchpoint(addr: usize) {
                     );
                 }
             } else {
-                let addr = (addr & !0b11) | 0b01;
-
-                let id = 0; // breakpoint 0
-                let tdata = (1 << 3) | (1 << 6) | (1 << 1); // bits: 0 = load, 1 = store, 6 = m-mode, 3 = u-mode
-                let tcontrol = 1 << 3; // M-mode trigger
-
-                unsafe {
-                    core::arch::asm!(
-                        "
-                        csrw 0x7a0, {id} // tselect
-                        csrrs {tcontrol}, 0x7a5, {tcontrol} // tcontrol
-                        csrrs {tdata}, 0x7a1, {tdata} // tdata1
-                        csrw 0x7a2, {addr} // tdata2
-                        ", id = in(reg) id,
-                        addr = in(reg) addr,
-                        tdata = in(reg) tdata,
-                        tcontrol = in(reg) tcontrol,
-                    );
-                }
+                unsafe { set_watchpoint(0, addr, 4); }
             }
         }
     }
 }
+
+#[cfg(riscv)]
+pub(crate) static DEBUGGER_LOCK: esp_sync::RawMutex = esp_sync::RawMutex::new();
+
+#[cfg(riscv)]
+const NAPOT_MATCH: u8 = 1;
+
+#[cfg(riscv)]
+bitfield::bitfield! {
+    /// Only match type (0x2) triggers are supported.
+    #[derive(Clone, Copy, Default)]
+    pub(crate) struct Tdata1(u32);
+
+    /// Set this for configuring the selected trigger to fire right before a load operation with matching
+    /// data address is executed by the CPU.
+    pub bool, load, set_load: 0;
+
+    /// Set this for configuring the selected trigger to fire right before a store operation with matching
+    /// data address is executed by the CPU.
+    pub bool, store, set_store: 1;
+
+    /// Set this for configuring the selected trigger to fire right before an instruction with matching
+    /// virtual address is executed by the CPU.
+    pub bool, execute, set_execute: 2;
+
+    /// Set this for enabling selected trigger to operate in user mode.
+    pub bool, u, set_u: 3;
+
+    /// Set this for enabling selected trigger to operate in machine mode.
+    pub bool, m, set_m: 6;
+
+    /// Configures the selected trigger to perform one of the available matching operations on a
+    /// data/instruction address. Valid options are:
+    /// 0x0: exact byte match, i.e. address corresponding to one of the bytes in an access must match
+    /// the value of maddress exactly.
+    /// 0x1: NAPOT match, i.e. at least one of the bytes of an access must lie in the NAPOT region
+    /// specified in maddress.
+    /// Note: Writing a larger value will clip it to the largest possible value 0x1.
+    pub u8, _match, set_match: 10, 7;
+
+    /// Configures the selected trigger to perform one of the available actions when firing. Valid
+    /// options are:
+    /// 0x0: cause breakpoint exception.
+    /// 0x1: enter debug mode (only valid when dmode = 1)
+    /// Note: Writing an invalid value will set this to the default value 0x0.
+    pub u8, action, set_action: 15, 12;
+
+    /// This is found to be 1 if the selected trigger had fired previously. This bit is to be cleared manually.
+    pub bool, hit, set_hit: 20;
+
+    /// 0: Both Debug and M mode can write the tdata1 and tdata2 registers at the selected tselect.
+    /// 1: Only Debug Mode can write the tdata1 and tdata2 registers at the selected tselect. Writes from
+    /// other modes are ignored.
+    /// Note: Only writable from debug mode.
+    pub bool, dmode, set_dmode: 27;
+}
+
+#[cfg(riscv)]
+bitfield::bitfield! {
+    /// Only match type (0x2) triggers are supported.
+    #[derive(Clone, Copy, Default)]
+    pub(crate) struct Tcontrol(u32);
+
+    /// Current M mode trigger enable bit
+    pub bool, mte, set_mte: 3;
+
+    /// Previous M mode trigger enable bit
+    pub bool, mpte, set_mpte: 7;
+
+}
+
+#[cfg(riscv)]
+pub(crate) struct WatchPoint {
+    tdata1: u32,
+    tdata2: u32,
+}
+
+/// Clear the watchpoint
+#[cfg(riscv)]
+pub(crate) unsafe fn clear_watchpoint(id: u8) -> WatchPoint {
+    assert!(id < 4);
+
+    // tdata1 is a WARL(write any read legal) register. We can just write 0 to it.
+    let mut tdata1 = 0;
+    let mut tdata2 = 0;
+
+    DEBUGGER_LOCK.lock(|| unsafe {
+        core::arch::asm!(
+            "
+            csrw 0x7a0, {id} // tselect
+            csrrw {tdata1}, 0x7a1, {tdata2} // tdata1
+            csrr {tdata2}, 0x7a2 // tdata2
+            ", id = in(reg) id,
+            tdata1 = inout(reg) tdata1,
+            tdata2 = out(reg) tdata2,
+        );
+    });
+
+    WatchPoint { tdata1, tdata2 }
+}
+
+/// Clear the watchpoint
+#[cfg(riscv)]
+pub(crate) unsafe fn restore_watchpoint(id: u8, watchpoint: WatchPoint) {
+    DEBUGGER_LOCK.lock(|| unsafe {
+        core::arch::asm!(
+            "
+            csrw 0x7a0, {id} // tselect
+            csrw 0x7a1, {tdata1} // tdata1
+            csrw 0x7a2, {tdata2} // tdata2
+            ", id = in(reg) id,
+            tdata1 = in(reg) watchpoint.tdata1,
+            tdata2 = in(reg) watchpoint.tdata2,
+        );
+    });
+}
+
+/// Clear the watchpoint
+#[cfg(all(riscv, feature = "exception-handler"))]
+pub(crate) unsafe fn watchpoint_hit(id: u8) -> bool {
+    assert!(id < 4);
+    let mut tdata = Tdata1::default();
+
+    DEBUGGER_LOCK.lock(|| unsafe {
+        core::arch::asm!(
+            "
+            csrw 0x7a0, {id} // tselect
+            csrr {tdata}, 0x7a1 // tdata1
+            ", id = in(reg) id,
+            tdata = out(reg) tdata.0,
+        );
+    });
+
+    tdata.hit()
+}
+
+/// Set watchpoint and enable triggers.
+#[cfg(riscv)]
+pub(crate) unsafe fn set_watchpoint(id: u8, addr: usize, len: usize) {
+    assert!(id < 4);
+    assert!(len.is_power_of_two());
+    assert!(addr.is_multiple_of(len));
+
+    let z = len.trailing_zeros();
+    let mask = {
+        let mut mask: usize = 0;
+        for i in 0..z {
+            mask |= 1 << i;
+        }
+        mask
+    };
+
+    let napot_encoding = { mask & !(1 << (z - 1)) };
+    let addr = (addr & !mask) | napot_encoding;
+
+    let mut tdata = Tdata1::default();
+    tdata.set_m(true);
+    tdata.set_store(true);
+    tdata.set_match(NAPOT_MATCH);
+    let tdata: u32 = tdata.0;
+
+    let mut tcontrol = Tcontrol::default();
+    tcontrol.set_mte(true);
+    let tcontrol: u32 = tcontrol.0;
+
+    DEBUGGER_LOCK.lock(|| unsafe {
+        core::arch::asm!(
+            "
+            csrw 0x7a0, {id} // tselect
+            csrw 0x7a5, {tcontrol} // tcontrol
+            csrw 0x7a1, {tdata} // tdata1
+            csrw 0x7a2, {addr} // tdata2
+            ", id = in(reg) id,
+            addr = in(reg) addr,
+            tdata = in(reg) tdata,
+            tcontrol = in(reg) tcontrol,
+        );
+    });
+}

esp-hal/src/exception_handler/mod.rs

@@ -70,10 +70,22 @@ unsafe extern "C" fn ExceptionHandler(context: &TrapFrame) -> ! {
                 mepc, context.ra
             )
         } else {
-            panic!(
-                "Breakpoint exception at 0x{:08x}, mtval=0x{:08x}\n{:?}",
-                mepc, mtval, context
-            );
+            if unsafe { crate::debugger::watchpoint_hit(1) } {
+                panic!(
+                    "Detected a write to the trap/rwtext segment at 0x{:x}, possibly called by 0x{:x}",
+                    mepc, context.ra
+                );
+            } else if unsafe { crate::debugger::watchpoint_hit(0) } {
+                panic!(
+                    "Detected a write to a stack guard value at 0x{:x}, possibly called by 0x{:x}",
+                    mepc, context.ra
+                );
+            } else {
+                panic!(
+                    "Breakpoint exception at 0x{:08x}, mtval=0x{:08x}\n{:?}",
+                    mepc, mtval, context
+                );
+            }
         }
     }
 

esp-hal/src/interrupt/riscv.rs

@@ -260,7 +260,16 @@ pub fn enable_direct(
 
         let instr = encode_jal_x0(handler as usize, int_slot)?;
 
-        core::ptr::write_volatile(int_slot as *mut u32, instr);
+        if crate::debugger::debugger_connected() {
+            core::ptr::write_volatile(int_slot as *mut u32, instr);
+        } else {
+            crate::debugger::DEBUGGER_LOCK.lock(|| {
+                let wp = crate::debugger::clear_watchpoint(1);
+                core::ptr::write_volatile(int_slot as *mut u32, instr);
+                crate::debugger::restore_watchpoint(1, wp);
+            });
+        }
+
         core::arch::asm!("fence.i");
 
         enable_cpu_interrupt(cpu_interrupt);
@@ -452,7 +461,16 @@ mod vectored {
         unsafe {
             let ptr =
                 &pac::__EXTERNAL_INTERRUPTS[interrupt as usize]._handler as *const _ as *mut usize;
-            ptr.write_volatile(handler.raw_value());
+
+            if crate::debugger::debugger_connected() {
+                ptr.write_volatile(handler.raw_value());
+            } else {
+                crate::debugger::DEBUGGER_LOCK.lock(|| {
+                    let wp = crate::debugger::clear_watchpoint(1);
+                    ptr.write_volatile(handler.raw_value());
+                    crate::debugger::restore_watchpoint(1, wp);
+                });
+            }
         }
     }