riscv: pmp: Add support for custom user-defined PMP entry

This commit introduces configuration and infrastructure to reserve a
dedicated Physical Memory Protection (PMP) slot for a custom memory
region.

This feature is designed for applications requiring **runtime control of
memory permissions** for critical areas, such as firmware rollback
segments or sensitive configuration data. This control is established
early in the boot process and allows the system to **temporarily modify
the privileges granted to the ROM flash** or other protected regions as
necessary during execution.

The new Kconfig options allow the user to define:
- **CONFIG_CUSTOM_PMP_ENTRY_START**: Base address of the protected
  region.
- **CONFIG_CUSTOM_PMP_ENTRY_SIZE**: Size of the protected region.
- **CONFIG_CUSTOM_PMP_ENTRY_PERMISSIONS**: R/W/X access permissions for
  the slot.

The custom PMP entry is configured in `z_riscv_pmp_init()` and
purposefully placed before the locked read-only ROM protection entry to
ensure early enforcement.

The necessary context switch logic (`z_riscv_custom_pmp_entry_enable`)
is added to `switch.S` and `pmp.c` to handle the required MPRV/MPP
register configuration when the custom entry is enabled and the PMP
stack guard is disabled.

Signed-off-by: Firas Sammoura <[email protected]>

Author: fsammoura1980

arch/riscv/Kconfig

@@ -432,6 +432,44 @@ config PMP_STACK_GUARD_MIN_SIZE
 	  wiggle room to accommodate the eventual overflow exception
 	  stack usage.
 
+config CUSTOM_PMP_ENTRY
+	bool "Use PMP for custom protection region"
+	depends on RISCV_PMP
+	help
+	  Enable a custom Physical Memory Protection (PMP) entry to protect
+	  a user-defined memory region. This is typically used for critical
+	  data or firmware rollback protection.
+
+if CUSTOM_PMP_ENTRY
+
+config CUSTOM_PMP_ENTRY_START
+	hex "Custom PMP entry start address"
+	default 0x80000000
+	help
+	  The base address of the memory region to be protected by the custom
+	  PMP entry.
+
+config CUSTOM_PMP_ENTRY_SIZE
+	hex "Custom PMP entry size in bytes"
+	default 0x4000
+	help
+	  The size, in bytes, of the memory region to be protected. The region
+	  will extend from CUSTOM_PMP_ENTRY_START for this many bytes.
+
+config CUSTOM_PMP_ENTRY_PERMISSIONS
+	hex "Custom PMP entry permissions (PMP_R, PMP_W, PMP_X)"
+	default 0x3 # PMP_R | PMP_W (Read and Write)
+	help
+	  The permissions for the PMP region, represented as a bitmask of
+	  PMP attributes:
+	  0x1: PMP_R (Read)
+	  0x2: PMP_W (Write)
+	  0x4: PMP_X (Execute)
+
+	  Example: 0x3 is (Read | Write).
+
+endif # CUSTOM_PMP_ENTRY
+
 # Implement the null pointer detection using the Physical Memory Protection
 # (PMP) Unit.
 config NULL_POINTER_EXCEPTION_DETECTION_PMP

arch/riscv/core/pmp.c

@@ -204,7 +204,7 @@ static bool set_pmp_entry(unsigned int *index_p, uint8_t perm,
 	return ok;
 }
 
-#ifdef CONFIG_PMP_STACK_GUARD
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_CUSTOM_PMP_ENTRY)
 static inline bool set_pmp_mprv_catchall(unsigned int *index_p,
 					 unsigned long *pmp_addr, unsigned long *pmp_cfg,
 					 unsigned int index_limit)
@@ -354,6 +354,13 @@ void z_riscv_pmp_init(void)
 	unsigned long pmp_cfg[CONFIG_PMP_SLOTS / PMPCFG_STRIDE];
 	unsigned int index = 0;
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+	set_pmp_entry(&index, CONFIG_CUSTOM_PMP_ENTRY_PERMISSIONS,
+		      (uintptr_t)(CONFIG_CUSTOM_PMP_ENTRY_START),
+		      (size_t)(CONFIG_CUSTOM_PMP_ENTRY_SIZE), pmp_addr, pmp_cfg,
+		      ARRAY_SIZE(pmp_addr));
+#endif
+
 	/* The read-only area is always there for every mode */
 	set_pmp_entry(&index, PMP_R | PMP_X | PMP_L,
 		      (uintptr_t)__rom_region_start,
@@ -371,6 +378,17 @@ void z_riscv_pmp_init(void)
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+#ifndef CONFIG_PMP_STACK_GUARD
+	/*
+	 * This early, the kernel init code uses the custom entry and we want to
+	 * safeguard it as soon as possible. But we need a temporary default
+	 * "catch all" PMP entry for MPRV to work.
+	 */
+	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+#endif
+#endif
+
 #ifdef CONFIG_PMP_STACK_GUARD
 #ifdef CONFIG_MULTITHREADING
 	/*
@@ -446,6 +464,20 @@ void z_riscv_pmp_init(void)
 	}
 }
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY)
+/**
+ * @brief Prepare M-mode for custom PMP entry handling.
+ *
+ * Configures the Machine Status Register (mstatus) by clearing MPP and setting MPRV to control
+ * the memory privilege context for PMP access or configuration.
+ */
+void z_riscv_custom_pmp_entry_enable(void)
+{
+	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
+	csr_set(mstatus, MSTATUS_MPRV);
+}
+#endif
+
 /**
  * @Brief Initialize the per-thread PMP register copy with global values.
  */

arch/riscv/core/switch.S

@@ -61,6 +61,12 @@ SECTION_FUNC(TEXT, z_riscv_switch)
 	mv a0, s0
 #endif
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY) && !defined(CONFIG_PMP_STACK_GUARD)
+	mv s0, a0
+	call z_riscv_custom_pmp_entry_enable
+	mv a0, s0
+#endif
+
 #if defined(CONFIG_PMP_STACK_GUARD)
 	/* Stack guard has priority over user space for PMP usage. */
 	mv s0, a0

arch/riscv/include/pmp.h

@@ -14,5 +14,6 @@ void z_riscv_pmp_stackguard_disable(void);
 void z_riscv_pmp_usermode_init(struct k_thread *thread);
 void z_riscv_pmp_usermode_prepare(struct k_thread *thread);
 void z_riscv_pmp_usermode_enable(struct k_thread *thread);
+void z_riscv_custom_pmp_entry_enable(void);
 
 #endif /* PMP_H_ */