arch/riscv: Add API to control write permission for custom PMP entry

fsammoura1980 · fsammoura1980 · commit 61fc4941e52d · 2025-10-06T16:47:35.000Z
Implement the `riscv_pmp_set_write_permission()` API, which allows the
'W' bit in the PMP configuration register (pmpcfg) to be dynamically
enabled or disabled for a memory region defined by
CUSTOM_PMP_ENTRY_START and CUSTOM_PMP_ENTRY_SIZE.

This functionality is crucial for security platforms to protect critical
flash areas, such as rollback data, against accidental or malicious
writes.

Also adds the Kconfig symbol `PLATFORM_EC_ROLLBACK_PMP_PROTECT` which
depends on `RISCV_PMP` and ensures `CUSTOM_PMP_ENTRY` is selected when
rollback protection is desired. The current implementation is limited to
PMP slots 0-7.

Signed-off-by: Firas Sammoura &lt;fsammoura@google.com&gt;
diff --git a/arch/riscv/core/pmp.c b/arch/riscv/core/pmp.c
@@ -33,6 +33,9 @@
 #include <zephyr/arch/riscv/csr.h>
 #include <zephyr/mem_mgmt/mem_attr.h>
 
+#include <errno.h>
+#include <stdint.h>
+
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
 LOG_MODULE_REGISTER(mpu);
@@ -57,6 +60,8 @@ LOG_MODULE_REGISTER(mpu);
 
 #define PMP_NONE 0
 
+#define PMP_CFG_W_BIT 1 /* Write permission bit in the PMP config byte */
+
 static void print_pmp_entries(unsigned int pmp_start, unsigned int pmp_end,
 			      unsigned long *pmp_addr, unsigned long *pmp_cfg,
 			      const char *banner)
@@ -483,6 +488,99 @@ void z_riscv_custom_pmp_entry_enable(void)
 	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
 	csr_set(mstatus, MSTATUS_MPRV);
 }
+
+int riscv_pmp_set_write_permission(bool write_enable, size_t region_idx)
+{
+	if (CONFIG_PMP_SLOTS > 8) {
+		LOG_ERR("This function only supports up to 8 PMP slots.");
+		return -ENOTSUP;
+	}
+
+	const struct mem_attr_region_t *region;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	uintptr_t region_start_address = region[region_idx].dt_addr;
+	size_t region_size = region[region_idx].dt_size;
+
+	int entry_index = -1;
+	uintptr_t target_pmpaddr_start = PMP_ADDR(region_start_address);
+	uintptr_t target_pmpaddr_end = PMP_ADDR(region_start_address + region_size);
+	uintptr_t target_pmpaddr_napot = PMP_ADDR_NAPOT(region_start_address, region_size);
+
+	for (uint8_t i = 0; i < CONFIG_PMP_SLOTS; ++i) {
+		if ((PMPADDR_READ(i) == target_pmpaddr_start) &&
+		    (PMPADDR_READ(i + 1) == target_pmpaddr_end)) {
+			entry_index = i + 1;
+			break;
+		}
+		if (PMPADDR_READ(i) == target_pmpaddr_napot) {
+			entry_index = i;
+			break;
+		}
+	}
+
+	if (entry_index == -1) {
+		LOG_ERR("PMP entry for address 0x%x not found", region_start_address);
+		return -ENOENT;
+	}
+
+	uint8_t cfg_reg_idx = entry_index / PMPCFG_STRIDE;
+	uint8_t entry_in_reg = entry_index % PMPCFG_STRIDE;
+	int bit_position = (entry_in_reg * 8) + PMP_CFG_W_BIT;
+	unsigned long mask = 1UL << bit_position;
+
+	unsigned long pmpcfg_val;
+
+#if defined(CONFIG_64BIT)
+	/*
+	 * RV64: pmpcfg0 holds configurations for entries 0-7.
+	 * On RV64, the PMP configuration registers are even-numbered:
+	 * pmpcfg0, pmpcfg2, pmpcfg4, and so on.
+	 */
+	if (cfg_reg_idx == 0) { /* Entries 0-7 are in pmpcfg0 */
+		pmpcfg_val = csr_read(pmpcfg0);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg0, pmpcfg_val);
+	} else {
+		LOG_ERR("cfg_reg_idx %d unexpected for <= 8 slots on RV64", cfg_reg_idx);
+		return -EINVAL;
+	}
+#else
+	/*
+	 * RV32: pmpcfg0 holds configurations for entries 0-3, pmpcfg1 holds entries 4-7.
+	 * On RV32, all pmpcfg registers are valid: pmpcfg0, pmpcfg1, pmpcfg2, and so on.
+	 */
+	if (cfg_reg_idx == 0) { /* Entries 0-3 */
+		pmpcfg_val = csr_read(pmpcfg0);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg0, pmpcfg_val);
+	} else if (cfg_reg_idx == 1) { /* Entries 4-7 */
+		pmpcfg_val = csr_read(pmpcfg1);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg1, pmpcfg_val);
+	} else {
+		LOG_ERR("cfg_reg_idx %d unexpected for <= 8 slots on RV32", cfg_reg_idx);
+		return -EINVAL;
+	}
+#endif
+
+	return 0;
+}
+
 #endif
 
 /**
diff --git a/arch/riscv/include/pmp.h b/arch/riscv/include/pmp.h
@@ -16,4 +16,30 @@ void z_riscv_pmp_usermode_prepare(struct k_thread *thread);
 void z_riscv_pmp_usermode_enable(struct k_thread *thread);
 void z_riscv_custom_pmp_entry_enable(void);
 
+
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+
+/**
+ * @brief Sets the write permission for a specific PMP entry.
+ *
+ * Searches for the PMP entry matching CUSTOM_PMP_ENTRY_START.
+ * Modifies the Write (W) bit in this entry's PMP configuration.
+ *
+ * @note This function currently supports up to 8 PMP slots (CONFIG_PMP_SLOTS <=
+ * 8). Extending beyond 8 slots in C requires more switch cases or an assembly
+ * helper.
+ *
+ * @param write_enable If true, enables writes to the region (sets W bit).
+ *                     If false, disables writes (clears W bit).
+ * @param region_idx The index of the configured memory attribute region.
+ *
+ * @return 0 on success.
+ *         -ENOENT if the PMP entry for CUSTOM_PMP_ENTRY_START is not found.
+ *         -ENOTSUP if CONFIG_PMP_SLOTS > 8.
+ *         -EINVAL for unexpected internal errors.
+ */
+int riscv_pmp_set_write_permission(bool write_enable, size_t region_idx);
+
+#endif
+
 #endif /* PMP_H_ */
