arch/riscv: Add API to control write permission for custom PMP entry

Introduce the `riscv_pmp_set_write_permission()` API to dynamically
control the write access to memory regions protected by the RISC-V
Physical Memory Protection (PMP) unit.

This function enables or disables the Write (W) bit in the PMP
configuration register (pmpcfg) for a specific region. The region
is identified by an index (`region_idx`) referencing the list of
memory regions defined in the Device Tree with the "zephyr,memattr"
property.

This API is particularly useful for security-sensitive applications,
such as protecting critical flash sections like firmware rollback
data from accidental or unauthorized writes, while allowing writes
only during specific, controlled operations.

The current implementation supports systems with up to 8 PMP slots
(CONFIG_PMP_SLOTS <= 8) due to the method used to access pmpcfg
registers.

Signed-off-by: Firas Sammoura <[email protected]>

Author: fsammoura1980

arch/riscv/core/pmp.c

@@ -33,6 +33,9 @@
 #include <zephyr/arch/riscv/csr.h>
 #include <zephyr/mem_mgmt/mem_attr.h>
 
+#include <errno.h>
+#include <stdint.h>
+
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
 LOG_MODULE_REGISTER(mpu);
@@ -57,6 +60,8 @@ LOG_MODULE_REGISTER(mpu);
 
 #define PMP_NONE 0
 
+#define PMP_CFG_W_BIT 1 /* Write permission bit in the PMP config byte */
+
 static void print_pmp_entries(unsigned int pmp_start, unsigned int pmp_end,
 			      unsigned long *pmp_addr, unsigned long *pmp_cfg,
 			      const char *banner)
@@ -483,6 +488,114 @@ void z_riscv_custom_pmp_entry_enable(void)
 	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
 	csr_set(mstatus, MSTATUS_MPRV);
 }
+
+int riscv_pmp_set_write_permission(bool write_enable, size_t region_idx)
+{
+	if (CONFIG_PMP_SLOTS > 8) {
+		LOG_ERR("This function only supports up to 8 PMP slots.");
+		return -ENOTSUP;
+	}
+
+	const struct mem_attr_region_t *region;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	if (region_idx >= num_regions) {
+		LOG_ERR("region_idx %zu is out of bounds (num_regions: %zu)", region_idx,
+			num_regions);
+		return -EINVAL;
+	}
+
+	uintptr_t region_start_address = region[region_idx].dt_addr;
+	size_t region_size = region[region_idx].dt_size;
+
+	int entry_index = -1;
+	uintptr_t target_pmpaddr_start = PMP_ADDR(region_start_address);
+	uintptr_t target_pmpaddr_end = PMP_ADDR(region_start_address + region_size);
+	uintptr_t target_pmpaddr_napot = PMP_ADDR_NAPOT(region_start_address, region_size);
+
+	for (uint8_t i = 0; i < CONFIG_PMP_SLOTS; ++i) {
+		uintptr_t current_pmpaddr = PMPADDR_READ(i);
+
+		/* Check for NAPOT match */
+		if (current_pmpaddr == target_pmpaddr_napot) {
+			entry_index = i;
+			break;
+		}
+
+		/* Check for TOR match start */
+		if (current_pmpaddr == target_pmpaddr_start) {
+			if (i < (CONFIG_PMP_SLOTS - 1)) {
+				if (PMPADDR_READ(i + 1) == target_pmpaddr_end) {
+					entry_index =
+						i + 1;
+					break;
+				}
+			}
+		}
+	}
+
+	if (entry_index == -1) {
+		LOG_ERR("PMP entry for address 0x%x not found", region_start_address);
+		return -ENOENT;
+	}
+
+	uint8_t cfg_reg_idx = entry_index / PMPCFG_STRIDE;
+	uint8_t entry_in_reg = entry_index % PMPCFG_STRIDE;
+	int bit_position = (entry_in_reg * 8) + PMP_CFG_W_BIT;
+	unsigned long mask = 1UL << bit_position;
+
+	unsigned long pmpcfg_val;
+
+#if defined(CONFIG_64BIT)
+	/*
+	 * RV64: pmpcfg0 holds configurations for entries 0-7.
+	 * On RV64, the PMP configuration registers are even-numbered:
+	 * pmpcfg0, pmpcfg2, pmpcfg4, and so on.
+	 */
+	if (cfg_reg_idx == 0) { /* Entries 0-7 are in pmpcfg0 */
+		pmpcfg_val = csr_read(pmpcfg0);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg0, pmpcfg_val);
+	} else {
+		LOG_ERR("cfg_reg_idx %d unexpected for <= 8 slots on RV64", cfg_reg_idx);
+		return -EINVAL;
+	}
+#else
+	/*
+	 * RV32: pmpcfg0 holds configurations for entries 0-3, pmpcfg1 holds entries 4-7.
+	 * On RV32, all pmpcfg registers are valid: pmpcfg0, pmpcfg1, pmpcfg2, and so on.
+	 */
+	if (cfg_reg_idx == 0) { /* Entries 0-3 */
+		pmpcfg_val = csr_read(pmpcfg0);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg0, pmpcfg_val);
+	} else if (cfg_reg_idx == 1) { /* Entries 4-7 */
+		pmpcfg_val = csr_read(pmpcfg1);
+		if (write_enable) {
+			pmpcfg_val |= mask;
+		} else {
+			pmpcfg_val &= ~mask;
+		}
+		csr_write(pmpcfg1, pmpcfg_val);
+	} else {
+		LOG_ERR("cfg_reg_idx %d unexpected for <= 8 slots on RV32", cfg_reg_idx);
+		return -EINVAL;
+	}
+#endif
+
+	return 0;
+}
+
 #endif
 
 /**

arch/riscv/include/pmp.h

@@ -16,4 +16,30 @@ void z_riscv_pmp_usermode_prepare(struct k_thread *thread);
 void z_riscv_pmp_usermode_enable(struct k_thread *thread);
 void z_riscv_custom_pmp_entry_enable(void);
 
+
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+
+/**
+ * @brief Sets the write permission for a specific PMP entry.
+ *
+ * Searches for the PMP entry corresponding to the Device Tree memory
+ * region at the given index. Modifies the Write (W) bit in this
+ * entry's PMP configuration.
+ *
+ * @note This function currently supports up to 8 PMP slots (CONFIG_PMP_SLOTS <= 8).
+ *
+ * @param write_enable If true, enables writes to the region (sets W bit).
+ *                     If false, disables writes (clears W bit).
+ * @param region_idx The index of the region in the array returned
+ *                   by mem_attr_get_regions(), for which to modify PMP settings.
+ *
+ * @return 0 on success.
+ *         -EINVAL if region_idx is out of bounds.
+ *         -ENOENT if the matching PMP entry is not found.
+ *         -ENOTSUP if CONFIG_PMP_SLOTS > 8.
+ */
+int riscv_pmp_set_write_permission(bool write_enable, size_t region_idx);
+
+#endif
+
 #endif /* PMP_H_ */