riscv: pmp: Support custom entries from device tree

When CONFIG_MEM_ATTR is enabled, the PMP initialization process
in z_riscv_pmp_init() now scans the Device Tree for memory regions
tagged with the 'zephyr,memattr' property. For each such region
found, a corresponding PMP entry is programmed with the base address,
size, and permissions (R/W/X) specified in the Device Tree node.
This is facilitated by the mem_attr API.

This change allows for more flexible and hardware-specific memory
protection schemes, ideal for safeguarding critical areas like
firmware rollback segments or sensitive configuration data early in
the boot process.

Additionally, various checks for PMP usage throughout the RISC-V
port, previously conditional only on CONFIG_PMP_STACK_GUARD, have
been updated to also include CONFIG_MEM_ATTR. This ensures that
PMP-aware code paths (e.g., in ISRs, context switching) are
correctly activated when PMP is configured via Device Tree
attributes, even if the stack guard feature is not enabled.

Signed-off-by: Firas Sammoura <[email protected]>

Author: fsammoura1980

arch/riscv/core/fatal.c

@@ -224,7 +224,7 @@ void z_riscv_fault(struct arch_esf *esf)
 	unsigned int reason = K_ERR_CPU_EXCEPTION;
 
 	if (bad_stack_pointer(esf)) {
-#ifdef CONFIG_PMP_STACK_GUARD
+#if (defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR))
 		/*
 		 * Remove the thread's PMP setting to prevent triggering a stack
 		 * overflow error again due to the previous configuration.

arch/riscv/core/isr.S

@@ -366,7 +366,7 @@ no_fp:	/* increment _current->arch.exception_depth */
 	li t1, RISCV_EXC_ECALLU
 	beq t0, t1, is_user_syscall
 
-#if defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_MEM_ATTR)
 	/*
 	 * Determine if we come from user space. If so, reconfigure the PMP for
 	 * kernel mode stack guard.
@@ -378,7 +378,7 @@ no_fp:	/* increment _current->arch.exception_depth */
 	lr a0, ___cpu_t_current_OFFSET(s0)
 	call z_riscv_pmp_kernelmode_enable
 1:
-#endif /* CONFIG_PMP_STACK_GUARD */
+#endif /* CONFIG_PMP_STACK_GUARD, CONFIG_MEM_ATTR */
 
 #endif /* CONFIG_USERSPACE */
 
@@ -407,7 +407,7 @@ is_kernel_syscall:
 	addi t0, t0, 4
 	sr t0, __struct_arch_esf_mepc_OFFSET(sp)
 
-#if defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_MEM_ATTR)
 	/* Re-activate PMP for m-mode */
 	li t1, MSTATUS_MPP
 	csrc mstatus, t1
@@ -518,7 +518,7 @@ do_irq_offload:
 #ifdef CONFIG_USERSPACE
 is_user_syscall:
 
-#if defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_MEM_ATTR)
 	/*
 	 * We came from userspace and need to reconfigure the
 	 * PMP for kernel mode stack guard.
@@ -588,7 +588,7 @@ valid_syscall_id:
 
 is_interrupt:
 
-#if defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_MEM_ATTR)
 #ifdef CONFIG_USERSPACE
 	/*
 	 * If we came from userspace then we need to reconfigure the
@@ -772,7 +772,7 @@ fp_trap_exit:
 	and t0, t2, t1
 	bnez t0, 1f
 
-#if defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_MEM_ATTR)
 	/* Remove kernel stack guard and Reconfigure PMP for user mode */
 	lr a0, ___cpu_t_current_OFFSET(s0)
 	call z_riscv_pmp_usermode_enable

arch/riscv/core/pmp.c

@@ -31,6 +31,7 @@
 #include <pmp.h>
 #include <zephyr/arch/arch_interface.h>
 #include <zephyr/arch/riscv/csr.h>
+#include <zephyr/mem_mgmt/mem_attr.h>
 
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
@@ -270,7 +271,7 @@ static bool set_pmp_entry(unsigned int *index_p, uint8_t perm,
 	return ok;
 }
 
-#ifdef CONFIG_PMP_STACK_GUARD
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR)
 static inline bool set_pmp_mprv_catchall(unsigned int *index_p,
 					 unsigned long *pmp_addr, unsigned long *pmp_cfg,
 					 unsigned int index_limit)
@@ -382,6 +383,49 @@ static void write_pmp_entries(unsigned int start, unsigned int end,
 				  pmp_addr, pmp_cfg);
 }
 
+#ifdef CONFIG_MEM_ATTR
+/**
+ * @brief Install PMP entries from devicetree mem-attr regions.
+ *
+ * Iterates over devicetree-provided memory-attr regions and programs PMP
+ * via set_pmp_entry(). Ordering matters because PMP checks entries from lowest
+ * to highest index and uses the first entry that matches the address.
+ *
+ * @param index_p Location of the current PMP slot index to use. This index
+ *                will be updated according to the number of slots used.
+ * @param pmp_addr Array of pmpaddr values (starting at entry 0).
+ * @param pmp_cfg Array of pmpcfg values (starting at entry 0).
+ * @param index_limit Index value representing the size of the provided arrays.
+ * @return Number of PMP slots consumed by installed mem-attr regions.
+ */
+static unsigned int set_pmp_mem_attr(unsigned int *index_p,
+				     unsigned long *pmp_addr, unsigned long *pmp_cfg,
+				     unsigned int index_limit)
+{
+	const struct mem_attr_region_t *region;
+	unsigned int entry_cnt = *index_p;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	for (size_t idx = 0; idx < num_regions; ++idx) {
+
+		uint8_t perm = DT_MEM_RISCV_TO_PMP_PERM(region[idx].dt_attr);
+
+		if (perm) {
+			set_pmp_entry(index_p, perm,
+				(uintptr_t)(region[idx].dt_addr),
+				(size_t)(region[idx].dt_size),
+				pmp_addr, pmp_cfg, index_limit);
+		}
+	}
+
+	entry_cnt = *index_p - entry_cnt;
+
+	return entry_cnt;
+}
+#endif /* CONFIG_MEM_ATTR */
+
 /**
  * @brief Abstract the last 3 arguments to set_pmp_entry() and
  *        write_pmp_entries( for m-mode.
@@ -441,6 +485,9 @@ void z_riscv_pmp_init(void)
 
 #ifdef CONFIG_PMP_STACK_GUARD
 #ifdef CONFIG_MULTITHREADING
+#ifdef CONFIG_SMP
+	unsigned int irq_stack_pmp_index = index;
+#endif
 	/*
 	 * Set the stack guard for this CPU's IRQ stack by making the bottom
 	 * addresses inaccessible. This will never change so we do it here
@@ -450,23 +497,6 @@ void z_riscv_pmp_init(void)
 		      (uintptr_t)z_interrupt_stacks[_current_cpu->id],
 		      Z_RISCV_STACK_GUARD_SIZE,
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	/*
-	 * This early, the kernel init code uses the IRQ stack and we want to
-	 * safeguard it as soon as possible. But we need a temporary default
-	 * "catch all" PMP entry for MPRV to work. Later on, this entry will
-	 * be set for each thread by z_riscv_pmp_kernelmode_prepare().
-	 */
-	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	 /* Write those entries to PMP regs. */
-	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	/* Activate our non-locked PMP entries for m-mode */
-	csr_set(mstatus, MSTATUS_MPRV);
-
-	/* And forget about that last entry as we won't need it later */
-	index--;
 #else
 	/* Without multithreading setup stack guards for IRQ and main stacks */
 	set_pmp_entry(&index, PMP_NONE | PMP_L,
@@ -479,12 +509,31 @@ void z_riscv_pmp_init(void)
 		      Z_RISCV_STACK_GUARD_SIZE,
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 
+#endif /* CONFIG_MULTITHREADING */
+#endif
+
+#ifdef CONFIG_MEM_ATTR
+	unsigned int attr_cnt = set_pmp_mem_attr(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+
+	/*
+	 * This early, we want to protect unlock PMP entries as soon as
+	 * possible. But we need a temporary default "catch all" PMP entry for
+	 * MPRV to work. Later on, this entry will be set for each thread by
+	 * z_riscv_pmp_kernelmode_prepare().
+	 */
+	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+
 	/* Write those entries to PMP regs. */
 	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-#endif /* CONFIG_MULTITHREADING */
+
+	/* Activate our non-locked PMP entries for m-mode */
+	csr_set(mstatus, MSTATUS_MPRV);
+
+	/* And forget about that tempory entries as we won't need it later */
+	index -= attr_cnt + 1;
 #else
-	 /* Write those entries to PMP regs. */
-	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+	/* Write those entries to PMP regs. */
+ 	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif
 
 #ifdef CONFIG_SMP
@@ -494,7 +543,7 @@ void z_riscv_pmp_init(void)
 	 * Make sure TOR entry sharing won't be attempted with it by
 	 * remembering a bogus address for those entries.
 	 */
-	pmp_addr[index - 1] = -1L;
+	pmp_addr[irq_stack_pmp_index] = -1L;
 #endif
 
 	/* Make sure secondary CPUs produced the same values */
@@ -518,7 +567,8 @@ void z_riscv_pmp_init(void)
 /**
  * @Brief Initialize the per-thread PMP register copy with global values.
  */
-#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || defined(CONFIG_USERSPACE)
+#if ((defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || \
+	defined(CONFIG_MEM_ATTR)) || defined(CONFIG_USERSPACE)
 static inline unsigned int z_riscv_pmp_thread_init(unsigned long *pmp_addr,
 						   unsigned long *pmp_cfg,
 						   unsigned int index_limit)
@@ -540,9 +590,8 @@ static inline unsigned int z_riscv_pmp_thread_init(unsigned long *pmp_addr,
 }
 #endif
 
-#ifdef CONFIG_PMP_STACK_GUARD
-
-#ifdef CONFIG_MULTITHREADING
+#if ((defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING)) || \
+	defined(CONFIG_MEM_ATTR))
 /**
  * @brief Prepare the PMP stackguard content for given thread.
  *
@@ -551,6 +600,8 @@ static inline unsigned int z_riscv_pmp_thread_init(unsigned long *pmp_addr,
 void z_riscv_pmp_kernelmode_prepare(struct k_thread *thread)
 {
 	unsigned int index = z_riscv_pmp_thread_init(PMP_M_MODE(thread));
+
+#if (defined(CONFIG_PMP_STACK_GUARD) && defined(CONFIG_MULTITHREADING))
 	uintptr_t stack_bottom;
 
 	/* make the bottom addresses of our stack inaccessible */
@@ -565,6 +616,12 @@ void z_riscv_pmp_kernelmode_prepare(struct k_thread *thread)
 	set_pmp_entry(&index, PMP_NONE,
 		      stack_bottom, Z_RISCV_STACK_GUARD_SIZE,
 		      PMP_M_MODE(thread));
+#endif /* CONFIG_PMP_STACK_GUARD */
+
+#ifdef CONFIG_MEM_ATTR
+	set_pmp_mem_attr(&index, PMP_M_MODE(thread));
+#endif /* CONFIG_MEM_ATTR */
+
 	set_pmp_mprv_catchall(&index, PMP_M_MODE(thread));
 
 	/* remember how many entries we use */
@@ -600,8 +657,9 @@ void z_riscv_pmp_kernelmode_enable(struct k_thread *thread)
 	csr_set(mstatus, MSTATUS_MPRV);
 }
 
-#endif /* CONFIG_MULTITHREADING */
+#endif /* CONFIG_PMP_STACK_GUARD && CONFIG_MULTITHREADING || CONFIG_MEM_ATTR */
 
+#if (defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR))
 /**
  * @brief Remove PMP stackguard content to actual PMP registers
  */
@@ -633,7 +691,7 @@ void z_riscv_pmp_kernelmode_disable(void)
 	}
 }
 
-#endif /* CONFIG_PMP_STACK_GUARD */
+#endif /* CONFIG_PMP_STACK_GUARD || CONFIG_MEM_ATTR */
 
 #ifdef CONFIG_USERSPACE
 
@@ -699,8 +757,34 @@ static void resync_pmp_domain(struct k_thread *thread,
 			continue;
 		}
 
-		ok = set_pmp_entry(&index, part->attr.pmp_attr,
-				   part->start, part->size, PMP_U_MODE(thread));
+#ifdef CONFIG_MEM_ATTR
+		const struct mem_attr_region_t *region;
+		uint8_t attr_mask = PMP_R | PMP_W | PMP_X;
+
+		for (int idx = 0; idx < mem_attr_get_regions(&region); idx++) {
+			uintptr_t dt_start = (uintptr_t)(region[idx].dt_addr);
+			uintptr_t dt_end = dt_start + (size_t)(region[idx].dt_size);
+			bool covered = false;
+
+			/* No overlap at all, skip this memory region */
+			if ((part->start + part->size) <= dt_start || part->start >= dt_end) {
+				continue;
+			}
+
+			covered = part->start >= dt_start && (part->start + part->size) <= dt_end;
+			__ASSERT(covered, "No allowed partition partially overlaps memory region");
+
+			attr_mask = DT_MEM_RISCV_TO_PMP_PERM(region[idx].dt_attr);
+			break;
+		}
+
+		ok = set_pmp_entry(&index, part->attr.pmp_attr & attr_mask, part->start, part->size,
+				   PMP_U_MODE(thread));
+#else
+		ok = set_pmp_entry(&index, part->attr.pmp_attr, part->start, part->size,
+				   PMP_U_MODE(thread));
+#endif
+
 		__ASSERT(ok,
 			 "no PMP slot left for %d remaining partitions in domain %p",
 			 remaining_partitions + 1, domain);

arch/riscv/core/switch.S

@@ -61,7 +61,7 @@ SECTION_FUNC(TEXT, z_riscv_switch)
 	mv a0, s0
 #endif
 
-#if defined(CONFIG_PMP_STACK_GUARD)
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR)
 	/* Stack guard has priority over user space for PMP usage. */
 	mv s0, a0
 	call z_riscv_pmp_kernelmode_enable

arch/riscv/core/thread.c

@@ -89,15 +89,15 @@ void arch_new_thread(struct k_thread *thread, k_thread_stack_t *stack,
 		/* Supervisor thread */
 		stack_init->mepc = (unsigned long)z_thread_entry;
 
-#if defined(CONFIG_PMP_STACK_GUARD)
+#if (defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR))
 		/* Enable PMP in mstatus.MPRV mode for RISC-V machine mode
 		 * if thread is supervisor thread.
 		 */
 		stack_init->mstatus |= MSTATUS_MPRV;
 #endif /* CONFIG_PMP_STACK_GUARD */
 	}
 
-#if defined(CONFIG_PMP_STACK_GUARD)
+#if (defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR))
 	/* Setup PMP regions of PMP stack guard of thread. */
 	z_riscv_pmp_kernelmode_prepare(thread);
 #endif /* CONFIG_PMP_STACK_GUARD */

arch/riscv/include/pmp.h

@@ -7,8 +7,15 @@
 #ifndef PMP_H_
 #define PMP_H_
 
+#include <zephyr/dt-bindings/memory-attr/memory-attr-riscv.h>
+
 #define PMPCFG_STRIDE (__riscv_xlen / 8)
 
+#define DT_MEM_RISCV_TO_PMP_PERM(dt_attr) (		\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_R) ? PMP_R : 0) |	\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_W) ? PMP_W : 0) |	\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_X) ? PMP_X : 0))
+
 void z_riscv_pmp_init(void);
 void z_riscv_pmp_kernelmode_prepare(struct k_thread *thread);
 void z_riscv_pmp_kernelmode_enable(struct k_thread *thread);

include/zephyr/arch/riscv/thread.h

@@ -77,7 +77,7 @@ struct _thread_arch {
 	unsigned int u_mode_pmp_end_index;
 	unsigned int u_mode_pmp_update_nr;
 #endif
-#ifdef CONFIG_PMP_STACK_GUARD
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_MEM_ATTR)
 	unsigned int m_mode_pmp_end_index;
 	unsigned long m_mode_pmpaddr_regs[CONFIG_PMP_SLOTS];
 	unsigned long m_mode_pmpcfg_regs[CONFIG_PMP_SLOTS / (__riscv_xlen / 8)];