riscv: pmp: Add custom entries from device tree

Introduce CONFIG_CUSTOM_PMP_ENTRY to enable configuring custom Physical
Memory Protection (PMP) regions directly from the Device Tree.

When this option is enabled, the PMP initialization process in
z_riscv_pmp_init() will scan the Device Tree for memory regions
tagged with the 'zephyr,memattr' property. For each such region
found, a corresponding PMP entry is programmed with the base address,
size, and permissions (R/W/X) specified in the Device Tree node.
This is facilitated by the mem_attr API.

This change allows for more flexible and hardware-specific memory
protection schemes, ideal for safeguarding critical areas like
firmware rollback segments or sensitive configuration data early in
the boot process.

Additionally, this patch introduces z_riscv_custom_pmp_entry_enable()
to manage the Machine Status Register (mstatus) MPRV bit when custom
PMP entries are used without the PMP stack guard. This function is
called during context switch to ensure correct privilege levels for
memory access.

Signed-off-by: Firas Sammoura <[email protected]>

Author: fsammoura1980

arch/riscv/Kconfig

@@ -432,6 +432,15 @@ config PMP_STACK_GUARD_MIN_SIZE
 	  wiggle room to accommodate the eventual overflow exception
 	  stack usage.
 
+config CUSTOM_PMP_ENTRY
+	bool "Use PMP for custom protection region"
+	depends on RISCV_PMP && MEM_ATTR
+	help
+	  Enable custom Physical Memory Protection (PMP) entries to protect
+	  user-defined memory regions. These regions are defined in the Device
+	  Tree using the "zephyr,memattr" property. This allows for hardware-
+	  specific protection of critical data or firmware rollback segments.
+
 # Implement the null pointer detection using the Physical Memory Protection
 # (PMP) Unit.
 config NULL_POINTER_EXCEPTION_DETECTION_PMP

arch/riscv/core/pmp.c

@@ -31,6 +31,7 @@
 #include <pmp.h>
 #include <zephyr/arch/arch_interface.h>
 #include <zephyr/arch/riscv/csr.h>
+#include <zephyr/mem_mgmt/mem_attr.h>
 
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
@@ -204,7 +205,7 @@ static bool set_pmp_entry(unsigned int *index_p, uint8_t perm,
 	return ok;
 }
 
-#ifdef CONFIG_PMP_STACK_GUARD
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_CUSTOM_PMP_ENTRY)
 static inline bool set_pmp_mprv_catchall(unsigned int *index_p,
 					 unsigned long *pmp_addr, unsigned long *pmp_cfg,
 					 unsigned int index_limit)
@@ -354,6 +355,19 @@ void z_riscv_pmp_init(void)
 	unsigned long pmp_cfg[CONFIG_PMP_SLOTS / PMPCFG_STRIDE];
 	unsigned int index = 0;
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+	const struct mem_attr_region_t *region;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	for (size_t idx = 0; idx < num_regions; ++idx) {
+		set_pmp_entry(&index, region[idx].dt_attr, (uintptr_t)(region[idx].dt_addr),
+			      (size_t)(region[idx].dt_size), pmp_addr, pmp_cfg,
+			      ARRAY_SIZE(pmp_addr));
+	}
+#endif
+
 	/* The read-only area is always there for every mode */
 	set_pmp_entry(&index, PMP_R | PMP_X | PMP_L,
 		      (uintptr_t)__rom_region_start,
@@ -371,6 +385,17 @@ void z_riscv_pmp_init(void)
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+#ifndef CONFIG_PMP_STACK_GUARD
+	/*
+	 * This early, the kernel init code uses the custom entry and we want to
+	 * safeguard it as soon as possible. But we need a temporary default
+	 * "catch all" PMP entry for MPRV to work.
+	 */
+	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+#endif
+#endif
+
 #ifdef CONFIG_PMP_STACK_GUARD
 #ifdef CONFIG_MULTITHREADING
 	/*
@@ -446,6 +471,20 @@ void z_riscv_pmp_init(void)
 	}
 }
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY)
+/**
+ * @brief Prepare M-mode for custom PMP entry handling.
+ *
+ * Configures the Machine Status Register (mstatus) by clearing MPP and setting MPRV to control
+ * the memory privilege context for PMP access or configuration.
+ */
+void z_riscv_custom_pmp_entry_enable(void)
+{
+	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
+	csr_set(mstatus, MSTATUS_MPRV);
+}
+#endif
+
 /**
  * @Brief Initialize the per-thread PMP register copy with global values.
  */

arch/riscv/core/switch.S

@@ -61,6 +61,12 @@ SECTION_FUNC(TEXT, z_riscv_switch)
 	mv a0, s0
 #endif
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY) && !defined(CONFIG_PMP_STACK_GUARD)
+	mv s0, a0
+	call z_riscv_custom_pmp_entry_enable
+	mv a0, s0
+#endif
+
 #if defined(CONFIG_PMP_STACK_GUARD)
 	/* Stack guard has priority over user space for PMP usage. */
 	mv s0, a0

arch/riscv/include/pmp.h

@@ -14,5 +14,6 @@ void z_riscv_pmp_stackguard_disable(void);
 void z_riscv_pmp_usermode_init(struct k_thread *thread);
 void z_riscv_pmp_usermode_prepare(struct k_thread *thread);
 void z_riscv_pmp_usermode_enable(struct k_thread *thread);
+void z_riscv_custom_pmp_entry_enable(void);
 
 #endif /* PMP_H_ */