riscv: pmp: Configure entries from Device Tree via memattr

fsammoura1980 · fsammoura1980 · commit e0f1bcb1276d · 2025-10-06T16:47:35.000Z
This commit enables the custom PMP entry feature to source region
information from the Device Tree using the Zephyr `memattr` API,
instead of direct Kconfig definitions.

When `CONFIG_CUSTOM_PMP_ENTRY` is enabled, the system now iterates
through memory regions tagged with `zephyr,memattr` in the Device Tree
during the PMP initialization in `z_riscv_pmp_init()`. For each region
found, a corresponding PMP entry is set up.

This approach allows for more flexible and hardware-specific memory
protection schemes defined within the Device Tree. The region's base
address, size, and access permissions (R/W/X) are now read from the
Device Tree node attributes.

This feature is designed for applications requiring runtime control of
memory permissions for critical areas, such as firmware rollback
segments or sensitive configuration data. This control is established
early in the boot process.

Signed-off-by: Firas Sammoura &lt;fsammoura@google.com&gt;
diff --git a/arch/riscv/Kconfig b/arch/riscv/Kconfig
@@ -432,6 +432,14 @@ config PMP_STACK_GUARD_MIN_SIZE
 	  wiggle room to accommodate the eventual overflow exception
 	  stack usage.
 
+config CUSTOM_PMP_ENTRY
+	bool "Use PMP for custom protection region"
+	depends on RISCV_PMP && MEM_ATTR
+	help
+	  Enable custom Physical Memory Protection (PMP) entries to protect
+	  user-defined memory regions. This is typically used for critical
+	  data or firmware rollback protection.
+
 # Implement the null pointer detection using the Physical Memory Protection
 # (PMP) Unit.
 config NULL_POINTER_EXCEPTION_DETECTION_PMP
diff --git a/arch/riscv/core/pmp.c b/arch/riscv/core/pmp.c
@@ -31,6 +31,7 @@
 #include <pmp.h>
 #include <zephyr/arch/arch_interface.h>
 #include <zephyr/arch/riscv/csr.h>
+#include <zephyr/mem_mgmt/mem_attr.h>
 
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
@@ -204,7 +205,7 @@ static bool set_pmp_entry(unsigned int *index_p, uint8_t perm,
 	return ok;
 }
 
-#ifdef CONFIG_PMP_STACK_GUARD
+#if defined(CONFIG_PMP_STACK_GUARD) || defined(CONFIG_CUSTOM_PMP_ENTRY)
 static inline bool set_pmp_mprv_catchall(unsigned int *index_p,
 					 unsigned long *pmp_addr, unsigned long *pmp_cfg,
 					 unsigned int index_limit)
@@ -354,6 +355,19 @@ void z_riscv_pmp_init(void)
 	unsigned long pmp_cfg[CONFIG_PMP_SLOTS / PMPCFG_STRIDE];
 	unsigned int index = 0;
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+	const struct mem_attr_region_t *region;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	for (size_t idx = 0; idx < num_regions; ++idx) {
+		set_pmp_entry(&index, region[idx].dt_attr, (uintptr_t)(region[idx].dt_addr),
+			      (size_t)(region[idx].dt_size), pmp_addr, pmp_cfg,
+			      ARRAY_SIZE(pmp_addr));
+	}
+#endif
+
 	/* The read-only area is always there for every mode */
 	set_pmp_entry(&index, PMP_R | PMP_X | PMP_L,
 		      (uintptr_t)__rom_region_start,
@@ -371,6 +385,17 @@ void z_riscv_pmp_init(void)
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif
 
+#ifdef CONFIG_CUSTOM_PMP_ENTRY
+#ifndef CONFIG_PMP_STACK_GUARD
+	/*
+	 * This early, the kernel init code uses the custom entry and we want to
+	 * safeguard it as soon as possible. But we need a temporary default
+	 * "catch all" PMP entry for MPRV to work.
+	 */
+	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+#endif
+#endif
+
 #ifdef CONFIG_PMP_STACK_GUARD
 #ifdef CONFIG_MULTITHREADING
 	/*
@@ -446,6 +471,20 @@ void z_riscv_pmp_init(void)
 	}
 }
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY)
+/**
+ * @brief Prepare M-mode for custom PMP entry handling.
+ *
+ * Configures the Machine Status Register (mstatus) by clearing MPP and setting MPRV to control
+ * the memory privilege context for PMP access or configuration.
+ */
+void z_riscv_custom_pmp_entry_enable(void)
+{
+	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
+	csr_set(mstatus, MSTATUS_MPRV);
+}
+#endif
+
 /**
  * @Brief Initialize the per-thread PMP register copy with global values.
  */
diff --git a/arch/riscv/core/switch.S b/arch/riscv/core/switch.S
@@ -61,6 +61,12 @@ SECTION_FUNC(TEXT, z_riscv_switch)
 	mv a0, s0
 #endif
 
+#if defined(CONFIG_CUSTOM_PMP_ENTRY) && !defined(CONFIG_PMP_STACK_GUARD)
+	mv s0, a0
+	call z_riscv_custom_pmp_entry_enable
+	mv a0, s0
+#endif
+
 #if defined(CONFIG_PMP_STACK_GUARD)
 	/* Stack guard has priority over user space for PMP usage. */
 	mv s0, a0
diff --git a/arch/riscv/include/pmp.h b/arch/riscv/include/pmp.h
@@ -14,5 +14,6 @@ void z_riscv_pmp_stackguard_disable(void);
 void z_riscv_pmp_usermode_init(struct k_thread *thread);
 void z_riscv_pmp_usermode_prepare(struct k_thread *thread);
 void z_riscv_pmp_usermode_enable(struct k_thread *thread);
+void z_riscv_custom_pmp_entry_enable(void);
 
 #endif /* PMP_H_ */
