Quality RTOS & Embedded Software

 Real time embedded FreeRTOS RSS feed 
Real time embedded FreeRTOS mailing list 
Quick Start Supported MCUs PDF Books Trace Tools Ecosystem TCP & FAT Training




Loading

FreeRTOS MPU behavior and threat model

Posted by yan-i on January 7, 2015

Hello,

I've been struggling to understand FreeRTOS-MPU port's threat model, as documented and as developed. I am referring to a few points that are seemingly exclusive:

  • All of MPU-ported FreeRTOS functions first raise the privilege of the calling task, then call to the actual function, then revert their privilege back to what it was.
  • The following line from MPU docs: "A Privileged mode task can call portSWITCHTOUSER_MODE() to set itself into User mode. A task that is running in User mode cannot set itself into Privileged mode."

portSWITCHTOUSERMODE() simply removes the privileged bit, and prvRaisePrivilege() calls through to the portSVCRAISE_PRIVILEGE svc call, which unconditionally raises a task privilege. This seems to be counter to a task not being able to set itself into privilege mode after dropping privileges.

While I understand that the FreeRTOS-MPU port isn't specifically designed to be a MAC-like mechanism, but I'd still like to be able to provide slightly stricter control over unprivileged tasks.

Ideally, I'd like to be able to to remove the privilege bit and only allow raising of privilege for a heavily-restricted set of FreeRTOS functions. Is this a supported use case? One way we're currently thinking of implementing this is to add a bit more logic to to the portSVCRAISEPRIVIELGE svc call.

Thanks!


FreeRTOS MPU behavior and threat model

Posted by edwards3 on January 7, 2015

I don't think it is possible to stop a task calling SVC, which will automatically set it into privileged mode. All you could do then is have the kernel check if it is a privileged task before you let it do anything else, returning it to user mode if necessary. Is that the extra logic you mention?


FreeRTOS MPU behavior and threat model

Posted by yan-i on January 7, 2015

Yep, the idea was to add a check in the 'raise privilege' handler to either limit the conditions under which a task can increase privileges, or to make sure that the lr register points inside the privileged_functions section.

On another note, I'm not sure what the sentence in the docs was referring to (can only drop privileges, not raise them). I guess it implied that only with code that doesn't call a svc routine can you not increase your privileges.


FreeRTOS MPU behavior and threat model

Posted by rtel on January 7, 2015

The idea was to provide a method for a task to transition itself from being privileged to unprivileged, which is safe, but not the reverse (other than when legitimately calling an API function), which would not be safe.

It is sometimes easier to create a task with full privileges, then once the task has done whatever it needs at start up, to drop to its run-time state of being unprivileged. It is purely a convenience thing.

Regards.


[ Back to the top ]    [ About FreeRTOS ]    [ Sitemap ]    [ ]




Copyright (C) 2004-2010 Richard Barry. Copyright (C) 2010-2016 Real Time Engineers Ltd.
Any and all data, files, source code, html content and documentation included in the FreeRTOSTM distribution or available on this site are the exclusive property of Real Time Engineers Ltd.. See the files license.txt (included in the distribution) and this copyright notice for more information. FreeRTOSTM and FreeRTOS.orgTM are trade marks of Real Time Engineers Ltd.

Latest News:

FreeRTOS V9.0.0 is now available for download.


Free TCP/IP and file system demos for the RTOS


Sponsored Links

⇓ Now With No Code Size Limit! ⇓
⇑ Free Download Without Registering ⇑


FreeRTOS Partners

ARM Connected RTOS partner for all ARM microcontroller cores

Renesas Electronics Gold Alliance RTOS Partner.jpg

Microchip Premier RTOS Partner

RTOS partner of NXP for all NXP ARM microcontrollers

Atmel RTOS partner supporting ARM Cortex-M3 and AVR32 microcontrollers

STMicro RTOS partner supporting ARM7, ARM Cortex-M3, ARM Cortex-M4 and ARM Cortex-M0

Xilinx Microblaze and Zynq partner

Silicon Labs low power RTOS partner

Altera RTOS partner for Nios II and Cortex-A9 SoC

Freescale Alliance RTOS Member supporting ARM and ColdFire microcontrollers

Infineon ARM Cortex-M microcontrollers

Texas Instruments MCU Developer Network RTOS partner for ARM and MSP430 microcontrollers

Cypress RTOS partner supporting ARM Cortex-M3

Fujitsu RTOS partner supporting ARM Cortex-M3 and FM3

Microsemi (previously Actel) RTOS partner supporting ARM Cortex-M3

Atollic Partner

IAR Partner

Keil ARM Partner

Embedded Artists