Quality RTOS & Embedded Software

 Real time embedded FreeRTOS RSS feed 
Quick Start Supported MCUs PDF Books Trace Tools Ecosystem


FreeRTOS MPU behavior and threat model

Posted by yan-i on January 7, 2015


I've been struggling to understand FreeRTOS-MPU port's threat model, as documented and as developed. I am referring to a few points that are seemingly exclusive:

  • All of MPU-ported FreeRTOS functions first raise the privilege of the calling task, then call to the actual function, then revert their privilege back to what it was.
  • The following line from MPU docs: "A Privileged mode task can call portSWITCHTOUSER_MODE() to set itself into User mode. A task that is running in User mode cannot set itself into Privileged mode."

portSWITCHTOUSERMODE() simply removes the privileged bit, and prvRaisePrivilege() calls through to the portSVCRAISE_PRIVILEGE svc call, which unconditionally raises a task privilege. This seems to be counter to a task not being able to set itself into privilege mode after dropping privileges.

While I understand that the FreeRTOS-MPU port isn't specifically designed to be a MAC-like mechanism, but I'd still like to be able to provide slightly stricter control over unprivileged tasks.

Ideally, I'd like to be able to to remove the privilege bit and only allow raising of privilege for a heavily-restricted set of FreeRTOS functions. Is this a supported use case? One way we're currently thinking of implementing this is to add a bit more logic to to the portSVCRAISEPRIVIELGE svc call.


FreeRTOS MPU behavior and threat model

Posted by edwards3 on January 7, 2015

I don't think it is possible to stop a task calling SVC, which will automatically set it into privileged mode. All you could do then is have the kernel check if it is a privileged task before you let it do anything else, returning it to user mode if necessary. Is that the extra logic you mention?

FreeRTOS MPU behavior and threat model

Posted by yan-i on January 7, 2015

Yep, the idea was to add a check in the 'raise privilege' handler to either limit the conditions under which a task can increase privileges, or to make sure that the lr register points inside the privileged_functions section.

On another note, I'm not sure what the sentence in the docs was referring to (can only drop privileges, not raise them). I guess it implied that only with code that doesn't call a svc routine can you not increase your privileges.

FreeRTOS MPU behavior and threat model

Posted by rtel on January 7, 2015

The idea was to provide a method for a task to transition itself from being privileged to unprivileged, which is safe, but not the reverse (other than when legitimately calling an API function), which would not be safe.

It is sometimes easier to create a task with full privileges, then once the task has done whatever it needs at start up, to drop to its run-time state of being unprivileged. It is purely a convenience thing.


[ Back to the top ]    [ About FreeRTOS ]    [ Privacy ]    [ Sitemap ]    [ ]

Copyright (C) Amazon Web Services, Inc. or its affiliates. All rights reserved.

Latest News

NXP tweet showing LPC5500 (ARMv8-M Cortex-M33) running FreeRTOS.

Version 10.1.1 of the FreeRTOS kernel is available for immediate download. MIT licensed.

View a recording of the "OTA Update Security and Reliability" webinar, presented by TI and AWS.


FreeRTOS and other embedded software careers at AWS.

FreeRTOS Partners

ARM Connected RTOS partner for all ARM microcontroller cores

Espressif ESP32

IAR Partner

Microchip Premier RTOS Partner

RTOS partner of NXP for all NXP ARM microcontrollers


STMicro RTOS partner supporting ARM7, ARM Cortex-M3, ARM Cortex-M4 and ARM Cortex-M0

Texas Instruments MCU Developer Network RTOS partner for ARM and MSP430 microcontrollers

OpenRTOS and SafeRTOS

Xilinx Microblaze and Zynq partner