Enable PMP for memory isolation #32
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Introduces RISC-V Physical Memory Protection (PMP) support for hardware-enforced memory isolation. TOR mode is adopted as the addressing scheme for its flexibility in supporting arbitrary address ranges without alignment requirements, simplifying region management for task stacks of varying sizes. Adds CSR definitions for PMP registers, permission encodings, and hardware constants. Provides structures for region configuration and state tracking, with priority-based management to handle the 16-region hardware limit. Includes error codes and functions for region configuration and access verification.
jserv
reviewed
Oct 29, 2025
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
d2552a5 to
319ba96
Compare
jserv
reviewed
Oct 31, 2025
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
e264a35 to
4a62d5b
Compare
Got it! Thanks for the correction and the L4 X.2 reference. |
Introduces three abstractions that build upon the PMP infrastructure for managing memory protection at different granularities. Flexpages represent contiguous physical memory regions with protection attributes, providing arbitrary base addresses and sizes without alignment constraints. Memory spaces implement the address space concept but use distinct terminology to avoid confusion with virtual address spaces, as this structure represents a task's memory protection domain in a physical-address-only system. They organize flexpages into task memory views and support sharing across multiple tasks without requiring an MMU. Memory pools define static regions for boot-time initialization of kernel memory protection. Field naming retains 'as_' prefix (e.g., as_id, as_next) to reflect the underlying address space concept, while documentation uses "memory space" terminology for clarity in physical-memory-only contexts. Structures are used to enable runtime iteration, simplify debugging, and maintain consistency with other subsystems. Macro helpers reduce initialization boilerplate while maintaining type safety.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
4a62d5b to
598821c
Compare
Defines static memory pools for boot-time PMP initialization using linker symbols to identify kernel memory regions. Linker symbol declarations are updated to include text segment boundaries and match actual linker script definitions for stack regions. Five kernel memory pools protect text as read-execute, data and bss as read-write, heap and stack as read-write without execute to prevent code injection. Macro helpers reduce initialization boilerplate while maintaining debuggability through struct arrays. Priority-based management handles the 16-region hardware constraint.
Extends TCB with a memory space pointer to enable per-task memory isolation. Each task can now reference its own memory protection domain through the flexpage mechanism.
Adds creation and destruction functions for flexpages, which are software abstractions representing contiguous physical memory regions with hardware-enforced protection attributes. These primitives will be used by higher-level memory space management to construct per-task memory views for PMP-based isolation. Function naming follows kernel conventions to reflect that these operations manage abstract memory protection objects rather than just memory allocation.
Makes flex page management functions available to user applications by adding the memory protection header to the public API collection.
Adds centralized management of PMP hardware state through a global configuration instance. This enables the memory protection subsystem to track and coordinate PMP register usage across the kernel without requiring each component to maintain its own state. Provides controlled access to the configuration through a dedicated accessor function, maintaining encapsulation while supporting dynamic region allocation and eviction during task switching.
Add flexpage selection algorithm that identifies eviction candidates when hardware PMP regions are exhausted. The algorithm selects the flexpage with the highest priority value (lowest importance), while protecting kernel regions (priority 0) from eviction.
Add functions to dynamically load flexpages into hardware PMP regions and evict them when no longer needed. These operations bridge the software flexpage abstraction with hardware PMP configuration, enabling runtime memory protection management.
Add functions to create and destroy memory spaces, which serve as containers for flexpages. A memory space can be dedicated to a single task or shared across multiple tasks, supporting both isolated and shared memory models.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
598821c to
035d688
Compare
Provide helper functions for runtime-indexed access to PMP control and status registers alongside existing compile-time CSR macros. RISC-V CSR instructions encode register addresses as immediate values in the instruction itself, making dynamic selection impossible through simple arithmetic. These helpers use switch-case dispatch to map runtime indices to specific CSR instructions while preserving type safety. This enables PMP register management code to iterate over regions without knowing exact register numbers at compile-time, supporting features with multiple registers of the same type. PMP implementation is now included in the build system to make these helpers and future PMP functionality available at link time.
Clear all PMP regions and initialize shadow configuration state. Sets up hardware and software state for subsequent region configuration.
Implements region configuration that validates addresses, constructs configuration bytes with proper addressing mode and permission bits, and synchronizes both hardware CSRs and shadow state. Supports optional region locking to prevent further modification.
Refactors the computation of configuration register index and bit offset into a reusable helper to reduce code duplication and improve maintainability. Updates existing code to use the new helper.
Implements region disabling which clears configuration to remove protection, and region locking which sets the lock bit to prevent further modification without hardware reset. Both operations preserve other regions in their respective configuration registers.
Retrieves the address range, permissions, priority, and lock status of a configured region from the shadow configuration state.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
035d688 to
f484ff0
Compare
Checks if a memory access falls within a configured region by comparing the requested address and size against the region boundaries. When a matching region is found, validates that the region's permissions match the requested operation type. Address register read helpers are marked unused as the current implementation maintains shadow state in memory rather than reading hardware registers. They remain available for potential future use cases requiring hardware state verification.
When a task accesses memory that is not currently loaded in a PMP region, the hardware raises an access fault. Rather than immediately panicking, we now attempt to recover by dynamically loading the required region. This enables a task to access more memory than can fit simultaneously in the 16 available hardware regions. If all regions are in use, we select a victim region and evict it to make space. This requires exposing internal region management functions in the public header so the handler can invoke them. Simplify function documentation at implementation sites since detailed documentation now resides in headers.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
f484ff0 to
109259d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements PMP (Physical Memory Protection) support for RISC-V to enable hardware-enforced memory isolation in Linmo, addressing #30.
Currently Phase 1 (infrastructure) is complete. This branch will continue development through the remaining phases. Phase 1 adds the foundational structures and declarations: PMP hardware layer in arch/riscv with CSR definitions and region management structures, architecture-independent memory abstractions (flex pages, address spaces, memory pools), kernel memory pool declarations from linker symbols, and TCB extension for address space linkage.
The actual PMP operations including region configuration, CSR manipulation, and context switching integration are not yet implemented.
TOR mode is used for its flexibility with arbitrary address ranges without alignment constraints, simplifying region management for task stacks of varying sizes. Priority-based eviction allows the system to manage competing demands when the 16 hardware regions are exhausted, ensuring critical kernel and stack regions remain protected while allowing temporary mappings to be reclaimed as needed.
Summary by cubic
Adds RISC-V Physical Memory Protection (PMP) for hardware memory isolation (Phase 1 of #30). Uses TOR mode with hardware init and region ops, boot-time protection for kernel text/data/bss/heap/stack, and trap-time recovery for PMP access faults.
Written for commit 109259d. Summary will update automatically on new commits.