The Memory Protection Unit

The Memory Protection Unit (MPU) of Cortex-M (ARMv7-M) based derivatives can only protect memory regions whose size is a power of two and whose base address is aligned to that size. The smallest region the MPU can protect is 32 bytes, so regions of 32, 64, 128 bytes, etc. can be protected. Any region whose size is not a power of two, is smaller than 32 bytes, or whose base address is not size-aligned cannot be correctly protected by the MPU.

MPU management by PXROS-HR

The Cortex-M3/M4 architecture supports 8 MPU regions.

  • The first region (0) is used for the global read-only area (is_sys_ro_protection) containing code and constant data.

  • The next pair of MPU regions (1,2) is used for the task-context areas taken from the task specification (taskspec). These memory areas are described in the task specification structure by the member ts_context, which has the following type:

Code 1. ts_context type
typedef struct PxTaskContext_T
{
    PxProtectRegion_T protection[2];   /* one entry per task-context MPU region (1,2) */
} PxTaskContext_T;

  • The next region (3) is used for the task stack when the task stack is of type PxStackAlloc.

    Whenever any of the 3 task-specific regions (1,2,3) are not defined, the first regions of the additional regions table will be statically assigned to them.
  • The following three MPU regions (4,5,6) are used for dynamically assigned memory areas of tasks like messages and extended memory regions.

  • The last MPU region (7) is used by the kernel for task stack protection.

System memory protection

The PXROS-HR kernel uses the Background region for accessing system memory. Therefore, there is no need to use a dedicated protection register definition for system memory access.

Task stack protection

The PXROS-HR kernel uses the highest-priority MPU region (7) to implement task stack protection. This protection is transparent to the user, i.e., there is no need for additional task setup. However, the following constraints apply:

  1. When a stack of type PxStackFall is allocated, its size must be provided, i.e., PxStackDontCheck is not allowed.

  2. The last 32 bytes are reserved for task stack protection (96 bytes in case of using PXROS-HR libraries with HW FPU support enabled). Those bytes are not usable by the task.

Memory range check

The kernel checks the memory ranges defining global static regions (such as the read-only area), task-specific static regions, and the dynamically assigned task-specific regions. If the MPU requirements are violated, the kernel rejects the region. New error codes PXERR_PROT_ILL_ALIGN and PXERR_PROT_ILL_SIZE have been added to report such situations.

Strict MPU handling

The kernel does not adjust the upper or lower bound of protection regions to meet alignment requirements. If the size or alignment of the protection regions does not meet the MPU requirements, error codes PXERR_PROT_ILL_SIZE and PXERR_PROT_ILL_ALIGN are returned, respectively.
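The checks described in the two sections above, written out as an added example (not PXROS-HR kernel code): a region passes only if its size is a power of two of at least 32 bytes and its base is aligned to that size, with nothing rounded. The error enum, the function names and the sample addresses are assumptions of this example; the real PXERR_* values are not given here. A second helper shows the smallest legal region that would cover a misaligned range, which is what a linker script (cf. LOG2CEIL) has to reserve instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes mirroring the PXROS-HR names in the text. */
typedef enum {
    MPU_CHECK_OK = 0,
    MPU_CHECK_ILL_SIZE,   /* stands in for PXERR_PROT_ILL_SIZE  */
    MPU_CHECK_ILL_ALIGN   /* stands in for PXERR_PROT_ILL_ALIGN */
} mpu_check_t;

#define MPU_MIN_REGION_SIZE 32u

static int is_power_of_two(uint32_t v)
{
    return v != 0u && (v & (v - 1u)) == 0u;
}

/* Strict ARMv7-M MPU check: size is a power of two >= 32 bytes and the
 * base is size-aligned. Size is validated first; no bound is adjusted. */
mpu_check_t mpu_check_region(uint32_t base, uint32_t size)
{
    if (size < MPU_MIN_REGION_SIZE || !is_power_of_two(size))
        return MPU_CHECK_ILL_SIZE;
    if ((base & (size - 1u)) != 0u)
        return MPU_CHECK_ILL_ALIGN;
    return MPU_CHECK_OK;
}

/* Smallest legal region size that fully covers [base, base + size).
 * Grows by doubling until the size-aligned window around base holds the
 * whole range; returns 0 if no 32-bit region can (overflow). */
uint32_t mpu_covering_size(uint32_t base, uint32_t size)
{
    uint32_t s = MPU_MIN_REGION_SIZE;
    while (s < size) s <<= 1;                /* at least a power of two >= size */
    for (;;) {
        uint32_t win_base = base & ~(s - 1u);
        if (win_base + s >= base + size) return s;
        if (s & 0x80000000u) return 0;       /* cannot double any further */
        s <<= 1;
    }
}

int main(void)
{
    /* Constructed sample regions: a 48-byte buffer at an unaligned address. */
    uint32_t base = 0x20000030u, size = 48u;
    printf("check -> %d, covering region -> %u bytes\n",
           (int)mpu_check_region(base, size), mpu_covering_size(base, size));
    return 0;
}
```

The 48-byte buffer fails the size check, and because of its placement it can only be covered by a 128-byte region, four times the aligned minimum: alignment, not just size, decides the cost.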

Static MPU regions

Static MPU regions (defined at compile time) must also obey the size and alignment requirements. The LLD linker shipped with the toolchain provides the LOG2CEIL function, which allows such requirements to be expressed in linker scripts.