Protect RAM from unwanted writes

Hi,

I'd like to have a memory region with some data that should only be written by some special functions, but can be read by the whole system.

This is to make sure that no bugs in other parts can accidentally corrupt this data. In previous projects on STMs I achieved this by using the MPU and a privileged mode to write.

What is the recommended way to do this with Nordic Connect SDK / Zephyr RTOS on the nRF5340?

I saw that using the User mode can do that, but this adds a lot of overhead to system calls and is probably not the right choice.

Best regards,

Lars

  • TF-M leverages the SPU for its memory protection.

    You could maybe implement SPU functionality for the SPU to do RAM access control.
    To control this, I think you can have a look at SPU hal.

    TF-M uses the SPU as well, so you might have to be careful if you intend to use both at the same time.

    For the record, I recommend that you use TF-M application RoT Services instead.

  • Hi,

    I've already looked into that and think it is a bit too much overhead.

    With the STM32L4 it was as simple as configuring the MPU to only allow writing in privileged mode, so I could read my "variables" from everywhere but only write to them by switching to privileged mode first. This induced almost no overhead and is what I intend to do with the nRF5340.

    With the SPU in nRF5340, I only see the option to specify permissions for secure and non-secure domains, not for privileged/unprivileged, so to use that feature I MUST use secure/non-secure domains. Am I right with that?

    And to read/write from non-secure code (no matter if with the application RoT services or not), all accesses have to go over an API, then IPC from non-secure to secure image and then back, right? This sounds like a lot of runtime overhead.

    Are there other options to that or have I misunderstood some aspect of the nRF5340's features?

    Best regards,

    Lars

  • Seems the MPU is a feature of our chips I did not know so much about yet.
    Thank you for giving some pushback here, so I found out about this feature.

    From what I understand, we have not documented the MPU in our Product Specification.
    That is because we still use a Cortex-M. So I asked a colleague about this and he says that the MPU in our chips should be the same as the one in STM, since both use Cortex-M.
    However, we have an MPU HAL available.

    In addition, have a look at Zephyr's Memory map and MPU considerations.
    Also see the Memory Protection Unit (MPU) Sample for this.

    Then I think you should be able to use one of those, whichever you find fits you best.

    Is this what you are looking for?

    colar said:
    With the SPU in nRF5340, I only see the option to specify permissions for secure and non-secure domains, not for privileged/unprivileged, so to use that feature I MUST use secure/non-secure domains. Am I right with that?

    I think that the SPU does not have to depend on domains. From https://infocenter.nordicsemi.com/topic/ps_nrf5340/spu.html?cp=4_0_0_6_31_8_21#register.RAMREGION.PERM:

    So the Secure/Non-secure attribute is separate from the Write attribute.
    Therefore, I think you can use this for only Write protect.

    By the way, if you build without TF-M, the whole application runs as "Secure" from the SPU's perspective.

    colar said:
    And to read/write from non-secure code (no matter if with the application RoT services or not), all accesses have to go over an API, then IPC from non-secure to secure image and then back, right?

    Yes, but only if you have TF-M enabled. See my previous sentence.

    colar said:
    Are there other options to that or have I misunderstood some aspect of the nRF5340's features?

    I started this comment with describing the MPU, see that.

  • Hi,

    In addition, have a look at Zephyr's Memory map and MPU considerations.
    Also see the Memory Protection Unit (MPU) Sample for this.

    So the nRF5340 actually has an MPU and a SPU? I thought, since it was not documented, only the SPU was available in this chip (HAL may be for other chips?).

    When using the MPU as I did in the STM32, I would have to enable/disable privileged mode. How would I do that in Zephyr?

    So the Secure/Non-secure attribute is separate from the Write attribute.
    Therefore, I think you can use this for only Write protect.

    By the way, if you build without TF-M, the whole application runs as "Secure" from the SPU's perspective.

    And when using the SPU, how would I then write to the protected memory? Simply temporarily disable the protection?

    Best regards,

    Lars

  • colar said:
    So the nRF5340 actually has an MPU and a SPU? I thought, since it was not documented, only the SPU was available in this chip (HAL may be for other chips?).

    It is documented exactly here, as far as I know: CPU and support module configuration.

    colar said:
    And when using the SPU, how would I then write to the protected memory? Simply temporarily disable the protection?

    I think so yes. Might not be that easy, but probably worth a try.
    From SPU docs, I see they specify "For each region, permissions can be set and then locked to prevent subsequent modifications by using the RAMREGION[n].PERM.LOCK bit.".
    This implies that as long as you do not lock this, you can change permissions.

    colar said:
    When using the MPU as I did in the STM32, I would have to enable/disable privileged mode. How would I do that in Zephyr?

    I will look into this and return with more info early next week.
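The two points above (the Secure/Non-secure attribute being separate from the Write attribute, and permissions staying changeable as long as RAMREGION[n].PERM.LOCK is not set) can be put together into a small write-protect scheme. The following is an added example, not code from the thread, Nordic or Zephyr. It assumes a build without TF-M (so the application runs as Secure and SECATTR stays set), the nRF5340 application core's 8 KiB SPU RAM regions starting at 0x20000000, and the PERM bit layout EXECUTE/WRITE/READ/SECATTR/LOCK from the SPU register description. On a host build the `NRF_SPU_S` register block is replaced by a constructed stand-in that models the PERM register and its LOCK behaviour only; it does not model the bus refusing the write, which is what the real SPU does.

```c
/*
 * Added example (not from the thread): write-protect one SPU RAM region on
 * the nRF5340 application core by clearing WRITE in RAMREGION[n].PERM, and
 * let a single dedicated function reopen it briefly for updates.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SPU_RAM_REGION_SIZE  (8u * 1024u)  /* nRF5340: one SPU RAM region = 8 KiB */
#define SPU_RAM_REGION_COUNT 64u

/* Bit positions in SPU RAMREGION[n].PERM. */
#define PERM_EXECUTE (1u << 0)
#define PERM_WRITE   (1u << 1)
#define PERM_READ    (1u << 2)
#define PERM_SECATTR (1u << 4)
#define PERM_LOCK    (1u << 8)

#if defined(NRF5340_XXAA_APPLICATION)
#include <nrf.h>                        /* real register block from the MDK */
#define SPU          NRF_SPU_S
#define SPU_RAM_BASE 0x20000000u
#else
/* Host stand-in (constructed): three fake regions plus their PERM registers. */
typedef struct { volatile uint32_t PERM; } spu_ramregion_t;
typedef struct { spu_ramregion_t RAMREGION[SPU_RAM_REGION_COUNT]; } spu_regs_t;
static spu_regs_t spu_stub;
static uint8_t ram_stub[3 * SPU_RAM_REGION_SIZE];
#define SPU          (&spu_stub)
#define SPU_RAM_BASE ((uintptr_t)ram_stub)
#endif

/* Write PERM and confirm it took; a locked region keeps its old value. */
static bool set_perm(uint32_t region, uint32_t value)
{
    if (region >= SPU_RAM_REGION_COUNT) {
        return false;
    }
#if !defined(NRF5340_XXAA_APPLICATION)
    if (SPU->RAMREGION[region].PERM & PERM_LOCK) {
        return false;   /* stub mimics the hardware: a locked PERM ignores writes */
    }
#endif
    SPU->RAMREGION[region].PERM = value;
    return SPU->RAMREGION[region].PERM == value;
}

/* Region index covering [addr, addr + len), or -1 if it leaves one region. */
static int region_of(const void *addr, size_t len)
{
    uintptr_t off   = (uintptr_t)addr - SPU_RAM_BASE;   /* wraps if below base */
    uintptr_t first = off / SPU_RAM_REGION_SIZE;
    uintptr_t last  = (off + len - 1) / SPU_RAM_REGION_SIZE;
    if (len == 0 || first != last || first >= SPU_RAM_REGION_COUNT) {
        return -1;
    }
    return (int)first;
}

/* Boot-time setup: readable (and executable) by everyone, writable by nobody. */
static bool protect_region(uint32_t region)
{
    return set_perm(region, PERM_READ | PERM_EXECUTE | PERM_SECATTR);
}

/* Set LOCK: permissions are then fixed until reset, so no later reopen works. */
static bool lock_region(uint32_t region)
{
    if (region >= SPU_RAM_REGION_COUNT) {
        return false;
    }
    return set_perm(region, SPU->RAMREGION[region].PERM | PERM_LOCK);
}

static bool region_writable(uint32_t region)
{
    if (region >= SPU_RAM_REGION_COUNT) {
        return false;
    }
    return (SPU->RAMREGION[region].PERM & PERM_WRITE) != 0;
}

/* The one sanctioned writer: reopen WRITE, copy the payload, close again. */
static bool protected_write(void *dst, const void *src, size_t len)
{
    int region = region_of(dst, len);
    if (region < 0) {
        return false;
    }
    const uint32_t closed = PERM_READ | PERM_EXECUTE | PERM_SECATTR;
    if (!set_perm((uint32_t)region, closed | PERM_WRITE)) {
        return false;   /* locked region: data stays untouched */
    }
    memcpy(dst, src, len);
    return set_perm((uint32_t)region, closed);
}
```

Two practical points for a real build: place the protected variables alone in their own 8 KiB-aligned region (a dedicated linker section) so that nothing else shares the region and faults when it is closed, and bracket the reopen/write/close window in `protected_write` with Zephyr's `irq_lock()`/`irq_unlock()` so an interrupt handler cannot write while the region is open. Calling `lock_region` is the "set and then locked" path the SPU documentation describes; after that the data is read-only until reset, which is the right choice for values that are fixed at boot but not for variables that must be updated at runtime.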
