
Does the MPU limit code running in RAM?

Looking at Table 40 in the nRF51 Series Reference Manual v3.0, the Memory Protection Unit prevents request sources in Code R1 from writing to RAM R0. But if the request source is in RAM R1, it is allowed full read and write access to RAM R0.

On the nRF51822, does this mean that a program running in Code R1 could copy a routine into RAM R1 and then execute it in order to write RAM R0?

Update 14.06.2016:

In the below table from the Reference Manual, RAM R1 is shown to have Full Access to RAM R0 regardless of MPU configuration. Is this correct?

[Image: table from the Reference Manual]

  • FormerMember

    A memory protect region cannot be accessed by others, but it will have full access to the system. The reference manual says the following regarding memory protection of region 0:

    When memory protection is enabled, these regions will be used by the Memory Protection Unit to enforce runtime protection and readback protection of resources classified as region 0.

    ...

    Independent of protection settings, code region R0 (CR0) will always have full access to the system.

    ...

    When enabled, only code running from code region 0 will be able to access the code in code region 0. Accesses generated by code running from code region 1 or from RAM, as well as accesses generated by the debugger (SWD), will not be granted when code region 0 is protected. Independent of readback protection configuration of code

    Did this clarify how the MPU works?

    Update 14.06.16: The UICR register description shows that 0x00 enables and 0xFF disables readback protection. Therefore the "request source RAM R0/R1" with setting 0xFF disables readback protection, and hence, there will be full access to all request targets.

    When the "request source RAM R0/R1" is set to 0x00 for readback protection on code region 0, there is no access to code region 0.

  • Thanks for the response, but it's not quite the question I was asking. As you cited, the MPU protects Code R0 (in Flash) from accesses by Code R1 and RAM R1. But I'm interested in how it protects RAM R0.

    In Table 40 in the reference manual, it states that if the request source is RAM R0/R1 and the request target is RAM R0, Full Access is granted (regardless of MPU state). Does this mean that an access from RAM R1 can modify data in RAM R0 even if the MPU is on?

  • Thank you for clarifying. I think I have not explained my question well enough. I added an update to the original question with the parts I am confused about circled in red. Table 40 seems to show that RAM R0 is not protected from RAM R1.

  • I think the question is clear and I don't know why the answers keep talking about Code Region protection when you're asking about RAM region protection.

    As far as I can see, RAM R0 is not protected from code running in RAM R1, so you can write RAM R0 as you suggest. However, I'm not sure how much of a security hole that actually is; writing to RAM R0 doesn't let you get any further.
