Add deprivilege/print/reprivilege flow

api/inc/box_config.h

@@ -173,19 +173,20 @@ UVISOR_EXTERN void const * const public_box_cfg_ptr;
 
 /* Use this macro after calling the box configuration macro, in order to register your box as a debug box.
  * It will create a valid debug driver struct with the halt_error_func parameter as its halt_error() function */
-#define UVISOR_DEBUG_DRIVER(box_name, halt_error_func) \
+#define UVISOR_DEBUG_DRIVER(box_name, halt_error_func, debug_print_func) \
         UVISOR_EXTERN TUvisorDebugDriver const __uvisor_debug_driver; \
         TUvisorDebugDriver const __uvisor_debug_driver = { \
             UVISOR_DEBUG_BOX_MAGIC, \
             UVISOR_DEBUG_BOX_VERSION, \
             &box_name ## _cfg, \
-            halt_error_func \
+            halt_error_func, \
+            debug_print_func \
         };
 
 /* Use this macro after calling the box configuration macro, in order to
  * register the public box as a debug box. */
-#define UVISOR_PUBLIC_BOX_DEBUG_DRIVER(halt_error_func) \
-        UVISOR_DEBUG_DRIVER(public_box, halt_error_func)
+#define UVISOR_PUBLIC_BOX_DEBUG_DRIVER(halt_error_func, debug_print_func) \
+        UVISOR_DEBUG_DRIVER(public_box, halt_error_func, debug_print_func)
 
 
 #endif /* __UVISOR_API_BOX_CONFIG_H__ */

api/inc/debug_exports.h

@@ -33,6 +33,7 @@ typedef struct TUvisorDebugDriver {
     const uint32_t version;
     const UvisorBoxConfig * const box_cfg_ptr;
     void (*halt_error)(THaltError, const THaltInfo *);
+    void (*debug_print)(const char *);
 } TUvisorDebugDriver;
 
 /* Number of handlers in the debug box driver */

api/inc/svc_exports.h

@@ -91,13 +91,14 @@
 
 /* SVC immediate values for hardcoded table (call from unprivileged) */
 #define UVISOR_SVC_ID_UNVIC_OUT           UVISOR_SVC_FIXED_TABLE(0, 0)
-/* Deprecated: UVISOR_SVC_ID_CX_IN(nargs) UVISOR_SVC_FIXED_TABLE(1, nargs) */
+#define UVISOR_SVC_ID_RETURN              UVISOR_SVC_FIXED_TABLE(1, 0)
 /* Deprecated: UVISOR_SVC_ID_CX_OUT       UVISOR_SVC_FIXED_TABLE(2, 0) */
 #define UVISOR_SVC_ID_REGISTER_GATEWAY    UVISOR_SVC_FIXED_TABLE(3, 0)
 #define UVISOR_SVC_ID_BOX_INIT_FIRST      UVISOR_SVC_FIXED_TABLE(4, 0)
 #define UVISOR_SVC_ID_BOX_INIT_NEXT       UVISOR_SVC_FIXED_TABLE(5, 0)
 
 /* SVC immediate values for hardcoded table (call from privileged) */
 #define UVISOR_SVC_ID_UNVIC_IN         UVISOR_SVC_FIXED_TABLE(0, 0)
+#define UVISOR_SVC_ID_DEPRIVILEGE      UVISOR_SVC_FIXED_TABLE(1, 0)
 
 #endif /* __UVISOR_API_SVC_EXPORTS_H__ */

core/debug/inc/debug.h

@@ -39,6 +39,7 @@ void debug_sau_config(void);
 void debug_fault(THaltError reason, uint32_t lr, uint32_t sp);
 
 /* Debug box */
+void debug_print(const uint8_t * message_buffer, uint32_t size);
 void debug_halt_error(THaltError reason, const THaltInfo *halt_info);
 void debug_reboot(TResetReason reason);
 
@@ -50,10 +51,18 @@ void debug_reboot(TResetReason reason);
 uint32_t debug_box_enter_from_priv(uint32_t lr);
 
 void debug_die(void);
+void debug_deprivilege_and_die(void * debug_handler, void * return_handler,
+                               uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3);
 void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
                                   uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3);
+void debug_return(void);
 bool debug_collect_halt_info(uint32_t lr, uint32_t sp, THaltInfo *halt_info);
 
+/* Two SVC handlers that are used to deprivilege from uVisor and return to it
+ * respectively. */
+void UVISOR_NAKED debug_uvisor_deprivilege(uint32_t svc_sp, uint32_t svc_pc);
+void UVISOR_NAKED debug_uvisor_return(uint32_t svc_sp, uint32_t svc_pc);
+
 #ifdef  NDEBUG
 
 #define DEBUG_INIT(...)          {}

core/debug/src/core_armv7m/debug_box_armv7m.c

@@ -30,8 +30,8 @@ extern uint32_t g_debug_interrupt_sp[];
 /* FIXME: Currently it is not possible to return to a regular execution flow
  *        after the execution of the debug box handler. */
 /* Note: On ARMv7-M the return_handler is executed in NP mode. */
-void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
-                                  uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
+void debug_deprivilege_and_die(void * debug_handler, void * return_handler,
+                               uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
 {
     /* Source box: Get the current stack pointer. */
     /* Note: The source stack pointer is only used to assess the stack
@@ -41,20 +41,13 @@ void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
     /* Destination box: The debug box. */
     uint8_t dst_id = g_debug_box.box_id;
 
-    /* Copy the xPSR from the source exception stack frame. */
-    uint32_t * xpsr_p = &((uint32_t *) src_sp)[7];
-    uint32_t xpsr = xPSR_T_Msk;
-    if (vmpu_buffer_access_is_ok(g_active_box, xpsr_p, sizeof(*xpsr_p))) {
-        xpsr = vmpu_unpriv_uint32_read((uint32_t) xpsr_p);
-    }
-
     /* FIXME: This makes the debug box overwrite the top of the interrupt stack! */
     g_context_current_states[dst_id].sp = g_debug_interrupt_sp[dst_id];
 
     /* Destination box: Forge the destination stack frame. */
     /* Note: We manually have to set the 4 parameters on the destination stack,
      *       so we will set the API to have nargs=0. */
-    uint32_t dst_sp = context_forge_exc_sf(src_sp, dst_id, (uint32_t) debug_handler, (uint32_t) return_handler, xpsr, 0);
+    uint32_t dst_sp = context_forge_exc_sf(src_sp, dst_id, (uint32_t) debug_handler, (uint32_t) return_handler, xPSR_T_Msk, 0);
     ((uint32_t *) dst_sp)[0] = a0;
     ((uint32_t *) dst_sp)[1] = a1;
     ((uint32_t *) dst_sp)[2] = a2;
@@ -75,3 +68,77 @@ void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
      * debug_handler, return_handler will be executed. */
     return;
 }
+
+/* This function is called by the user to return to uvisor after deprivileging. */
+void UVISOR_NAKED UVISOR_NORETURN debug_return(void)
+{
+    asm volatile(
+        "svc %[retn]"
+
+        ::[retn] "i" ((UVISOR_SVC_ID_RETURN) & 0xFF)
+    );
+}
+
+void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
+                                  uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
+{
+    /* We're going to switch into the debug box. */
+    uint8_t dst_id = g_debug_box.box_id;
+
+    /* Use the interrupt stack during deprivileging. */
+    g_context_current_states[dst_id].sp = g_debug_interrupt_sp[dst_id];
+
+    /* Forge the stack frame for deprivileging with up to 4 parameters to
+     * pass. The stack memory is managed by uVisor itself and is supposed to
+     * be accessible by debug box, so there's no need for the access check. */
+    uint32_t dst_sp = context_forge_exc_sf(0, dst_id, (uint32_t)debug_handler, (uint32_t)return_handler, xPSR_T_Msk, 0);
+    ((uint32_t *)dst_sp)[0] = a0;
+    ((uint32_t *)dst_sp)[1] = a1;
+    ((uint32_t *)dst_sp)[2] = a2;
+    ((uint32_t *)dst_sp)[3] = a3;
+
+    context_switch_in(CONTEXT_SWITCH_FUNCTION_DEBUG, dst_id, __get_PSP(), dst_sp);
+
+    /* Save the current context on the stack, deprivilege and restore the context upon return. */
+    asm volatile(
+        /* Save general purpose registers that won't be saved by the following SVC. */
+        "push {r4 - r11}\n"
+
+        /* Remember the current active bit settings. The values are located in
+         * SCB->SHCSR register (address 0xe000ed24). */
+        "ldr r4, =0xe000ed24\n"
+        "ldr r5, [r4]\n"
+        "push {r5}\n"
+
+        /* Clear active bits for exceptions with priority above or equal to
+         * SVC. */
+        "bic r5, %[excp_msk]\n"
+        "str r5, [r4]\n"
+
+        /* Execute SVC that will perform the deprivileging. We'll return to
+         * the next instruction after reprivileging. */
+        "svc %[depriv]\n"
+
+        /* Read the current value of SCB->SHCSR. */
+        "ldr r4, =0xe000ed24\n"
+        "ldr r5, [r4]\n"
+
+        /* Find the active bits we cleaned before the deprivileging. */
+        "pop {r6}\n"
+        "and r6, r6, %[excp_msk]\n"
+
+        /* Restore the active bits. */
+        "orr r5, r6\n"
+        "str r5, [r4]\n"
+
+        /* At this moment a part of the context will be restored from the
+         * stack frame created by the above SVC. The remaining general purpose
+         * registers will be restored now. */
+        "pop {r4 - r11}\n"
+
+        ::[depriv] "i" ((UVISOR_SVC_ID_DEPRIVILEGE) & 0xFF),
+          [excp_msk] "i" (SCB_SHCSR_SVCALLACT_Msk | SCB_SHCSR_USGFAULTACT_Msk | SCB_SHCSR_BUSFAULTACT_Msk | SCB_SHCSR_MEMFAULTACT_Msk)
+    );
+
+    context_switch_out(CONTEXT_SWITCH_FUNCTION_DEBUG);
+}

core/debug/src/core_armv7m/mpu_armv7m/debug_armv7m.c

@@ -22,12 +22,12 @@
 static void debug_fault_mpu(void)
 {
     if (VMPU_SCB_MMFSR & 0x80) {
-        dprintf("* MPU FAULT\n\r");
+        dprintf("* MPU FAULT\n");
     }
     else {
-        dprintf("* No MPU violation found\n\r");
+        dprintf("* No MPU violation found\n");
     }
-    dprintf("\n\r");
+    default_putc('\n');
 }
 
 void debug_mpu_config(void)
@@ -36,22 +36,22 @@ void debug_mpu_config(void)
     char dim[][3] = {"B ", "KB", "MB", "GB"};
     int i;
 
-    dprintf("* MPU CONFIGURATION\n\r");
+    dprintf("* MPU CONFIGURATION\n");
 
     /* CTRL */
     ctrl = MPU->CTRL;
-    dprintf("\n\r");
-    dprintf("  Background region %s\n\r", ctrl & MPU_CTRL_PRIVDEFENA_Msk ?
+    default_putc('\n');
+    dprintf("  Background region %s\n", ctrl & MPU_CTRL_PRIVDEFENA_Msk ?
                                           "enabled" : "disabled");
-    dprintf("  MPU %s @NMI, @HardFault\n\r", ctrl & MPU_CTRL_HFNMIENA_Msk ?
+    dprintf("  MPU %s @NMI, @HardFault\n", ctrl & MPU_CTRL_HFNMIENA_Msk ?
                                              "enabled" : "bypassed");
-    dprintf("  MPU %s\n\r", ctrl & MPU_CTRL_PRIVDEFENA_Msk ?
+    dprintf("  MPU %s\n", ctrl & MPU_CTRL_PRIVDEFENA_Msk ?
                                   "enabled" : "disabled");
-    dprintf("\n\r");
+    default_putc('\n');
 
     /* information for each region (RBAR, RASR) */
     dregion = (MPU->TYPE & MPU_TYPE_DREGION_Msk) >> MPU_TYPE_DREGION_Pos;
-    dprintf("  Region Start      Size  XN AP  TEX S C B SRD      Valid\n\r");
+    dprintf("  Region Start      Size  XN AP  TEX S C B SRD      Valid\n");
     for(i = 0; i < dregion; ++i)
     {
         /* select region */
@@ -80,14 +80,14 @@ void debug_mpu_config(void)
                 (rasr & MPU_RASR_C_Msk)   >> MPU_RASR_C_Pos,
                 (rasr & MPU_RASR_B_Msk)   >> MPU_RASR_B_Pos,
                 (rasr & MPU_RASR_SRD_Msk) >> MPU_RASR_B_Pos);
-        dprintf("%d%d%d%d%d%d%d%d %d\n\r",
+        dprintf("%d%d%d%d%d%d%d%d %d\n",
                 (srd & 0x80) >> 0x7, (srd & 0x40) >> 0x6,
                 (srd & 0x20) >> 0x5, (srd & 0x10) >> 0x4,
                 (srd & 0x08) >> 0x3, (srd & 0x04) >> 0x2,
                 (srd & 0x02) >> 0x1, (srd & 0x01) >> 0x0,
                 rasr & MPU_RASR_ENABLE_Msk ? 1 : 0);
     }
-    dprintf("\n\r");
+    default_putc('\n');
 }
 
 void debug_fault_memmanage_hw(void)

core/debug/src/core_armv7m/mpu_kinetis/debug_kinetis.c

@@ -36,9 +36,9 @@ static void debug_fault_mpu(void)
                 ear = MPU->SP[4 - s].EAR;
                 eacd = edr >> 20;
 
-                dprintf("* MPU FAULT:\n\r");
-                dprintf("  Slave port:       %d\n\r", 4 - s);
-                dprintf("  Address:          0x%08X\n\r", ear);
+                dprintf("* MPU FAULT:\n");
+                dprintf("  Slave port:       %d\n", 4 - s);
+                dprintf("  Address:          0x%08X\n", ear);
                 dprintf("  Faulting regions: ");
                 found = 0;
                 for(r = 11; r >= 0; r--)
@@ -47,20 +47,20 @@ static void debug_fault_mpu(void)
                     {
                         if(!found)
                         {
-                            dprintf("\n\r");
+                            default_putc('\n');
                             found = 1;
                         }
                         dprintf("    R%02d:", 11 - r);
                         for (i = 0; i < 4; i++) {
                             dprintf(" 0x%08X", MPU->WORD[11 - r][i]);
                         }
-                        dprintf("\n\r");
+                        default_putc('\n');
                     }
                 }
                 if(!found)
-                    dprintf("[none]\n\r");
-                dprintf("  Master port:      %d\n\r", (edr >> 4) & 0xF);
-                dprintf("  Error attribute:  %s %s (%s mode)\n\r",
+                    dprintf("[none]\n");
+                dprintf("  Master port:      %d\n", (edr >> 4) & 0xF);
+                dprintf("  Error attribute:  %s %s (%s mode)\n",
                         edr & 0x2 ? "Data" : "Instruction",
                         edr & 0x1 ? "WRITE" : "READ",
                         edr & 0x4 ? "supervisor" : "user");
@@ -70,9 +70,9 @@ static void debug_fault_mpu(void)
     }
     else
     {
-        dprintf("* No MPU violation found\n\r");
+        dprintf("* No MPU violation found\n");
     }
-    dprintf("\n\r");
+    default_putc('\n');
 }
 
 void debug_mpu_config(void)
@@ -93,17 +93,17 @@ void debug_mpu_config(void)
     for (i = 0; i < 5; i++) {
         dprintf(" 0x%08X", MPU->SP[i].EDR);
     }
-    dprintf("\n");
+    default_putc('\n');
     /* region descriptors */
     dprintf("       Start      End        Perm.      Valid\n");
     for (i = 0; i < 12; i++) {
         dprintf("  R%02d:", i);
         for (j = 0; j < 4; j++) {
             dprintf(" 0x%08X", MPU->WORD[i][j]);
         }
-        dprintf("\n");
+        default_putc('\n');
     }
-    dprintf("\n");
+    default_putc('\n');
     /* the alternate view is not printed */
 }
 

core/debug/src/core_armv8m/debug_box_armv8m.c

@@ -26,8 +26,8 @@ void debug_die(void)
 }
 
 /* Note: On ARMv8-M the return_handler is executed in S mode. */
-void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
-                                  uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
+void debug_deprivilege_and_die(void * debug_handler, void * return_handler,
+                               uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
 {
     /* Switch to the debug box.
      * We use a regular process switch, so we don't need a dedicated stack for
@@ -37,7 +37,21 @@ void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
 
     /* De-privilege, call the debug box handler, re-privilege, call the return
      * handler. */
+    /* FIXME: the below way of deprivileging may be problematic when executed from an exception handler
+     * since we're going to stay in the context of the exception with IPSR reflecting that.
+     * We need to do deprivileging in a way similar to ARMv7 when an exception frame is forged
+     * for that purpose. */
     uint32_t caller = UVISOR_GET_NS_ALIAS(UVISOR_GET_NS_ADDRESS((uint32_t) debug_handler));
     SECURE_TRANSITION_S_TO_NS(caller, a0, a1, a2, a3);
     ((void (*)(void)) return_handler)();
 }
+
+/* FIXME: replace these stubs by the actual implementation. */
+void UVISOR_NAKED UVISOR_NORETURN debug_return(void)
+{
+}
+
+void debug_deprivilege_and_return(void * debug_handler, void * return_handler,
+                                  uint32_t a0, uint32_t a1, uint32_t a2, uint32_t a3)
+{
+}