riscv: pmp: Support custom entries from Device Tree for memory attributes

The Physical Memory Protection (PMP) initialization is updated to support
custom entries defined in the Device Tree (DT) using the `zephyr,memattr`
property, contingent on `CONFIG_MEM_ATTR` being enabled. A new function,
`set_pmp_mem_attr()`, iterates over DT-defined regions and programs PMP
entries in `z_riscv_pmp_init()`, allowing for early, flexible, and
hardware-specific R/W/X protection for critical memory areas. DT-based
entries are also installed in `z_riscv_pmp_kernelmode_prepare()` for
thread-specific configuration. The logic for the temporary PMP "catch-all"
entry is adjusted to account for new DT entries. Furthermore, the PMP
domain resync logic now masks user partition permissions against DT-defined
region permissions, preventing privilege escalation. `CONFIG_RISCV_PMP` is
updated to select `PMP_KERNEL_MODE_DYNAMIC` if `MEM_ATTR`. Finally, the
`pmp_cfg` array in `z_riscv_pmp_init()` is initialized to zero to prevent
writing uninitialized stack data to unused PMP entries.

Signed-off-by: Firas Sammoura <fsammoura@google.com>

Author: fsammoura1980

arch/riscv/Kconfig

@@ -361,6 +361,7 @@ config RISCV_PMP
 	select THREAD_LOCAL_STORAGE if USERSPACE
 	select ARCH_MEM_DOMAIN_SUPPORTS_ISOLATED_STACKS
 	select MEM_DOMAIN_ISOLATED_STACKS
+	select PMP_KERNEL_MODE_DYNAMIC if MEM_ATTR
 	help
 	  MCU implements Physical Memory Protection.
 

arch/riscv/core/pmp.c

@@ -26,12 +26,15 @@
  * modified.
  */
 
+#include "zephyr/toolchain.h"
 #include <zephyr/kernel.h>
 #include <kernel_internal.h>
 #include <zephyr/linker/linker-defs.h>
 #include <pmp.h>
 #include <zephyr/arch/arch_interface.h>
 #include <zephyr/arch/riscv/csr.h>
+#include <zephyr/dt-bindings/memory-attr/memory-attr-riscv.h>
+#include <zephyr/mem_mgmt/mem_attr.h>
 
 #define LOG_LEVEL CONFIG_MPU_LOG_LEVEL
 #include <zephyr/logging/log.h>
@@ -383,6 +386,58 @@ static void write_pmp_entries(unsigned int start, unsigned int end,
 				  pmp_addr, pmp_cfg);
 }
 
+#ifdef CONFIG_MEM_ATTR
+/**
+ * @brief Install PMP entries from devicetree mem-attr regions.
+ *
+ * Iterates over devicetree-provided memory-attr regions and programs PMP
+ * via set_pmp_entry(). Ordering matters because PMP checks entries from lowest
+ * to highest index and uses the first entry that matches the address.
+ *
+ * @param index_p Location of the current PMP slot index to use. This index
+ *                will be updated according to the number of slots used.
+ * @param pmp_addr Array of pmpaddr values (starting at entry 0).
+ * @param pmp_cfg Array of pmpcfg values (starting at entry 0).
+ * @param index_limit Index value representing the size of the provided arrays.
+ * @return Number of PMP slots consumed by installed mem-attr regions.
+ *
+ * @note DT_MEM_RISCV_TYPE_IO_X Limitation:
+ * Since the current PMP entries are non-locked, the eXecute (X)
+ * permission restriction applied by DT_MEM_RISCV_TYPE_IO_X does
+ * not prevent execution in higher privilege modes (M-mode/kernel).
+ * This is because the mstatus.MPRV register bit only affects
+ * M-mode load/store operations, not instruction fetches.
+ * The execute restriction still applies to User mode because PMP
+ * is always enforced for lower privilege modes.
+ */
+static unsigned int set_pmp_mem_attr(unsigned int *index_p,
+				     unsigned long *pmp_addr, unsigned long *pmp_cfg,
+				     unsigned int index_limit)
+{
+	const struct mem_attr_region_t *region;
+	unsigned int entry_cnt = *index_p;
+	size_t num_regions;
+
+	num_regions = mem_attr_get_regions(&region);
+
+	for (size_t idx = 0; idx < num_regions; ++idx) {
+
+		uint8_t perm = DT_MEM_RISCV_TO_PMP_PERM(region[idx].dt_attr);
+
+		if (perm || (region[idx].dt_attr & DT_MEM_RISCV_TYPE_EMPTY)) {
+			set_pmp_entry(index_p, perm,
+				(uintptr_t)(region[idx].dt_addr),
+				(size_t)(region[idx].dt_size),
+				pmp_addr, pmp_cfg, index_limit);
+		}
+	}
+
+	entry_cnt = *index_p - entry_cnt;
+
+	return entry_cnt;
+}
+#endif /* CONFIG_MEM_ATTR */
+
 /**
  * @brief Abstract the last 3 arguments to set_pmp_entry() and
  *        write_pmp_entries( for m-mode.
@@ -427,14 +482,22 @@ static unsigned long global_pmp_last_addr[MODE_TOTAL];
 /* End of global PMP entry range for each mode (M or U). */
 static unsigned int global_pmp_end_index[MODE_TOTAL];
 
+#if defined(CONFIG_MEM_ATTR) && defined(CONFIG_USERSPACE)
+/* Stores the initial pmpaddr values for the memory attribute region. */
+static unsigned long mem_attr_pmp_addr[CONFIG_PMP_SLOTS];
+#endif
+
 /**
  * @Brief Initialize the PMP with global entries on each CPU
  */
 void z_riscv_pmp_init(void)
 {
 	unsigned long pmp_addr[CONFIG_PMP_SLOTS];
-	unsigned long pmp_cfg[CONFIG_PMP_SLOTS / PMPCFG_STRIDE];
+	unsigned long pmp_cfg[CONFIG_PMP_SLOTS / PMPCFG_STRIDE] = {0};
 	unsigned int index = 0;
+	unsigned int attr_cnt = 0;
+
+	ARG_UNUSED(attr_cnt);
 
 #ifdef CONFIG_NULL_POINTER_EXCEPTION_DETECTION_PMP
 	/*
@@ -464,23 +527,6 @@ void z_riscv_pmp_init(void)
 		      (uintptr_t)z_interrupt_stacks[_current_cpu->id],
 		      Z_RISCV_STACK_GUARD_SIZE,
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	/*
-	 * This early, the kernel init code uses the IRQ stack and we want to
-	 * safeguard it as soon as possible. But we need a temporary default
-	 * "catch all" PMP entry for MPRV to work. Later on, this entry will
-	 * be set for each thread by z_riscv_pmp_kernelmode_prepare().
-	 */
-	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	 /* Write those entries to PMP regs. */
-	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
-
-	/* Activate our non-locked PMP entries for m-mode */
-	csr_set(mstatus, MSTATUS_MPRV);
-
-	/* And forget about that last entry as we won't need it later */
-	index--;
 #else
 	/* Without multithreading setup stack guards for IRQ and main stacks */
 	set_pmp_entry(&index, PMP_NONE | PMP_L,
@@ -493,14 +539,39 @@ void z_riscv_pmp_init(void)
 		      Z_RISCV_STACK_GUARD_SIZE,
 		      pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 
-	/* Write those entries to PMP regs. */
-	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif /* CONFIG_MULTITHREADING */
 #ifdef CONFIG_SMP
 	unsigned int irq_index = index;
 #endif /* CONFIG_SMP */
+#endif
+
+#ifdef CONFIG_MEM_ATTR
+	/*
+	 * Set the memory attribute region as temporary PMP entries for early
+	 * kernel initialization. This provides essential protection before
+	 * the kernel mode memory attribute permission is fully operational.
+	 */
+	attr_cnt = set_pmp_mem_attr(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+
+	/*
+	 * This early, we want to protect unlock PMP entries as soon as
+	 * possible. But we need a temporary default "catch all" PMP entry for
+	 * MPRV to work. Later on, this entry will be set for each thread by
+	 * z_riscv_pmp_kernelmode_prepare().
+	 */
+	set_pmp_mprv_catchall(&index, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+
+	/* Write those entries to PMP regs. */
+	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
+
+	/* Activate our non-locked PMP entries for m-mode */
+	csr_clear(mstatus, MSTATUS_MPP);
+	csr_set(mstatus, MSTATUS_MPRV);
+
+	/* And forget about that last entry as we won't need it later */
+	index--;
 #else
-	 /* Write those entries to PMP regs. */
+	/* Write those entries to PMP regs. */
 	write_pmp_entries(0, index, true, pmp_addr, pmp_cfg, ARRAY_SIZE(pmp_addr));
 #endif
 
@@ -528,10 +599,20 @@ void z_riscv_pmp_init(void)
 	global_pmp_end_index[M_MODE] = index;
 
 #ifdef CONFIG_USERSPACE
-	global_pmp_last_addr[U_MODE] = pmp_addr[index - 1];
-	global_pmp_end_index[U_MODE] = index;
+	global_pmp_last_addr[U_MODE] = pmp_addr[index - attr_cnt - 1];
+	global_pmp_end_index[U_MODE] = index - attr_cnt;
 #endif /* CONFIG_USERSPACE */
 
+#if defined(CONFIG_MEM_ATTR) && defined(CONFIG_USERSPACE)
+	/*
+	 * Copy the memory attribute pmpaddr entries to the global buffer.
+	 * These kernel mode pmpaddr entries are saved for restoration when
+	 * switching back from user mode.
+	 */
+	memcpy(mem_attr_pmp_addr, &pmp_addr[global_pmp_end_index[U_MODE]],
+	       attr_cnt * PMPCFG_STRIDE);
+#endif
+
 	if (PMP_DEBUG_DUMP) {
 		dump_pmp_regs("initial register dump");
 	}
@@ -560,6 +641,19 @@ static inline unsigned int z_riscv_pmp_thread_init(enum pmp_mode mode,
 
 	pmp_addr[pmp_end_index - 1] = global_pmp_last_addr[mode];
 
+#if defined(CONFIG_MEM_ATTR) && defined(CONFIG_USERSPACE)
+	/*
+	 * This block restores the PMP entries used for memory attributes (set in
+	 * mem_attr_pmp_addr) that were overwritten when switching from user mode
+	 * back to kernel mode. It only applies when running in M_MODE pmp mode.
+	 */
+	if (mode == M_MODE) {
+		memcpy(&pmp_addr[global_pmp_end_index[U_MODE]], mem_attr_pmp_addr,
+		       (global_pmp_end_index[M_MODE] - global_pmp_end_index[U_MODE]) *
+			       PMPCFG_STRIDE);
+	}
+#endif
+
 	return pmp_end_index;
 }
 #endif
@@ -585,7 +679,7 @@ void z_riscv_pmp_kernelmode_prepare(struct k_thread *thread)
 	} else if (z_stack_is_user_capable(thread->stack_obj)) {
 		stack_bottom = thread->stack_info.start - K_THREAD_STACK_RESERVED;
 	}
-#endif
+#endif /* CONFIG_USERSPACE */
 	set_pmp_entry(&index, PMP_NONE,
 		      stack_bottom, Z_RISCV_STACK_GUARD_SIZE,
 		      PMP_M_MODE(thread));
@@ -614,10 +708,17 @@ void z_riscv_pmp_kernelmode_enable(struct k_thread *thread)
 	csr_clear(mstatus, MSTATUS_MPRV | MSTATUS_MPP);
 
 	/* Write our m-mode MPP entries */
+#ifdef CONFIG_USERSPACE
+	write_pmp_entries(global_pmp_end_index[U_MODE],
+			  thread->arch.m_mode_pmp_end_index,
+			  false /* no need to clear to the end */,
+			  PMP_M_MODE(thread));
+#else
 	write_pmp_entries(global_pmp_end_index[M_MODE],
 			  thread->arch.m_mode_pmp_end_index,
 			  false /* no need to clear to the end */,
 			  PMP_M_MODE(thread));
+#endif /* CONFIG_USERSPACE */
 
 	if (PMP_DEBUG_DUMP) {
 		dump_pmp_regs("m-mode register dump");
@@ -723,8 +824,52 @@ static void resync_pmp_domain(struct k_thread *thread,
 			continue;
 		}
 
-		ok = set_pmp_entry(&index, part->attr.pmp_attr,
-				   part->start, part->size, PMP_U_MODE(thread));
+#ifdef CONFIG_MEM_ATTR
+		/*
+		 * Determine whether the partition is covered by a memory
+		 * attribute region.
+		 *
+		 * Constraint due to number of PMP entry limitation:
+		 * The logic asserts against any cases that requires splitting
+		 * a partition into multiple permissions, such as partial
+		 * overlap or the partition fully containing the memory
+		 * attribute region but not fully match.
+		 *
+		 * Supported cases:
+		 * 1. Partition excludes all memory attribute regions
+		 *    The partition's permission is applied directly.
+		 * 2. Partition is contained in a memory attribute region:
+		 *    The partition's permission is masked with the memory
+		 *    attribute.
+		 */
+		const struct mem_attr_region_t *region;
+		uint8_t attr_mask = PMP_R | PMP_W | PMP_X;
+
+		for (int idx = 0; idx < mem_attr_get_regions(&region); idx++) {
+			uintptr_t dt_start = (uintptr_t)(region[idx].dt_addr);
+			uintptr_t dt_end = dt_start + (size_t)(region[idx].dt_size);
+			bool covered = false;
+
+			/* No overlap at all, skip this memory region */
+			if ((part->start + part->size) <= dt_start || part->start >= dt_end) {
+				continue;
+			}
+
+			/* Check if the partition is contained in the memory attribute region. */
+			covered = part->start >= dt_start && (part->start + part->size) <= dt_end;
+			__ASSERT(covered, "No allowed partition partially overlaps memory region");
+
+			attr_mask = DT_MEM_RISCV_TO_PMP_PERM(region[idx].dt_attr);
+			break;
+		}
+
+		ok = set_pmp_entry(&index, part->attr.pmp_attr & attr_mask, part->start, part->size,
+				   PMP_U_MODE(thread));
+#else
+		ok = set_pmp_entry(&index, part->attr.pmp_attr, part->start, part->size,
+				   PMP_U_MODE(thread));
+#endif
+
 		__ASSERT(ok,
 			 "no PMP slot left for %d remaining partitions in domain %p",
 			 remaining_partitions + 1, domain);

arch/riscv/include/pmp.h

@@ -7,8 +7,15 @@
 #ifndef PMP_H_
 #define PMP_H_
 
+#include <zephyr/dt-bindings/memory-attr/memory-attr-riscv.h>
+
 #define PMPCFG_STRIDE (__riscv_xlen / 8)
 
+#define DT_MEM_RISCV_TO_PMP_PERM(dt_attr) (		\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_R) ? PMP_R : 0) |	\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_W) ? PMP_W : 0) |	\
+	(((dt_attr) & DT_MEM_RISCV_TYPE_IO_X) ? PMP_X : 0))
+
 void z_riscv_pmp_init(void);
 void z_riscv_pmp_kernelmode_prepare(struct k_thread *thread);
 void z_riscv_pmp_kernelmode_enable(struct k_thread *thread);