Since uvisor is part of ARM mbed project, Contributor Agreement should be accepted before a developers starts to contribute.

Google's open source projects hosted at GitHub explain how to contribute changes. Take re2 as an example. There is a dedicated wiki page Contribute. uvisor should provide one as well.

• currently uvisor_read & *_write do not accept structures member addresses
• affects user experience as addresses need to be calculated on the fly

Example:

uvisor_read(&UART0->BAUD_RATE)

needs currently to be written as:

uvisor_read(UART0_ADDRESS + UART_BAUD_RATE_OFFSET)

To allow distributed definition of target/module-specific background ACLs:

• define named section for background region ACLs
• yotta modules or the C-HAL can place background ACLs via the named section
• the existing box 0 ACLs are put into this section, too
• ensure byte alignment in the section
• add start/end symbols and add them to the uVisor-lib shared structure
  @AlessandroA

We need to generalize the concept of a disabled uVisor, so that disabled.c can be removed.

In that scenario, uVisor core would still be used in UVISOR_DISABLED mode, with less restrictions and with the MPU/Kinetis peripheral protections disabled.

Currently the file disabled.c file implements several fallback implementations of uVisor core, that with time become difficult to maintain. One example is captured by this commit.

when commands yotta target frdm-k64f-gcc and yotta install are executed, dependency files are downloading from public module registry:

yotta target frdm-k64f-gcc
info: get versions for frdm-k64f-gcc
info: download [email protected] from the public module registry
info: get versions for kinetis-k64-gcc
info: download [email protected] from the public module registry
info: get versions for mbed-gcc
info: download [email protected] from the public module registry

yotta install
info: get versions for mbed-drivers
info: download [email protected] from the public module registry
info: get versions for cmsis-core
info: download [email protected] from the public module registry
info: get versions for cmsis-core-freescale
info: download [email protected] from the public module registry
info: get versions for cmsis-core-k64f
info: download [email protected] from the public module registry
info: get versions for mbed-hal
info: download [email protected] from the public module registry
info: get versions for ualloc
info: download [email protected] from the public module registry
info: get versions for minar
info: download [email protected] from the public module registry
info: get versions for core-util
info: download [email protected] from the public module registry
info: get versions for compiler-polyfill
info: download [email protected] from the public module registry
info: get versions for mbed-hal-freescale
info: download [email protected] from the public module registry
info: get versions for mbed-hal-ksdk-mcu
info: download [email protected] from the public module registry
info: get versions for mbed-hal-k64f
info: download [email protected] from the public module registry
info: get versions for mbed-hal-frdm-k64f
info: download [email protected] from the public module registry
info: get versions for dlmalloc
info: download [email protected] from the public module registry
info: get versions for minar-platform
info: download [email protected] from the public module registry
info: get versions for minar-platform-mbed
info: download [email protected] from the public module registry
error: mbed-drivers does not meet specification ~0.11.1 required by core-util

The question is how to have all these required modules locally installed instead of downloading from public module registry?
and also it throws error:
error: mbed-drivers does not meet specification ~0.11.1 required by core-util

• currently the ACL collision detection in uVisor does not take into account that a bitband-ACL might overlap with a peripheral-ACL for the same peripheral.
• ensure to mark peripherals corresponding to bitband-ACL as used
• still allow the same box to have both bitband ACL and peripheral ACL for the same peripherals

Some of the fallback implementations of register-level gateway are currently using managed bus faults to perform read/write operations to restricted registers. Add support for this feature to STM32F4 (altready there for K64F).

Every time uVisor reads or writes a memory location belonging to a secure box, it should do so using unprivileged instructions, ldrt, strt.

We will change every occurrence of these memory accesses to use a static inline function, which in turn uses the CMSIS intrinsics for unprivileged access.

A single function helps with security verification and allows a consistent security model. In addition, if assumptions about a piece of code change, the security of the memory accesses is not compromised.

It is a similar issue to what was previously solved for the MMFAR register, for MemManage faults.

In vmpu_load_boxes() we have a for loop that scans ACLs and calls the function vmpu_acl_add() for each of them.

In K64F this function further calls vmpu_aips_add(), which

• adds the relevant AIPS slot and
• also adds ACLs from box 0 to the ACL list of the currently parsed box

This last point creates the bug: If the ACL list for a secure box is empty, then the vmpu_acl_add() will never be called and hence (for the K64F) the box 0 ACLs for AIPS slots are never applied to other boxes.

For reference:

• Call to vmpu_acl_add()
• Box 0 ACLs are added to other boxes in vmpu_aips_add()

Possible solution:

• Create a new function that gets called after ACLs parsing: vmpu_add_common_acls()
  • Implemented differently for ARM and Freescale MPUs
  • All shared box 0 ACLs can be accounted for after private ACLs have been parsed
  • sharing box 0 ACLs is decoupled from having own ACLs

@meriac
@Patater

Please note that currently the latest version of uVisor (the HEAD of the uvisor repository) does not support the following features:

• LED blinking patterns
• Memory mapped debugging

This means that the support for hardware-specific debugging is temporarily unavailable. If you want to revert back to a version of uVisor that still supports those features, please checkout the uvisor_with_memory_map_debug branch:

git clone --recursive -b uvisor_with_memory_map_debug [email protected]:ARMmbed/uvisor.git

This command will clone both uvisor and uvisor-lib. You can then build uVisor as usual, as reported in the branch README.md.

Failed to build uvisor on the latest commit(master branch).
At uvisor/platform/stm32
Commands:$make clean release

Did I forget to update something?

rm -f stm32.map stm32.elf stm32.bin stm32.asm\
      stm32.linker gdb.script source.c.tags JLink.log\
        ../../release/source/stm32/version.txt
find . ../../core -iname '*.o' -exec rm -f \{\} \;
arm-none-eabi-gcc -mcpu=cortex-m4 -march=armv7e-m -mthumb -Os -DNDEBUG -g3 -Wall -Werror -DARCH_MPU_ARMv7M -DCONFIGURATION_ -DPROGRAM_VERSION=\"0.9.10-55-gcef5-dirty\" -I. -Iinc -I../../core -I../../core/cmsis/inc -I../../core/system/inc -I../../core/system/inc/mpu -I../../core/debug/inc -I../../core/lib/printf -ffunction-sections -fdata-sections -fno-exceptions  -c -o ../../core/system/src/benchmark.o ../../core/system/src/benchmark.c
In file included from inc/config.h:25:0,
                 from ../../core/uvisor.h:25,
                 from ../../core/system/src/benchmark.c:17:
inc/configurations.h:65:2: error: #error "Unrecognized uVisor configuration. Check your Makefile."
 #error "Unrecognized uVisor configuration. Check your Makefile."
  ^
In file included from ../../core/uvisor.h:25:0,
                 from ../../core/system/src/benchmark.c:17:
inc/config.h:31:2: error: #error "Currently only STM32 devices with a CCM are supported."
 #error "Currently only STM32 devices with a CCM are supported."
  ^
In file included from ../../core/uvisor.h:31:0,
                 from ../../core/system/src/benchmark.c:17:
../../core/cmsis/inc/core_generic.h:71:2: error: #error "Unsupported ARM core. Make sure CORE_* is defined in your workspace."
 #error "Unsupported ARM core. Make sure CORE_* is defined in your workspace."
  ^
In file included from ../../core/system/inc/svc_cx.h:22:0,
                 from ../../core/system/inc/svc.h:22,
                 from ../../core/system/inc/unvic.h:21,
                 from ../../core/system/inc/system.h:21,
                 from ../../core/uvisor.h:74,
                 from ../../core/system/src/benchmark.c:17:
../../core/system/inc/mpu/vmpu.h: In function 'vmpu_sram_addr':
../../core/system/inc/mpu/vmpu.h:37:33: error: 'SRAM_ORIGIN' undeclared (first use in this function)
     return (((uint32_t) addr >= SRAM_ORIGIN) &&
                                 ^
../../core/system/inc/mpu/vmpu.h:37:33: note: each undeclared identifier is reported only once for each function it appears in
../../core/system/src/benchmark.c: In function 'benchmark_configure':
../../core/system/src/benchmark.c:30:9: error: 'CoreDebug' undeclared (first use in this function)
         CoreDebug->DEMCR |= (1 >> 24);
         ^
../../core/system/src/benchmark.c:33:9: error: 'DWT' undeclared (first use in this function)
         DWT->CYCCNT = 0;
         ^
../../core/system/src/benchmark.c: In function 'benchmark_start':
../../core/system/src/benchmark.c:45:5: error: 'DWT' undeclared (first use in this function)
     DWT->CYCCNT = 0;
     ^
../../core/system/src/benchmark.c: In function 'benchmark_stop':
../../core/system/src/benchmark.c:50:12: error: 'DWT' undeclared (first use in this function)
     return DWT->CYCCNT - g_benchmark_overhead;
            ^
../../core/system/src/benchmark.c:51:1: error: control reaches end of non-void function [-Werror=return-type]
 }
 ^
cc1: all warnings being treated as errors
<builtin>: recipe for target '../../core/system/src/benchmark.o' failed
make: *** [../../core/system/src/benchmark.o] Error 1

And the tutorial to build uvisor seems to be old.
The k64f directory no longer exists.

# assuming you are developing in ~/code, select the correct platform in the code tree
cd ~/code/k64f/uvisor

I have seen the Warning: Enabling Debug Features on uVisor,and it says that the current uvisor does not have Debug Features.

• uVisor is supposed to have as little as possible special knowledge about the target and it peripherals
• uVisor must still support complex debugging like over meshed wireless networks, IPv6 Ethernet with SSL or USB CDC serial.

Solution:

• Debug communication and debug LED handling will be moved into a uVisor box: a "debug driver" that doesn't even need to be uVisor aware. Such a debug driver will map debug requirements like ("blink LED 3 times repeating" or "print log-text over whatever interface you support") to the underlying hardware. The OS above uses that driver in a hardware-independent way.
• uVisor or OS create a machine readable stack trace of crash in network endianness format, the debug box can choose to forward it to turn it into a local "bluescreen" (USB serial etc.)
• The debug box can choose to maintain the hardware-dependent memory map with human readable peripheral names to enrich a "blue screen" output- whenever the remote system wants to communicate to uVisor, the debug box will call into uVisor to deliver just the payload.
• whenever uVisor will print messages, it will issue a de-privileged call to the dedicated box that handles the output.
• as a result uVisor does not need to know about complex protocols, but is still able to interact with remote systems in a debug session.
• the debug box might be able to debug other boxes if these boxes allow to do so (similar to Android where an app needs to explicitly allow debugging in its manifest)
• we stop uVisors attack surface from growing by reducing privileged code
• uVisors security properties are very comparable across a multitude of system: security verifications become transferable across systems
• consider using CBOR format for a verbose debug dump, as the format requires not just standard outputs like stack traces etc, but various status register and context/security related info that might be platform dependent

See also #64

Add signatures to binary uVisor packages and document reproducible build of *.box binaries which are already reproducible.

• for security reasons CPU core registers need to be cleared whenever execution shifts to a new box to avoid leakage of information
• a box can opt-out from register clearing for performance reasons in case privacy is not required

• results in deterministic release process
• adapts to #63

It shouldn't.

With the current Makefile.rules, it seems that it isn't possible to release multiple configurations. If I have a Makefile like this for my platform:

CONFIGURATIONS:= \
    MY_CONFIG_1 \
    MY_CONFIG_2 \
    MY_CONFIG_3

my_platform_r:
    $(foreach CONFIGURATION, \
              $(CONFIGURATIONS), \
              CONFIGURATION=$(CONFIGURATION) make -f ../../core/Makefile.rules clean release && ) true

Then only the last configuration will be preserved in release/source/<platform>/, since the release make target performs rm -rf $(RELEASE_SRC_HW).

If I understand the comments on the refactoring pull request + comments in source code correctly, it should be possible to call make release multiple times to output multiple binaries/configurations for the same platform.

• always verify if any of the hardware interrupts are enabled when uvisor is initialised
• on debug build fail with a verbose security message explaining that the port is broken and interrupts need to be initialised using uVisor APIs.
• on release build just die & drop over in an endless loop

• verify if interrupts are enabled before they are set
• each attempt to change the enable-state of an interrupt while it's not assigned to the calling box must fail with a security exception. This allows detecting race conditions in application code.

Note: changes above prevent bugs like #87

The box id is currently of type uint8_t, but there should be dedicated box_id_t which abstracts this for future compatibility.

• currently ARMCC breaks as there is now way for enforcing unoptimized assembler inlines
• as a result function gateways and register gateways do not function when compiled with ARMCC

Bug description
On the NXP FRDM-K64F it has been observed that turning on compiler
optimizations interferes with the content of the r0 register in memory access
macros.

Although r0 is in the register list of the inline asm used for the
uvisor_write32() API, it contains garbage at the moment of use. The bug is
observed in the form of a hard fault due to an invalid address (r0) in a str
instruction.

To reproduce
Create a yotta application that uses the frdm-k64f-gcc target. Use the
following source code:

#include "mbed-drivers/mbed.h"

PwmOut led(D5);

void app_start(int, char **) {
    led = 0.5f;
}

and compile in release mode with yotta build -r. Run the program and observe the hard fault.
The fault comes from the pwmout_write function, in which a series of optimizations leads
to the following str instruction:

str r1, [r0]
dsb
nop
nop
nop

where r0 = 0x0. The instructions above implement the uvisor_write32() API.

Comparing to other ARM mbed projects such as mbed-drivers and mbed-client, I found that the existing coding style in uvisor is a bit inconsistent. For example, the keyword if in C program statement usually lacks of corresponding space in uvisor, but both mbed-drivers and mbed-client have the explicit space: if (...).

I just wonder if there is the documentation about coding style globally applied to all mbed projects.

Now that box 0 has its own ACLs, it makes sense to include it in the count kept in g_vmpu_box_count.
The code in the vmpu module should be changed accordingly to avoid off-by-one errors.

The YOTTA_CFG_UVISOR_PRESENT check in uvisor-lib.h should also check for truthiness, in order to work with targets defining "uvisor": { "present": false }.

Hi,

• We want to create a secure box for debugging, it seems that CrashCatcher is a good choice. By using CrashCather we can capture the register and RAM state at a time of a crash, and through CrashDebug we can do post-mortem debugging.
• Currently vmpu can only load one secure box, and if we want to capture its state when crashed, there is no available box for integrating CrashCather.

void vmpu_load_box(uint8_t box_id)
{
        if(box_id == 0)
             vmpu_switch(0, 0);
        else
             HALT_ERROR(NOT_IMPLEMENTED, "currently only box 0 can be loaded"); 
}

THX !

Without UVISOR_NAKED the compiler (especially in debug mode) introduces push/pop operations; the pop operation is cut off by the bx lr instruction in unvic_isr_mux() and the r4-r11 registers might be broken as a consequence.

00001c24 <isr_default_handler>:
    1c24:       b480            push    {r7}
    1c26:       af00            add     r7, sp, #0
    1c28:       df10            svc     16
    1c2a:       df10            svc     16
    1c2c:       4770            bx      lr                 <---- returns before popping
    1c2e:       46bd            mov     sp, r7
    1c30:       f85d 7b04       ldr.w   r7, [sp], #4
    1c34:       4770            bx      lr
    1c36:       bf00            nop

• add a UVISOR_TACL_INIT_ONLY for init-time-only ACLs
• add a UVISOR_TACL_RUNTIME_ONLY for runtime-only ACLs
• add a uvisor API call to switch from init to runtime mode, but not back

Usage:

• simplified hardware initialization and runtime optimization as some regions will only be used once during init

uvisor_read gets wrong value in this example.
I printed it out,and got 00000000000000000000000000000000(32-bits)
However,with ST-LINK(debugger),I got different value.
And I think the ST-LINK is right.
This value is used to calculate how many FPB comparators does STM32F429i support.

#define FPB_CTRL 0xE0002000
uvisor_read(debug_box,FPB_CTRL);

(gdb) p/t *0xE0002000
$1 = 1001100001

On master branch, in README.md file, section Memory Layout, there is a hyperlink for "uVisor memory layout" - https://github.com/ARMmbed/uvisor/blob/master/k64f/docs/memory_layout.png

But there is no /k64f folder. Other branches does have this folder. Please have a look this, thank you.

Currently secure gateways to box 0 are not allowed.

We should implement a secure callback that allows switching context to box 0. This callback would look like any other secure gateway but will allow runtime-determined function pointers to be given as a destination for the callback.

• allows creations of less platform specific uvisor binaries
• distirbution of uvisor binaries simplified as a result
• improved user experience

Instructions in The uVisor as a yotta Module section does not work.
yotta link command gives following error:
error: No module.json file.
error: The current directory does not contain a valid module.

The different types of ACLs must be documented, specifying the access rights they imply and how to use them in real world examples. @akselsm

• Fix the interrupt bug related to tailchained IRQ that happen during a context switch.
• Affects EFM32GG

Acceptance criteria:

• create test to reproduce the behaviour
• verify the bug if fixed in the context of the test

In https://github.com/ARMmbed/uvisor/blob/master/core/system/src/unvic.c#L265 the check on ACLs for the context switch is too restrictive. The implementation of the function blocks cross-box interrupts since it requires the destination box to be the current box.

To fix this:

• add a box_id arg to unvic_acl_check()
• use dst_id as trigger for the ACL check in interrupt context switch. g_active_box is used for all other cases

Trying to run make all, I noticed that the binaries that get output to the "release" folder are the exact same size as the ones in the "debug" folder. Also, the "release" binaries seem to still have the semihosting code intact, which requires a debugger to be connected for programs to run.

It looks like clean is not run between building debug and release, causing make/gcc to skip recompiling the binaries, therefore linking the old "debug" versions instead. This means that -DNDEBUG is not applied to the compile step in release mode.

This is also a problem when building multiple configurations. Since the source files aren't recompiled, any defines set in configurations.h won't actually be applied to the given configuration, you'll just end up with multiple copies of whatever configuration was built first.

The following build string successfully builds a single release mode binary without semihosting code: make BUILD_MODE=release PLATFORM=<my_platform> clean <MY_CONFIG>

vmpu_validate_access in vmpu.c does currently not have ACL checking implemented so access to all memories is permitted, resulting in a security problem.

• create a dedicated linker section for base-ACLs
• each module declares its own base-ACLs
• the init function of each module fake-refers to its base-ACLs
• by referring to the base-ACLs, the ACLs get linked in and not garbage collected
• due to the linker section they end up in one big chunk
• all secure boxes can override the base-ACL (taking ownership of an ACL)
• the base-ACLs are processed last, the remaning ACLs get assigned to the main box

• add hardware floating point support for the main box as a first step
• extend floating point support to other secure boxes later

When creating a RO region, write access will create an access fault as expected - but it needs to avoid configuring the corresponding MPU region again: instead faulting with an security exception.

Workaround:

• avoid writing to RO-regions

Currently, uVisor contains copies of CMSIS headers for each platform it supports. These same headers are available from yotta modules, manufacturer zip files, KEIL packs, and/or other git repos. It'd be nice if uVisor could get the headers from someplace else instead of making yet another unmaintainable copy.

As a positive side effect, this will reduce the cognitive overhead of porting uVisor to a new platform, as one no longer need worry about how to make a maintainable copy of CMSIS definitions that, to quote the porting guide, "keep the header files to a minimum, providing only basic symbols and macros for the platform."

This is an inefficient use of SRAM on K64F.
https://github.com/ARMmbed/uvisor/blob/master/api/inc/box_config.h#L59

@meriac

With the changes introduced in #142 uVisor becomes even more hardware-agnostic.

This means that no memory map, IRQ map, LED blinking patterns are available for debugging. We should then provide APIs/mechanisms for unprivileged code to provide such information.

This may fit in the larger picture of a debug box, but for the moment I am creating this issue as an enhancement to keep track of the removed functionality.

Currently access is granted to RCC, EXTI and SYSCFG - for all of these registers access can't be directly granted, but filtered per register / bit. Especially SYSCFG is security critical as it allows re-mapping of the RAM/FLASH memory.

As a result we added the new concept called "Register Level Access Security" as seen in https://github.com/ARMmbed/uvisor-lib/blob/master/uvisor-lib/register_gateway.h#L90 .

Our solution creates a similar mechanism as the call gateway, but for registers - the register level gateway can grant access to a set of bits of a single register - avoiding the creation of large ACLs covering the whole region.
As the access is specified in flash an attacker can't get access to other bits or using a different box context - as long as write access is blocked to flash.

The implementation is currently undergoing and needs to be released to fix this problem.

• allow the developer to place debug messages at various verbosity levels
  • critical
  • medium
  • verbose
• for the debug mode the verbosity is set to low, so only critical messages are displayed by default
  • medium and verbose messages are suppressed
  • the verbosity level can be overridden during compilation to get more verbose debug messages

Hardware-specific code for uVisor lives in dedicated folders. Currently these are simply named after the 2 platforms that we support at the moment.

To make porting easier, we should change the Makefile and Makefile.rules formats so that the symbol $CPU is assembled from at least 3 parameters:

CPU := $(ARCH)$(FAMILY)$(CHIP)

Targets that leave one or more of those fields empty get less granularity, but everything still works.

In general we can expect a porting to look like this:

• a new folder named lowercase($(ARCH)) contains hw-specific code;
• the hw-specific code contains #ifdefs depending on $(FAMILY) and $(CPU); we expect those to be very few, since uVisor only relies on few hw-specific parameters (memories boundaries, usually);
• the release rule is available for more complex release scripts; for example, in a given hw-specific $(ARCH) folder a release-all rule could iterate over all $(ARCH)s and over all $(CPU)s to create release binaries for all possible targets in the family.

For some library functions, it is important, for fault detection, to know whether the API has been called as part of the call tree of an IRQ.

Examples:

• Memory allocators
• Some scheduler functions, e.g. postCallbackAgain()

It may be adequate to document that these should not be done, but runtime checks are more direct.

upon execution of command git clone --recursive [email protected]:ARMMbed/uvisor.git throws following error:
Cloning into 'uvisor'...
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.