Lesson 18
Memory Protection Unit (MPU)

1. Overview

In this lesson, the Memory Protection Unit (MPU) of the LPC1768 microcontroller is introduced. For a detailed description of the features and all controlling options for the MPU, read section 34.4.5 of the LPC17xx User Manual and chapter 11 of the Definitive Guide to ARM Cortex-M3 and Cortex-M4 Processors.

2. Background

The Cortex-M3 processor supports an added level of protection for the system memory through the implementation of the MPU. Undesired accesses to the system memory can occur unintentionally (a programmer/user mistake) or intentionally (malicious purpose). For example, an unbalanced combination of push/pop operations in a function may cause a stack overflow, which may overwrite useful data in memory. An exploit of the system (an attack) can also be carried out through different levels of memory access. An example of such an attack is the Stuxnet computer worm (60 Minutes report).

Before we examine how access to the system memory can cause problems for an application, let's first review the memory layout of our microcontroller (LPC1768).

[Memory layout figure] From Fig. 3 in the LPC17xx User manual, NXP Semiconductors, 2010.
The flash memory section of the microcontroller contains the instructions (code) for the application. Access to this part of the memory system is generally limited to read-only (RO). The data memory portion (SRAM) of the microcontroller allows read and write access from the user application. The potential problem is that malicious code can be embedded into data memory and, once activated, can take control of the application.

For example, let's consider the simple program shown below. Whenever function f1 is called, the first thing it does is push the return address (PUSH {LR}) onto the memory stack, because it calls function f2. Once f2 has returned, the address is popped from the stack into the PC to return to the main function. Assume that the functions are allocated in memory as shown below.

Code memory
  Addresses:    0x00000166, 0x00000168, 0x0000016A, 0x0000016E, 0x00000172, 0x00000176, 0x0000017A
  Instructions: F2: --, BX LR; F1: PUSH {LR}, --, BL F2, POP {PC}; MAIN: BL F1, B main

Data memory
  Addresses:    0x10000268, 0x10000264, 0x10000260, 0x10000178, 0x1000017C
  Contents:     Loop: B Loop; SP (stack pointer marker)
Let's say that someone with malicious intent was able to place program code in the data memory at location 0x10000178 (just a loop operation for illustration). If this person can also modify the return address on the stack to point to his program (i.e., replace 0x0000017B with 0x10000179 at location 0x10000264 of the stack), then he will have control of the application. An illustration of this example is shown below.

[Figure panels: "Normal operation" and "Data memory holds executable code"]

This program will never return to the original functions (main, f1, or f2).
The MPU can be used to block the execution of code from data memory (raising a memory fault), which prevents the problem discussed above.

3. LPC1768 MPU

Control of the MPU is done via four main registers:

MPU Control Register (CTRL)
Bit 0: 0 = MPU disabled, 1 = MPU enabled.

MPU Region Number Register (RNR)
From Table 680 in the LPC17xx User manual, NXP Semiconductors, 2010.
From Table 683 in the LPC17xx User manual, NXP Semiconductors, 2010.

The MPU supports 8 different user-defined regions, and each can be configured differently. Generally, a program writes the region number to the RNR register before configuring the region via the RBAR and RASR registers.

MPU Region Base Address Register (RBAR)
From Table 684 in the LPC17xx User manual, NXP Semiconductors, 2010.
Note: N = log2(region size in bytes)
MPU Region Attribute and Size Register (RASR)

Region size:
From Table 685 in the LPC17xx User manual, NXP Semiconductors, 2010.
From Table 686 in the LPC17xx User manual, NXP Semiconductors, 2010.

Region attributes:
From Table 687 in the LPC17xx User manual, NXP Semiconductors, 2010.
From Table 689 in the LPC17xx User manual, NXP Semiconductors, 2010.

Typical configuration for the MPU of an LPC1768 microcontroller:

Region No.  Memory           Size    Base Address  Type    Access Permission
0           Flash            512 KB  0x00000000    Normal  Full RO
1           SRAM             32 KB   0x10000000    Normal  Full RW
2           AHB SRAM         32 KB   0x2007C000    Normal  Full RW
3           GPIO             16 KB   0x2009C000    Device  Full RW
4           APB Peripherals  512 KB  0x40000000    Device  Full RW
5           AHB Peripherals  2 MB    0x40000000    Device  Full RW

Based on Setting Up the Cortex-M3/M4 (ARMv7-M) Memory Protection Unit (MPU), Feabhas, 2013.
Exercise: Configure region 1 from the table above (SRAM: 0x10000000 to 0x10007FFF) with the following attributes:

- No executable code allowed (instruction fetches disabled)
- Normal memory type, non-shareable (can only be accessed by one bus), and non-cacheable (or bufferable)
- Full access permissions
- No sub-regions

Setup steps:

Step 1: Disable the MPU first
  CTRL register = 0x0

Step 2: Select region 1
  RNR register = 0x1

Step 3: Set the base address for region 1
  RBAR register = 0x10000000

Step 4: Set the region attributes and size
  XN = 0b1 (instruction fetches disabled)
  AP = 0b011 (full access)
  TEX = 0b001, S = 0b0, C = 0b0, B = 0b0 (Normal memory type, non-shareable, non-cacheable)
  SRD = 0b00000000 (no sub-regions)
  Size = 0b01110 (32 KB)
  Enable = 0b1

  So, RASR register = 0b00010011000010000000000000011101 = 0x1308001D
  (fields, from most to least significant: XN, AP, TEX/S/C/B, SRD, SIZE, ENABLE)

Step 5: Enable the MPU
  CTRL register = 0x1

4. References

[1]. Joseph Yiu, The Definitive Guide to ARM Cortex-M3 and Cortex-M4 Processors, Elsevier, 3rd ed., 2014.
[2]. Jonathan Valvano, Introduction to ARM Cortex-M Microcontroller, 4th ed., 2013.
[3]. ARMv7-M Architecture Reference Manual, ARM Limited, 2010.
[4]. LPC17xx User manual, NXP Semiconductors, 2010.
[5]. Cortex-M3 Technical Reference Manual, ARM Limited, 2010.
[6]. Patrick Vincent and Agur Adams, EC310 Notes, USNA, 2014.
[7]. Setting Up the Cortex-M3/M4 (ARMv7-M) Memory Protection Unit (MPU), Feabhas, 2013.
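
The five setup steps of the exercise in section 3, written in C together with the ARMv7-M rule that a region's base address must be a multiple of its size; this is an added example, not part of the original lesson. The type and function names are hypothetical, the register block is passed in as a pointer so the same code runs on a host, and the attribute values given to the table's region 2 are assumed.

```c
#include <stdint.h>
#include <stdio.h>

/* Cortex-M3 MPU register block (ARMv7-M); on the target it sits at 0xE000ED90. */
typedef struct { volatile uint32_t TYPE, CTRL, RNR, RBAR, RASR; } mpu_regs_t;

/* One region (hypothetical descriptor); size_log2 = log2(region size in bytes). */
typedef struct { uint32_t base; unsigned size_log2, xn, ap, tex, s, c, b, srd; } mpu_region_t;

/* Pack RASR: XN[28] AP[26:24] TEX[21:19] S[18] C[17] B[16] SRD[15:8] SIZE[5:1] ENABLE[0]. */
uint32_t mpu_rasr(const mpu_region_t *r)
{
    return ((uint32_t)(r->xn & 1u) << 28) | ((uint32_t)(r->ap & 7u) << 24) |
           ((uint32_t)(r->tex & 7u) << 19) | ((uint32_t)(r->s & 1u) << 18) |
           ((uint32_t)(r->c & 1u) << 17) | ((uint32_t)(r->b & 1u) << 16) |
           ((uint32_t)(r->srd & 0xFFu) << 8) |
           ((uint32_t)((r->size_log2 - 1u) & 0x1Fu) << 1) | 1u;
}

/* A region is 32 bytes to 4 GB and its base must be a multiple of its size. */
int mpu_region_valid(const mpu_region_t *r)
{
    if (r->size_log2 < 5u || r->size_log2 > 32u) return 0;
    if (r->size_log2 == 32u) return r->base == 0u;
    return (r->base & ((1u << r->size_log2) - 1u)) == 0u;
}

/* Steps 1-5 of the exercise. Returns 0 on success, -1 if the region is rejected. */
int mpu_apply(mpu_regs_t *mpu, unsigned number, const mpu_region_t *r)
{
    if (number > 7u || !mpu_region_valid(r)) return -1;
    mpu->CTRL = 0x0;           /* step 1: disable the MPU */
    mpu->RNR  = number;        /* step 2: select the region */
    mpu->RBAR = r->base;       /* step 3: base address */
    mpu->RASR = mpu_rasr(r);   /* step 4: attributes, size, enable */
    mpu->CTRL = 0x1;           /* step 5: enable; on hardware follow with DSB and ISB */
    return 0;
}

int main(void)
{
    mpu_regs_t fake = {0};     /* host stand-in for the register block */
    mpu_region_t sram = { 0x10000000u, 15, 1, 3, 1, 0, 0, 0, 0 };  /* exercise region 1 */
    mpu_region_t ahb  = { 0x2007C000u, 15, 1, 3, 1, 0, 0, 0, 0 };  /* table region 2, attributes assumed */
    int rc = mpu_apply(&fake, 1, &sram);
    printf("region 1: rc=%d RASR=0x%08lX\n", rc, (unsigned long)fake.RASR);
    printf("region 2: rc=%d\n", mpu_apply(&fake, 2, &ahb));
    return 0;
}
```

With CTRL = 0x1 the PRIVDEFENA bit is clear, so on hardware every address the program touches, flash included, must lie in an enabled region before step 5 runs. The check rejects the table's region 2 as listed, because 0x2007C000 is not a multiple of 32 KB.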