Enable PMP for memory isolation #32
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jserv
reviewed
Oct 29, 2025
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
d2552a5 to
319ba96
Compare
jserv
reviewed
Oct 31, 2025
Contributor
jserv
left a comment
jserv
left a comment
There was a problem hiding this comment.
Use unified "flexpage" notation.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
e264a35 to
4a62d5b
Compare
Collaborator
Author
Got it! Thanks for the correction and the L4 X.2 reference. |
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
5 times, most recently
from
109259d to
f6c3912
Compare
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
2 times, most recently
from
2644558 to
1bb5fcf
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
6 times, most recently
from
904e972 to
ed800fc
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
6 times, most recently
from
0d55f21 to
865a5d6
Compare
Collaborator
Author
Finished. And I removed the M-mode fault-handling commits, as they are not aligned with the upcoming work. |
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
865a5d6 to
7e3992e
Compare
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
5 times, most recently
from
f1422f7 to
5fa0716
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
5fa0716 to
337fdb6
Compare
This comment was marked as resolved.
This comment was marked as resolved.
jserv
reviewed
Jan 30, 2026
jserv
reviewed
Jan 30, 2026
jserv
reviewed
Jan 30, 2026
jserv
reviewed
Jan 30, 2026
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Establish the complete PMP infrastructure to support hardware-enforced memory isolation. This implementation spans the driver layer, hardware abstraction, and region lifecycle management. Introduce `flexpages` to represent contiguous physical regions with protection attributes, and `memory_spaces` to group them into per-task protection domains. These abstractions decouple high-level memory policies from low-level hardware constraints. Address the RISC-V immediate value limitation for CSR instructions by implementing a runtime-indexed access mechanism. A switch-case dispatch system maps dynamic indices to static `pmpcfg` and `pmpaddr` instructions, enabling iterative configuration of PMP entries. All regions use TOR (Top-of-Range) mode to support arbitrary address alignment. Implement a driver stack that maintains a centralized shadow configuration to mirror hardware state. This serves as the single source of truth for PMP operations, supporting atomic updates and dynamic region allocation. The region management API handles the validation, locking, and eviction of entries, while kernel memory pools are automatically secured at boot using linker symbols (Text: RX, Data: RW).
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
337fdb6 to
18841ee
Compare
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
18841ee to
7b02e82
Compare
Memory protection requires dynamic reconfiguration when switching between tasks. Each task receives a dedicated memory space with its stack registered as a protected flexpage. During context switches, the scheduler evicts the outgoing task's regions from hardware slots and loads the incoming task's regions, while kernel regions remain locked across all transitions. Kernel text, data, and BSS regions are configured at boot and protected from eviction. User mode tasks operate in isolated memory domains where they cannot access kernel memory or other tasks' stacks. Nested trap handling is required for correct U-mode operation. When a user mode syscall triggers a yield, the resulting nested trap must not corrupt the outer trap's context. Trap nesting depth tracking ensures only the outermost trap performs context switch restoration, and yield from trap context invokes the scheduler directly without additional trap nesting. A test validates mixed-privilege context switching by spawning M-mode and U-mode tasks that continuously yield, verifying correct operation across privilege boundaries.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
7b02e82 to
18485e7
Compare
Hardware PMP entries are limited resources, restricting the number of simultaneous memory mappings. Additionally, unrecoverable access faults currently panic the kernel, which compromises system availability during multitasking. Address the hardware implementation limit by loading memory regions dynamically. When a task accesses a valid region not present in hardware, the fault handler evicts a lower-priority entry to map the required flexpage on demand. This decouples the number of task memory regions from the physical PMP slot count. Improve system stability by terminating tasks that trigger unrecoverable faults. Instead of halting the entire system, the fault handler marks the task as a zombie and signals the scheduler to maximize resource reclamation. This ensures that isolation violations affect only the faulting process.
Provides comprehensive documentation covering memory abstraction, context switching, and fault handling for the PMP implementation. The test application validates three core isolation guarantees. Tasks verify stack integrity across context switches using guard values. Destructive tests validate kernel memory protection and inter-task isolation by attempting unauthorized accesses that trigger fault handling and task termination. CI scripts are modified to recognize expected output results. Synchronization timing in mutex tests is adjusted to accommodate context switch overhead from PMP configuration.
HeatCrab
force-pushed
the
pmp/memory-isolation
branch
from
18485e7 to
e34fac0
Compare
Contributor
|
Thank @HeatCrab for contributing! |
25 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements PMP (Physical Memory Protection) support for RISC-V to enable hardware-enforced memory isolation in Linmo, addressing #30.
Currently Phase 1 (infrastructure) is complete. This branch will continue development through the remaining phases. Phase 1 adds the foundational structures and declarations: PMP hardware layer in arch/riscv with CSR definitions and region management structures, architecture-independent memory abstractions (flex pages, address spaces, memory pools), kernel memory pool declarations from linker symbols, and TCB extension for address space linkage.
The actual PMP operations including region configuration, CSR manipulation, and context switching integration are not yet implemented.
TOR mode is used for its flexibility with arbitrary address ranges without alignment constraints, simplifying region management for task stacks of varying sizes. Priority-based eviction allows the system to manage competing demands when the 16 hardware regions are exhausted, ensuring critical kernel and stack regions remain protected while allowing temporary mappings to be reclaimed as needed.
Summary by cubic
Enables RISC-V PMP for hardware memory isolation (#30). Uses TOR mode with boot-time kernel protection, trap-time flexpage loading, per-task context switching, and U-mode kernel stack isolation via mscratch; unrecoverable access faults terminate the task instead of panicking.
Written for commit e34fac0. Summary will update on new commits.