Fortifying Your Embedded System: Can a Memory Protection Unit Shield RAM from ROM Instructions?

Key Highlights:

MPUs are designed to control memory access: They define regions with specific permissions, preventing unauthorized read, write, or execute operations.
MPUs can restrict ROM instruction effects on RAM: By configuring MPU regions, you can prevent instructions executed from ROM from writing to specific RAM areas.
Understanding MPU configuration is crucial: Setting up the MPU involves defining regions, setting access permissions, and enabling the MPU to enforce these rules.

Understanding the Cortex-M4 Memory Protection Unit (MPU)

The Memory Protection Unit (MPU) is a hardware component present in many ARM Cortex-M processors, including the Cortex-M4. It's designed to enhance the reliability and security of embedded systems by providing memory access control. An MPU allows you to divide the memory map into distinct regions and assign specific access permissions to each region. This capability is crucial for preventing unintended memory corruption and enforcing privilege separation.

How the MPU Works

The MPU operates by defining memory regions with associated attributes. These attributes dictate what type of access is permitted (read, write, execute) and the privilege level required to perform the access (privileged or unprivileged). When the CPU attempts to access a memory location, the MPU checks if the access is allowed based on the region's attributes. If the access violates the defined permissions, the MPU triggers a fault, such as a Memory Management Fault (MMF).

MPU Registers

The MPU is configured through a set of registers that define the memory regions and their attributes. Key registers include:

MPU_RNR (MPU Region Number Register): Selects the region to be configured.
MPU_RBAR (MPU Region Base Address Register): Sets the starting address of the region.
MPU_RASR (MPU Region Attribute and Size Register): Defines the size, access permissions, and other attributes of the region.
MPU_CTRL (MPU Control Register): Enables the MPU and configures its overall behavior.

Preventing ROM Instructions from Modifying RAM

Yes, it is possible to configure the MPU on a Cortex-M4 to prevent instructions executed from a specific region of ROM from writing to a specific region of RAM. This involves setting up MPU regions with appropriate access permissions.

Configuration Steps

Define the ROM Region: Create an MPU region that corresponds to the specific area of ROM from which instructions are being executed. Configure this region with execute-only permissions and disallow write access.
Define the RAM Region: Create another MPU region that corresponds to the specific area of RAM you want to protect. Configure this region to allow read and write access only for privileged code, or disallow write access altogether for unprivileged code, depending on your security requirements.
Enable the MPU: Enable the MPU in the MPU_CTRL register to enforce the defined memory access permissions.

Example Scenario

Let's say you have a section of ROM at address 0x08000000 and you want to prevent any instructions executed from this ROM from writing to a section of RAM at address 0x20000000.

Configure ROM Region:
- MPU_RNR = 0 (Select Region 0)
- MPU_RBAR = 0x08000000 (Base address of ROM)
- MPU_RASR = (Enable | Size | Execute-Only | No Write)
Configure RAM Region:
- MPU_RNR = 1 (Select Region 1)
- MPU_RBAR = 0x20000000 (Base address of RAM)
- MPU_RASR = (Enable | Size | Read-Write | Privileged Access)
Enable MPU:
- MPU_CTRL = (Enable)

With this configuration, any attempt by code executing from the ROM region (0x08000000) to write to the RAM region (0x20000000) will trigger an MPU fault, preventing the write operation and potentially halting the system or triggering an error handler.

MPU Configuration Considerations

Configuring the MPU correctly is crucial for ensuring the desired level of memory protection without hindering legitimate memory accesses. Here are some important considerations:

Region Overlap and Priority

If memory regions overlap, the MPU uses a priority scheme to determine which region's attributes apply. Typically, the region with the highest number takes precedence. This allows you to create exceptions to broader memory protection rules.

If the same memory range is covered in multiple MPU regions, the configuration in the highest REGION number will be applied. For example, if REGION 0 turns off access to the first 32kB of RAM for Unprivileged mode but REGION 1 makes the same RAM region read-only, REGION 1 settings will take precedence.

Privilege Levels

The Cortex-M4 supports privileged and unprivileged execution modes. Privileged code (e.g., the operating system kernel) has unrestricted access to all memory regions, while unprivileged code (e.g., user applications) is subject to the MPU's access control rules. You can configure MPU regions to allow or deny access based on the current privilege level.

Subregions

Some MPU implementations allow you to divide a region into subregions, each with its own access permissions. This provides finer-grained control over memory access. The number of definable regions varies based on implementation. The MPU in Arm® Cortex®-M4/M7 and M0+ CPU in TRAVEOTM T2G supports up to 8 programmable regions and each region defined can further be divided into 8 equal subregions. This increases the granularity of the implemented protection.

Fault Handling

When the MPU detects a memory access violation, it triggers a fault. You should implement a fault handler to catch these exceptions and take appropriate action, such as logging the error, terminating the offending task, or resetting the system. Examples of MPU faults include:

Data Access Violation: Attempting to read or write data from a region without the necessary permissions.
Instruction Access Violation: Attempting to execute code from a region without execute permissions.

Benefits of Using an MPU

Implementing an MPU provides several benefits for embedded systems:

Enhanced Security

The MPU helps protect against malicious attacks by preventing unauthorized code from accessing critical memory regions. By preventing instructions executed from ROM from writing to specific RAM areas, the MPU adds a layer of defense against code injection attacks or unintended data corruption.

Improved Reliability

By preventing accidental memory overwrites, the MPU can improve the overall reliability of the system. This is particularly important in safety-critical applications where memory corruption can have serious consequences.

Simplified Debugging

MPU faults can help identify memory access errors during development, making it easier to debug and fix software bugs. An MPU exception can be a great hint when you are debugging memory access problems.

Practical Applications of MPU

The MPU is useful in a variety of applications:

Protecting the Operating System Kernel: The MPU can be used to protect the OS kernel from being overwritten by user applications.
Isolating Tasks: In real-time operating systems (RTOS), the MPU can isolate tasks from each other, preventing one task from corrupting the memory of another.
Securing Bootloaders: The MPU can protect the bootloader code from tampering, ensuring a secure boot process.
Implementing Memory Access Control: The MPU can be used to enforce fine-grained memory access control policies, allowing different parts of the system to have different levels of access to memory.

Illustrative Table of MPU Configuration

This table demonstrates how to configure the MPU to prevent ROM instructions from modifying RAM. It provides a simplified example and should be adapted to fit specific system requirements.

Region Number	Base Address	Size	Access Permissions	Description
0	0x08000000 (ROM Start)	32KB	Execute Only, No Write	ROM Region - Instructions are executed from here.
1	0x20000000 (RAM Start)	64KB	Read/Write, Privileged Access Only	RAM Region - Data is stored here, write access restricted.
2	0x40000000 (Peripheral Memory)	16KB	Read/Write	Peripheral Memory - Accessible for read and write.

Visualizing the MPU: Images of Development Boards

Examining development boards that utilize the Cortex-M4 architecture can provide a clearer understanding of how MPUs are implemented in hardware. These boards often come with pre-configured memory regions and example code that demonstrate MPU functionality.

Logsun Systems ARM Cortex M4 STM32F407VET6 Development Board

The images above showcase various STM32F407 development boards, which are popular choices for embedded systems development using the ARM Cortex-M4 processor. These boards typically include features like on-board memory, peripherals, and debugging interfaces, making them ideal for experimenting with MPU configurations. By studying the memory maps and example code provided with these boards, developers can gain practical insights into how to effectively use the MPU to protect memory regions and enhance system security.

Deep Dive into MPU Configuration: A Video Guide

The video "STM32 MPU Config || #1. Need for the Memory Protection Unit" provides a comprehensive guide on configuring the MPU on STM32 microcontrollers, which utilize the ARM Cortex-M architecture. This video is particularly relevant as it delves into the practical aspects of setting up the MPU, including defining memory regions and configuring access permissions. The presenter effectively illustrates the importance of using the MPU to protect memory and enhance the security of embedded systems. By watching this video, developers can gain a deeper understanding of the MPU configuration process and learn how to implement it effectively in their own projects.

Code Example: Configuring MPU Registers in C

This example demonstrates how to configure MPU registers in C for a Cortex-M4 processor. Note that the specific register addresses and bit definitions may vary depending on the microcontroller you are using. Always refer to the manufacturer's documentation for accurate details.


// Define MPU register addresses
#define MPU_CTRL (*((volatile unsigned long*) 0xE000ED94))  // MPU Control Register
#define MPU_RNR (*((volatile unsigned long*) 0xE000ED98))   // MPU Region Number Register
#define MPU_RBAR (*((volatile unsigned long*) 0xE000ED9C))  // MPU Region Base Address Register
#define MPU_RASR (*((volatile unsigned long*) 0xE000EDA0))  // MPU Region Attribute and Size Register

// Define bit masks for MPU_RASR
#define MPU_RASR_ENABLE (1 << 0)    // Region enable bit
#define MPU_RASR_SIZE_8KB (5 << 1)   // 8KB region size
#define MPU_RASR_AP_PRIV_RW (3 << 24) // Privileged read/write access
#define MPU_RASR_XN (1 << 28)         // Execute Never

void configure_mpu() {
    // Disable MPU
    MPU_CTRL = 0;

    // Configure Region 0 (ROM)
    MPU_RNR = 0;
    MPU_RBAR = 0x08000000;                         // ROM base address
    MPU_RASR = MPU_RASR_ENABLE | MPU_RASR_SIZE_8KB | MPU_RASR_XN; // Enable, 8KB, Execute Never

    // Configure Region 1 (RAM)
    MPU_RNR = 1;
    MPU_RBAR = 0x20000000;                               // RAM base address
    MPU_RASR = MPU_RASR_ENABLE | MPU_RASR_SIZE_8KB | MPU_RASR_AP_PRIV_RW; // Enable, 8KB, Privileged read/write

    // Enable MPU
    MPU_CTRL = 1;
}

int main() {
    configure_mpu();

    // Your code here
    return 0;
}