MPU Protection Sets

User19909
Hello,

Can someone explain to me what protection sets are and what they are useful for? I understand they are a group of access rights for tasks and so on, but how do they work? Can someone explain a use case showing how they are useful during context switching, and what the difference would be if they didn't exist?
0 Likes
8 Replies
NeMa_4793301
The CPU Memory Protection Unit is used to enforce freedom from interference between software components.

I find it helpful to think of a secure building, where each employee (task) is given one of six different types of badges. Each type of badge specifies a different subset of rooms (memory ranges) that the employee is allowed to access.

If you can fit your application into just six different "badges" (or protection sets), the operating system only needs to switch PSW.PRS, so context switching is very fast.

If your application needs more than six protection sets, the OS has to reload all of the MPU registers, which makes context switching much slower.

If you don't need to enforce Freedom From Interference, you don't need to use the MPU. There is no speed penalty for enabling the MPU.

There's also Safety Memory Protection to consider, which can protect each CPU's local memory from read or write access by other bus masters: i.e., other CPUs, DMA, Ethernet, or the HSM.
0 Likes
cwunder
You should consider the MPU as part of your Memory Protection System. You have to understand that each CPU can operate with three different I/O privilege levels. There is a BUS-MPU for access between other CPUs (think of PSPR, DSPR, DAM, and LMU); in addition, most resources have an access protection register that restricts which master has write access to it.

Basically you want to restrict the rights for tasks for both data operations and code execution ranges and get a notification upon a violation.

Have a look at Wikipedia; you will find this:
MPU monitors transactions, including instruction fetches and data accesses from the processor, which can trigger a fault exception when an access violation is detected. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself.
0 Likes
nsyed
What is the common strategy for defining protection sets? Any thoughts?

I can think of partitioning between
- QM SWC vs ASIL-SWC
- Higher ASIL-SWC vs lower ASIL-SWC? (Ex: ASIL-C SWC vs ASIL-B SWC)

Does this make sense? Does anything else need to be considered?
0 Likes
NeMa_4793301
At the end of the day, Infineon just makes the AURIX - those details are up to your application 🙂

For further guidance, see ISO 26262-6:2018 and ISO 26262-9:2018. Separating software elements by ASIL is a good start, and the standard gives you much more to think about.
0 Likes
User19909
UC_wrangler wrote:
The CPU Memory Protection Unit is used to enforce freedom from interference between software components.

If your application needs more than six protection sets, the OS has to reload all of the MPU registers, which makes context switching much slower.


So what you mean here is that, for example, the MPU registers are distributed amongst the protection sets? So if the regions are statically configured, then for example 18 regions in the case of the data MPU fit in.
Then, for example, registers 0-9 are for PS0 and 10-19 for PS2 (just a dummy example for numbers). Or if not, then how is the context switching done when switching between protection sets? How does the OS figure out that protection set 0 has access to those addresses?
Because all we have in the end are some MPU registers with start and end addresses.
0 Likes
NeMa_4793301
TC37xx wrote:
So what you mean here is that, for example, the MPU registers are distributed amongst the protection sets? So if the regions are statically configured, then for example 18 regions in the case of the data MPU fit in.
Then, for example, registers 0-9 are for PS0 and 10-19 for PS2 (just a dummy example for numbers). Or if not, then how is the context switching done when switching between protection sets? How does the OS figure out that protection set 0 has access to those addresses?
Because all we have in the end are some MPU registers with start and end addresses.

See TriCore_TC162P_core_architecture_vol_1_of_2.pdf, Chapter 10 for details:
- There are 18 data ranges (DPRx) and 10 code ranges (CPRx)
- The six sets of protection set registers (CPXE, DPRE, DPWE) are a bitmask of which code or data ranges are active in each protection set

For the fastest context switching, you set the protection ranges (DPRx, CPRx) and the protection sets (CPXEx, DPREx, DPWEx) once, and then the OS just sets PSW.PRS to specify which set is active.

But many operating systems are lazy, and just swap all of the MPU registers. That takes a lot longer.
0 Likes
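The mechanism described in the post above, as a host-side C model (an added example, not code from the thread or from Infineon): the ranges are programmed once, each set's read and write enable masks select among them, and a context switch only changes the active set. The addresses, the three-task layout and all function names are constructed, and the check `lower <= addr < upper` is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>

#define NUM_DPR  18  /* data ranges (DPRx), per the post above */
#define NUM_SETS 6   /* protection sets selectable through PSW.PRS */

typedef struct { uint32_t lower, upper; } range_t;  /* models DPRx_L / DPRx_U */

typedef struct {
    range_t  dpr[NUM_DPR];    /* one pool of ranges shared by all sets */
    uint32_t dpre[NUM_SETS];  /* bit n set: range n is readable in this set */
    uint32_t dpwe[NUM_SETS];  /* bit n set: range n is writable in this set */
    unsigned prs;             /* models PSW.PRS, the active protection set */
} mpu_model_t;

/* Model assumption: a range covers lower <= addr < upper. */
static bool data_access_ok(const mpu_model_t *m, uint32_t addr, bool write)
{
    uint32_t enable = write ? m->dpwe[m->prs] : m->dpre[m->prs];
    for (unsigned n = 0; n < NUM_DPR; n++)  /* bits 18..31 select nothing */
        if (((enable >> n) & 1u) && addr >= m->dpr[n].lower && addr < m->dpr[n].upper)
            return true;
    return false;  /* no enabled range matches: real hardware would trap */
}

/* One-time setup with constructed addresses; nothing here changes per task. */
static void mpu_setup(mpu_model_t *m)
{
    *m = (mpu_model_t){0};
    m->dpr[0] = (range_t){0x70000000u, 0x70001000u};  /* shared calibration data */
    m->dpr[1] = (range_t){0x70001000u, 0x70002000u};  /* QM task data */
    m->dpr[2] = (range_t){0x70002000u, 0x70003000u};  /* ASIL task data */
    m->dpre[0] = 0x7u; m->dpwe[0] = 0x7u;  /* set 0, OS: all three ranges */
    m->dpre[1] = 0x3u; m->dpwe[1] = 0x2u;  /* set 1, QM: read 0+1, write 1 */
    m->dpre[2] = 0x5u; m->dpwe[2] = 0x4u;  /* set 2, ASIL: read 0+2, write 2 */
}

/* Fast-path context switch: only the active set number changes. */
static void switch_to(mpu_model_t *m, unsigned set) { m->prs = set % NUM_SETS; }

int main(void)
{
    mpu_model_t m;
    mpu_setup(&m);
    switch_to(&m, 1);                                   /* QM task runs */
    bool qm_hits_asil = data_access_ok(&m, 0x70002800u, true);
    switch_to(&m, 2);                                   /* ASIL task runs */
    bool asil_own = data_access_ok(&m, 0x70002800u, true);
    return (!qm_hits_asil && asil_own) ? 0 : 1;
}
```

The same address is rejected or accepted depending only on the active set, which is why the fast path needs no range register reloads as long as the application fits into the six sets.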
User19909
UC_wrangler wrote:
See TriCore_TC162P_core_architecture_vol_1_of_2.pdf, Chapter 10 for details:
- There are 18 data ranges (DPRx) and 10 code ranges (CPRx)
- The six sets of protection set registers (CPXE, DPRE, DPWE) are a bitmask of which code or data ranges are active in each protection set

For the fastest context switching, you set the protection ranges (DPRx, CPRx) and the protection sets (CPXEx, DPREx, DPWEx) once, and then the OS just sets PSW.PRS to specify which set is active.

But many operating systems are lazy, and just swap all of the MPU registers. That takes a lot longer.


Aha, yeah, understood that part. Thanks!

Last questions: why are there 32 registers for data/code protection ranges? Where does the 32 come from? And are there multiple instances of these ranges and set enable registers for other cores? If not, then how would different MPUs on different cores handle the same protection sets for different cores?
0 Likes
NeMa_4793301
There could be 32, because the CPXE/DPRE/DPWE registers are 32 bits - but the actual number of data range registers is 18 (DPR0..17_L / DPR0..17_U), and 10 for code range registers (CPR0..9_L / CPR0..9_U).

Each CPU has its own set of MPU and Safety Protection registers.
0 Likes