Memory protection
SPDX-License-Identifier: Apache-2.0
The Zephyr RTOS shall support memory protection features to isolate a thread's memory region.
As a Zephyr RTOS user I want memory to be allocated and protected for my application threads, preventing mistaken access to foreign memory as far as the hardware allows.
The Zephyr RTOS shall provide a mechanism to grant user threads access to kernel objects.
As a Zephyr RTOS user I want, from user space, to be granted access to kernel objects under certain conditions.
The Zephyr RTOS shall be able to differentiate between user threads and kernel threads for memory access.
As a Zephyr RTOS user I want, from kernel space, unconditional access to kernel objects.
The Zephyr RTOS shall have a defined behaviour when an invocation of an unimplemented system call is made.
As a Zephyr RTOS user I want Zephyr OS to indicate any unimplemented system call by an appropriate error message.
The Zephyr RTOS shall have a defined behaviour when an invalid system call ID is used.
As a Zephyr RTOS user I want Zephyr OS to indicate an invalid system call by an appropriate error message.
The Zephyr RTOS shall prevent user threads from creating new threads that are higher priority than the caller.
The Zephyr RTOS shall support revoking permission to a kernel object. User mode threads may only revoke their own access to an object.
As a Zephyr RTOS user I want to be protected against other user threads changing access to kernel objects of my thread.
The Zephyr RTOS shall prevent user threads from creating kernel threads.
As a Zephyr RTOS user I want to be protected against user threads creating higher privileged kernel/supervisor threads.
The Zephyr RTOS shall allow the creation of threads that run in reduced privilege level.
As a Zephyr RTOS user I want to be able to create lower privileged threads than my own.
The Zephyr RTOS shall provide system calls to allow user mode threads to perform privileged operations.
As a Zephyr RTOS user I want to be able to perform privileged operations in kernel mode through a well-defined interface.
The Zephyr RTOS shall support a defined mechanism for user mode handling of a detected stack overflow.
As a Zephyr RTOS user I want, when a stack overflow is detected, to be able to implement a graceful, application-defined handling of the exception.
The Zephyr RTOS shall support detection of stack overflows.
As a Zephyr RTOS user I want to get an indication when a stack overflow occurs, at least during debugging and the development phase, and for safety applications also in the release version of my application.
The Zephyr RTOS shall support configurable access to memory during boot time.
The Zephyr RTOS shall provide helper functions for system call handler functions to validate the inputs passed in from user mode before invoking the implementation function to protect the kernel.
As a Zephyr RTOS user I want Zephyr OS to validate system call parameters passed from user mode to kernel mode to avoid crashes and undefined behaviour.
The Zephyr RTOS shall enable system calls to safely accept C strings passed in from user mode.
As a Zephyr RTOS user I want Zephyr OS to validate system call string-type parameters passed from user mode to kernel mode to avoid crashes and undefined behaviour.
e.g.
- verify the string length is smaller than or equal to the syscall's defined maximum.
- verify that the length type does not overflow when allocating one more byte (for the terminator) ???
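The checks the two bullets call for, worked through as an added example (this is not Zephyr's own string-copy implementation; the `user_region` range test is a constructed stand-in for the MPU/MMU fault path, and the sample buffers are constructed):

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Memory a user thread may read; on hardware the MPU/MMU fault path replaces
 * this range test. Constructed model for the example, not Zephyr code. */
struct user_region { const char *base; size_t len; };
/* Bounded NUL scan that validates each byte before touching it. Returns the
 * length, or `window` if no NUL was found; -EFAULT if a byte is not readable. */
static size_t user_string_nlen(const struct user_region *r, const char *s,
                               size_t window, int *err)
{
    uintptr_t base = (uintptr_t)r->base;
    *err = 0;
    for (size_t i = 0; i < window; i++) {
        uintptr_t a = (uintptr_t)(s + i);
        if (a < base || a - base >= r->len) { *err = -EFAULT; return 0; }
        if (s[i] == '\0') return i;
    }
    return window;
}
/* Copy a user C string of at most `maxlen` characters (terminator excluded)
 * into a new kernel buffer: length bound, readability, no wrap on the +1 byte. */
static char *user_string_alloc_copy(const struct user_region *r,
                                    const char *src, size_t maxlen, int *err)
{
    if (maxlen == SIZE_MAX) { *err = -EINVAL; return NULL; } /* maxlen+1 wraps */
    size_t window = maxlen + 1;             /* characters plus terminator */
    size_t len = user_string_nlen(r, src, window, err);
    if (*err) return NULL;
    if (len == window) { *err = -EINVAL; return NULL; }     /* too long */
    char *dst = malloc(len + 1);            /* len <= maxlen, cannot wrap */
    if (!dst) { *err = -ENOMEM; return NULL; }
    memcpy(dst, src, len + 1);              /* bytes 0..len were verified */
    return dst;
}
/* Constructed sample: "hello" plus two unterminated bytes, and a kernel buffer. */
static char user_buf[8] = { 'h', 'e', 'l', 'l', 'o', '\0', 'x', 'y' };
static char kernel_secret[] = "secret";
static const struct user_region user_mem = { user_buf, sizeof(user_buf) };
/* Returns 0 if the copy succeeds and equals `expect`, else the error code. */
static int try_copy(const char *src, size_t maxlen, const char *expect)
{
    int err = 0;
    char *s = user_string_alloc_copy(&user_mem, src, maxlen, &err);
    if (s == NULL) return err;
    int ok = strcmp(s, expect) == 0;
    free(s);
    return ok ? 0 : -EIO;
}
```

A string that runs past the user region, a kernel address handed in as `src`, and a `maxlen` whose `+1` would wrap are each rejected before any byte is copied.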
The Zephyr RTOS shall track kernel objects that are used by user mode threads.
Note: this means Zephyr shall track the resources used by the user mode thread (associate this with a user story).
The Zephyr RTOS shall have an interface to request access to specific memory after initial allocation.
As a Zephyr RTOS user I want to be able to request read-only or read-write access to a dedicated memory area/pool during runtime.
The Zephyr RTOS shall support assigning a memory pool to act as that thread's resource pool.
As a Zephyr RTOS user I want to be able, during runtime from the kernel, to request a memory area/pool which is exclusively available to the requesting thread protected against access from other threads.