MPU for safety critical application

Not applicable
I have a safety application where safety critical code (and data) and
non-safety functional code (and data) are located on one XMC4500 microcontroller.
I want to divide safety areas and non-safety areas, so that non-safety code
cannot access safety code and data. Can this be done with the MPU of the core? Is that right?

In the reference manual it is documented that when the MPU is active, the memory map
is divided into 8 regions and maybe 1 background region. In Table 2-18 of the Reference Manual
it is shown that each region has an access permission.

Is it useful to assign my regions with safety critical memory as

AP = 001 / privileged: rw / unprivileged: no access / "Access from privileged software only"

and regions with non-safety functional memory as

AP = 011 / privileged: rw / unprivileged: rw / "Full access"
?

When entering (non-safety) functional code I would set nPRIV = Unprivileged in the
CONTROL register, and when entering safety critical code I would set
nPRIV = privileged (via SVC). Is that a possible solution?
How can I implement SVC to go into privileged mode?

But which privilege level is active when an interrupt occurs, for example a
UART receive interrupt? This interrupt can occur at any time, regardless of whether safety code
or non-safety code is being executed. Can code in the interrupt handler access safety critical memory?
How should I proceed when an interrupt occurs?

Is there an example for using the MPU?

Many thanks for your help!

Best,
Torben
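The two region types from the question (AP 001 for safety critical memory, AP 011 for non-safety memory), as an added host-runnable example that is not code from this thread: it encodes ARMv7-M MPU_RBAR/MPU_RASR values with the size and alignment checks the MPU itself does not enforce, and reports what unprivileged (nPRIV = 1) code may do with each region. Addresses and sizes are constructed; the field positions follow the ARMv7-M architecture rather than a specific Infineon header.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ARMv7-M MPU_RASR bit layout (architectural; the XMC4500 PPB_MPU_RASR_* masks encode the same fields) */
#define RASR_ENABLE    (1u << 0)
#define RASR_SIZE_POS  1u          /* bits 5:1, region size in bytes = 2^(SIZE+1) */
#define RASR_AP_POS    24u         /* bits 26:24, access permission */
#define RASR_XN        (1u << 28)  /* execute never */

/* AP encodings discussed in the question (privileged / unprivileged) */
#define AP_PRIV_RW_UNPRIV_NA 1u    /* 001: rw / no access, for safety critical memory */
#define AP_FULL_ACCESS       3u    /* 011: rw / rw, for non-safety functional memory */

/* Encode one region. Returns 0 on success, <0 if size is not a power of two >= 32 B,
 * base is not aligned to size, or ap is reserved/out of range (the hardware would
 * silently mis-decode such values). The region number is written to MPU_RNR, not here. */
int mpu_encode_region(uint32_t base, uint32_t size_bytes, uint32_t ap, bool xn,
                      uint32_t *rbar, uint32_t *rasr)
{
    if (size_bytes < 32u || (size_bytes & (size_bytes - 1u)) != 0u) return -1;
    if ((base & (size_bytes - 1u)) != 0u) return -2;
    if (ap > 7u || ap == 4u) return -3;            /* 100 is reserved in ARMv7-M */
    uint32_t log2 = 0u;
    while ((1u << log2) < size_bytes) log2++;
    *rbar = base;                                  /* VALID=0: region selected via MPU_RNR */
    *rasr = RASR_ENABLE | ((log2 - 1u) << RASR_SIZE_POS) | (ap << RASR_AP_POS) | (xn ? RASR_XN : 0u);
    return 0;
}

/* Convenience wrapper: the RASR word, or 0 (never a valid enabled descriptor) on error. */
uint32_t mpu_rasr_value(uint32_t base, uint32_t size_bytes, uint32_t ap, bool xn)
{
    uint32_t rbar, rasr;
    return mpu_encode_region(base, size_bytes, ap, xn, &rbar, &rasr) == 0 ? rasr : 0u;
}

/* What thread-mode code running with nPRIV=1 may do with a region having this RASR. */
bool mpu_unpriv_can_read(uint32_t rasr)  { uint32_t ap = (rasr >> RASR_AP_POS) & 7u; return ap == 2u || ap == 3u || ap == 6u || ap == 7u; }
bool mpu_unpriv_can_write(uint32_t rasr) { return ((rasr >> RASR_AP_POS) & 7u) == 3u; }

int main(void)
{
    /* Constructed layout: 8 KiB safety data at 0x20000000, 16 KiB non-safety data at 0x20004000 */
    uint32_t safety = mpu_rasr_value(0x20000000u, 8u * 1024u, AP_PRIV_RW_UNPRIV_NA, true);
    uint32_t shared = mpu_rasr_value(0x20004000u, 16u * 1024u, AP_FULL_ACCESS, true);
    printf("safety RASR=0x%08X unpriv read=%d\n", (unsigned)safety, mpu_unpriv_can_read(safety));
    printf("shared RASR=0x%08X unpriv write=%d\n", (unsigned)shared, mpu_unpriv_can_write(shared));
    return 0;
}
```

On Cortex-M, exception handlers always execute privileged (Handler mode), so a UART interrupt handler sees the AP 001 regions as readable and writable no matter which thread-mode code it interrupted; only thread-mode code with nPRIV = 1 is restricted by these encodings.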
Not applicable
Hello Torben,
I have the same problem using the MPU to divide memory into safety critical code and non-safety code.
I am also searching for MPU examples. Have you done some?

best,
Rico
Travis
Employee
Hi all,

I don't know how you guys are going to use it for safety, but the MPU is used for OS platforms, such that each OS task is allocated a protected memory region. To access this memory region the task manager has to unlock the memory region with a password for a particular task. In this way other tasks are not allowed to access this memory region.

At this moment I do not have any example for this MPU application.

BR
Travis
Not applicable
It is an interesting topic. Any news since then?
User12775
Level 5
The MPU has little to do with safety. It is designed for preventing multiple processes from illegally accessing each other's memory space.
The FreeRTOS port for XMC4 has an option to use the MPU.
jferreira
Employee
Hi,

The CPU_CTRL_XMC4 has a tab to configure the MPU.

Regards,
Jesus
User8819
Level 4
Hi,

Here is an example of using the MPU to protect the vector table against write access after it has been relocated to RAM:

#include <stdint.h>
#include "XMC4500.h"   /* CMSIS device header: PPB register block, PPB_MPU_* masks, __DSB()/__ISB() */

/* Linker-script symbol marking the start of the relocated vector table in RAM.
 * Its address (not its contents) is the region base, so it is taken with '&'. */
extern int __vectortableram_start;

#define MPU_RGN_NUMBER_VT 3 /* region number (also its priority among overlapping regions) */
#define MPU_RGN_SIZE_VT   8 /* 512 B = 2^(8+1) */
#define AP_VT             6 /* access permission 110: privileged r / unprivileged r (read-only) */

#define MPU_RBAR_VALUE_VT ((uint32_t)&__vectortableram_start) /* must be aligned to the 512 B region size */
#define MPU_RASR_VALUE_VT ((((uint32_t)MPU_RGN_SIZE_VT << PPB_MPU_RASR_SIZE_Pos) & PPB_MPU_RASR_SIZE_Msk) | \
                           ((uint32_t)PPB_MPU_RASR_S_Msk) | \
                           ((uint32_t)PPB_MPU_RASR_C_Msk) | \
                           (((uint32_t)AP_VT << PPB_MPU_RASR_AP_Pos) & PPB_MPU_RASR_AP_Msk) | \
                           ((uint32_t)PPB_MPU_RASR_ENABLE_Msk))

void SetupMpu(void)
{
    /* select the region, then program its base address and access attributes for the vector table */
    PPB->MPU_RNR  = MPU_RGN_NUMBER_VT;
    PPB->MPU_RBAR = MPU_RBAR_VALUE_VT;
    PPB->MPU_RASR = MPU_RASR_VALUE_VT;

    /* enable the MPU; PRIVDEFENA keeps the default memory map for privileged accesses outside defined regions */
    PPB->MPU_CTRL = (uint32_t)(PPB_MPU_CTRL_ENABLE_Msk | PPB_MPU_CTRL_PRIVDEFENA_Msk);
    __DSB();   /* make sure the register writes complete before continuing */
    __ISB();   /* flush the pipeline so subsequent instructions use the new MPU settings */
}

A write access will then trigger a MemManage fault exception, if the handler is installed.

rum