FreeRTOS MPU behavior and threat model
Hello,
I’ve been struggling to understand the FreeRTOS-MPU port’s threat model, as documented and as developed. I am referring to a few points that are seemingly exclusive:
- All MPU-ported FreeRTOS functions first raise the privilege of the calling task, then call the actual function, then revert their privilege back to what it was.
- The following line from the MPU docs: “A Privileged mode task can call portSWITCHTOUSER_MODE() to set itself into User mode. A task that is running in User mode cannot set itself into Privileged mode.”
I don’t think it is possible to stop a task calling SVC, which will automatically set it into privileged mode. All you could do then is have the kernel check if it is a privileged task before you let it do anything else, returning it to user mode if necessary. Is that the extra logic you mention?
Yep, the idea was to add a check in the ‘raise privilege’ handler to either limit the conditions under which a task can increase privileges, or to make sure that the lr register points inside the privileged_functions section.
On another note, I’m not sure what the sentence in the docs was referring to (can only drop privileges, not raise them). I guess it implied that only with code that doesn’t call a svc routine can you not increase your privileges.
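A host-runnable model of the wrapper pattern and of the return-address check proposed above, added here as an illustration rather than taken from the FreeRTOS port: the SVC, the privilege bit and the privileged_functions section bounds are all simulated with constructed values, and the function names are assumptions.

```c
/* Constructed model of the FreeRTOS-MPU "raise, call, revert" wrapper and of
 * a return-address check in the raise-privilege handler. Not the port's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated CPU state: true = privileged, false = user mode. */
static bool privileged = false;

/* Constructed stand-ins for the linker symbols that would bound the
 * privileged_functions section in a real MPU build. */
static const uintptr_t priv_start = 0x08001000u;
static const uintptr_t priv_end   = 0x08002000u;

bool is_privileged(void) { return privileged; }

/* The check from the thread: only grant the raise when the caller's return
 * address (lr on Cortex-M) lies inside the privileged_functions section. */
bool svc_raise_allowed(uintptr_t lr)
{
    return lr >= priv_start && lr < priv_end;
}

/* Simulated raise-privilege SVC: returns the prior state so that the
 * wrapper can restore exactly what the task had before the call. */
bool raise_privilege(uintptr_t lr)
{
    bool was_privileged = privileged;
    if (svc_raise_allowed(lr)) privileged = true;
    return was_privileged;
}

/* Revert only if the task was not already privileged before the call. */
void reset_privilege(bool was_privileged)
{
    if (!was_privileged) privileged = false;
}

/* Constructed stand-in for a kernel function behind an MPU_ wrapper. */
int real_kernel_fn(void) { return 42; }

/* Shape of an MPU_ wrapper: raise, call the real function, revert.
 * Returns -1 when the raise was refused and the task stayed in user mode. */
int mpu_wrapped_call(uintptr_t caller_lr, int (*real_fn)(void))
{
    bool was = raise_privilege(caller_lr);
    int result = privileged ? real_fn() : -1;
    reset_privilege(was);
    return result;
}
```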
The idea was to provide a method for a task to transition itself from being privileged to unprivileged, which is safe, but not the reverse (other than when legitimately calling an API function), which would not be safe.
It is sometimes easier to create a task with full privileges, then once the task has done whatever it needs at start up, to drop to its run-time state of being unprivileged. It is purely a convenience thing.
Regards.