Study on the performance of μC/OSII based on Cortex-M3 core

introduction

μC/OSII is a priority-based preemptive kernel. All tasks in the system have a unique priority level. It is suitable for applications with strong real-time requirements; however, it does not distinguish between user space and system space, which makes the system security worse. The μC/OSII system ported to the CortexM3 core generally runs at a privileged level, so that the application can also access the variables and constants of the operating system, which makes the system security and stability worse.

According to the characteristics of the CortexM3 core, the security and stability of the μC/OSII operating system are studied. The optional MPU (Memory Protection Unit) on the CortexM3 core is used to make appropriate improvements and optimizations to the μC/OSII operating system. After testing, the security and stability of the system are greatly improved.

1 Development Environment

IAR5.30 is used as the development environment, μC/OSII2.86 is ported to the CortexM3 kernel, and the LPC1786 processor equipped with MPU (Memory Protection Unit) is selected as the hardware experimental platform to improve and optimize the security and stability of the operating system.

2 CortexM3 Core Introduction

There are two stack pointers in the Cortex M3 core*: the main stack pointer (MSP), which is the default stack pointer after the system is powered on. It is used by the OS kernel, exception service routines, and all application code that requires privileged access; the process stack pointer (PSP), which is used for regular application code (when not in an exception service routine).

The Cortex M3 processor supports two operating modes: thread mode and handler mode, with two access levels: privileged level and user level. Exception handling always works in handler mode and can only use the main stack pointer. Handler mode always runs at the privileged level, while thread mode can run at both privileged and user levels. When the system is reset, it is always in the privileged mode of thread mode, and the default stack pointer used is MSP. At user level, access to special function registers and most registers in the system control space (SCS) is prohibited [2].

It has been verified experimentally that when MSR and MRS instructions are used to access special function registers (CONTROL, etc.) at the user level, these instructions are executed as NOP instructions (null instructions), while access to system control space (SCS) registers will produce precise bus access exceptions.

In addition, the CortexM3 core can also be equipped with an MPU (such as the LPC1700 series and LM3S series processors) to protect the memory. Setting access rights for a piece of memory is very helpful for the security of the system.

3 Introduction to μC/OSII Kernel

μC/OSII is a portable, curable, and customizable preemptive real-time multitasking kernel. Most of it is written in ANSI C, with only a small portion of hardware-related code written in assembly language. To date, μC/OSII has been successfully ported to more than 40 microkernel processors with different architectures [4]. The μC/OSII kernel only provides basic functions such as task scheduling, task management, time management, and inter-task communication. The architecture is shown in Figure 1. When porting the system, you only need to modify the three files OS_CPU_C.C, OS_CPU.H, and OS_CPU_A.ASM.

Figure 1 μC/OSII architecture

4 Improvement of μC/OSII Operating System Porting

The μC/OSII system based on the CortexM3 core provided by μC/OSII***** always works at the privileged level. The advantage of this is that the system does not need to switch access levels frequently, and the switch interrupt is very fast, which is conducive to the realization of real-time performance; however, the application (user task) can also access the special function registers and system control space (SCS) registers to modify the variables of the operating system, which is a threat to the security of the system. If the user task program runs away, it may damage the system registers and variables[5].

4.1 System register settings

User applications run at the user level and use the PSP stack pointer; operating system functions run at the privileged level and also use the PSP stack pointer; and interrupt service routines run in the privileged mode of the processing mode and use the MSP stack pointer.

Figure 2 Privileged and user-level partitions

First, the MPU is used to divide the memory into two areas: privileged access and user-level access, as shown in Figure 2. When the system is initialized, the MPU-related registers are set to allocate task stacks and main stacks for the system: the task stack is allocated in the user area, and the system variables and main stack are allocated in the privileged area and can only be accessed at the privileged level.

4.2 Modification of system functions

User tasks work at the user level, while operating system functions work at the privileged level. Tasks may perform context switching when executing system functions, so the system needs to record whether the task is at the privileged level or user level when switching, so that when the task regains control of the processor, it can switch to the original access level. When creating a task, add the access permission parameter mode.

The values ​​of permissions are defined as:

#define OS_Mode_USER 1u //User level
#define OS_Mode_PRIVILEGE 0u //Privileged level
Add access permission parameters to the parameters of the task creation function and stack initialization function, in the following format:
INT8U OSTaskCreateExt (……,INT8U mode );
OS_STK *OSTaskStkInit (……,INT8U mode);

When the stack is initialized, the mode is finally saved in the stack so that the task can enter the corresponding working mode (privileged level or user level) when it runs for the first time. The mode of the statistics task and the idle task is OS_Mode_PRIVILEGE, while the mode of the user task is OS_Mode_USER.

4.3 Modification of functions in OS_CPU_A.ASM file

In the OS_CPU_A.ASM file, only the function PendSV_Handler (PendSV service routine) needs to be modified, and task switching is completed by it. At the same time, the priority of PendSV is set to the lowest to quickly respond to interrupts and improve the real-time performance of the system. The flow of the PendSV service routine is shown in Figure 3.

Figure 3 PendSV service routine flow

Task switching program above:

SUBS R0,R0,#0x24; adjust PSP pointer, mode, R4~R11 total 36 bytes
MRS R1,CONTROL; get the access level mode of the current task
STM R0,{R1,R4R11}; push mode, R4~R11

LDR R1,=OSTCBCur;Get OSTCBCur?﹥OSTCBStkPtr
LDR R1,[R1]
STR R0,[R1];Store PSP value in task control block Switch to the following program:
……;OSPrioCur=OSPrioHighRdy;
……;OSTCBCur=OSTCBHighRdy;
……;Get the PSP value of the new task and store it in R0
LDM R0,{R1,R4R11};R1(mode),R4~R11 pop the stack
MSR CONTROL,R1;Modify CONTROL[0]
ORR LR,LR,#0x04;Select the stack to be used when returning
ADDS R0,R0,#0x24;Adjust PSP value
MSR PSP,R0;Store R0 in PSP [page]

4.4 Use of system functions

System functions are executed at the privilege level. Before calling a system function in an application, you should switch to the privilege level, and then switch to the user level after the system function is executed. The calling form is as follows:

ToPrivilege ();
OSFunction(Parameter1, Parameter2......); //System function
ToUser ();

In the privileged level, you can enter the user level by setting CONTROL[0]. In the user level, you cannot return to the privileged level by modifying CONTROL[0]. You must modify CONTROL[0] through an exception handler to obtain the privileged level after returning to the thread mode. Therefore, the way to go from the user level to the privileged level is to generate an exception and then modify CONTROL[0] in the exception routine. The usual method is to use the soft interrupt SVC.

The code to switch to the privilege level is as follows:

ToPrivilege; function ToPrivilege ()
SVC 0
BX LR
SVC_Handler; SVC service routine
MRS R1, CONTROL
AND R1, R1, #0xFE
MSR CONTROL, R1; return to privilege level
BX LR

Switching from privileged to user level is simple. You only need to execute the switch program without generating exceptions. The code for switching to user level is:

ToUser; Function ToPrivilege ()
MRS R0, CONTROL
ORR R0, R0, #0x01; Switch to user level
MSR CONTROL, R0
BX LR

4.5 Other Improvement Methods

Tasks run at user level + PSP, while operating system functions run at privilege level + MPS. Interrupt service routines are set by hardware in processing mode + privilege level + MSP, so that the system security and stability will be higher. However, each task requires two stacks, PSP and MSP. This undoubtedly increases the use of memory (nearly doubled). Since the on-chip RAM of embedded chips is relatively small, increasing memory will inevitably increase costs, and the task control block must be modified accordingly to store two stacks. Both stacks must be initialized when the task is created, and the stack and access rights to be switched are determined when the task is switched, which increases the system overhead.

Conclusion

The system ran stably for more than 10 hours without any problems, indicating that the system transplantation was successful. The MPU selected by the CortexM3 core was used to modify the μC/OSII operating system, which only added a small amount of system overhead, but greatly improved the security and stability of the system. This method can be applied to occasions with high requirements for system security and stability.