pkg/xipfs: add MPU memory isolation to file execution

[GGuche-2XS-Univ-Lille]

Contribution description

The xipfs filesystem is able to perform in-place execution.

The aim of this PR is to add hardware MPU-based memory isolation to the xipfs' execution capability.

With it, an executable fae file is run in non-privileged mode and can only access to its legitimate memory areas, thanks to MPU regions definitions of TEXT, DATA and STACK segments.
TEXT is read-only, but DATA and STACK are read-write.

This generic hardware approach can handle all executables, with almost zero time overhead.
MPU regions identifiers have been chosen with respect to RIOT's MPU safe guard and MPU no exec functionalities.

This feature should be available for all platforms with an ARM cpu and an ARMv7-M MPU, but has been only tested on QORVO DWM1001 for now.

Testing procedure

For this board, a memory dumper is provided in xipfs' example to illustrate simple/safe memory dumps of legit/non-legit ram/rom.

> drop_files
2025-10-01 14:22:34,102 # drop_files
> ls /nvme0p0
2025-10-01 14:22:37,829 # ls /nvme0p0
2025-10-01 14:22:37,831 # hello-world.fae       1376 B
2025-10-01 14:22:37,833 # dumper.fae    1920 B
2025-10-01 14:22:37,834 # total 2 files
> execute /nvme0p0/dumper.fae legit-ram
2025-10-01 14:22:38,303 # execute /nvme0p0/dumper.fae legit-ram
2025-10-01 14:22:38,314 # 20004050  00 00 00 00 00 00 00 00   b0 04 00 20 d4 04 00 20  |........... ... |
2025-10-01 14:22:38,321 # 20004060  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:22:38,328 # 20004070  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:22:38,335 # 20004080  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:22:38,336 # 20004090
> execute -p /nvme0p0/dumper.fae legit-ram
2025-10-01 14:23:09,935 # execute -p /nvme0p0/dumper.fae legit-ram
2025-10-01 14:23:09,946 # 20004050  01 00 00 00 fc 77 00 20   00 00 00 00 00 00 00 00  |.....w. ........|
2025-10-01 14:23:09,954 # 20004060  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:23:09,961 # 20004070  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:23:09,968 # 20004080  00 00 00 00 00 00 00 00   00 00 00 00 00 00 00 00  |................|
2025-10-01 14:23:09,969 # 20004090
> execute /nvme0p0/dumper.fae non-legit-ram
2025-10-01 14:23:26,575 # execute /nvme0p0/dumper.fae non-legit-ram
2025-10-01 14:23:26,586 # 20000020  fe e7 fe e7 fe e7 fe e7   fe e7 fe e7 fe e7 fe e7  |................|
2025-10-01 14:23:26,594 # 20000030  fe e7 fe e7 fe e7 fe e7   fe e7 fe e7 fe e7 fe e7  |................|
2025-10-01 14:23:26,601 # 20000040  fe e7 fe e7 fe e7 fe e7   fe e7 fe e7 fe e7 fe e7  |................|
2025-10-01 14:23:26,608 # 20000050  fe e7 fe e7 fe e7 fe e7   fe e7 fe e7 fe e7 fe e7  |................|
2025-10-01 14:23:26,609 # 20000060
> execute -p /nvme0p0/dumper.fae non-legit-ram
2025-10-01 14:23:47,488 # execute -p /nvme0p0/dumper.fae non-legit-ram
2025-10-01 14:23:47,496 # 20000020  Illegal memory access detected at 0x20000020.
2025-10-01 14:23:47,501 # Failed to execute '/nvme0p0/dumper.fae', error=-5 (I/O error)
> execute /nvme0p0/dumper.fae legit-rom
2025-10-01 14:24:52,687 # execute /nvme0p0/dumper.fae legit-rom
2025-10-01 14:24:52,698 # 1c470  2d e9 f8 43 04 46 00 f1   40 07 bc 42 a0 46 07 d3  |[email protected]..|
2025-10-01 14:24:52,705 # 1c480  2d 4b 21 46 5a f8 03 00   bd e8 f8 43 00 f0 c8 b8  |-K!FZ......C....|
2025-10-01 14:24:52,712 # 1c490  2a 4b 21 46 5a f8 03 00   00 f0 c2 f8 28 4b 5a f8  |*K!FZ.......(KZ.|
2025-10-01 14:24:52,719 # 1c4a0  03 90 26 46 00 25 16 f8   01 1b 01 35 48 46 00 f0  |..&F.%.....5HF..|
2025-10-01 14:24:52,719 # 1c4b0
> execute -p /nvme0p0/dumper.fae legit-rom
2025-10-01 14:25:16,344 # execute -p /nvme0p0/dumper.fae legit-rom
2025-10-01 14:25:16,355 # 1c470  2d e9 f8 43 04 46 00 f1   40 07 bc 42 a0 46 07 d3  |[email protected]..|
2025-10-01 14:25:16,362 # 1c480  2d 4b 21 46 5a f8 03 00   bd e8 f8 43 00 f0 c8 b8  |-K!FZ......C....|
2025-10-01 14:25:16,369 # 1c490  2a 4b 21 46 5a f8 03 00   00 f0 c2 f8 28 4b 5a f8  |*K!FZ.......(KZ.|
2025-10-01 14:25:16,376 # 1c4a0  03 90 26 46 00 25 16 f8   01 1b 01 35 48 46 00 f0  |..&F.%.....5HF..|
2025-10-01 14:25:16,377 # 1c4b0
> execute /nvme0p0/dumper.fae non-legit-rom
2025-10-01 14:25:49,232 # execute /nvme0p0/dumper.fae non-legit-rom
2025-10-01 14:25:49,242 # 00  00 04 00 20 3d 0a 00 00   c5 09 00 00 81 09 00 00  |... =...........|
2025-10-01 14:25:49,249 # 10  15 0a 00 00 d5 09 00 00   e5 09 00 00 00 00 00 00  |................|
2025-10-01 14:25:49,256 # 20  00 00 00 00 00 00 00 00   00 00 00 00 31 09 00 00  |............1...|
2025-10-01 14:25:49,262 # 30  f5 09 00 00 00 00 00 00   e5 08 00 00 05 0a 00 00  |................|
2025-10-01 14:25:49,263 # 40
> execute -p /nvme0p0/dumper.fae non-legit-rom
2025-10-01 14:26:23,457 # execute -p /nvme0p0/dumper.fae non-legit-rom
2025-10-01 14:26:23,464 # 0  Illegal memory access detected at 0x0.
2025-10-01 14:26:23,468 # Failed to execute '/nvme0p0/dumper.fae', error=-5 (I/O error)

On a sidenote, illegitimate RAM address has been chosen to be equal to 0x20000020, because the first 32 bytes of the RAM are in read-only MPU stack guard region.
In safe execution mode, the dumper would display the 32 bytes starting at 0x20000000 before the MPU detects an illegal access, which could lead to deceptive conclusions.

[riot-ci]

Murdock results

✔️ PASSED

664951f fixup! pkg/xipfs: add MPU memory isolation to file execution

Success	Failures	Total	Runtime
10510	0	10510	13m:10s

Artifacts

• Documentation preview

[Teufelchen1]

Where can I look at the code of examples/advanced/xipfs/dumper.fae?

[GGuche-2XS-Univ-Lille]

@Teufelchen1 Sorry for the delay. You can find the source of the memory dumper here.

It comes with the tools for building : the sources are compiled to an elf file, which is processed in order to build a fae file.
Fae files are lighter than elf ones and suited to our needs (own crt0 performing relocation etc...).

For more details on the tools and process, please go to the XIPFS Format repository

[crasbe]

I don't really like the modifications to the common Cortex-M files to be honest.
This is pretty application specific and does not really belong here.

I acknowledge that currently there are no provisions to change the mem_manage handler or add cases to the SVC dispatcher, but I'm afraid that this is not a good way yet.

[GGuche-2XS-Univ-Lille]

@crasbe XIPFS is designed for ARM platforms with addressable flash memory and ARMv7-M MPU.

As such, we don't target any board specifically but more a family of boards sharing these features.
Plugin the code in the common part of cortex-m cpu appeared to us as the appropriate move.

Furthermore, we need to customize the memory fault handler :

• to dynamically set TEXT mpu region, when PC jumps over flash pages,
• to stop the execution when an illegal memory access is detected.

We also need to add svc cases :

• to leave the thread privileged mode and enter the handler one, which leads finally to enter the user mode,
• to handle an API of syscalls (quite small for now, but that will grow in the future), and keep the fae files footprint low.

We would have liked to come with a better proposal, satisfying all of us, but to the best of our knowledge, we need at least these two modifications to make the MPU memory isolation work for the targeted platforms.