refactor(esp_system): Place all memory protection options under one option
@@ -157,59 +157,65 @@ menu "ESP System Settings"
|
||||
|
||||
endchoice
|
||||
|
||||
menu "Memory protection"
|
||||
|
||||
config ESP_SYSTEM_PMP_IDRAM_SPLIT
|
||||
bool "Enable IRAM/DRAM split protection"
|
||||
depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
|
||||
default "y"
|
||||
config ESP_SYSTEM_MEMPROT
|
||||
bool "Enable memory protection"
|
||||
default y
|
||||
depends on SOC_CPU_IDRAM_SPLIT_USING_PMP || SECURE_ENABLE_TEE || SOC_MEMPROT_SUPPORTED
|
||||
help
|
||||
If enabled, the CPU watches all the memory access and raises an exception in case
|
||||
of any memory violation. This feature automatically splits
|
||||
the SRAM memory, using PMP, into data and instruction segments and sets Read/Execute permissions
|
||||
for the instruction part (below given splitting address) and Read/Write permissions
|
||||
for the data part (above the splitting address). The memory protection is effective
|
||||
on all access through the IRAM0 and DRAM0 buses.
|
||||
This option enables memory protection for the valid memory regions.
|
||||
This feature also automatically splits the ROM, RAM and flash memory into data and
|
||||
instruction segments and sets Read/Execute permissions for the instruction part
|
||||
(below given splitting address) and Read/Write permissions for the data part
|
||||
(above the splitting address). The memory protection is effective on all access
|
||||
through the IRAM0 and DRAM0 buses.
|
||||
|
||||
config ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE
|
||||
choice ESP_SYSTEM_MEMPROT_MODE
|
||||
prompt "Memory Protection configurations"
|
||||
depends on ESP_SYSTEM_MEMPROT
|
||||
default ESP_SYSTEM_MEMPROT_TEE if SECURE_ENABLE_TEE
|
||||
default ESP_SYSTEM_MEMPROT_PMP if SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
|
||||
default ESP_SYSTEM_MEMPROT_PMS if SOC_MEMPROT_SUPPORTED
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_PMS
|
||||
bool "Enable Permission Control Module (PMS) configurations"
|
||||
depends on SOC_MEMPROT_SUPPORTED
|
||||
help
|
||||
This option enables memory protection using the Permission Control Module (PMS).
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_PMP
|
||||
bool "Enable CPU's Physical Memory Protection (PMP) configurations"
|
||||
depends on SOC_CPU_IDRAM_SPLIT_USING_PMP && !SECURE_ENABLE_TEE
|
||||
help
|
||||
This option enables memory protection using CPU PMP.
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_TEE
|
||||
bool "Enable Trusted Execution Environment (TEE) configurations"
|
||||
depends on SECURE_ENABLE_TEE
|
||||
help
|
||||
This option enables the default memory protection provided by TEE.
|
||||
|
||||
endchoice
|
||||
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_PMS_LOCK
|
||||
bool "Lock memory protection settings"
|
||||
depends on ESP_SYSTEM_MEMPROT && ESP_SYSTEM_MEMPROT_PMS
|
||||
default y
|
||||
help
|
||||
Once locked, memory protection settings cannot be changed anymore.
|
||||
The lock is reset only on the chip startup.
|
||||
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
|
||||
bool "Make LP core reserved memory executable from HP core"
|
||||
depends on IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_PMP_IDRAM_SPLIT
|
||||
default "n"
|
||||
depends on ESP_SYSTEM_MEMPROT&& IDF_TARGET_ARCH_RISCV && SOC_LP_CORE_SUPPORTED && ESP_SYSTEM_MEMPROT_PMP
|
||||
default n
|
||||
help
|
||||
If enabled, user can run code available in LP Core image.
|
||||
|
||||
Warning: on ESP32-P4 this will also mark the memory area used for BOOTLOADER_RESERVE_RTC_MEM
|
||||
as executable. If you consider this a security risk then do not activate this option.
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
|
||||
bool "Enable memory protection (via TEE)"
|
||||
depends on SECURE_ENABLE_TEE
|
||||
default "y"
|
||||
help
|
||||
This option enables the default memory protection provided by TEE.
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_FEATURE
|
||||
bool "Enable memory protection"
|
||||
depends on SOC_MEMPROT_SUPPORTED
|
||||
default "y"
|
||||
help
|
||||
If enabled, the permission control module watches all the memory access and fires the panic handler
|
||||
if a permission violation is detected. This feature automatically splits
|
||||
the SRAM memory into data and instruction segments and sets Read/Execute permissions
|
||||
for the instruction part (below given splitting address) and Read/Write permissions
|
||||
for the data part (above the splitting address). The memory protection is effective
|
||||
on all access through the IRAM0 and DRAM0 buses.
|
||||
|
||||
config ESP_SYSTEM_MEMPROT_FEATURE_LOCK
|
||||
depends on ESP_SYSTEM_MEMPROT_FEATURE
|
||||
bool "Lock memory protection settings"
|
||||
default "y"
|
||||
help
|
||||
Once locked, memory protection settings cannot be changed anymore.
|
||||
The lock is reset only on the chip startup.
|
||||
|
||||
endmenu # Memory protection
|
||||
|
||||
config ESP_SYSTEM_EVENT_QUEUE_SIZE
|
||||
int "System event queue size"
|
||||
default 32
|
||||
|
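Review bot: The new help text for `ESP_SYSTEM_MEMPROT` no longer says what happens on a violation, and it describes one "ROM, RAM and flash" split for every mechanism in the choice below. The two help texts it replaces did state the outcome (the PMP text said the CPU raises an exception, the PMS text that the panic handler fires), and the PMS text mentioned only SRAM; whether the TEE mode behaves the same way is not visible on this page. I would add a sentence such as `A violation raises a CPU exception or invokes the panic handler, depending on the mechanism selected below.` and keep the split description in the help of the choice members it actually applies to. Separately, `depends on ESP_SYSTEM_MEMPROT&& IDF_TARGET_ARCH_RISCV` is missing a space before `&&`.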
@@ -40,3 +40,9 @@ CONFIG_BROWNOUT_DET_LVL_SEL_5 CONFIG_ESP_BROWNOUT_DET_
|
||||
CONFIG_BROWNOUT_DET_LVL_SEL_6 CONFIG_ESP_BROWNOUT_DET_LVL_SEL_6
|
||||
CONFIG_BROWNOUT_DET_LVL_SEL_7 CONFIG_ESP_BROWNOUT_DET_LVL_SEL_7
|
||||
CONFIG_BROWNOUT_DET_LVL CONFIG_ESP_BROWNOUT_DET_LVL
|
||||
|
||||
CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT CONFIG_ESP_SYSTEM_MEMPROT
|
||||
CONFIG_ESP_SYSTEM_PMP_LP_CORE_RESERVE_MEM_EXECUTABLE CONFIG_ESP_SYSTEM_MEMPROT_PMP_LP_CORE_RESERVE_MEM_EXEC
|
||||
CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE CONFIG_ESP_SYSTEM_MEMPROT
|
||||
CONFIG_ESP_SYSTEM_MEMPROT_FEATURE CONFIG_ESP_SYSTEM_MEMPROT
|
||||
CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
|
||||
|
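Review bot: Three formerly independent options (`CONFIG_ESP_SYSTEM_PMP_IDRAM_SPLIT`, `CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE`, `CONFIG_ESP_SYSTEM_MEMPROT_FEATURE`) now map to the single `CONFIG_ESP_SYSTEM_MEMPROT`, and nothing in the file warns about the wider scope. An old line such as `CONFIG_ESP_SYSTEM_MEMPROT_FEATURE=n`, written to turn off PMS on one target, depended on `SOC_MEMPROT_SUPPORTED` and so could not affect a PMP-only chip. Once renamed it presumably disables protection there too, if the same defaults file is shared across targets. I would add a comment above these entries, e.g. `# PMP, PMS and TEE memory protection now share CONFIG_ESP_SYSTEM_MEMPROT; re-check any old "=n" setting per target`, and repeat it in the migration notes.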
@@ -1,8 +1,8 @@
|
||||
# sdkconfig replacement configurations for deprecated options formatted as
|
||||
# CONFIG_DEPRECATED_OPTION CONFIG_NEW_OPTION
|
||||
|
||||
CONFIG_ESP32C3_MEMPROT_FEATURE CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
|
||||
CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
|
||||
CONFIG_ESP32C3_MEMPROT_FEATURE CONFIG_ESP_SYSTEM_MEMPROT
|
||||
CONFIG_ESP32C3_MEMPROT_FEATURE_LOCK CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
|
||||
CONFIG_ESP32C3_DEBUG_OCDAWARE CONFIG_ESP_DEBUG_OCDAWARE
|
||||
|
||||
CONFIG_ESP32C3_BROWNOUT_DET CONFIG_ESP_BROWNOUT_DET
|
||||
|
@@ -6,8 +6,8 @@ CONFIG_ESP32S2_PANIC_PRINT_HALT CONFIG_ESP_SYSTEM_PANIC_
|
||||
CONFIG_ESP32S2_PANIC_PRINT_REBOOT CONFIG_ESP_SYSTEM_PANIC_PRINT_REBOOT
|
||||
CONFIG_ESP32S2_PANIC_SILENT_REBOOT CONFIG_ESP_SYSTEM_PANIC_SILENT_REBOOT
|
||||
CONFIG_ESP32S2_PANIC_GDBSTUB CONFIG_ESP_SYSTEM_PANIC_GDBSTUB
|
||||
CONFIG_ESP32S2_MEMPROT_FEATURE CONFIG_ESP_SYSTEM_MEMPROT_FEATURE
|
||||
CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK CONFIG_ESP_SYSTEM_MEMPROT_FEATURE_LOCK
|
||||
CONFIG_ESP32S2_MEMPROT_FEATURE CONFIG_ESP_SYSTEM_MEMPROT
|
||||
CONFIG_ESP32S2_MEMPROT_FEATURE_LOCK CONFIG_ESP_SYSTEM_MEMPROT_PMS_LOCK
|
||||
CONFIG_ESP32S2_ALLOW_RTC_FAST_MEM_AS_HEAP CONFIG_ESP_SYSTEM_ALLOW_RTC_FAST_MEM_AS_HEAP
|
||||
CONFIG_ESP32S2_DEBUG_OCDAWARE CONFIG_ESP_DEBUG_OCDAWARE
|
||||
CONFIG_ESP32S2_NO_BLOBS CONFIG_APP_NO_BLOBS
|
||||
|
@@ -3,7 +3,6 @@ menu "ESP-TEE (Trusted Execution Environment)"
|
||||
|
||||
config SECURE_ENABLE_TEE
|
||||
bool "Enable the ESP-TEE framework"
|
||||
select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE
|
||||
help
|
||||
This configuration enables the Trusted Execution Environment (TEE) feature.
|
||||
|
||||
|
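Review bot: With the `select` gone from `SECURE_ENABLE_TEE`, nothing visible on this page forces memory protection on for a TEE build. The removed line appears to be `select ESP_SYSTEM_MEMPROT_FEATURE_VIA_TEE` (the hunk header drops one line and that symbol no longer exists). Its replacement `ESP_SYSTEM_MEMPROT` is a prompted bool with `default y`, so a user or a carried-over sdkconfig can set it to n while the TEE is enabled. If TEE isolation relies on that symbol, keep the old guarantee with `select ESP_SYSTEM_MEMPROT` here, or hide the prompt with `bool "Enable memory protection" if !SECURE_ENABLE_TEE`. If the TEE applies its protection regardless of the symbol, the help text should say so.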