AUTOSAR

• About this group
• Forums

• Home
• Groups
• AUTOSAR
• Forums
• AUTOSAR Articles
• Memory Protection in AUTOSAR

• 
  Arun Pulinatu

  The company name is only visible to registered members.

  Memory Protection in AUTOSAR

  Hi All,
  
  Can someone please tell me how memory protection is implemented in AUTOSAR 3.0.
  Suppose I am using target processor as PowerPC (which has MPU), how can OS, configured
  under SC3/SC4 ensure memory protection?
  
  My requirement is specifically for scenario where multiple applications reside on the same ECU.
  Hence I need a mechanism to ensure the read/write protection of:
  1. Stack area of each Task
  2. NvM allocated to each application
  
  Although NvM has a NvM_SetBlockProtection API, this API cannot differentiate between different applications
  and Fee blocks/Nv Blocks assigned to different applications.
  
  So, how is a rougue application prevented from accessing data that it should not access.
  
  Also, in AUTOSAR do we have any concept of RAM protection (other than through private stack of each task)?
  For, if we have RAM variables that are global, they will be accessible to all software.
  
  Warm Regards,
  Arun
  
  • 11 Aug 2010, 11:27 am
  Arun Pulinatu wrote: > Hi All, > > Can someone please tell me how memory protection is implemented in > AUTOSAR 3.0. > Suppose I am using target processor as PowerPC (which has MPU), how > can OS, configured > under SC3/SC4 ensure memory protection? > > My requirement is specifically for scenario where multiple > applications reside on the same ECU. > Hence I need a mechanism to ensure the read/write protection of: > 1. Stack area of each Task > 2. NvM allocated to each application > > Although NvM has a NvM_SetBlockProtection API, this API cannot > differentiate between different applications > and Fee blocks/Nv Blocks assigned to different applications. > > So, how is a rougue application prevented from accessing data that it > should not access. > > Also, in AUTOSAR do we have any concept of RAM protection (other than > through private stack of each task)? > For, if we have RAM variables that are global, they will be > accessible to all software. > > Warm Regards, > Arun
• 
  Jean-Luc Béchennec

  The company name is only visible to registered members.

  Re: Memory Protection in AUTOSAR

  Hi Arun
  
  Arun Pulinatu a écrit:
  Hi All,
   
  Can someone please tell me how memory protection is implemented in AUTOSAR 3.0.
  Suppose I am using target processor as PowerPC (which has MPU), how can OS, configured
  under SC3/SC4 ensure memory protection?
  I can explain how I implemented it in Trampoline 2
  
  Each non-trusted task/ISR2 has r/w access to 3 data memory regions :
  its stack (1 MPU descriptor)
  its data (1 MPU descriptor)
  the data of the OS Application the task/ISR2 belongs to (1 MPU descriptor)
  
  In the memory mapping I interleave the stack of tasks/ISR then the private data then the data of the OS Applications
  That way, a stack cannot overflow or underflow in the data.
  
  Consts and programs are contiguous and protected against writing (in the case they are located in RAM)
  
  The rest of memory space cannot be accessed (I/O and unmapped memory regions)
  
  No special configuration is required, the system generation tool (goil in our case) generates a MemMap.h with segments for each task/ISR. It generates also a link script to map these regions. Memory regions descriptors used to program the MPU when the kernel (OS) switches context are also generated. A different generation tool should do the same
  
  One of the Memory Protection AUTOSAR requirements is not yet supported: the access to I/O.
  
   
  My requirement is specifically for scenario where multiple applications reside on the same ECU.
  Hence I need a mechanism to ensure the read/write protection of:
  1. Stack area of each Task
  2. NvM allocated to each application
   
  Although NvM has a NvM_SetBlockProtection API, this API cannot differentiate between different applications
  and Fee blocks/Nv Blocks assigned to different applications.
   
  For NvM, I don't know
  
  So, how is a rougue application prevented from accessing data that it should not access.
   
  Also, in AUTOSAR do we have any concept of RAM protection (other than through private stack of each task)?
  Yes, see above
  
  For, if we have RAM variables that are global, they will be accessible to all software.
  No, these variables should be in an OS Application data region
  
  But consts are accessible
  
  Best regards
  This post was modified on 20 Oct 2010 at 12:24 pm.
  • 20 Oct 2010, 12:04 pm
  Jean-Luc Béchennec wrote: > Hi Arun > > Arun Pulinatu a écrit: > > Hi All, > > > > Can someone please tell me how memory protection is implemented in > > AUTOSAR 3.0. > > Suppose I am using target processor as PowerPC (which has MPU), how > > can OS, configured > > under SC3/SC4 ensure memory protection? > > I can explain how I implemented it in Trampoline 2 > > Each non-trusted task/ISR2 has r/w access to 3 data memory regions : > its stack (1 MPU descriptor) > its data (1 MPU descriptor) > the data of the OS Application the task/ISR2 belongs to (1 MPU > descriptor) > > In the memory mapping I interleave the stack of tasks/ISR then the > private data then the data of the OS Applications > That way, a stack cannot overflow or underflow in the data. > > Consts and programs are contiguous and protected against writing (in > the case they are located in RAM) > > The rest of memory space cannot be accessed (I/O and unmapped memory > regions) > > No special configuration is required, the system generation tool > (goil in our case) generates a MemMap.h with segments for each > task/ISR. It generates also a link script to map these regions. > Memory regions descriptors used to program the MPU when the kernel > (OS) switches context are also generated. A different generation tool > should do the same > > One of the Memory Protection AUTOSAR requirements is not yet > supported: the access to I/O. > > > > > My requirement is specifically for scenario where multiple > > applications reside on the same ECU. > > Hence I need a mechanism to ensure the read/write protection of: > > 1. Stack area of each Task > > 2. NvM allocated to each application > > > > Although NvM has a NvM_SetBlockProtection API, this API cannot > > differentiate between different applications > > and Fee blocks/Nv Blocks assigned to different applications. > > > > For NvM, I don't know > > > So, how is a rougue application prevented from accessing data that it > > should not access. > > > > Also, in AUTOSAR do we have any concept of RAM protection (other than > > through private stack of each task)? > > Yes, see above > > > For, if we have RAM variables that are global, they will be > > accessible to all software. > > No, these variables should be in an OS Application data region > > But consts are accessible > > Best regards
• 
  Yannick Moreaux

  The company name is only visible to registered members.

  Re^2: Memory Protection in AUTOSAR

  Hello,
  
  You have some problems, in AutoSAR Release R3.0 specifications, Memory Protection in only defined for AUTOSAR OS, but not for RTE... . If you want to develop an AUTOSAR application with AutoSAR Software Components( SW-Cs) and Memory Protection you need AutoSAR Release R4.0. I am not sure that there are already AutoSAR R4.0 tools and COTS on the market.
  
  You can use Memory Protection with your AUTOSAR OS R3.0 if you don't need Memory Protection between SW-Cs.
  
  The configuration of Memory Protection for AUTOSAR OS R3.0 is not standardized. It is specific to the OS vendor. You have to look to your OS manual.
  
  You can protect the stack of your tasks without Memory Protection. It is in OSEK specifications, and so in AUTOSAR OS. But the check of the integrity of the stack is only realized at tasks switch. It is generally implemented just with a tag value in stack bottom.
  
  The NvM_SetBlockProtection API is something different from Memory Protection of RAM memory. If just an API to toggle a flag located in the EEPROM and associated with the NvM Block you want to modify.
  
  
  Best Regards and salutations to IRCCyN
  This post was modified on 23 Oct 2010 at 11:47 am.
  • 23 Oct 2010, 11:35 am
  Yannick Moreaux wrote: > Hello, > > You have some problems, in AutoSAR Release R3.0 specifications, > Memory Protection in only defined for AUTOSAR OS, but not for RTE... > . If you want to develop an AUTOSAR application with AutoSAR > Software Components( SW-Cs) and Memory Protection you need AutoSAR > Release R4.0. I am not sure that there are already AutoSAR R4.0 > tools and COTS on the market. > > You can use Memory Protection with your AUTOSAR OS R3.0 if you don't > need Memory Protection between SW-Cs. > > The configuration of Memory Protection for AUTOSAR OS R3.0 is not > standardized. It is specific to the OS vendor. You have to look to > your OS manual. > > You can protect the stack of your tasks without Memory Protection. It > is in OSEK specifications, and so in AUTOSAR OS. But the check of the > integrity of the stack is only realized at tasks switch. It is > generally implemented just with a tag value in stack bottom. > > The NvM_SetBlockProtection API is something different from Memory > Protection of RAM memory. If just an API to toggle a flag located in > the EEPROM and associated with the NvM Block you want to modify. > > > Best Regards and salutations to IRCCyN
• 
  Arun Pulinatu

  The company name is only visible to registered members.

  Re^3: Memory Protection in AUTOSAR

  Thank you all for your feedback.
  
  Regards,
  Arun
  
  • 05 Jan 2011, 07:23 am
  Arun Pulinatu wrote: > Thank you all for your feedback. > > Regards, > Arun