I’ve been struggling to understand FreeRTOS-MPU port’s threat model, as documented and as developed. I am referring to a few points that are seemingly exclusive:
- All of the MPU-ported FreeRTOS functions first raise the privilege of the calling task, then call the actual function, then revert the privilege back to what it was.
- The following line from MPU docs: “A Privileged mode task can call portSWITCH_TO_USER_MODE() to set itself into User mode. A task that is running in User mode cannot set itself into Privileged mode.”
portSWITCH_TO_USER_MODE() simply removes the privileged bit, and prvRaisePrivilege() calls through to the portSVC_RAISE_PRIVILEGE svc call, which unconditionally raises a task privilege. This seems to be counter to a task not being able to set itself into privilege mode after dropping privileges.
While I understand that the FreeRTOS-MPU port isn’t specifically designed to be a MAC-like mechanism, I’d still like to be able to provide slightly stricter control over unprivileged tasks.
Ideally, I’d like to be able to remove the privilege bit and only allow raising of privilege for a heavily-restricted set of FreeRTOS functions. Is this a supported use case? One way we’re currently thinking of implementing this is to add a bit more logic to the portSVC_RAISE_PRIVILEGE svc call.
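A host-side model of the extra check the post proposes for the portSVC_RAISE_PRIVILEGE handler, written as an added illustration (not the poster's code and not FreeRTOS's own port code): privilege is raised only when the SVC instruction sits inside one of a small set of trusted wrapper code ranges. The SVC number, the address ranges and the task state struct are constructed assumptions for this model; check the values against your own port.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

/* Hypothetical model of a gated portSVC_RAISE_PRIVILEGE handler. The SVC
 * number below matches several Cortex-M MPU ports but is an assumption here. */
#define portSVC_RAISE_PRIVILEGE 2u

typedef struct {
    uintptr_t start;   /* first byte of a trusted wrapper's code */
    uintptr_t end;     /* one past its last byte */
} trusted_region_t;

/* Constructed sample: code ranges of the only wrappers allowed to raise
 * privilege. A real build would take these from linker-defined symbols. */
static const trusted_region_t trusted_raise_sites[] = {
    { 0x08001000u, 0x08001080u },  /* e.g. the MPU wrapper around xQueueSend */
    { 0x08002200u, 0x08002240u },  /* e.g. the MPU wrapper around vTaskDelay */
};

/* Simplified task state: true when the task runs in Privileged mode. */
typedef struct { bool privileged; } task_ctx_t;

static bool addr_in_trusted_site(uintptr_t svc_pc) {
    size_t n = sizeof trusted_raise_sites / sizeof trusted_raise_sites[0];
    for (size_t i = 0; i < n; i++) {
        if (svc_pc >= trusted_raise_sites[i].start && svc_pc < trusted_raise_sites[i].end)
            return true;
    }
    return false;
}

/* Models the SVC dispatch. svc_pc is the address of the SVC instruction
 * itself (stacked return PC minus the instruction width on Thumb).
 * Returns true only when privilege was granted. */
bool svc_raise_privilege(task_ctx_t *task, uint32_t svc_number, uintptr_t svc_pc) {
    if (svc_number != portSVC_RAISE_PRIVILEGE)
        return false;
    if (!addr_in_trusted_site(svc_pc)) {
        /* SVC issued from outside the allowed wrappers: refuse and leave the
         * task in User mode. A real port would also record or fault the task. */
        return false;
    }
    task->privileged = true;
    return true;
}

/* Mirrors portSWITCH_TO_USER_MODE(): dropping privilege needs no gate. */
void switch_to_user_mode(task_ctx_t *task) { task->privileged = false; }
```

Gating on the SVC address alone does not cover every path into a trusted wrapper (for instance a branch into it with a different return address), so treat this as the first check in a design, not the whole design.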