FreeRTOS MPU behavior and threat model

yan-i wrote on Wednesday, January 07, 2015:


I’ve been struggling to understand FreeRTOS-MPU port’s threat model, as documented and as developed. I am referring to a few points that are seemingly exclusive:

  • All of MPU-ported FreeRTOS functions first raise the privilege of the calling task, then call to the actual function, then revert their privilege back to what it was.
  • The following line from MPU docs: “A Privileged mode task can call portSWITCH_TO_USER_MODE() to set itself into User mode. A task that is running in User mode cannot set itself into Privileged mode.”

portSWITCH_TO_USER_MODE() simply removes the privileged bit, and prvRaisePrivilege() calls through to the portSVC_RAISE_PRIVILEGE svc call, which unconditionally raises a task privilege. This seems to be counter to a task not being able to set itself into privilege mode after dropping privileges.

While I understand that the FreeRTOS-MPU port isn’t specifically designed to be a MAC-like mechanism, but I’d still like to be able to provide slightly stricter control over unprivileged tasks.

Ideally, I’d like to be able to to remove the privilege bit and only allow raising of privilege for a heavily-restricted set of FreeRTOS functions. Is this a supported use case? One way we’re currently thinking of implementing this is to add a bit more logic to to the portSVC_RAISE_PRIVIELGE svc call.


edwards3 wrote on Wednesday, January 07, 2015:

I don’t think it is possible to stop a task calling SVC, which will automatically set it into privileged mode. All you could do then is have the kernel check if it is a privileged task before you let it do anything else, returning it to user mode if necessary. Is that the extra logic you mention?

yan-i wrote on Wednesday, January 07, 2015:

Yep, the idea was to add a check in the ‘raise privilege’ handler to either limit the conditions under which a task can increase privileges, or to make sure that the lr register points inside the privileged_functions section.

On another note, I’m not sure what the sentence in the docs was referring to (can only drop privileges, not raise them). I guess it implied that only with code that doesn’t call a svc routine can you not increase your privileges.

rtel wrote on Wednesday, January 07, 2015:

The idea was to provide a method for a task to transition itself from
being privileged to unprivileged, which is safe, but not the reverse
(other than when legitimately calling an API function), which would not
be safe.

It is sometimes easier to create a task with full privileges, then once
the task has done whatever it needs at start up, to drop to its run-time
state of being unprivileged. It is purely a convenience thing.