Disallow unprivileged critical sections with MPU wrappers v2 (#1427)

When using MPU wrappers version 2 (configUSE_MPU_WRAPPERS_V1 == 0), portRAISE_PRIVILEGE() is a no-op because the portSVC_RAISE_PRIVILEGE handler is compiled only for MPU wrappers version 1. As a result, an unprivileged task that calls taskENTER_CRITICAL() does not actually raise its privilege, so the subsequent BASEPRI write is ignored by the hardware and the critical section silently fails to mask interrupts. This produces latent, hard-to-debug faults. configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is therefore not supported with MPU wrappers version 2. In the ARMv7-M MPU ports: - When the option is left undefined under v2, default it to 0 instead of 1 so the dangerous default configuration is safe. - When the option is explicitly set to 1 under v2, raise a compile-time #error so the unsupported configuration is rejected loudly rather than failing silently at run time. Behaviour for MPU wrappers version 1 is unchanged.
2026-06-19 17:43:42 +02:00 · 2026-06-15 22:30:25 +00:00 · 2026-06-15 22:30:25 +00:00 · 83e56c38ee
commit 83e56c38ee
parent fc25364931
4 changed files with 48 additions and 8 deletions
--- a/portable/GCC/ARM_CM3_MPU/port.c
+++ b/portable/GCC/ARM_CM3_MPU/port.c
@ -55,10 +55,20 @@
    #define portNVIC_SYSTICK_CLK    ( 0 )
 #endif

+/* Unprivileged critical sections are not supported when using MPU wrappers
+ * version 2. Default the option to 0 and reject an explicit value of 1. */
 #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS
+    #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    0
+    #else
        #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security."
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    1
    #endif
+#else
+    #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) )
+        #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ).
+    #endif
+#endif

 /* Prototype of all Interrupt Service Routines (ISRs). */
 typedef void ( * portISR_t )( void );
--- a/portable/GCC/ARM_CM4_MPU/port.c
+++ b/portable/GCC/ARM_CM4_MPU/port.c
@ -59,10 +59,20 @@
    #define portNVIC_SYSTICK_CLK    ( 0 )
 #endif

+/* Unprivileged critical sections are not supported when using MPU wrappers
+ * version 2. Default the option to 0 and reject an explicit value of 1. */
 #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS
+    #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    0
+    #else
        #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security."
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    1
    #endif
+#else
+    #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) )
+        #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ).
+    #endif
+#endif

 /* Prototype of all Interrupt Service Routines (ISRs). */
 typedef void ( * portISR_t )( void );
--- a/portable/IAR/ARM_CM4F_MPU/port.c
+++ b/portable/IAR/ARM_CM4F_MPU/port.c
@ -66,10 +66,20 @@
    #define portNVIC_SYSTICK_CLK_BIT    ( 0 )
 #endif

+/* Unprivileged critical sections are not supported when using MPU wrappers
+ * version 2. Default the option to 0 and reject an explicit value of 1. */
 #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS
+    #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    0
+    #else
        #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security."
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    1
    #endif
+#else
+    #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) )
+        #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ).
+    #endif
+#endif

 /* Prototype of all Interrupt Service Routines (ISRs). */
 typedef void ( * portISR_t )( void );
--- a/portable/RVDS/ARM_CM4_MPU/port.c
+++ b/portable/RVDS/ARM_CM4_MPU/port.c
@ -48,10 +48,20 @@

 #undef MPU_WRAPPERS_INCLUDED_FROM_API_FILE

+/* Unprivileged critical sections are not supported when using MPU wrappers
+ * version 2. Default the option to 0 and reject an explicit value of 1. */
 #ifndef configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS
+    #if ( configUSE_MPU_WRAPPERS_V1 == 0 )
+        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    0
+    #else
        #warning "configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not defined. We recommend defining it to 0 in FreeRTOSConfig.h for better security."
        #define configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS    1
    #endif
+#else
+    #if ( ( configUSE_MPU_WRAPPERS_V1 == 0 ) && ( configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS == 1 ) )
+        #error configALLOW_UNPRIVILEGED_CRITICAL_SECTIONS is not supported with MPU wrappers version 2 ( configUSE_MPU_WRAPPERS_V1 == 0 ).
+    #endif
+#endif

 /* Prototype of all Interrupt Service Routines (ISRs). */
 typedef void ( * portISR_t )( void );