AM2632: Usage of MPU in AM2632

Part Number: AM2632
Other Parts Discussed in Thread: SYSCONFIG

Tool/software:

Hello,

we are using AM2632 in lockstep mode.


Cluster R5SS1 is currently started and executes pBIST for R5SS0 memory areas and has no further tasks at the moment.
Cluster R5SS0 is our "main" core and shall be used for our functional safety tasks. But there are still big parts of firmware which are not safety relevant.


On the main core (R5SS0) we do not want to make all parts of firmware safety relevant code, because it is much more effort to get safety certification for the whole firmware than for the safety relevant parts only.
We do not use an operating system on our system, we use the bare metal option.


In this context I try to understand the MPU units of the AM263x, but I am a little confused at the moment.

For my understanding, AM263x separates between the ARM MPU and the system MPU Firmware (provided by HSM). Is my understanding correct?
The possibilities of

What is our aim:

We want to execute all our safety relevant tasks from one function, our "functional safety task". 
My idea is now that the functional safety task uses its own memory area to hold the safety relevant runtime data. Therefore I implemented my own memory area at a specific RAM address in the linker command file for that safety data.

The safety data should be read- and writeable by the "functional safety task" and only readable (not writeable) by the rest of the firmware ("non-functional safety firmware parts").

My question is now the following.
Is it possible to achieve such a data separation and protection with the MPU, which is configurable by SysConfig?

In my SysConfig configuration I have introduced a new region (region 5) which represents the safety data area. Full access to the safety data is only possible in supervisor mode, user mode can only read the data.



My questions are now:

- Is that a good approach to achieve the data separation between functional safety and non-functional-safety on one core? Is that the right application of the MPU?


- my system is still not running with that configuration. I can switch to the user mode, but I am not sure how to switch to supervisor mode at the beginning of my safety application, can you give me some example?




Best regards
Jo



  • Hi Jo,

    For my understanding, AM263x separates between the ARM MPU and the system MPU Firmware (provided by HSM). Is my understanding correct?
    The possibilities of

    Yes this is correct Jo.

  • We want to execute all our safety relevant tasks from one function, our "functional safety task". 
    My idea is now that the functional safety task uses its own memory area to hold the safety relevant runtime data. Therefore I implemented my own memory area at a specific RAM address in the linker command file for that safety data.

    The safety data should be read- and writeable by the "functional safety task" and only readable (not writeable) by the rest of the firmware ("non-functional safety firmware parts").

    My question is now the following.
    Is it possible to achieve such a data separation and protection with the MPU, which is configurable by SysConfig?

    I have a few questions here: 1. Are both safe and non-safe tasks running on the same core?

  • yes, safe and non-safe firmware parts should run on the same core

  • Hi Jo 

    A few clarifications on Firewall and MPU to understand their distinction:

    The firewalls are an SoC specific feature whereas the MPUs are a core specific feature. The aim of using both is to prevent unwanted accesses to memory regions. Now which one you use would depend on the context from which you want to prevent the unwanted access. So that means when you configure the firewall for a memory region, it would affect the transactions from any entity present on the SoC, while the MPU configurations are local to the core....

  • OK, this difference I have understood now. But that sounds like activating both features, if I want to be sure that my data are protected against unwanted modification.

    How can I then get a privilege to get write-access to the data from my safety functions? Is the right way to use the core in user mode and to switch to supervisor mode then?


  • You can refer to the ARM R5F Technical Reference Manual for details on how to enable Privileged mode

  • Also I would highly recommend reading this white paper from Wittenstein on safety solution in single core architecture

    https://highintegritysystems.com/downloads/white_papers/Using_an_MPU_to_Enforce_Spatial_Separation.pdf

    It talks about the architecture that you are planning to use along with the challenges. 

    Let me know if you have any other query.
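As an added example, not taken from this thread or from TI's SDK, the following host-runnable C code encodes a Cortex-R5 MPU data region with the "supervisor read/write, user read-only" policy that region 5 in the question describes, and models which accesses the MPU would then allow. The register field layout (DRSR, DRACR) follows the Cortex-R5 TRM; the base address is a constructed placeholder, not an AM263x address from the page.

```c
#include <stdint.h>
#include <stdbool.h>

/* Cortex-R5 MPU access-permission (AP) encodings, written to DRACR[10:8]. */
enum r5_ap {
    AP_NO_ACCESS       = 0x0, /* privileged: none, user: none */
    AP_PRIV_RW         = 0x1, /* privileged: RW,   user: none */
    AP_PRIV_RW_USER_RO = 0x2, /* privileged: RW,   user: RO   <- the "region 5" policy */
    AP_FULL            = 0x3, /* privileged: RW,   user: RW   */
    AP_PRIV_RO         = 0x5, /* privileged: RO,   user: none */
    AP_RO              = 0x6  /* privileged: RO,   user: RO   */
};

/* Model of the permission decision the MPU makes for one data access.
 * "privileged" is true for supervisor/system mode, false for user mode. */
bool mpu_access_allowed(enum r5_ap ap, bool privileged, bool is_write) {
    switch (ap) {
    case AP_NO_ACCESS:        return false;
    case AP_PRIV_RW:          return privileged;
    case AP_PRIV_RW_USER_RO:  return privileged || !is_write;
    case AP_FULL:             return true;
    case AP_PRIV_RO:          return privileged && !is_write;
    case AP_RO:               return !is_write;
    default:                  return false; /* reserved encodings: treat as fault */
    }
}

/* Encode the Region Size and Enable Register (DRSR) and the Region Access
 * Control Register (DRACR) for one region. Returns false if the base/size
 * break the R5 MPU rules: size must be a power of two of at least 32 bytes
 * and the base must be aligned to the size. Memory-type bits (TEX/S/C/B)
 * are left at zero here; set them as SysConfig does for the target memory. */
bool mpu_encode_region(uint32_t base, uint32_t size, enum r5_ap ap,
                       bool exec_never, uint32_t *drsr, uint32_t *dracr) {
    if (size < 32u || (size & (size - 1u)) != 0u) return false;
    if ((base & (size - 1u)) != 0u) return false;
    uint32_t sz_field = 0;                            /* size = 2^(SZ+1) bytes */
    while ((1ull << (sz_field + 1)) < size) sz_field++;
    *drsr  = (sz_field << 1) | 1u;                    /* DRSR[5:1]=SZ, DRSR[0]=enable */
    *dracr = ((uint32_t)ap << 8) | (exec_never ? (1u << 12) : 0u); /* AP[10:8], XN[12] */
    return true;
}
```

With this policy, the safety task needs the core in a privileged mode to write the region, which is why the thread points to the R5F TRM for the mode switch; a misaligned base or a non-power-of-two size is rejected rather than silently covering the wrong range.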