Implement PMP context switching for task isolation

HeatCrab · HeatCrab · commit fb2c14a987d0 · 2025-11-16T16:52:43.000+08:00
Add per-task memory space switching during context transitions. Evicts
old task's dynamic regions and loads new task's regions into available
hardware slots while preserving locked kernel regions.
diff --git a/arch/riscv/pmp.c b/arch/riscv/pmp.c
@@ -425,3 +425,38 @@ int32_t pmp_handle_access_fault(uint32_t fault_addr, uint8_t is_write)
     int32_t ret = pmp_evict_fpage(victim);
     return (ret == 0) ? pmp_load_fpage(target_fpage, victim->pmp_id) : ret;
 }
+
+int32_t pmp_switch_context(memspace_t *old_mspace, memspace_t *new_mspace)
+{
+    if (old_mspace == new_mspace)
+        return 0;
+
+    pmp_config_t *config = pmp_get_config();
+    if (!config)
+        return -1;
+
+    /* Evict old task's dynamic regions */
+    if (old_mspace) {
+        for (fpage_t *fp = old_mspace->pmp_first; fp; fp = fp->pmp_next) {
+            uint8_t region_id = fp->pmp_id;
+            if (region_id != 0 && !config->regions[region_id].locked) {
+                pmp_disable_region(config, region_id);
+                fp->pmp_id = 0;
+            }
+        }
+    }
+
+    /* Load new task's regions into available slots */
+    if (new_mspace) {
+        uint8_t available_slots = PMP_MAX_REGIONS - config->region_count;
+        uint8_t loaded_count = 0;
+
+        for (fpage_t *fp = new_mspace->first; fp && loaded_count < available_slots; fp = fp->as_next) {
+            uint8_t region_idx = config->region_count + loaded_count;
+            if (pmp_load_fpage(fp, region_idx) == 0)
+                loaded_count++;
+        }
+    }
+
+    return 0;
+}
diff --git a/arch/riscv/pmp.h b/arch/riscv/pmp.h
@@ -119,3 +119,15 @@ int32_t pmp_init_kernel(pmp_config_t *config);
  * Returns 0 on successful recovery, negative error code on failure.
  */
 int32_t pmp_handle_access_fault(uint32_t fault_addr, uint8_t is_write);
+
+/* Switches PMP configuration during task context switch.
+ *
+ * Evicts the old task's dynamic regions from hardware and loads the new
+ * task's regions into available PMP slots. Kernel regions marked as locked
+ * are preserved across all context switches.
+ *
+ * @old_mspace : Memory space of task being switched out (can be NULL)
+ * @new_mspace : Memory space of task being switched in (can be NULL)
+ * Returns 0 on success, negative error code on failure.
+ */
+int32_t pmp_switch_context(memspace_t *old_mspace, memspace_t *new_mspace);
