Merge #455

455: Add zero-init-ram feature r=adamgreig a=inorick

Add the 'zero-init-ram' feature that initializes the RAM with zeros during startup. This is normally
not necessary but might be required on custom hardware. If this step is skipped on such hardware,
reading from memory that was never written to will cause a hard-fault.

Co-authored-by: Norbert Fabritius <[email protected]>
Co-authored-by: Adam Greig <[email protected]>

Author: 3 people

cortex-m-rt/CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+- Add `zero-init-ram` feature to initialize RAM with zeros on startup. This can be necessary on
+  safety-critical hardware to properly initialize memory integrity measures.
+
 ## [v0.7.3]
 
 - Fixed a potential miscompilation caused by the initial stack pointer

cortex-m-rt/Cargo.toml

@@ -45,6 +45,7 @@ required-features = ["device"]
 device = []
 set-sp = []
 set-vtor = []
+zero-init-ram = []
 
 [package.metadata.docs.rs]
 features = ["device"]

cortex-m-rt/ci/script.sh

@@ -63,6 +63,8 @@ main() {
 
             cargo rustc --target "$TARGET" --example minimal --features "set-sp,${needed_features}" -- $linker
             cargo rustc --target "$TARGET" --example minimal --features "set-sp,${needed_features}" --release -- $linker
+            cargo rustc --target "$TARGET" --example minimal --features "zero-init-ram,${needed_features}" -- $linker
+            cargo rustc --target "$TARGET" --example minimal --features "zero-init-ram,${needed_features}" --release -- $linker
             cargo rustc --target "$TARGET" --example minimal --features "set-vtor,${needed_features}" -- $linker
             cargo rustc --target "$TARGET" --example minimal --features "set-vtor,${needed_features}" --release -- $linker
         done

cortex-m-rt/link.x.in

@@ -60,7 +60,9 @@ PROVIDE(__pre_init = DefaultPreInit);
 /* # Sections */
 SECTIONS
 {
-  PROVIDE(_stack_start = ORIGIN(RAM) + LENGTH(RAM));
+  PROVIDE(_ram_start = ORIGIN(RAM));
+  PROVIDE(_ram_end = ORIGIN(RAM) + LENGTH(RAM));
+  PROVIDE(_stack_start = _ram_end);
 
   /* ## Sections in FLASH */
   /* ### Vector table */

cortex-m-rt/src/lib.rs

@@ -169,6 +169,13 @@
 //! `_stack_start` value from the linker script. This is not usually required, but some debuggers
 //! do not initialise SP when performing a soft reset, which can lead to stack corruption.
 //!
+//! ## `zero-init-ram`
+//!
+//! If this feature is enabled, RAM is initialized with zeros during startup from the `_ram_start`
+//! value to the `_ram_end` value from the linker script. This is not usually required, but might be
+//! necessary to properly initialize checksum-based memory integrity measures on safety-critical
+//! hardware.
+//!
 //! ## `set-vtor`
 //!
 //! If this feature is enabled, the vector table offset register (VTOR) is initialised in the reset
@@ -529,9 +536,11 @@ cfg_global_asm! {
     // Example use cases include disabling default watchdogs or enabling RAM.
     "bl __pre_init",
 
-    // Initialise .bss memory. `__sbss` and `__ebss` come from the linker script.
-    "ldr r0, =__sbss
-     ldr r1, =__ebss
+    // If enabled, initialize RAM with zeros. This is not usually required, but might be necessary
+    // to properly initialize checksum-based memory integrity measures on safety-critical hardware.
+    #[cfg(feature = "zero-init-ram")]
+    "ldr r0, =_ram_start
+     ldr r1, =_ram_end
      movs r2, #0
      0:
      cmp r1, r0
@@ -540,17 +549,29 @@ cfg_global_asm! {
      b 0b
      1:",
 
+    // Initialise .bss memory. `__sbss` and `__ebss` come from the linker script.
+    #[cfg(not(feature = "zero-init-ram"))]
+    "ldr r0, =__sbss
+     ldr r1, =__ebss
+     movs r2, #0
+     2:
+     cmp r1, r0
+     beq 3f
+     stm r0!, {{r2}}
+     b 2b
+     3:",
+
     // Initialise .data memory. `__sdata`, `__sidata`, and `__edata` come from the linker script.
     "ldr r0, =__sdata
      ldr r1, =__edata
      ldr r2, =__sidata
-     2:
+     4:
      cmp r1, r0
-     beq 3f
+     beq 5f
      ldm r2!, {{r3}}
      stm r0!, {{r3}}
-     b 2b
-     3:",
+     b 4b
+     5:",
 
     // Potentially enable an FPU.
     // SCB.CPACR is 0xE000_ED88.