os/board/bk7239n/: Change memory access permission in MPU

[namanjain7]

Memory region is accessible only in priviledge mode. Unprivileged code cannot access it at all. This commit protects critical system memory (kernel region) from app memory.

[ewoodev]

firstly, BSP MPU setting is only PRIV, this loading logic is allow UNPRIV

[ewoodev]

Could you please it also?

[ewoodev]

please check it also

[ewoodev]

please check it also

[Poly-J]

Hello @namanjain7 @ewoodev

During internal testing, we found that the Bluetooth app directly uses kernel-space memory. The call path is as follows:

When the BLE server disconnects, ble_server_connected_cb is invoked; with the current Bluetooth architecture, this callback is called directly from the kernel layer.

static ble_server_init_config server_config = {
ble_server_connected_cb,
ble_server_disconnected_cb,
ble_server_mtu_update_cb,
ble_server_passkey_display_cb,
ble_server_pair_bond_cb,
true,
gatt_profile, sizeof(gatt_profile) / sizeof(ble_server_gatt_t)
};

The callback invokes the ble_server_set_adv_data interface. Inside that interface, a local variable is defined: blemgr_msg_s msg = {BLE_CMD_SET_ADV_DATA, BLE_MANAGER_FAIL, (void *)(data), NULL};. That local variable lives in kernel space, yet it is consumed in the BLE message handler task (which belongs to app space). The usage site is:

ble_result_e blemgr_handle_request(blemgr_msg_s *msg) {
trble_result_e ret = TRBLE_FAIL;
blemgr_msg_params queue_msg = {
.evt = msg->event,
.count = 3
};

So we configured the system to allow the app to access kernel space.

[giwon-nam]

Currently, the structure is not such that BLE requests are directly passed from within the callback called from the Kernel thread.
In the file named ble_response_handler.c, server and client callbacks are wrapped once, so the callback of the application layer is designed to be called by the user thread. (ecode only)
The structure is as follows:
Kernel thread calls response handler callback -> mq enqueue -> user thread mq dequeue -> calls application layer callback
Given this structure, it seems there would be no issues if kernel access is blocked on the user side.

[Poly-J]

Hello @giwon-nam The issue we tested is based on the code on GitHub, and tests related to ble_rmc will have this problem. Can you help me double-check it?

[giwon-nam]

It seems that the issue occurred in the part where the connected callback is called during disconnection on the TP1x Plus.
I will contact Beken and request that during disconnection, only the disconnected callback should be called, and not the connected callback.

[lingzhou2018]

Hi @giwon-nam ,
In the ble_perfs and ble_tester examples, the attribute write callback ble_peri_cb_charact_rmc_sync invokes ble_server_attr_get_data. So this appears to cause the same server disconnection issue, What is the recommended way to avoid this?

[ewoodev]

This state is not safetly..

we didn't receive any report issue about it.
you have to open issue this.

we will apply this PR. Please reslove the ble issue ASAP.

[giwon-nam]

Hello, @lingzhou2018
For now, the ble_server_attr_get_data function you mentioned appears to be functioning without issues.
Currently, on the ecode side, ble_server_attr_get_data is called within the attribute callback invoked by the kernel thread to check what data was written.
It has been confirmed that there are no issues on the ecode side after reflecting the content of the current PR.
If the schedule is urgent, it would be better to merge this PR first and then further analyze why crashes occur in ble_perfs and ble_tester.

[seokhun-eom24]

Automated nightly Codex PR review
PR: #7290 — os/board/bk7239n/: Change memory access permission in MPU
PR URL: #7290
GitHub updatedAt: 2026-04-21T14:47:29Z
Refreshed (UTC): 2026-04-21 17:52:37 UTC
Refreshed (KST): 2026-04-22 02:52:37 KST
Comment model: single evolving Codex-authored PR comment

PR #7290 — os/board/bk7239n/: Change memory access permission in MPU

This review done by codex. AI reviews can be inaccurate.
UTC: 2026-04-21 17:51 UTC
KST (UTC+9): 2026-04-22 02:51 KST

---

Repository: Samsung/TizenRT

Base → Head: master → pr/7290

HEAD Commit: cec81a8431d1b65f85528a462ee4044ab3c119e4

Scope: Review the single MPU policy change in os/board/bk7239n/src/middleware/soc/bk7239n/mpu_cfg_s.c and its impact on the active bk7239n protected/non-XIP/XIP layouts.

---

Review Summary

Category	Status
Build / Compile Status	⚠️ Not run
Functional Correctness	✅ No blocking defect found in static review
Validation Coverage	⚠️ Missing protected-build runtime evidence

Final Verdict: 💬 Comment

---

Must-Fix Issues

No blocking issues found in static review.

---

Nice-to-Have Improvements

1. Add protected-build boot coverage for the tightened MPU windows

Item	Details
Location	os/board/bk7239n/src/middleware/soc/bk7239n/mpu_cfg_s.c:107
Severity	Medium
Type	Validation

Problem
This patch flips the coarse non-secure SRAM, peripheral, and PSRAM windows from MPU_UN_PRIV_RW to MPU_PRIV_RW in the CONFIG_SPE=0 path that bk7239n builds actually compile (os/board/bk7239n/src/middleware/soc/bk7239n/Make.defs:52-58). The review did not find PR-side boot or runtime evidence for the protected bk7239n images that use those windows.

Impact

• Static review confidence stays limited for loadable_all, loadable_apps, and xip_all, all of which place their non-secure RAM window under the 0x38000000 alias (build/configs/bk7239n/scripts/bk7239n_bsp_loadable_all.ld:24-25,45, build/configs/bk7239n/scripts/bk7239n_bsp_ns.ld:24-25,45).
• If any common/app binary path is missing the expected compensating MPU setup, the regression will show up as an MPU fault during boot, binary load, or the first user-mode access after up_mpuinitialize().

Recommended Action

• Boot the protected bk7239n configurations touched by this file and attach the result to the PR.
• At minimum, validate that common/app binaries still start after the board-specific MPU policy is applied and after TizenRT installs per-binary MPU regions (os/binfmt/binfmt_arch_apis.c:33-72).
• If the intended protection depends on a narrower kernel-only carve-out, document that assumption next to bk_mpu_init() or split the coarse region so the kernel slice is privileged-only without relying on unstated runtime behavior.

Example Validation Matrix

Area	Example Target / Check	Result
Protected loadable image	build/configs/bk7239n/loadable_all boots without MPU fault after up_mpuinitialize()	Not Run
Protected app-separated image	build/configs/bk7239n/loadable_apps launches common/app binaries and basic syscalls still work	Not Run
Protected XIP image	build/configs/bk7239n/xip_all boots and runs a user task without permission fault	Not Run

---

Notable Improvements

Use this section to acknowledge changes that are clearly correct or materially better.

✔ The patch updates the whole coarse policy set, not just one alias

• The change consistently tightens every affected board-specific window in bk_mpu_init() instead of leaving SRAM, peripheral, and PSRAM handling out of sync.
• That keeps the privilege policy internally consistent with the PR's stated goal of preventing unprivileged access to kernel-owned ranges.

✔ The PR touches the active bk7239n MPU source file

• os/board/bk7239n/src/middleware/soc/bk7239n/Make.defs:52-58 selects mpu_cfg_s.c whenever CONFIG_SPE=0, which is what the published bk7239n defconfigs use.
• That means the patch is aimed at the path that actually matters for current bk7239n builds, not a dormant alternate source file.

---

Final Assessment

Must-Fix Summary

• No blocking defect was proven from the code walk alone.

Nice-to-Have Summary

• Add protected-build boot/runtime evidence for the tightened MPU policy before relying on this change in shipped bk7239n images.

Residual Risk / Test Gap

• Static review only; no build, boot, or board-level validation was run in this review.
• The changed file affects coarse MPU windows for protected bk7239n layouts, so runtime coverage matters more than usual.

---

Final Verdict

💬 Comment

The patch is directionally reasonable and I did not find a code-level blocker in the surrounding MPU setup. I am stopping at Comment rather than Approve because the PR does not show runtime proof for the protected bk7239n images whose coarse RAM/peripheral/PSRAM windows were tightened.

[amandeep-samsung]

MPU PRIV is applied to all defined 7 MPU regions.