5.22.2.2. RM safety checker

The RM Safety Checker is designed to ensure the integrity of register configurations within the Resource Management (RM) module. The Safety Application utilizes the Safety Checker APIs, running in the Safety Core, to manage configuration registers. These APIs involve reading the configuration data, and periodically validating the configuration to ensure it remains unchanged.

5.22.2.2.1. Introduction

RM safety checker library APIs are integrated into the safety application to verify the RM modules configurations and validate the current RM module configurations against golden reference.

The safety checker register read configurations design follows a generic pattern, applicable to various modules within the system.

  1. To retrieve the configuration of a RM module, a dedicated API is provided.

  2. When invoking the configuration register read APIs, it collects the corresponding configuration for devices present on the platform. The collected configuration shall be stored in an memory array.

Similar to the register read process, the verification of register configurations follows a generic approach.

  1. To verify the current register configuration of a RM module, a dedicated RM verification API is provided.

  2. When invoking the RM verification API, it collects the current configuration for devices present on the platform. Subsequently, it compares this configuration with the received register configuration.

  3. The comparison process ensures that any changes between the current configuration and the reference configuration are identified and returns an error message to the application.

For RM module, the safety checkers API monitors the following configuration registers:

  1. IR config registers

  2. IA IMAP config registers

  3. Ring Accelerator config registers

  4. DMA config registers

Upon confirmation of the safety loop, the Safety Application initiates the generation of a golden reference. This is achieved by calling the RM module register read APIs via the Safety Checker APIs. The retrieved configuration data serves as the benchmark for subsequent validations and is saved for one-time use. Following the establishment of the golden reference, the Safety Application continuously monitors the configuration registers within the safety loop. This is accomplished by calling the RM module verify API at regular intervals. Any deviation from the golden reference receives an error message, signaling potential changes to the configuration.

By adopting this design, the system can efficiently manage and verify the configuration of various modules.

Safety application shall consider below recommendations for robust operation of the safety checker APIs:

  1. Memory allocated for golden register reference shall be firewall protected

  2. Implement appropriate MPU configurations to isolate safety application memory from other applications

  3. Implement a watchdog timeout for safety checker API handling

5.22.2.2.1.1. Read the configuration data for RM module

The first step involves reading the configuration registers of RM module. This initialization step is performed once at the start of the safety loop. Call the RM register read API to access the configuration registers via the Safety Checkers APIs running in the Safety Core. This step initializes the Safety Application and gathers the initial configuration data.

For RM, use the following API to read RM module configuration registers:

  1. SafetyCheckers_rmGetRegCfg

../../_images/RM_regRead.png

5.22.2.2.1.2. Saving as Golden Reference

After the Safety Application reads the configuration registers for RM module using the Safety Checker library API, the configuration data shall be saved as the golden reference. This serves as the benchmark for subsequent validations. This is accomplished by saving the received pointer data to a file. The saved data represents the golden configuration, against which subsequent readings will be compared.

After saving the register configurations into a header file, the user shall call the RM verify register config APIs inside the safety loop, passing the register buffer pointer from the saved header file. The user’s application has to be rebuilt with the golden reference array buffer to incorporate the changes in the array buffer. Now, the user application shall include only RM module verify APIs, passing the golden dump array pointer, which will be executed inside the safety loop.

The user should implement firewall based protection for golden reference and also create a checksum for the golden reference to ensure validity of the golden reference data.

Note: This step of reading and saving the configuration data should be done only once, upon freezing the safety loop. The saved data serves as the benchmark for comparison in later validations.

5.22.2.2.1.3. Verify the configuration data for RM module

After saving the golden reference, rebuild the application with the golden registers incorporated into it. This ensures that the safety checker verify APIs have access to the correct golden reference for comparison during runtime. Call the RM checker verify API which continuously monitor the configuration registers within the safety loop. Verify API compares the current configuration registers against the golden reference to detect any changes. If changes are detected, verify API returns the error message to notify users of potential alterations to the configuration.

For RM, utilize the following APIs to verify the current RM configuration registers:

  1. SafetyCheckers_rmVerifyRegCfg

../../_images/RM_regValidate.png

5.22.2.2.2. Features Supported

The module supports below API’s for the application

  1. API to get the configurations registers for RM modules such as IR, IA IMAP, Ring Accelerator and DMA config registers.

  2. API to read RM module registers at run time and validate they are matching with golden state for modules in the safety loop.

5.22.2.2.3. APIs

RM Safety Checker (RM-SC) provides APIs to read the RM modules configuration registers and validate the RM modules configuration against the Golden Reference.

1. SafetyCheckers_rmGetRegCfg(uintptr_t * rmRegCfg,uint32_t size)

API to get the register value for all the RM control modules E.g. When the RM register configuration is requested, SafetyCheckers_rmGetRegCfg collects the register configuration values for all the RM control module by getting the base address and the length from the structure. The collected dump shall be considered as a golden sample and shall be returned to the application. Register values from the RM control modules IR, IA, RA and DMA are used for taking the register dump.

Parameters :

rmRegCfg     [IN/OUT] Pointer to store the Register configuration
size    [IN]     Size of reg cfg array

Returns :

SAFETY_CHECKERS_SOK in case of success,else failure.

2. SafetyCheckers_rmVerifyRegCfg(const uintptr_t * rmRegCfg,uint32_t size)

API to read back and compare the RM control module registers data E.g. When the RM verify register dump is requested, SafetyCheckers_rmVerifyRegCfg API collects the value for RM registers and compares with the received register values. Register values from the RM control modules IR, IA, RA and DMA are used for verifying the register dump.

Parameters :

rmRegCfg     [IN] Pointer of the golden sample
size    [IN] Size of reg dump pointer

Returns :

SAFETY_CHECKERS_SOK in case of success else failure

5.22.2.2.4. Example Usage

The following shows an example of RM safety checkers API usage

Include the below file to access the APIs

#include "../../src/safety_checkers_rm.h"

Below API returns the rmRegCfg with register configuration for RM module which shall be saved as golden reference:

SafetyCheckers_rmGetRegCfg(rmRegCfg, size);

Below API compares the saved rmRegCfg with runtime RM configuration values and return success or failure:

if(gflag == 1)
{
     gflag = 0;
     retVal = SafetyCheckers_rmVerifyRegCfg(rmRegCfg, size);

     if(retVal != 0)
     {
             DebugP_log("Register Mismatch\r\n");
     } else{
             DebugP_log("No Register Mismatch\r\n");
     }
}

5.22.2.2.5. Sample Output

RM register test pass!!
RM register change verified
RM error condition check test passed
Time taken for the execution of RM register dump and readback : 4842usecs
All tests have PASSED.