CMSIS-RTOS2
Version 2.2.0
Real-Time Operating System: API and RTX Reference Implementation
RTOS Objects and MPU Protection explains that MPU Protected Zones do not provide full access protection to RTOS objects accessed via CMSIS-RTOS2 API. The concept of a safety class fills this gap.
Every RTOS object, including each thread, is assigned a numeric safety class value. A thread cannot modify an RTOS object whose safety class value is higher than the thread's own safety class value. For example, it is not possible to change the priority of, or suspend, a thread that has a higher safety class value than the thread that is currently executing.
Summary of functions and macros that implement safety classes:
Assign Safety Class to an RTOS Object lists CMSIS-RTOS2 API functions that support safety class assignment when creating RTOS objects. Handle Object Access Violation lists CMSIS-RTOS2 API functions that verify safety class assignment before execution.
It is possible to create any object, regardless of its safety class, after the kernel has been initialized with osKernelInitialize but before it is started with osKernelStart. This allows a system to be set up before the RTOS kernel actually starts.
Threads of a higher safety class can create RTOS objects that belong to a lower or same safety class. For the object types listed below, the attr_bits can have an optional safety class value that is assigned when the RTOS object is created with the os<Object>New function. The macro osSafetyClass encodes the value for the attr_bits field in the attr struct. For example:
The following object types support safety class assignment when an object is created with the corresponding os<Object>New function:
If no safety class is provided when creating the RTOS object, it inherits the safety class of the currently running thread that creates it. If the object is created before the kernel is started and no safety class is provided, it receives the default safety class 0. This simplifies the integration of third-party code that can be classified as non-safety critical.
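The creation and access rules above, as an added standalone model that is not code from the CMSIS-RTOS2 project: the attr_bits flag bit, the class field position and the SC_ERROR result are assumptions that stand in for the cmsis_os2.h definitions of osSafetyClass and osErrorSafetyClass.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative encoding of a safety class into attr_bits. The flag and field
 * position are assumed for this example and are not the cmsis_os2.h values. */
#define SC_VALID      (1u << 16)
#define SC_POS        12u
#define SC_MSK        (0xFu << SC_POS)
#define SC_ENCODE(n)  ((((uint32_t)(n) << SC_POS) & SC_MSK) | SC_VALID)

enum { SC_OK = 0, SC_ERROR = -1 };   /* SC_ERROR stands in for osErrorSafetyClass */

/* Object creation. Returns the class the new object receives, or SC_ERROR.
 * Before osKernelStart any class may be requested; afterwards the creating
 * thread may only assign a class not higher than its own. Without an explicit
 * class the object inherits the thread's class, or 0 before kernel start. */
static int new_object_class(bool kernel_started, uint32_t thread_class,
                            uint32_t attr_bits)
{
    if (!(attr_bits & SC_VALID))
        return kernel_started ? (int)thread_class : 0;
    uint32_t requested = (attr_bits & SC_MSK) >> SC_POS;
    if (kernel_started && requested > thread_class)
        return SC_ERROR;
    return (int)requested;
}

/* Check done before an object is manipulated: the target's class must not
 * exceed the running thread's class once the kernel is running. */
static int check_access(bool kernel_started, uint32_t thread_class,
                        uint32_t object_class)
{
    if (!kernel_started)
        return SC_OK;                 /* setup phase: everything allowed */
    return object_class > thread_class ? SC_ERROR : SC_OK;
}

int main(void)
{
    /* Setup phase: a class-3 thread object is created from class-0 context. */
    int t_class = new_object_class(false, 0, SC_ENCODE(3));
    /* After start, a class-1 thread tries to change the class-3 thread's
     * priority: this is the osErrorSafetyClass case. */
    int rc = check_access(true, 1, (uint32_t)t_class);
    printf("class-1 thread modifying class-%d thread: %s\n", t_class,
           rc == SC_OK ? "allowed" : "osErrorSafetyClass");
    return 0;
}
```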
An RTOS API call returns the error code osErrorSafetyClass if the requested object manipulation cannot be performed because the target object has a higher safety class than the running thread. For example:
The following functions compare the safety class of the running thread with the safety class of the target object.
In Kernel Information and Control functions:
The comparison is made against the safety class configured with osKernelProtect.
In Thread Management functions:
In Thread Flags functions:
In Event Flags functions:
In Timer Management functions:
In Mutex Management functions:
In Semaphore functions:
In Memory Pool functions:
In Message Queue functions: