Merge branch 'master' into mingxguo-fuzzing-mvp

2020-10-05 11:58:41 +02:00
parent 9493014b13 079c0a415a
commit 3c23206641
8 changed files with 537 additions and 95 deletions
--- a/libraries/persistent_store/src/bitfield.rs
+++ b/libraries/persistent_store/src/bitfield.rs
@@ -0,0 +1,376 @@
 // Copyright 2019-2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 //! Helps manipulate bit fields in 32-bits words.
 // TODO(ia0): Remove when the module is used.
 #![cfg_attr(not(test), allow(dead_code, unused_macros))]
 use crate::{StoreError, StoreResult};
 /// Represents a bit field.
 ///
 /// A bit field is a contiguous sequence of bits in a 32-bits word.
 ///
 /// # Invariant
 ///
 /// - The bit field must fit in a 32-bits word: `pos + len < 32`.
 pub struct Field {
    /// The position of the bit field.
    pub pos: usize,
    /// The length of the bit field.
    pub len: usize,
 }
 impl Field {
    /// Reads the value of a bit field.
    pub fn get(&self, word: u32) -> usize {
        ((word >> self.pos) & self.mask()) as usize
    }
    /// Sets the value of a bit field.
    ///
    /// # Preconditions
    ///
    /// - The value must fit in the bit field: `num_bits(value) < self.len`.
    /// - The value must only change bits from 1 to 0: `self.get(*word) & value == value`.
    pub fn set(&self, word: &mut u32, value: usize) {
        let value = value as u32;
        debug_assert_eq!(value & self.mask(), value);
        let mask = !(self.mask() << self.pos);
        *word &= mask | (value << self.pos);
        debug_assert_eq!(self.get(*word), value as usize);
    }
    /// Returns a bit mask the length of the bit field.
    ///
    /// The mask is meant to be applied on a value. It should be shifted to be applied to the bit
    /// field.
    fn mask(&self) -> u32 {
        (1 << self.len) - 1
    }
 }
 /// Represents a constant bit field.
 ///
 /// # Invariant
 ///
 /// - The value must fit in the bit field: `num_bits(value) <= field.len`.
 pub struct ConstField {
    /// The bit field.
    pub field: Field,
    /// The constant value.
    pub value: usize,
 }
 impl ConstField {
    /// Checks that the bit field has its value.
    pub fn check(&self, word: u32) -> bool {
        self.field.get(word) == self.value
    }
    /// Sets the bit field to its value.
    pub fn set(&self, word: &mut u32) {
        self.field.set(word, self.value);
    }
 }
 /// Represents a single bit.
 ///
 /// # Invariant
 ///
 /// - The bit must fit in a 32-bits word: `pos < 32`.
 pub struct Bit {
    /// The position of the bit.
    pub pos: usize,
 }
 impl Bit {
    /// Returns whether the value of the bit is zero.
    pub fn get(&self, word: u32) -> bool {
        word & (1 << self.pos) == 0
    }
    /// Sets the value of the bit to zero.
    pub fn set(&self, word: &mut u32) {
        *word &= !(1 << self.pos);
    }
 }
 /// Represents a checksum.
 ///
 /// A checksum is a bit field counting how many bits are set to zero in the word (except in the
 /// checksum itself) plus some external increment. It essentially behaves like a bit field storing
 /// the external increment.
 pub struct Checksum {
    /// The bit field
    pub field: Field,
 }
 impl Checksum {
    /// Reads the external increment from the checksum.
    ///
    /// # Errors
    ///
    /// Returns `InvalidStorage` if the external increment would be negative.
    pub fn get(&self, word: u32) -> StoreResult<usize> {
        let checksum = self.field.get(word);
        let zeros = word.count_zeros() as usize - (self.field.len - checksum.count_ones() as usize);
        checksum
            .checked_sub(zeros)
            .ok_or(StoreError::InvalidStorage)
    }
    /// Sets the checksum to the external increment value.
    ///
    /// # Preconditions
    ///
    /// - The bits of the checksum bit field should be set to one: `self.field.get(*word) ==
    ///   self.field.mask()`.
    /// - The checksum value should fit in the checksum bit field: `num_bits(word.count_zeros() +
    ///   value) < self.field.len`.
    pub fn set(&self, word: &mut u32, value: usize) {
        debug_assert_eq!(self.field.get(*word), self.field.mask() as usize);
        self.field.set(word, word.count_zeros() as usize + value);
    }
 }
 /// Tracks the number of bits used so far.
 ///
 /// # Features
 ///
 /// Only available for tests.
 #[cfg(any(doc, test))]
 pub struct Length {
    /// The position of the next available bit.
    pub pos: usize,
 }
 /// Helps defining contiguous bit fields.
 ///
 /// It takes a sequence of bit field descriptors as argument. A bit field descriptor is one of the
 /// following:
 /// - `$name: Bit,` to define a bit
 /// - `$name: Field <= $max,` to define a bit field of minimum length to store `$max`
 /// - `$name: Checksum <= $max,` to define a checksum of minimum length to store `$max`
 /// - `$name: Length,` to define a length tracker
 /// - `$name: ConstField = [$bits],` to define a constant bit field with value `$bits` (a sequence
 ///   of space-separated bits)
 #[cfg_attr(doc, macro_export)] // For `cargo doc` to produce documentation.
 macro_rules! bitfield {
    ($($input: tt)*) => {
        bitfield_impl! { []{ pos: 0 }[$($input)*] }
    };
 }
 macro_rules! bitfield_impl {
    // Main rules:
    // - Input are bit field descriptors
    // - Position is the number of bits used by prior bit fields
    // - Output are the bit field definitions
    ([$($output: tt)*]{ pos: $pos: expr }[$name: ident: Bit, $($input: tt)*]) => {
        bitfield_impl! {
            [$($output)* const $name: Bit = Bit { pos: $pos };]
            { pos: $pos + 1 }
            [$($input)*]
        }
    };
    ([$($output: tt)*]{ pos: $pos: expr }[$name: ident: Field <= $max: expr, $($input: tt)*]) => {
        bitfield_impl! {
            [$($output)* const $name: Field = Field { pos: $pos, len: num_bits($max) };]
            { pos: $pos + $name.len }
            [$($input)*]
        }
    };
    ([$($output: tt)*]{ pos: $pos: expr }
     [$name: ident: Checksum <= $max: expr, $($input: tt)*]) => {
        bitfield_impl! {
            [$($output)* const $name: Checksum = Checksum {
                field: Field { pos: $pos, len: num_bits($max) }
            };]
            { pos: $pos + $name.field.len }
            [$($input)*]
        }
    };
    ([$($output: tt)*]{ pos: $pos: expr }
     [$(#[$meta: meta])* $name: ident: Length, $($input: tt)*]) => {
        bitfield_impl! {
            [$($output)* $(#[$meta])* const $name: Length = Length { pos: $pos };]
            { pos: $pos }
            [$($input)*]
        }
    };
    ([$($output: tt)*]{ pos: $pos: expr }
     [$name: ident: ConstField = $bits: tt, $($input: tt)*]) => {
        bitfield_impl! {
            Reverse $name []$bits
            [$($output)*]{ pos: $pos }[$($input)*]
        }
    };
    ([$($output: tt)*]{ pos: $pos: expr }[]) => { $($output)* };
    // Auxiliary rules for constant bit fields:
    // - Input is a sequence of bits
    // - Output is the reversed sequence of bits
    (Reverse $name: ident [$($output_bits: tt)*] [$bit: tt $($input_bits: tt)*]
     [$($output: tt)*]{ pos: $pos: expr }[$($input: tt)*]) => {
        bitfield_impl! {
            Reverse $name [$bit $($output_bits)*][$($input_bits)*]
            [$($output)*]{ pos: $pos }[$($input)*]
        }
    };
    (Reverse $name: ident $bits: tt []
     [$($output: tt)*]{ pos: $pos: expr }[$($input: tt)*]) => {
        bitfield_impl! {
            ConstField $name { len: 0, val: 0 }$bits
            [$($output)*]{ pos: $pos }[$($input)*]
        }
    };
    // Auxiliary rules for constant bit fields:
    // - Input is a sequence of bits in reversed order
    // - Output is the constant bit field definition with the sequence of bits as value
    (ConstField $name: ident { len: $len: expr, val: $val: expr }[]
     [$($output: tt)*]{ pos: $pos: expr }[$($input: tt)*]) => {
        bitfield_impl! {
            [$($output)* const $name: ConstField = ConstField {
                field: Field { pos: $pos, len: $len },
                value: $val,
            };]
            { pos: $pos + $name.field.len }
            [$($input)*]
        }
    };
    (ConstField $name: ident { len: $len: expr, val: $val: expr }[$bit: tt $($bits: tt)*]
     [$($output: tt)*]{ pos: $pos: expr }[$($input: tt)*]) => {
        bitfield_impl! {
            ConstField $name { len: $len + 1, val: $val * 2 + $bit }[$($bits)*]
            [$($output)*]{ pos: $pos }[$($input)*]
        }
    };
 }
 /// Counts the number of bits equal to zero in a byte slice.
 pub fn count_zeros(slice: &[u8]) -> usize {
    slice.iter().map(|&x| x.count_zeros() as usize).sum()
 }
 /// Returns the number of bits necessary to represent a number.
 pub const fn num_bits(x: usize) -> usize {
    8 * core::mem::size_of::<usize>() - x.leading_zeros() as usize
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    #[test]
    fn field_ok() {
        let field = Field { pos: 3, len: 5 };
        assert_eq!(field.get(0x00000000), 0);
        assert_eq!(field.get(0x00000007), 0);
        assert_eq!(field.get(0x00000008), 1);
        assert_eq!(field.get(0x000000f8), 0x1f);
        assert_eq!(field.get(0x0000ff37), 6);
        let mut word = 0xffffffff;
        field.set(&mut word, 3);
        assert_eq!(word, 0xffffff1f);
    }
    #[test]
    fn const_field_ok() {
        let field = ConstField {
            field: Field { pos: 3, len: 5 },
            value: 9,
        };
        assert!(!field.check(0x00000000));
        assert!(!field.check(0x0000ffff));
        assert!(field.check(0x00000048));
        assert!(field.check(0x0000ff4f));
        let mut word = 0xffffffff;
        field.set(&mut word);
        assert_eq!(word, 0xffffff4f);
    }
    #[test]
    fn bit_ok() {
        let bit = Bit { pos: 3 };
        assert!(bit.get(0x00000000));
        assert!(bit.get(0xfffffff7));
        assert!(!bit.get(0x00000008));
        assert!(!bit.get(0xffffffff));
        let mut word = 0xffffffff;
        bit.set(&mut word);
        assert_eq!(word, 0xfffffff7);
    }
    #[test]
    fn checksum_ok() {
        let field = Checksum {
            field: Field { pos: 3, len: 5 },
        };
        assert_eq!(field.get(0x00000000), Err(StoreError::InvalidStorage));
        assert_eq!(field.get(0xffffffff), Ok(31));
        assert_eq!(field.get(0xffffff07), Ok(0));
        assert_eq!(field.get(0xffffff0f), Ok(1));
        assert_eq!(field.get(0x00ffff67), Ok(4));
        assert_eq!(field.get(0x7fffff07), Err(StoreError::InvalidStorage));
        let mut word = 0x0fffffff;
        field.set(&mut word, 4);
        assert_eq!(word, 0x0fffff47);
    }
    #[test]
    fn bitfield_ok() {
        bitfield! {
            FIELD: Field <= 127,
            CONST_FIELD: ConstField = [0 1 0 1],
            BIT: Bit,
            CHECKSUM: Checksum <= 58,
            LENGTH: Length,
        }
        assert_eq!(FIELD.pos, 0);
        assert_eq!(FIELD.len, 7);
        assert_eq!(CONST_FIELD.field.pos, 7);
        assert_eq!(CONST_FIELD.field.len, 4);
        assert_eq!(CONST_FIELD.value, 10);
        assert_eq!(BIT.pos, 11);
        assert_eq!(CHECKSUM.field.pos, 12);
        assert_eq!(CHECKSUM.field.len, 6);
        assert_eq!(LENGTH.pos, 18);
    }
    #[test]
    fn count_zeros_ok() {
        assert_eq!(count_zeros(&[0xff, 0xff]), 0);
        assert_eq!(count_zeros(&[0xff, 0xfe]), 1);
        assert_eq!(count_zeros(&[0x7f, 0xff]), 1);
        assert_eq!(count_zeros(&[0x12, 0x48]), 12);
        assert_eq!(count_zeros(&[0x00, 0x00]), 16);
    }
    #[test]
    fn num_bits_ok() {
        assert_eq!(num_bits(0), 0);
        assert_eq!(num_bits(1), 1);
        assert_eq!(num_bits(2), 2);
        assert_eq!(num_bits(3), 2);
        assert_eq!(num_bits(4), 3);
        assert_eq!(num_bits(5), 3);
        assert_eq!(num_bits(8), 4);
        assert_eq!(num_bits(9), 4);
        assert_eq!(num_bits(16), 5);
    }
 }
--- a/libraries/persistent_store/src/lib.rs
+++ b/libraries/persistent_store/src/lib.rs
@@ -14,6 +14,10 @@
 #![cfg_attr(not(feature = "std"), no_std)]
 #[macro_use]
 mod bitfield;
 mod storage;
 mod store;
 pub use self::storage::{Storage, StorageError, StorageIndex, StorageResult};
 pub use self::store::{StoreError, StoreResult};
--- a/libraries/persistent_store/src/store.rs
+++ b/libraries/persistent_store/src/store.rs
@@ -0,0 +1,63 @@
 // Copyright 2019-2020 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 use crate::StorageError;
 #[derive(Debug, PartialEq, Eq)]
 pub enum StoreError {
    /// Invalid argument.
    ///
    /// The store is left unchanged. The operation will repeatedly fail until the argument is fixed.
    InvalidArgument,
    /// Not enough capacity.
    ///
    /// The store is left unchanged. The operation will repeatedly fail until capacity is freed.
    NoCapacity,
    /// Reached end of lifetime.
    ///
    /// The store is left unchanged. The operation will repeatedly fail until emergency lifetime is
    /// added.
    NoLifetime,
    /// A storage operation failed.
    ///
    /// The consequences depend on the storage failure. In particular, the operation may or may not
    /// have succeeded, and the storage may have become invalid. Before doing any other operation,
    /// the store should be [recovered]. The operation may then be retried if idempotent.
    ///
    /// [recovered]: struct.Store.html#method.recover
    StorageError,
    /// Storage is invalid.
    ///
    /// The storage should be erased and the store [recovered]. The store would be empty and have
    /// lost track of lifetime.
    ///
    /// [recovered]: struct.Store.html#method.recover
    InvalidStorage,
 }
 impl From<StorageError> for StoreError {
    fn from(error: StorageError) -> StoreError {
        match error {
            StorageError::CustomError => StoreError::StorageError,
            // The store always calls the storage correctly.
            StorageError::NotAligned | StorageError::OutOfBounds => unreachable!(),
        }
    }
 }
 pub type StoreResult<T> = Result<T, StoreError>;
--- a/patches/tock/01-persistent-storage.patch
+++ b/patches/tock/01-persistent-storage.patch
@@ -1,11 +1,11 @@
 diff --git a/boards/nordic/nrf52840_dongle/src/main.rs b/boards/nordic/nrf52840_dongle/src/main.rs
-index fc53f59..d72d204 100644
+index fc53f59c8..d72d20482 100644
 --- a/boards/nordic/nrf52840_dongle/src/main.rs
 +++ b/boards/nordic/nrf52840_dongle/src/main.rs
@@ -55,6 +55,11 @@ const NUM_PROCS: usize = 8;
 static mut PROCESSES: [Option<&'static dyn kernel::procs::ProcessType>; NUM_PROCS] =
     [None; NUM_PROCS];
-
+ 
 +static mut STORAGE_LOCATIONS: [kernel::StorageLocation; 1] = [kernel::StorageLocation {
 +    address: 0xC0000,
 +    size: 0x40000,
@@ -13,16 +13,16 @@ index fc53f59..d72d204 100644
 +
 // Static reference to chip for panic dumps
 static mut CHIP: Option<&'static nrf52840::chip::Chip> = None;
-
+ 
@@ -90,6 +95,7 @@ pub struct Platform {
         'static,
         capsules::virtual_alarm::VirtualMuxAlarm<'static, nrf52840::rtc::Rtc<'static>>,
     >,
 +    nvmc: &'static nrf52840::nvmc::SyscallDriver,
 }
-
+ 
 impl kernel::Platform for Platform {
-@@ -108,19 +114,42 @@ impl kernel::Platform for Platform {
+@@ -108,10 +114,30 @@ impl kernel::Platform for Platform {
             capsules::ieee802154::DRIVER_NUM => f(Some(self.ieee802154_radio)),
             capsules::temperature::DRIVER_NUM => f(Some(self.temp)),
             capsules::analog_comparator::DRIVER_NUM => f(Some(self.analog_comparator)),
@@ -51,25 +51,24 @@ index fc53f59..d72d204 100644
 +        }
 +    }
 }
-
+ 
 /// Entry point in the vector table called on hard reset.
- #[no_mangle]
+@@ -120,7 +146,10 @@ pub unsafe fn reset_handler() {
 pub unsafe fn reset_handler() {
     // Loads relocations and clears BSS
     nrf52840::init();
-
+ 
 -    let board_kernel = static_init!(kernel::Kernel, kernel::Kernel::new(&PROCESSES));
 +    let board_kernel = static_init!(
 +        kernel::Kernel,
 +        kernel::Kernel::new_with_storage(&PROCESSES, &STORAGE_LOCATIONS)
 +    );
-
+ 
     // GPIOs
     let gpio = components::gpio::GpioComponent::new(
@@ -286,6 +315,14 @@ pub unsafe fn reset_handler() {
         nrf52840::acomp::Comparator
     ));
-
+ 
 +    let nvmc = static_init!(
 +        nrf52840::nvmc::SyscallDriver,
 +        nrf52840::nvmc::SyscallDriver::new(
@@ -79,7 +78,7 @@ index fc53f59..d72d204 100644
 +    );
 +
     nrf52_components::NrfClockComponent::new().finalize(());
-
+ 
     let platform = Platform {
@@ -300,6 +337,7 @@ pub unsafe fn reset_handler() {
         temp,
@@ -88,22 +87,22 @@ index fc53f59..d72d204 100644
 +        nvmc,
         ipc: kernel::ipc::IPC::new(board_kernel, &memory_allocation_capability),
     };
-
+ 
 diff --git a/boards/nordic/nrf52840dk/src/main.rs b/boards/nordic/nrf52840dk/src/main.rs
-index 169f3d3..2ebb384 100644
+index 169f3d393..2ebb384d8 100644
 --- a/boards/nordic/nrf52840dk/src/main.rs
 +++ b/boards/nordic/nrf52840dk/src/main.rs
@@ -123,6 +123,11 @@ const NUM_PROCS: usize = 8;
 static mut PROCESSES: [Option<&'static dyn kernel::procs::ProcessType>; NUM_PROCS] =
     [None; NUM_PROCS];
-
+ 
 +static mut STORAGE_LOCATIONS: [kernel::StorageLocation; 1] = [kernel::StorageLocation {
 +    address: 0xC0000,
 +    size: 0x40000,
 +}];
 +
 static mut CHIP: Option<&'static nrf52840::chip::Chip> = None;
-
+ 
 /// Dummy buffer that causes the linker to reserve enough space for the stack.
@@ -158,6 +163,7 @@ pub struct Platform {
         capsules::virtual_alarm::VirtualMuxAlarm<'static, nrf52840::rtc::Rtc<'static>>,
@@ -111,7 +110,7 @@ index 169f3d3..2ebb384 100644
     nonvolatile_storage: &'static capsules::nonvolatile_storage_driver::NonvolatileStorage<'static>,
 +    nvmc: &'static nrf52840::nvmc::SyscallDriver,
 }
-
+ 
 impl kernel::Platform for Platform {
@@ -177,10 +183,30 @@ impl kernel::Platform for Platform {
             capsules::temperature::DRIVER_NUM => f(Some(self.temp)),
@@ -142,24 +141,24 @@ index 169f3d3..2ebb384 100644
 +        }
 +    }
 }
-
+ 
 /// Entry point in the vector table called on hard reset.
@@ -204,7 +230,10 @@ pub unsafe fn reset_handler() {
         UartChannel::Pins(UartPins::new(UART_RTS, UART_TXD, UART_CTS, UART_RXD))
     };
-
+ 
 -    let board_kernel = static_init!(kernel::Kernel, kernel::Kernel::new(&PROCESSES));
 +    let board_kernel = static_init!(
 +        kernel::Kernel,
 +        kernel::Kernel::new_with_storage(&PROCESSES, &STORAGE_LOCATIONS)
 +    );
-
+ 
     let gpio = components::gpio::GpioComponent::new(
         board_kernel,
@@ -411,6 +440,14 @@ pub unsafe fn reset_handler() {
         nrf52840::acomp::Comparator
     ));
-
+ 
 +    let nvmc = static_init!(
 +        nrf52840::nvmc::SyscallDriver,
 +        nrf52840::nvmc::SyscallDriver::new(
@@ -169,7 +168,7 @@ index 169f3d3..2ebb384 100644
 +    );
 +
     nrf52_components::NrfClockComponent::new().finalize(());
-
+ 
     let platform = Platform {
@@ -426,6 +463,7 @@ pub unsafe fn reset_handler() {
         alarm,
@@ -178,33 +177,32 @@ index 169f3d3..2ebb384 100644
 +        nvmc,
         ipc: kernel::ipc::IPC::new(board_kernel, &memory_allocation_capability),
     };
-
+ 
 diff --git a/chips/nrf52/src/nvmc.rs b/chips/nrf52/src/nvmc.rs
-index b70162c..9dcb82b 100644
+index b70162cae..9dcb82b07 100644
 --- a/chips/nrf52/src/nvmc.rs
 +++ b/chips/nrf52/src/nvmc.rs
-@@ -3,15 +3,16 @@
+@@ -3,6 +3,7 @@
 //! Used in order read and write to internal flash.
-
+ 
 use core::cell::Cell;
 +use core::convert::TryFrom;
 use core::ops::{Index, IndexMut};
 use kernel::common::cells::OptionalCell;
 use kernel::common::cells::TakeCell;
- use kernel::common::cells::VolatileCell;
+@@ -11,7 +12,7 @@ use kernel::common::deferred_call::DeferredCall;
 use kernel::common::deferred_call::DeferredCall;
 use kernel::common::registers::{register_bitfields, ReadOnly, ReadWrite};
 use kernel::common::StaticRef;
 use kernel::hil;
 -use kernel::ReturnCode;
 +use kernel::{AppId, AppSlice, Callback, Driver, Grant, ReturnCode, Shared};
-
+ 
 use crate::deferred_call_tasks::DeferredCallTask;
-
+ 
@@ -141,7 +142,13 @@ register_bitfields! [u32,
 static DEFERRED_CALL: DeferredCall<DeferredCallTask> =
     unsafe { DeferredCall::new(DeferredCallTask::Nvmc) };
-
+ 
 +type WORD = u32;
 +const WORD_SIZE: usize = core::mem::size_of::<WORD>();
 const PAGE_SIZE: usize = 4096;
@@ -212,13 +210,13 @@ index b70162c..9dcb82b 100644
 +const MAX_PAGE_ERASES: usize = 10000;
 +const WORD_MASK: usize = WORD_SIZE - 1;
 +const PAGE_MASK: usize = PAGE_SIZE - 1;
-
+ 
 /// This is a wrapper around a u8 array that is sized to a single page for the
 /// nrf. Users of this module must pass an object of this type to use the
@@ -219,6 +226,11 @@ impl Nvmc {
         }
     }
-
+ 
 +    pub fn configure_readonly(&self) {
 +        let regs = &*self.registers;
 +        regs.config.write(Configuration::WEN::Ren);
@@ -235,11 +233,11 @@ index b70162c..9dcb82b 100644
 +        regs.eraseuicr.write(EraseUicr::ERASEUICR::ERASE);
         while !self.is_ready() {}
     }
-
+ 
@@ -326,7 +338,7 @@ impl Nvmc {
         // Put the NVMC in write mode.
         regs.config.write(Configuration::WEN::Wen);
-
+ 
 -        for i in (0..data.len()).step_by(4) {
 +        for i in (0..data.len()).step_by(WORD_SIZE) {
             let word: u32 = (data[i + 0] as u32) << 0
@@ -427,7 +425,7 @@ index b70162c..9dcb82b 100644
 +    }
 +}
 diff --git a/kernel/src/lib.rs b/kernel/src/lib.rs
-index dbe5035..428d90c 100644
+index dbe503515..428d90c29 100644
 --- a/kernel/src/lib.rs
 +++ b/kernel/src/lib.rs
@@ -123,7 +123,7 @@ pub use crate::sched::cooperative::{CoopProcessNode, CooperativeSched};
@@ -436,17 +434,17 @@ index dbe5035..428d90c 100644
 pub use crate::sched::round_robin::{RoundRobinProcessNode, RoundRobinSched};
 -pub use crate::sched::{Kernel, Scheduler};
 +pub use crate::sched::{Kernel, Scheduler, StorageLocation};
-
+ 
 // Export only select items from the process module. To remove the name conflict
 // this cannot be called `process`, so we use a shortened version. These
 diff --git a/kernel/src/memop.rs b/kernel/src/memop.rs
-index 348c746..5465c95 100644
+index 348c746a5..5465c95f4 100644
 --- a/kernel/src/memop.rs
 +++ b/kernel/src/memop.rs
@@ -108,6 +108,25 @@ pub(crate) fn memop(process: &dyn ProcessType, op_type: usize, r1: usize) -> Ret
             ReturnCode::SUCCESS
         }
-
+ 
 +        // Op Type 12: Number of storage locations.
 +        12 => ReturnCode::SuccessWithValue { value: process.number_storage_locations() },
 +
@@ -470,13 +468,13 @@ index 348c746..5465c95 100644
     }
 }
 diff --git a/kernel/src/process.rs b/kernel/src/process.rs
-index 4dfde3b..0ceff3e 100644
+index 4dfde3b4f..8380af673 100644
 --- a/kernel/src/process.rs
 +++ b/kernel/src/process.rs
@@ -360,6 +360,15 @@ pub trait ProcessType {
     /// writeable flash region.
     fn get_writeable_flash_region(&self, region_index: usize) -> (u32, u32);
-
+ 
 +    /// How many storage locations are defined for this process.
 +    fn number_storage_locations(&self) -> usize;
 +
@@ -489,10 +487,10 @@ index 4dfde3b..0ceff3e 100644
     /// Debug function to update the kernel on where the stack starts for this
     /// process. Processes are not required to call this through the memop
     /// system call, but it aids in debugging the process.
-@@ -1015,6 +1024,32 @@ impl<C: Chip> ProcessType for Process<'_, C> {
+@@ -1015,6 +1024,35 @@ impl<C: Chip> ProcessType for Process<'_, C> {
         self.header.get_writeable_flash_region(region_index)
     }
-
+ 
 +    fn number_storage_locations(&self) -> usize {
 +        self.kernel.storage_locations().len()
 +    }
@@ -502,30 +500,33 @@ index 4dfde3b..0ceff3e 100644
 +    }
 +
 +    fn fits_in_storage_location(&self, ptr: usize, len: usize) -> bool {
-+        self.kernel.storage_locations().iter().any(|storage_location| {
+        self.kernel
-+            let storage_ptr = storage_location.address;
+            .storage_locations()
-+            let storage_len = storage_location.size;
+            .iter()
-+            // We want to check the 2 following inequalities:
+            .any(|storage_location| {
-+            // (1) `storage_ptr <= ptr`
+                let storage_ptr = storage_location.address;
-+            // (2) `ptr + len <= storage_ptr + storage_len`
+                let storage_len = storage_location.size;
-+            // However, the second one may overflow written as is. We introduce a third
+                // We want to check the 2 following inequalities:
-+            // inequality to solve this issue:
+                // (1) `storage_ptr <= ptr`
-+            // (3) `len <= storage_len`
+                // (2) `ptr + len <= storage_ptr + storage_len`
-+            // Using this third inequality, we can rewrite the second one as:
+                // However, the second one may overflow written as is. We introduce a third
-+            // (4) `ptr - storage_ptr <= storage_len - len`
+                // inequality to solve this issue:
-+            // This fourth inequality is equivalent to the second one but doesn't overflow when
+                // (3) `len <= storage_len`
-+            // the first and third inequalities hold.
+                // Using this third inequality, we can rewrite the second one as:
-+            storage_ptr <= ptr && len <= storage_len && ptr - storage_ptr <= storage_len - len
+                // (4) `ptr - storage_ptr <= storage_len - len`
-+        })
+                // This fourth inequality is equivalent to the second one but doesn't overflow when
 +                // the first and third inequalities hold.
 +                storage_ptr <= ptr && len <= storage_len && ptr - storage_ptr <= storage_len - len
 +            })
 +    }
 +
     fn update_stack_start_pointer(&self, stack_pointer: *const u8) {
         if stack_pointer >= self.mem_start() && stack_pointer < self.mem_end() {
             self.debug.map(|debug| {
-@@ -1664,6 +1699,33 @@ impl<C: 'static + Chip> Process<'_, C> {
+@@ -1664,6 +1702,33 @@ impl<C: 'static + Chip> Process<'_, C> {
             return Err(ProcessLoadError::MpuInvalidFlashLength);
         }
-
+ 
 +        // Allocate MPU region for the storage locations. The storage locations are currently
 +        // readable by all processes due to lack of stable app id.
 +        for storage_location in kernel.storage_locations() {
@@ -557,13 +558,13 @@ index 4dfde3b..0ceff3e 100644
         // memory space just for kernel and grant state. We need to make
         // sure we allocate enough memory just for that.
 diff --git a/kernel/src/sched.rs b/kernel/src/sched.rs
-index 88eea40..ed3ae82 100644
+index 88eea4042..ed3ae8260 100644
 --- a/kernel/src/sched.rs
 +++ b/kernel/src/sched.rs
-@@ -118,15 +118,24 @@ pub enum SchedulingDecision {
+@@ -118,6 +118,12 @@ pub enum SchedulingDecision {
     TrySleep,
 }
-
+ 
 +/// Represents a storage location in flash.
 +pub struct StorageLocation {
 +    pub address: usize,
@@ -573,12 +574,10 @@ index 88eea40..ed3ae82 100644
 /// Main object for the kernel. Each board will need to create one.
 pub struct Kernel {
     /// How many "to-do" items exist at any given time. These include
-     /// outstanding callbacks and processes in the Running state.
+@@ -127,6 +133,9 @@ pub struct Kernel {
     work: Cell<usize>,
     /// This holds a pointer to the static array of Process pointers.
     processes: &'static [Option<&'static dyn process::ProcessType>],
-
+ 
 +    /// List of storage locations.
 +    storage_locations: &'static [StorageLocation],
 +
@@ -586,7 +585,7 @@ index 88eea40..ed3ae82 100644
     /// created. This is used to create new unique identifiers for processes.
     process_identifier_max: Cell<usize>,
@@ -170,9 +179,17 @@ pub enum StoppedExecutingReason {
-
+ 
 impl Kernel {
     pub fn new(processes: &'static [Option<&'static dyn process::ProcessType>]) -> Kernel {
 +        Kernel::new_with_storage(processes, &[])
@@ -604,7 +603,7 @@ index 88eea40..ed3ae82 100644
             grant_counter: Cell::new(0),
             grants_finalized: Cell::new(false),
@@ -899,4 +916,8 @@ impl Kernel {
-
+ 
         (return_reason, time_executed_us)
     }
 +
--- a/reproducible/reference_binaries_macos-10.15.sha256sum
+++ b/reproducible/reference_binaries_macos-10.15.sha256sum
@@ -1,9 +1,9 @@
 dd5920dfb172d9371b29d019b6a37fae1a995bf9d814000944d9ef36bad31513	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840dk.bin
-8868f4fa542d9dd9c88abfbd84b4527bcd2f4b9ae16caf3098a3d5e73eae0067	target/nrf52840dk_merged.hex
+fe868d9398863ff6e484742d93a4266ee7afa1ac34f9fa5ed570f8309272156a	target/nrf52840dk_merged.hex
 e4acfa602a5cc5d7c61d465f873918e8e0858628d0e5f8e0db26a7b7dd0b94d4	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_dongle.bin
-c162cfdd219306940f919716a4f53d053b0bcfed2963f8787e1098a5163ae704	target/nrf52840_dongle_merged.hex
+acca7d690ecc4733be4606ff9cd491fbc62dc3216ce0b98132e5669c8b2cba29	target/nrf52840_dongle_merged.hex
 c0ace9f13ef3fd18c576a735ae23b3956bf8dd346f20c6217086e748d6bad8a2	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_dongle_dfu.bin
-c1e79ad3aa2c9566c13c5469a389195a3814839b815253ffc4f5325329496b26	target/nrf52840_dongle_dfu_merged.hex
+e5cf030db968b0d78a30683d7278e7481d5e2d385b80e6509e76cfb9392899b2	target/nrf52840_dongle_dfu_merged.hex
 06a38a0d6d356145467a73c765e28a945878f663664016f888393207097bfe10	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_mdk_dfu.bin
-d0b23e0dd0c349ded966fb5563a5a65c3935710d1741ade0ae7d9e06a176f442	target/nrf52840_mdk_dfu_merged.hex
+3735572cccfc0c39540f77e2c55d0a25aa82dd22ad698824fd2630fcbd87f611	target/nrf52840_mdk_dfu_merged.hex
-aacf3873a90bf93f0c51ccc85d0c03642d078865d16c4aeb0b805d1f6865e6ba	target/tab/ctap2.tab
+4d36b3b456de9340e4e18fd595ae25e71298431f73ef17653bb7fb707830a9af	target/tab/ctap2.tab
--- a/reproducible/reference_binaries_ubuntu-18.04.sha256sum
+++ b/reproducible/reference_binaries_ubuntu-18.04.sha256sum
@@ -1,9 +1,9 @@
 2426ee9a6c75e325537818081d45445d95468a4c0a77feacdc6133d7d9aa227a	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840dk.bin
-c8507168c7e81d388641177c17c917b7473c8fe27849678cc7e558c64b33e9f5	target/nrf52840dk_merged.hex
+b4248106097b9d54b882cd1dd1f88710585a3e274ee5edff334dcb2b26c8af51	target/nrf52840dk_merged.hex
 c53d1e1db72df25950fa6d28699a2d38757def0dcbeb0d09d2366481cf0149a6	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_dongle.bin
-103888792b1b81a50e16746f1e2e2bee7cc01599881c464b56d9d7f6ae856c3e	target/nrf52840_dongle_merged.hex
+ac2d36a3c7f8326496c66d1e4aa8a82bbe2d689fe9cd86308f1304393bc125ec	target/nrf52840_dongle_merged.hex
 233b5ba4459523759e3171cee83cdb3a383bbe65727c8ece64dfe5321d6ebe34	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_dongle_dfu.bin
-ca1847ac82a3b3498f79918746f5662863033a0c69300d669e466701f485e3d9	target/nrf52840_dongle_dfu_merged.hex
+aff4b19511486548529f02be3a32bd47bd6329f813aef6e761c15dce8284bfa7	target/nrf52840_dongle_dfu_merged.hex
 1baaf518a74c6077cb936d9cf178b6dd0232e7562fa56174886b05b77886cc32	third_party/tock/target/thumbv7em-none-eabi/release/nrf52840_mdk_dfu.bin
-97f89caa930fde44193d16e3f396584de6044ca4c46092c7275b5b44b9eed774	target/nrf52840_mdk_dfu_merged.hex
+a2f1e440b9c875f0ca1dd0952fd435686dfd1c29d708771b08827ae21fc31c51	target/nrf52840_mdk_dfu_merged.hex
-7e05f90206506e78aa9eec0b1495bf3548d7a0446722c1f40b3a84f674d2ca0e	target/tab/ctap2.tab
+5eb8a111c5eb1554785e86bb8168180ee984ee69bc110d859cad1043b79daa2e	target/tab/ctap2.tab
--- a/reproducible/reference_elf2tab_macos-10.15.txt
+++ b/reproducible/reference_elf2tab_macos-10.15.txt
@@ -6,8 +6,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187352 (0x2dbd8) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187480 (0x2dc58). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -30,8 +30,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187352 (0x2dbd8) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187480 (0x2dc58). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -54,8 +54,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187352 (0x2dbd8) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187480 (0x2dc58). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -78,8 +78,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187352 (0x2dbd8) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187480 (0x2dc58). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
--- a/reproducible/reference_elf2tab_ubuntu-18.04.txt
+++ b/reproducible/reference_elf2tab_ubuntu-18.04.txt
@@ -6,8 +6,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187344 (0x2dbd0) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187472 (0x2dc50). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -30,8 +30,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187344 (0x2dbd0) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187472 (0x2dc50). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -54,8 +54,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187344 (0x2dbd0) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187472 (0x2dc50). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2
@@ -78,8 +78,8 @@ Min RAM size from segments in ELF: 20 bytes
 Number of writeable flash regions: 0
  Adding .crt0_header section. Offset: 64 (0x40). Length: 64 (0x40) bytes.
 Entry point is in .text section
-  Adding .text section. Offset: 128 (0x80). Length: 187008 (0x2da80) bytes.
+  Adding .text section. Offset: 128 (0x80). Length: 187344 (0x2dbd0) bytes.
-  Adding .stack section. Offset: 187136 (0x2db00). Length: 16384 (0x4000) bytes.
+  Adding .stack section. Offset: 187472 (0x2dc50). Length: 16384 (0x4000) bytes.
 Searching for .rel.X sections to add.
 TBF Header:
               version:        2        0x2