Memory Protection

Virtual Memory MMU

What is an MMU?

A Memory Management Unit (MMU) is part of complex processor CPUs and controls the access of the operating system (kernel) and applications to the main memory. The term "memory" refers to all locations that can be addressed by the CPU and may comprise Read Only Memory (ROM), Random Access Memory (RAM) as well as I/O memory. The MMU provides virtual memory that gives the illusion of a large address space, dedicated to a single process. Those address spaces are usually unique to each process, however their address ranges are typically overlapping. Each chunk of virtual memory (called page) can be mapped to a page in the linear physical memory. While two process may have overlapping virtual memory areas, their mapping to the physical address space is usually distinct. This allows the implementation of complex operating systems with multiple independent processes.

Learn more: PikeOS Product Overview  |  ELinOS Product Overview

Physical Memory MPU

What is an MPU?

In less complex CPUs you will often find a Memory Protection Unit (MPU). This significantly simplifies the chip design, however complex operating systems (such as Linux) cannot be executed. In this case there is exactly one linear physical address space visible to the operating systems as well as all applications and as a consequence, all processes share the same address space. However, read/write access can be explicitly granted to processes by means of MPU regions. The amount of memory regions is limited. One region can cover a contiguous memory range, depending on the architecture the start address and the size of a region might have different alignment restrictions, for example on arm_v8r it must be aligned to 64bytes, for arm_v7r it must be naturally aligned to power of two.

Learn more: PikeOS for MPU Product Overview

Protection Mechanisms


Not considering exceptional cases (such as shared memory), the memory mapping is different for each process. Therefore, a process cannot access another processes' memory by design, as the physical areas are not overlapping. That means that two processes that are accessing the exact same virtual address are actually operating on two distinct physical addresses. The memory mapping of each process is enforced by the operating system. In terms of PikeOS, those mappings are static and created at system startup.

However, what happens, if a process accesses a page not mapped within its address space?

  1. A processor exception is raised by the MMU
  2. PikeOS delegates the event to its health monitor subsystem (HM)
  3. Based on the partition configuration and scenario, the HM reacts as configured in the VMIT configuration

Assuming that the page fault happened inside a non-critical Linux guest operating system, the HM might forward the exception to the Linux kernel which then loads missing data from hard disc and map the area in the process address space (memory swapping). The treatment for mission critical partitions can be completely different and range from just restarting the affected partition or restarting the entire board. This decision is up to the system integrator who considers effects like single event upset or even severe hardware problems.


In case of an MPU, each process is assigned to a list of accessible memory regions (read/write). If a process tries to access a memory address without sufficient rights, the MPU raises a processor exception and PikeOS for MPU delegates the event to its health monitor subsystem. The HM then reacts in the same way as above.

Please note that memory swapping can only be implemented with an MMU, however, the error can be still handled on partition level in a different way.

Need more Information?

Tell us about your project and your needs.

Contact us