soc: esp32c6: enable PMP and define SoC regions

Enable RISC-V PMP for ESP32-C6 and configure appropriate defaults:
- 16 PMP slots available on hardware
- Unlocked global entries for XIP flash execution
- MEM_ATTR subsystem for device tree memory regions

Define SoC-specific PMP regions:
- SoC ROM (0x40000000): libc functions, R+X
- IRAM text: interrupt handlers and critical code, R+X

Signed-off-by: Sylvio Alves <sylvio.alves@espressif.com>

soc/espressif/common/Kconfig.flash

@@ -113,12 +113,15 @@ endchoice
 
 config BOOTLOADER_REGION_PROTECTION_ENABLE
 	bool "Protect unmapped memory regions from unintended accesses"
-	default y
+	default y if !RISCV_PMP && !MCUBOOT
 	help
 	  Protects the unmapped memory regions of the entire address space from unintended accesses.
 	  This will ensure that an exception will be triggered whenever the CPU performs a memory
 	  operation on unmapped regions of the address space.
 
+	  Automatically disabled when RISCV_PMP is enabled since Zephyr manages PMP directly.
+	  Also disabled for MCUboot builds since the bootloader handles its own region protection.
+
 config SPI_FLASH_HPM_ENABLE
 	bool
 	depends on SOC_SERIES_ESP32S3

soc/espressif/esp32c6/CMakeLists.txt

@@ -21,4 +21,5 @@ if(CONFIG_SOC_ESP32C6_HPCORE)
   zephyr_library_sources_ifdef(CONFIG_PM power.c)
   zephyr_library_sources_ifdef(CONFIG_POWEROFF poweroff.c)
   zephyr_sources_ifdef(CONFIG_ULP_COPROC_ENABLED hpcore_init_ulp.c)
+  zephyr_sources_ifdef(CONFIG_RISCV_PMP pmp_regions.c)
 endif()

soc/espressif/esp32c6/Kconfig

@@ -4,6 +4,7 @@
 config SOC_SERIES_ESP32C6
 	select RISCV
 	select RISCV_SOC_HAS_GP_RELATIVE_ADDRESSING
+	select RISCV_PMP if SOC_ESP32C6_HPCORE && !MCUBOOT
 	select DYNAMIC_INTERRUPTS if SOC_ESP32C6_HPCORE
 	select CLOCK_CONTROL if SOC_ESP32C6_HPCORE
 	select PINCTRL if SOC_ESP32C6_HPCORE

soc/espressif/esp32c6/Kconfig.defconfig

@@ -6,6 +6,16 @@ if SOC_SERIES_ESP32C6
 config NUM_IRQS
 	default 32
 
+config PMP_SLOTS
+	default 16
+
+# ESP32-C6 uses MMU to map flash to virtual addresses for code execution.
+# The PMP init code runs from IRAM while the main rom region is in flash.
+# Locked PMP entries would block IRAM execution before proper coverage is set.
+# Use unlocked entries with MPRV-based enforcement instead.
+config PMP_NO_LOCK_GLOBAL
+	default y
+
 config FLASH_SIZE
 	default $(dt_node_reg_size_int,/soc/flash-controller@60002000/flash@0,0)
 

soc/espressif/esp32c6/pmp_regions.c

@@ -0,0 +1,39 @@
+/*
+ * Copyright (c) 2025 Espressif Systems (Shanghai) Co., Ltd.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#include <zephyr/kernel.h>
+#include <zephyr/arch/riscv/csr.h>
+#include <zephyr/devicetree.h>
+#include <pmp.h>
+
+/*
+ * ESP32-C6 SoC ROM region.
+ *
+ * The ESP32-C6 has a ROM at 0x40000000 containing libc and other utility
+ * functions. This region needs to be accessible (R+X) from both kernel
+ * and user mode for proper operation.
+ */
+#define SOC_ROM_NODE DT_NODELABEL(soc_rom)
+
+PMP_SOC_REGION_DEFINE(esp32c6_soc_rom, DT_REG_ADDR(SOC_ROM_NODE),
+		      DT_REG_ADDR(SOC_ROM_NODE) + DT_REG_SIZE(SOC_ROM_NODE), PMP_R | PMP_X);
+
+/*
+ * ESP32-C6 IRAM text region.
+ *
+ * On ESP32-C6, IRAM and DRAM share the same 512KB physical memory space
+ * (0x40800000-0x40880000). The split between code (IRAM) and data (DRAM)
+ * is determined at link time. Only the IRAM text portion should be
+ * executable to maintain security - making the entire region executable
+ * would allow code execution from the data area.
+ *
+ * The linker symbols _iram_text_start and _iram_text_end define the
+ * actual IRAM text boundaries.
+ */
+extern char _iram_text_start[];
+extern char _iram_text_end[];
+
+PMP_SOC_REGION_DEFINE(esp32c6_iram_text, _iram_text_start, _iram_text_end, PMP_R | PMP_X);