Programmer’s Model
ARM DDI 0301H
Copyright © 2004-2009 ARM Limited. All rights reserved.
2-5
ID012310
Non-Confidential, Unrestricted Access
2. Execute a MOVS, SUBS or RFE.
All ARM implementations ensure that the processor cannot execute the prefetched instructions
that follow MOVS, SUBS, or equivalents, with Secure access permissions.
It is strongly recommended that you do not use an MSR instruction to switch from the Secure
to the Non-secure world. There is no guarantee that, after the NS bit is set in Secure Monitor
mode, an MSR instruction avoids execution of prefetched instructions with Secure access
permission. This is because the processor prefetches the instructions that follow the MSR with
Secure privileged permissions and this might form a security hole in the system if the prefetched
instructions then execute in the Non-secure world.
If the prefetched instructions are in Non-secure memory, with the MSR at the boundary between
Secure and Non-secure memory, they might be corrupted to give Secure information to the
Non-secure world.
To avoid this problem with the MSR instruction, you can use an IMB sequence shortly after the
MSR. If you use the IMB sequence you must ensure that the instructions that execute after the
MSR and before the IMB do not leak any information to the Non-secure world and do not rely
on the Secure permission level.
It is strongly recommended that you do not set the NS bit in Privileged modes other than in
Secure Monitor mode. If you do so you face the same problem as a return to the Non-secure
world with the MSR instruction.
Note
To avoid leakage after an MSR instruction, use an IMB sequence.
To enter the Secure Monitor the processor executes:
SMC {<cond>} <imm16>
Where:
<cond>     Is the condition under which the processor executes the SMC.
<imm16>    The processor ignores this 16-bit immediate value, but the Secure Monitor can use it to determine the service to provide.
To return from the Secure Monitor the processor executes:
MOVS PC, R14_mon
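The following is an added illustration, not code from this manual: a minimal Secure Monitor SMC handler for an ARMv6 TrustZone core that follows the pattern recommended above, changing the NS bit only while in Secure Monitor mode and returning to the calling world with MOVS PC, R14_mon rather than an MSR. It assumes the Secure Configuration Register is CP15 c1, c1, 0 with NS at bit 0, that Secure boot code has pointed MVBAR at the vector table and primed the Non-secure save area with the Non-secure entry point and a suitable SPSR, and that the save areas and labels (ctx_secure, ctx_nonsecure, smc_handler) are hypothetical.

```asm
        .syntax unified
        .arm

        .bss
        .align 2
ctx_secure:     .space 40       @ hypothetical save area: r4-r11, return address, SPSR
ctx_nonsecure:  .space 40       @ primed by Secure boot before the first switch (assumed)

        .text
        .align 5
monitor_vectors:                @ Secure boot points MVBAR here (assumed)
        b       .               @ 0x00: unused
        b       .               @ 0x04: unused
        b       smc_handler     @ 0x08: SMC exception enters here
        b       .               @ 0x0C: prefetch abort
        b       .               @ 0x10: data abort
        b       .               @ 0x14: reserved
        b       .               @ 0x18: IRQ
        b       .               @ 0x1C: FIQ

@ Entered in Secure Monitor mode: r14_mon holds the return address and
@ SPSR_mon the caller's CPSR. r0-r3 pass through as call/return values.
@ The calling world is taken from SCR.NS, never from a caller-supplied register.
smc_handler:
        mrc     p15, 0, r12, c1, c1, 0  @ read SCR (assumed CP15 c1, c1, 0)
        tst     r12, #1                 @ NS bit: which world issued the SMC?
        ldreq   r12, =ctx_secure        @ NS == 0: caller was the Secure world
        ldrne   r12, =ctx_nonsecure     @ NS == 1: caller was the Non-secure world
        stmia   r12, {r4-r11, lr}       @ save callee-saved registers and return address
        mrs     r4, spsr
        str     r4, [r12, #36]          @ save the caller's CPSR

        mrc     p15, 0, r12, c1, c1, 0
        eor     r12, r12, #1            @ flip NS here, in Secure Monitor mode only
        mcr     p15, 0, r12, c1, c1, 0  @ Monitor mode itself stays Secure after this
        tst     r12, #1
        ldreq   r12, =ctx_secure        @ NS == 0 now: resume the Secure world
        ldrne   r12, =ctx_nonsecure     @ NS == 1 now: resume the Non-secure world
        ldr     r4, [r12, #36]
        msr     spsr_cxsf, r4           @ SPSR for the world being resumed
        ldmia   r12, {r4-r11, lr}       @ restore its registers and return address

        @ Return with MOVS: CPSR is restored from SPSR_mon and the processor
        @ guarantees that prefetched instructions do not execute with Secure
        @ permissions. An MSR to CPSR here would be the pattern the text warns against.
        movs    pc, lr
```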
Secure memory management
The principle of TrustZone memory management is to partition the physical memory into
Secure and Non-secure regions. The Secure protection is ensured by checking all physical
access to memory or peripherals. There are various means to split the global physical memory
into Secure and Non-secure regions. This can be done at each slave level, in the memory
controller, or in a global module, for example. The partition can be hard-wired or configurable.
All systems can have specific requirements, but the partitioning must be done so that any
Non-secure access to Secure memory or device causes an external abort to the core, a security
violation. An AXI signal, AxPROT[1], indicates whether the current access is Secure or not and
is used to check the access.
The Secure information exists at any stage of the memory management to guarantee the integrity
of data:
• at L2 stage, you can split the memory mapping into Secure and Non-secure regions