2.16. Software consideration for Security Extensions

The Monitor mode is responsible for the switch from one state to the other. You must only modify the SCR in Monitor mode.

The recommended way to return to the Nonsecure state is to:

All ARM implementations ensure that the processor cannot execute the prefetched instructions that follow MOVS, SUBS, or equivalents, with secure access permissions.

It is strongly recommended that you do not use an MSR instruction to switch from the Secure to the Nonsecure state. There is no guarantee enforced in the architecture that, after the NS bit is set to 1 in Monitor mode, an MSR instruction avoids execution of prefetched instructions with secure access permission. This is because the processor prefetches the instructions that follow the MSR with secure privileged permissions. This might form a security hole in the system if the prefetched instructions then execute in the Nonsecure state.

If the prefetched instructions are in nonsecure memory, with the MSR at the boundary between secure and nonsecure memory, they might be corrupted when giving secure information to the Nonsecure state.

To avoid this problem with the MSR instruction, you can use an IMB sequence shortly after the MSR. If you use the IMB sequence you must ensure that the instructions executed after the MSR and before the IMB do not leak any information to the Nonsecure state and do not rely on the secure permission level.

It is strongly recommended that you do not set the NS bit to 1 in privileged modes other than in Monitor mode. If you do so, you face the same problem as a return to the Nonsecure state with the MSR instruction. To avoid leakage after an MSR instruction, use an IMB sequence.

To enter the Secure Monitor, the processor executes the following instruction:

SMC {<cond>} <imm4>

where:

<cond>

Is the condition that the processor executes the SMC.

<imm4>

The processor ignores this 4-bit immediate value, but the Secure Monitor can use it to determine the service to provide.

To return from the Secure Monitor, the processor executes the following instruction:

MOVS PC, R14_mon
Copyright © 2006-2009 ARM Limited. All rights reserved.ARM DDI 0344I
Non-Confidential