5.4 TT instruction intrinsics

Intrinsics are available to support TT instructions depending on the value of the predefined macro __ARM_FEATURE_CMSE.

TT intrinsics

The following table describes the TT intrinsics that are available when __ARM_FEATURE_CMSE is set to either 1 or 3:
Intrinsic Description
cmse_address_info_t cmse_TT(void *p) Generates a TT instruction.
cmse_address_info_t cmse_TT_fptr(p) Generates a TT instruction. The argument p can be any function pointer type.
cmse_address_info_t cmse_TTT(void *p) Generates a TT instruction with the T flag.
cmse_address_info_t cmse_TTT_fptr(p) Generates a TT instruction with the T flag. The argument p can be any function pointer type.
When __ARM_BIG_ENDIAN is not set, the result of the intrinsics is returned in the following C type:
typedef union {
	struct cmse_address_info {
		unsigned mpu_region:8;
		unsigned :8;
		unsigned mpu_region_valid:1;
		unsigned :1;
		unsigned read_ok:1;
		unsigned readwrite_ok:1;
		unsigned :12;
	} flags;
	unsigned value;
} cmse_address_info_t;
When __ARM_BIG_ENDIAN is set, the bit-fields in the type are reversed such that they have the same bit-offset as little-endian systems following the rules specified by Procedure Call Standard for the ARM® Architecture.

TT intrinsics for ARMv8-M Security Extensions

The following table describes the TT intrinsics for ARMv8-M Security Extensions that are available when __ARM_FEATURE_CMSE is set to 3:
Intrinsic Description
cmse_address_info_t cmse_TTA(void *p) Generates a TT instruction with the A flag.
cmse_address_info_t cmse_TTA_fptr(p) Generates a TT instruction with the A flag. The argument p can be any function pointer type.
cmse_address_info_t cmse_TTAT(void *p) Generates a TT instruction with the T and A flag.
cmse_address_info_t cmse_TTAT_fptr(p) Generates a TT instruction with the T and A flag. The argument p can be any function pointer type.
When __ARM_BIG_ENDIAN is not set, the result of the intrinsics is returned in the following C type:
typedef union {
	struct cmse_address_info {
		unsigned mpu_region:8;
		unsigned sau_region:8;
		unsigned mpu_region_valid:1;
		unsigned sau_region_valid:1;
		unsigned read_ok:1;
		unsigned readwrite_ok:1;
		unsigned nonsecure_read_ok:1;
		unsigned nonsecure_readwrite_ok:1;
		unsigned secure:1;
		unsigned idau_region_valid:1;
		unsigned idau_region:8;
	} flags;
	unsigned value;
} cmse_address_info_t;
When __ARM_BIG_ENDIAN is set, the bit-fields in the type are reversed such that they have the same bit-offset as little-endian systems following the rules specified by Procedure Call Standard for the ARM® Architecture.
In the Secure state, the TT instruction returns the Security Attribute Unit (SAU) and Implementation Defined Attribute Unit (IDAU) configuration and recognizes the A flag.

Address range check intrinsic

Checking the result of the TT instruction on an address range is essential for programming in C. It is needed to check permissions on objects larger than a byte. You can use the address range check intrinsic to perform permission checks on C objects.
The syntax of this intrinsic is:
void *cmse_check_address_range(void *p, size_t size, int flags)
The intrinsic checks the address range from p to p + size – 1.
The address range check fails if p + size - 1 < p.
Some SAU, IDAU and MPU configurations block the efficient implementation of an address range check. This intrinsic operates under the assumption that the configuration of the SAU, IDAU, and MPU is constrained as follows:
  • An object is allocated in a single region.
  • A stack is allocated in a single region.
These points imply that a region does not overlap other regions.
The TT instruction returns an SAU, IDAU and MPU region number. When the region numbers of the start and end of the address range match, the complete range is contained in one SAU, IDAU, and MPU region. In this case two TT instructions are executed to check the address range.
Regions are aligned at 32-byte boundaries. If the address range fits in one 32-byte address line, a single TT instruction suffices. This is the case when the following constraint holds:
(p mod 32) + size <= 32
The address range check intrinsic fails if the range crosses any MPU region boundary.
The flags parameter of the address range check consists of a set of values defined by the macros shown in the following table:
Macro Value Description
(No macro) 0 The TT instruction without any flag is used to retrieve the permissions of an address, returned in a cmse_address_info_t structure.
CMSE_MPU_UNPRIV 4 Sets the T flag on the TT instruction used to retrieve the permissions of an address. Retrieves the unprivileged mode access permissions.
CMSE_MPU_READWRITE 1 Checks if the permissions have the readwrite_ok field set.
CMSE_MPU_READ 8 Checks if the permissions have the read_ok field set.
The address range check intrinsic returns p on a successful check, and NULL on a failed check. The check fails if any other value is returned that is not one of those listed in the table, or is not a combination of those listed.
ARM recommends that you use the returned pointer to access the checked memory range. This generates a data dependency between the checked memory and all its subsequent accesses and prevents these accesses from being scheduled before the check.
The following intrinsic is defined when the __ARM_FEATURE_CMSE macro is set to 1:
Intrinsic Description
cmse_check_pointed_object(p, f)
Returns the same value as
cmse_check_address_range(p, sizeof(*p), f)
ARM recommends that the return type of this intrinsic is identical to the type of parameter p.

Address range check intrinsic for ARMv8-M Security Extensions

The semantics of the intrinsic cmse_check_address_range() are extended to handle the extra flag and fields introduced by the ARMv8-M Security Extensions.
The address range check fails if the range crosses any SAU or IDAU region boundary.
If the macro __ARM_FEATURE_CMSE is set to 3, the values accepted by the flags parameter are extended with the values defined in the following table:
Macro Value Description
CMSE_AU_NONSECURE 2 Checks if the permissions have the secure field unset.
CMSE_MPU_NONSECURE 16 Sets the A flag on the TT instruction used to retrieve the permissions of an address.
CMSE_NONSECURE 18 Combination of CMSE_AU_NONSECURE and CMSE_MPU_NONSECURE.
Related reference
5.1 Predefined macros
Non-ConfidentialPDF file icon PDF versionARM DUI0774E
Copyright © 2014-2016 ARM. All rights reserved.