|ARM Technical Support Knowledge Articles|
Applies to: ARMv8-M
Software running on an ARMv8-M processor that supports the ARMv8-M Security Extension can branch from Non-secure to Secure state, if the following conditions are true:
Otherwise a fault occurs:
A Non-secure Callable (NSC) secure memory region is secure memory that is callable by code executing in the Non-secure state. NSC memory is introduced to hold
SG instructions, which when executed (from NSC memory), cause a transition from Secure to Non-secure state. The encoding of the
SG instruction is
0xE97FE97F. Although the encoding is carefully selected, the bit pattern might still appear in secure memory, because of the following reasons:
Suppose that ARMv8-M processors can execute
SG instructions held in (standard) secure memory. This would mean that any unintended
SG instructions are potentially vulnerable to attacks. Attackers could scan secure code for the
SG encoding. If the attacker finds any instances of the encoding, they could write code that jumps to the address of the
SG instruction, which could result in the execution of an
SG instruction from secure memory, increasing security risks significantly. This is the reason why the ARMv8-M architecture restricts
SG usage to NSC secure memory and states that any
SG instruction executed from standard secure memory behaves like a
NOP instruction, resulting in no change in security state.
Secure NSC regions can be defined using Security Attribution Unit (SAU) or Implementation Defined Attribute Unit (IDAU). The CMSIS-compliant device header file provides the
TZ_SAU_Setup() function for SAU configuration, and IDAU is defined by device vendors.
ARM Compiler 6 supports the ARMv8-M Security Extension and provides a
-mcmse command, which is required for generating secure images. Secure and Non-secure applications are built as separate projects. When generating a secure image it is also possible to create an import library for the Non-secure application to link against. The linker generates secure gateway veneers in order for the Non-secure code to branch to Secure code. Secure gateway veneers are sections of code consisting of an SG instruction followed by a long branch instruction (
B.W). It is possible to place the secure gateway veneers at a specific NSC address specified in a scatter file. Such sections may be collectively referred to using the
Veneer$$CMSE input section descriptor.
You must conform to the following rules:
In conclusion, you must configure and use a Secure NSC memory for storing secure gateway veneers only. Otherwise, your system is more liable to security risks.
Article last edited on: 2016-06-28 03:11:58
Did you find this article helpful? Yes No
How can we improve this article?