ARM Technical Support Knowledge Articles

Why should I only use NSC regions for secure gateway veneers?

Applies to: ARMv8-M

Answer

Transitioning from the Non-secure state to the Secure state 

Software running on an ARMv8-M processor that implements the ARMv8-M Security Extension can branch from the Non-secure state to the Secure state only if all of the following conditions are true:

Otherwise a fault occurs:

Reasons for introducing the NSC region

A Non-secure Callable (NSC) region is Secure memory that code executing in the Non-secure state is permitted to call into. NSC memory was introduced to hold SG (Secure Gateway) instructions which, when executed from NSC memory, cause a transition from the Non-secure state to the Secure state. The encoding of the SG instruction is 0xE97FE97F. Although this encoding was chosen carefully, the same bit pattern can still appear in Secure memory for the following reasons:

Suppose that ARMv8-M processors could execute SG instructions held in ordinary (non-NSC) Secure memory. Every unintended SG encoding would then be a potential entry point into the Secure world: an attacker could scan the Secure code for the encoding and, on finding an instance, branch from Non-secure code to its address. Executing that SG from Secure memory would switch the processor to the Secure state at a location the Secure software never intended to expose, which increases the security risk significantly. This is why the ARMv8-M architecture restricts SG usage to NSC Secure memory and specifies that an SG instruction executed from standard Secure memory behaves like a NOP, with no change of security state; a Non-secure branch into Secure memory that is not NSC raises a fault rather than entering the Secure state.

Tools support for Secure NSC regions and secure gateway veneers

Secure NSC regions can be defined using the Security Attribution Unit (SAU) or the Implementation Defined Attribution Unit (IDAU). The CMSIS-compliant device header (the partition file of the device) provides the TZ_SAU_Setup() function for programming the SAU; the IDAU is fixed by the device vendor and cannot be reprogrammed by software. Note that the SAU works at a 32-byte granularity, so an NSC region must start and end on 32-byte boundaries, and an address that is covered by more than one SAU region is treated as Secure.
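The attribution rules described above (SAU disabled with ALLNS, unmatched addresses, NSC regions, overlapping regions, and the combination with the IDAU) are easy to get wrong in a partition file. The following host-side model, added here as an illustration and not taken from CMSIS or any vendor's code, mirrors the SAU_CTRL, SAU_RBAR and SAU_RLAR fields that TZ_SAU_Setup() writes and resolves an address the way the SAU does. The memory map it programs, the eight-region SAU, and the deliberately overlapping region 3 are assumptions made for the example.

```c
/* sau_model.c: host-side model of Armv8-M SAU address attribution.
 * Added example; not CMSIS or vendor code. Memory map below is assumed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ordered so that the more secure attribute compares greater. */
typedef enum { ATTR_NS = 0, ATTR_NSC = 1, ATTR_S = 2 } sec_attr_t;

#define SAU_REGIONS 8                 /* assumed SAU_TYPE.SREGION for this device */
#define RLAR_ENABLE (1u << 0)         /* SAU_RLAR.ENABLE */
#define RLAR_NSC    (1u << 1)         /* SAU_RLAR.NSC    */
#define ADDR_MASK   0xFFFFFFE0u       /* BADDR/LADDR occupy bits [31:5] */

typedef struct {
    bool ctrl_enable;                 /* SAU_CTRL.ENABLE */
    bool ctrl_allns;                  /* SAU_CTRL.ALLNS  */
    uint32_t rbar[SAU_REGIONS];       /* what TZ_SAU_Setup() writes via SAU->RNR */
    uint32_t rlar[SAU_REGIONS];
} sau_t;

/* Program region n to cover [start, end] inclusive, at 32-byte granularity. */
void sau_set_region(sau_t *sau, unsigned n, uint32_t start, uint32_t end, bool nsc)
{
    if (n >= SAU_REGIONS) return;
    sau->rbar[n] = start & ADDR_MASK;
    sau->rlar[n] = (end & ADDR_MASK) | (nsc ? RLAR_NSC : 0u) | RLAR_ENABLE;
}

/* Attribute of addr as determined by the SAU alone. */
sec_attr_t sau_lookup(const sau_t *sau, uint32_t addr)
{
    if (!sau->ctrl_enable)
        return sau->ctrl_allns ? ATTR_NS : ATTR_S;   /* SAU off: all NS or all S */
    unsigned hits = 0;
    bool nsc = false;
    for (unsigned n = 0; n < SAU_REGIONS; n++) {
        if (!(sau->rlar[n] & RLAR_ENABLE)) continue;
        uint32_t base  = sau->rbar[n] & ADDR_MASK;
        uint32_t limit = sau->rlar[n] | 0x1Fu;       /* limit address is inclusive */
        if (addr >= base && addr <= limit) {
            hits++;
            nsc = (sau->rlar[n] & RLAR_NSC) != 0;
        }
    }
    if (hits != 1) return ATTR_S;     /* unmatched, or overlapping regions: Secure */
    return nsc ? ATTR_NSC : ATTR_NS;
}

/* SAU and IDAU results are combined so that the more secure attribute wins
 * (Secure > NSC > Non-secure). */
sec_attr_t combine_attr(sec_attr_t sau, sec_attr_t idau)
{
    return sau > idau ? sau : idau;
}

static const char *attr_name(sec_attr_t a)
{
    return a == ATTR_NS ? "Non-secure" : a == ATTR_NSC ? "NSC" : "Secure";
}

/* Assumed partition: NS flash, NS SRAM, one 32-byte NSC window for the veneers,
 * plus a deliberate mistake (region 3) that overlaps NS SRAM. */
void sample_setup(sau_t *sau)
{
    sau_set_region(sau, 0, 0x00200000u, 0x003FFFFFu, false); /* Non-secure flash */
    sau_set_region(sau, 1, 0x20200000u, 0x203FFFFFu, false); /* Non-secure SRAM  */
    sau_set_region(sau, 2, 0x10000020u, 0x1000003Fu, true);  /* NSC: veneers only */
    sau_set_region(sau, 3, 0x20200000u, 0x2020001Fu, true);  /* overlap: becomes S */
    sau->ctrl_enable = true;
}

sec_attr_t sample_attr(uint32_t addr)
{
    sau_t sau = {0};
    sample_setup(&sau);
    return sau_lookup(&sau, addr);
}

sec_attr_t disabled_attr(bool allns, uint32_t addr)
{
    sau_t sau = {0};
    sau.ctrl_allns = allns;           /* ctrl_enable stays false */
    return sau_lookup(&sau, addr);
}

int main(void)
{
    const uint32_t probes[] = {0x10000000u, 0x10000020u, 0x00200000u,
                               0x20200000u, 0x20200020u};
    for (unsigned i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("0x%08lX -> %s\n", (unsigned long)probes[i],
               attr_name(sample_attr(probes[i])));
    return 0;
}
```

Running the model shows the two edge cases that matter for veneer placement: the Secure flash outside the 32-byte NSC window stays Secure because no region matches it, and the first 32 bytes of Non-secure SRAM silently become Secure because two regions overlap there, a mistake that would show up on hardware only as an unexpected fault.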

ARM Compiler 6 supports the ARMv8-M Security Extension and provides the -mcmse option, which is required for compiling a Secure image; Secure functions that may be called from the Non-secure state are declared with __attribute__((cmse_nonsecure_entry)). Secure and Non-secure applications are built as separate projects. When generating the Secure image, the linker can also create an import library that the Non-secure application links against. The linker generates secure gateway veneers so that Non-secure code can branch into Secure code. Each secure gateway veneer consists of an SG instruction followed by a long branch instruction (B.W) to the Secure entry function. The veneers can be placed at a specific NSC address given in a scatter file, where they are referred to collectively by the Veneer$$CMSE input section descriptor.
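The attack reasoning above (scanning Secure code for the SG encoding) and the veneer layout just described suggest a post-link check a practitioner would want: scan the Secure image for every 0xE97FE97F pattern, confirm that each one lies inside the NSC window, and decode the B.W that follows each genuine veneer to see where Non-secure callers will land. The program below is an added example and not part of the original article or of Arm's tools; the Secure image it inspects is constructed by hand (a few Thumb instructions, a literal pool holding the constant 0xE97FE97F, and one hand-assembled veneer), and the image base and NSC window are assumptions.

```c
/* sg_audit.c: find SG encodings in a Secure image and check they are
 * confined to the NSC region. Added example; sample image is constructed. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SG_HALFWORD 0xE97Fu          /* SG is 0xE97F 0xE97F, i.e. 0xE97FE97F */

#define IMG_BASE  0x10000000u        /* assumed load address of the Secure image */
#define IMG_SIZE  0x110u
#define NSC_START 0x10000020u        /* assumed NSC window, 32-byte aligned */
#define NSC_END   0x1000003Fu        /* inclusive */

/* Constructed sample image, little-endian Thumb halfwords. */
static const uint8_t kImage[IMG_SIZE] = {
    [0x000] = 0x10, 0xB5,            /* push {r4, lr}                     */
              0x00, 0x20,            /* movs r0, #0                       */
              0x70, 0x47,            /* bx   lr                           */
    /* literal pool holding the constant 0xE97FE97F: an unintended SG   */
    [0x010] = 0x7F, 0xE9, 0x7F, 0xE9,
    /* NSC window: one secure gateway veneer, SG followed by B.W        */
    [0x020] = 0x7F, 0xE9, 0x7F, 0xE9, /* SG                                */
              0x00, 0xF0, 0x6C, 0xB8, /* B.W +0xD8  -> 0x10000100          */
    [0x100] = 0x70, 0x47,             /* Secure entry function: bx lr      */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Find every halfword-aligned SG encoding. Returns the total found and
 * stores up to max_out addresses in out. */
size_t find_sg(const uint8_t *img, size_t len, uint32_t base,
               uint32_t *out, size_t max_out)
{
    size_t n = 0;
    for (size_t off = 0; off + 4 <= len; off += 2) {
        if (rd16(img + off) == SG_HALFWORD && rd16(img + off + 2) == SG_HALFWORD) {
            if (n < max_out) out[n] = base + (uint32_t)off;
            n++;
        }
    }
    return n;
}

/* Decode a 32-bit B.W (encoding T4) located at addr. Returns 1 and sets
 * *target on success, 0 if the two halfwords are not a B.W. */
int decode_bw_t4(uint16_t h0, uint16_t h1, uint32_t addr, uint32_t *target)
{
    if ((h0 & 0xF800u) != 0xF000u || (h1 & 0xD000u) != 0x9000u) return 0;
    uint32_t s = (h0 >> 10) & 1u, imm10 = h0 & 0x3FFu;
    uint32_t j1 = (h1 >> 13) & 1u, j2 = (h1 >> 11) & 1u, imm11 = h1 & 0x7FFu;
    uint32_t i1 = !(j1 ^ s), i2 = !(j2 ^ s);
    uint32_t imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1);
    int32_t off = (int32_t)(imm << 7) >> 7;   /* sign-extend the 25-bit offset */
    *target = addr + 4 + (uint32_t)off;        /* PC reads as instruction + 4 */
    return 1;
}

/* Report every SG encoding. Returns how many lie outside [nsc_start, nsc_end]. */
size_t audit_image(const uint8_t *img, size_t len, uint32_t base,
                   uint32_t nsc_start, uint32_t nsc_end)
{
    uint32_t hits[32], target;
    size_t n = find_sg(img, len, base, hits, 32), outside = 0;
    if (n > 32) n = 32;
    for (size_t i = 0; i < n; i++) {
        uint32_t a = hits[i];
        size_t off = a - base;
        if (a < nsc_start || a > nsc_end) {
            /* A NOP today, but an entry point the day the NSC window grows. */
            printf("SG encoding at 0x%08" PRIX32 " outside NSC\n", a);
            outside++;
        } else if (off + 8 <= len &&
                   decode_bw_t4(rd16(img + off + 4), rd16(img + off + 6), a + 4, &target)) {
            printf("veneer at 0x%08" PRIX32 " -> B.W to 0x%08" PRIX32 "%s\n", a, target,
                   (target >= nsc_start && target <= nsc_end) ? " (target inside NSC!)" : "");
        } else {
            printf("SG at 0x%08" PRIX32 " not followed by B.W: not a veneer\n", a);
        }
    }
    return outside;
}

/* Helpers exposing results for the constructed image. */
size_t   sample_sg_total(void)   { uint32_t h[4]; return find_sg(kImage, IMG_SIZE, IMG_BASE, h, 4); }
uint32_t sample_sg_addr(size_t i){ uint32_t h[4]; return find_sg(kImage, IMG_SIZE, IMG_BASE, h, 4) > i ? h[i] : 0; }
size_t   sample_outside_nsc(void){ return audit_image(kImage, IMG_SIZE, IMG_BASE, NSC_START, NSC_END); }
uint32_t bw_target(uint16_t h0, uint16_t h1, uint32_t addr)
{ uint32_t t = 0; return decode_bw_t4(h0, h1, addr, &t) ? t : 0; }
uint32_t sample_veneer_target(void)
{ return bw_target(rd16(kImage + 0x24), rd16(kImage + 0x26), IMG_BASE + 0x24); }

int main(void)
{
    size_t outside = sample_outside_nsc();
    printf("%zu SG encoding(s) outside the NSC region\n", outside);
    return 0;
}
```

On the constructed image the scan finds two SG encodings: the literal-pool constant at 0x10000010, which is outside the NSC window and therefore only ever behaves as a NOP, and the real veneer at 0x10000020, whose B.W resolves to the Secure entry function at 0x10000100. The same scan run against a real Secure image, with the NSC range taken from the scatter file or partition header, confirms that the window contains nothing but linker-generated veneers and that no stray encoding has been pulled inside it.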

NSC usage constraints

You must conform to the following rules:

In conclusion, you must configure a Secure NSC region and use it for storing secure gateway veneers only. Anything else placed in NSC memory, or an NSC window drawn wider than the veneers, exposes your system to additional security risk.

Article last edited on: 2016-06-28 03:11:58

Copyright © 2011 ARM Limited. All rights reserved. External (Open), Non-Confidential