Secure Generic Timer Access Restrictions in Non-Secure EL1
The ARM Cortex-A53 processor, part of the ARMv8-A architecture, incorporates a generic timer that is essential for timekeeping and synchronization in embedded systems. This timer is typically implemented as a secure peripheral, meaning it is accessible only from secure exception levels (EL3 or Secure EL1/EL2). When running in non-secure EL1, direct access to the secure generic timer is restricted by design to maintain the security boundary between secure and non-secure worlds. This restriction is enforced by the ARM TrustZone technology, which partitions the system into secure and non-secure states to protect sensitive resources.
The generic timer in ARMv8-A is a system-level component that provides a consistent timebase across all cores in a multi-core system. It consists of a set of registers, including the CNTPCT (Physical Count Register) and CNTFRQ (Counter Frequency Register), which are used to read the current timer value and determine the timer frequency, respectively. These registers are banked between secure and non-secure states, meaning there are separate instances for secure and non-secure accesses. However, the secure instance of the generic timer is not directly accessible from non-secure EL1, as attempting to access it will result in an exception or undefined behavior.
The inability to access the secure generic timer from non-secure EL1 poses a significant challenge for developers who need precise timing information in non-secure applications. This is particularly relevant in scenarios where non-secure software requires synchronization with secure world operations or needs to measure time intervals with high accuracy. The restriction is intentional, as it prevents non-secure software from interfering with secure world timing operations, which could compromise system security.
EL3 Service Routine and SMCCC API for Secure Timer Access
To enable non-secure EL1 software to access the secure generic timer, a secure service routine must be implemented at EL3. This routine acts as a bridge between the non-secure and secure worlds, allowing controlled access to the secure timer. The ARM Secure Monitor Call (SMC) instruction is used to trigger a transition from non-secure EL1 to EL3, where the secure service routine can execute and provide the requested timer value.
The ARM SMC Calling Convention (SMCCC) defines a standardized interface for making SMC calls, ensuring compatibility across different ARM implementations. The SMCCC specifies the use of specific registers for passing parameters and returning results, as well as a set of function identifiers for common services. To access the secure generic timer, a custom SMC function identifier can be defined, which the EL3 service routine will recognize and handle appropriately.
The EL3 service routine must perform several key tasks when handling a request for the secure timer value. First, it must validate the request to ensure it originates from a legitimate non-secure caller. This can be done by checking the calling context and any associated security credentials. Next, the routine reads the secure generic timer value from the appropriate register (e.g., CNTPCT). Finally, it returns the timer value to the non-secure caller using the SMCCC-defined return mechanism.
The non-secure EL1 code initiates the secure timer access by preparing the necessary parameters and issuing an SMC instruction with the appropriate function identifier. The SMC instruction causes an exception that transitions the processor to EL3, where the secure service routine executes. Once the routine completes, the processor returns to non-secure EL1 with the secure timer value available in the designated return register.
Implementing Secure Timer Access with EL3 and SMCCC
To implement secure timer access from non-secure EL1, developers must follow a structured approach that involves configuring the EL3 environment, defining the SMC service routine, and integrating the SMCCC API into the non-secure application. The first step is to ensure that the EL3 firmware or secure monitor is properly initialized and capable of handling SMC exceptions. This includes setting up the exception vector table and enabling the necessary system registers.
The EL3 service routine must be implemented to handle the specific SMC function identifier associated with secure timer access. The routine should begin by saving the context of the calling non-secure state, including general-purpose registers and system registers that may be modified during execution. It should then read the secure generic timer value using the appropriate register access instructions. For example, the CNTPCT register can be read using the MRRC (Move to ARM Register from Coprocessor) instruction.
After obtaining the timer value, the service routine must prepare the return value according to the SMCCC specification. This typically involves placing the timer value in a designated return register, such as X0 or W0, depending on the register width. The routine should then restore the saved context and execute an exception return instruction (e.g., ERET) to transition back to non-secure EL1.
In the non-secure EL1 application, the SMCCC API must be integrated to facilitate the SMC call. This involves defining a function that prepares the SMC call parameters, issues the SMC instruction, and processes the return value. The function should adhere to the SMCCC parameter passing conventions, ensuring that the correct function identifier and any additional parameters are placed in the appropriate registers before executing the SMC instruction.
To optimize the performance of secure timer access, developers should minimize the overhead associated with the SMC call and the EL3 service routine. This can be achieved by reducing the number of context switches and register saves/restores, as well as optimizing the code path within the service routine. Additionally, caching the timer value in non-secure memory and using it for subsequent time measurements can reduce the frequency of SMC calls, further improving performance.
The following table summarizes the key steps involved in implementing secure timer access from non-secure EL1:
| Step | Description |
|---|---|
| 1 | Initialize EL3 environment and configure SMC exception handling. |
| 2 | Implement EL3 service routine to handle secure timer access requests. |
| 3 | Define SMC function identifier for secure timer access. |
| 4 | Integrate SMCCC API into non-secure EL1 application. |
| 5 | Issue SMC call from non-secure EL1 to request secure timer value. |
| 6 | Process returned timer value in non-secure application. |
By following these steps, developers can successfully access the secure generic timer from non-secure EL1 while maintaining the security and integrity of the system. This approach leverages the ARM TrustZone technology and the SMCCC to provide a controlled and efficient mechanism for secure timer access, enabling precise timekeeping in non-secure applications.
