ARM Cortex-M33 Secure-Non-Secure Transition Failure with SG Instruction

The ARM Cortex-M33 processor, part of the ARMv8-M architecture, introduces a robust security model that allows for the partitioning of code and data into secure and non-secure worlds. This partitioning is essential for applications requiring high levels of security, such as IoT devices, where sensitive data and operations must be protected from unauthorized access. However, transitioning between these worlds can be fraught with challenges, particularly when using the SG (Secure Gateway) instruction. In this scenario, a Hard Fault is triggered when attempting to transition from the non-secure to the secure world using the SG instruction. This issue is rooted in the misconfiguration of the Implementation Defined Attribution Unit (IDAU) and the Security Attribution Unit (SAU), which are critical for defining memory regions and their security attributes.

Memory Layout and SAU Configuration Issues

The memory layout in this case is defined as follows:

  • Non-Secure Memory: 0x0200_0000 – 0x003F_FFFF
  • Secure Memory: 0x1000_0000 – 0x100F_FFFF
  • Non-Secure Callable (NSC) Memory: 0x1010_0000 – 0x101F_FFFF

The SAU is configured to define a Non-Secure Callable (NSC) region starting at 0x1010_0000 and ending at 0x101F_FFFF. The SAU configuration is as follows:

SAU->RBAR = 0x10100000;
SAU->RLAR = 0x101FFFE3;

The NSC code is placed in the NSC memory region, and the non-secure caller attempts to transition to the secure world by branching to the NSC region using the bx instruction:

ldr r0, =0x10100001;
bx r0

However, this transition results in a Hard Fault. The root cause lies in the interaction between the SAU and the IDAU. The SAU configuration alone is insufficient to ensure that the memory region is correctly marked as Non-Secure Callable. The IDAU, which is responsible for defining the security attributes of memory regions at a hardware level, must also be configured to recognize the NSC region. Without proper IDAU configuration, the SAU settings are effectively ignored, leading to the Hard Fault when the SG instruction is executed.

IDAU Configuration and NSCCFG Register Misalignment

The IDAU is a hardware component that defines the security attributes of memory regions. In the ARM Cortex-M33, the IDAU can be configured via the Non-Secure Callable Configuration (NSCCFG) register. The NSCCFG register allows software to define callable regions of memory, but only if the Secure Code and Secure RAM regions are within specific address ranges. According to the ARM documentation, the Secure Code region must be between 0x1000_0000 and 0x1FFF_FFFF, and the Secure RAM region must be between 0x3000_0000 and 0x3FFF_FFFF.

In this case, the Secure Code region is correctly defined within the required range (0x1000_0000 – 0x100F_FFFF), but the IDAU is not configured to recognize the NSC region. The NSCCFG register must be explicitly set to define the NSC region. The default configuration of the IDAU does not mark the NSC region as callable, even if the SAU is configured to do so. This misalignment between the SAU and IDAU configurations is the primary cause of the Hard Fault.

The NSCCFG register must be configured as follows to ensure that the NSC region is recognized:

NSCCFG = 0x00000001; // Enable NSC region at 0x1010_0000

Without this configuration, the IDAU will not recognize the NSC region, and the SG instruction will fail, resulting in a Hard Fault.

Debugging and Resolving the Hard Fault

To resolve the Hard Fault, the following steps should be taken:

  1. Verify SAU Configuration: Ensure that the SAU is correctly configured to define the NSC region. The SAU->RBAR and SAU->RLAR registers must be set to the correct base and limit addresses of the NSC region.

  2. Configure IDAU via NSCCFG: The NSCCFG register must be configured to enable the NSC region. This involves setting the appropriate bits in the NSCCFG register to define the NSC region within the required address range.

  3. Check Memory Layout Alignment: Ensure that the memory layout aligns with the requirements of the IDAU. The Secure Code and Secure RAM regions must be within the specified address ranges (0x1000_0000 – 0x1FFF_FFFF for Secure Code and 0x3000_0000 – 0x3FFF_FFFF for Secure RAM).

  4. Debugging with GDB: Use GDB to step through the code and verify that the SG instruction is being executed correctly. Place breakpoints in the NSC code and the Hard Fault handler to determine where the fault occurs.

  5. Verify QEMU Configuration: Ensure that the QEMU emulator is correctly configured to emulate the ARM Cortex-M33 and its security features. Misconfigurations in the emulator can lead to unexpected behavior.

  6. Review ARM Documentation: Consult the ARM Cortex-M33 Technical Reference Manual and the CoreLink SSE-200 Subsystem for Embedded Technical Reference Manual for detailed information on the SAU, IDAU, and NSCCFG register configurations.

By following these steps, the Hard Fault caused by the SG instruction can be resolved. The key takeaway is that both the SAU and IDAU must be correctly configured to ensure a smooth transition between the non-secure and secure worlds. Misconfigurations in either component can lead to unexpected behavior, including Hard Faults.

Implementing Correct SAU and IDAU Configurations

To implement the correct SAU and IDAU configurations, the following code snippets can be used:

SAU Configuration:

SAU->RBAR = 0x10100000; // Base address of NSC region
SAU->RLAR = 0x101FFFE3; // Limit address of NSC region

IDAU Configuration:

NSCCFG = 0x00000001; // Enable NSC region at 0x1010_0000

NSC Code:

.thumb_func
.section NSC,"aw"
.globl nsc_call
nsc_call:
    sg
    nop
    nop
    nop

Non-Secure Caller Code:

ldr r0, =0x10100001;
bx r0

By ensuring that both the SAU and IDAU are correctly configured, the transition from the non-secure to the secure world using the SG instruction can be achieved without triggering a Hard Fault. This configuration ensures that the NSC region is correctly recognized and that the security attributes of the memory regions are properly enforced.

Conclusion

The Hard Fault encountered when using the SG instruction on the ARM Cortex-M33 is a result of misconfigurations in the SAU and IDAU. The SAU defines the memory regions and their security attributes, but the IDAU must also be configured to recognize these regions. The NSCCFG register plays a critical role in enabling the NSC region, and without proper configuration, the SG instruction will fail. By following the steps outlined above and ensuring that both the SAU and IDAU are correctly configured, the transition between the non-secure and secure worlds can be achieved smoothly, avoiding Hard Faults and ensuring the security of the system.

This issue highlights the importance of understanding the interaction between different hardware components in ARM architectures, particularly when dealing with security features. Proper configuration and debugging are essential to ensure that the system operates as intended, and that sensitive data and operations are protected from unauthorized access.

Similar Posts

Precision and Implementation of Fixed-Point Arithmetic on ARM Processors

Precision and Implementation of Fixed-Point Arithmetic on ARM Processors

BySystem on Chips

Understanding Fixed-Point Arithmetic Precision in ARM Processors Fixed-point arithmetic is a critical topic in embedded systems, especially when dealing with processors that lack a Floating-Point Unit (FPU). The precision of fixed-point arithmetic is inherently tied to the bit-width of the processor and the specific fixed-point representation used. For a 16-bit processor, the precision is determined

Cortex-M3 Address Translation Issue Due to Bit-Banding Implementation

Cortex-M3 Address Translation Issue Due to Bit-Banding Implementation

BySystem on Chips

Cortex-M3 Address Translation via Bit-Banding Mechanism The Cortex-M3 processor, a widely used ARM core in embedded systems, is designed with an optional feature called bit-banding. Bit-banding allows individual bits in specific memory regions to be accessed directly through a dedicated alias region. This feature is particularly useful for atomic bit manipulation, as it avoids the

ARM Cortex-M1 Compatibility Issues with Xilinx Vivado 2020.1 and Beyond

ARM Cortex-M1 Compatibility Issues with Xilinx Vivado 2020.1 and Beyond

BySystem on Chips

ARM Cortex-M1 ITCM Update Failures in Xilinx Vivado 2020.1 The ARM Cortex-M1, a popular soft-core processor designed for FPGA implementations, has been widely used in embedded systems due to its flexibility and compatibility with FPGA toolchains. However, users have reported significant issues when attempting to use the Cortex-M1 with Xilinx Vivado 2020.1 and later versions.

ARM Cortex-A76 MMU Initialization Failure During Bare Metal Kernel Boot

ARM Cortex-A76 MMU Initialization Failure During Bare Metal Kernel Boot

BySystem on Chips

Cortex-A76 MMU Translation Table Initialization and EL2 to EL1 Transition Issues The core issue revolves around the failure to initialize the Memory Management Unit (MMU) translation tables correctly on an ARM Cortex-A76 processor during the boot process of a bare metal kernel. The problem manifests when the kernel attempts to transition from Exception Level 2

ARM Cortex-A9 Cache Initialization and Code Execution in Multi-Core RTOS Environments

ARM Cortex-A9 Cache Initialization and Code Execution in Multi-Core RTOS Environments

BySystem on Chips

ARM Cortex-A9 Cache Behavior During Secondary Core Initialization In ARM Cortex-A9 multi-core systems, cache initialization and management are critical for ensuring correct and efficient execution of code, especially in environments where each core runs its own instance of a Real-Time Operating System (RTOS). The Cortex-A9 processor features a unified L1 cache and an optional L2

QACTIVE, QDENY, and PWAKEUP in AMBA Low Power Interface

QACTIVE, QDENY, and PWAKEUP in AMBA Low Power Interface

BySystem on Chips

QACTIVE Assertion and QDENY Dependency in AMBA Q-Channel The AMBA Low Power Interface (Q-Channel) is a critical component in ARM-based SoC designs, enabling efficient power management by facilitating communication between power controllers and peripheral devices. The Q-Channel consists of several signals, including QACTIVE, QDENY, and PWAKEUP, which play pivotal roles in managing power states. A

Leave a Reply

Your email address will not be published. Required fields are marked *