Cortex-A35 processor, AArch64 mode. Before setting up MMU and GIC, I'm trying to go from EL3 to non-secure EL1:
msr VTTBR_EL2, xzr
mov x0, SCR_EL3.RES1 or SCR_EL3.NS or SCR_EL3.RW or SCR_EL3.ST
msr SCR_EL3, x0
mov x1, SPSR.M.AArch64_EL1h or SPSR_EL3.A or SPSR_EL3.I or SPSR_EL3.F
msr SPSR_EL3, x1
adr x2, __el1
msr ELR_EL3, x2
; all other system registers are set to their reset values.
; SCTLR_EL1 = 0x00C50838
; HCR_EL2 = 0x0000000000000002
mov x10, 0xff220000 ; this simply turns on the LED on the board,
mov w11, 0x0020 ; for testing only
str w11, [x10, 4] ;
str w11, [x10, 0] ;
Switching to the secure EL1 (SCR_EL3.NS not set) works fine and the LED turns on. However, it doesn't work when I try to go to non-secure EL1.
I also tried setting HCR_EL2.RW, but it didn't work:
mov x0, HCR_EL2.RW
msr HCR_EL2, x0
What am I missing?
It is very possible that the GPIO controller of the LED is a secure device, which can only be programmed in the secure state.
From the TrustZone guide (https://developer.arm.com/documentation/102418/0100/TrustZone-in-the-processor) I learned that memory can be treated as secure. Probably this could be the case. Unfortunately, I don't have a debugger and all my debugging comes from output messages over UART or flashing LEDs. A scenario I can think of is: going NS.EL1, changing some variable, then going secure again and printing it over UART to confirm I enter EL1 and peripherals are in the secure address space. JFYI I'm working with the Rockchip RK3308-based board. Will post my further findings here.
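Added example, not part of any post in this thread: a host-side C model of the architectural check applied to the ERET from EL3 that the question sets up, using the SCR_EL3, SPSR_EL3 and HCR_EL2 values quoted there. It assumes EL2 is implemented and there is no Secure EL2; the function and enum names are hypothetical, and it covers only the Execution state check, not whether the GPIO block is secure-only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural bit positions (Armv8-A). */
#define SCR_EL3_NS   (1ull << 0)   /* lower ELs are Non-secure */
#define SCR_EL3_RES1 (3ull << 4)
#define SCR_EL3_RW   (1ull << 10)  /* next lower EL is AArch64 */
#define SCR_EL3_ST   (1ull << 11)
#define HCR_EL2_RW   (1ull << 31)  /* Non-secure EL1 is AArch64 */
#define SPSR_EL1H    0x5ull        /* M[4]=0 (AArch64), M[3:0]=0b0101 */
#define SPSR_AIF     (7ull << 6)   /* A, I, F mask bits */

enum eret { ERET_OK, ERET_RESERVED_M, ERET_LOWER_ELS_AARCH32,
            ERET_NS_EL1_AARCH32, ERET_NOT_MODELLED };

/* SCR_EL3 value the question builds, with or without NS. */
uint64_t scr_from_question(bool ns)
{
    return SCR_EL3_RES1 | SCR_EL3_RW | SCR_EL3_ST | (ns ? SCR_EL3_NS : 0);
}

/* Would ERET at EL3 reach AArch64 EL1, or be an illegal exception return
 * (PSTATE.IL set, no change of Exception level)? Assumes EL2 is implemented
 * and there is no Secure EL2. */
enum eret check_eret_to_el1(uint64_t scr, uint64_t hcr, uint64_t spsr)
{
    unsigned m = (unsigned)(spsr & 0x1f);
    if (m & 0x10) return ERET_NOT_MODELLED;            /* AArch32 target */
    if ((m & 0x2) || (m & 0xf) == 0x1) return ERET_RESERVED_M;
    if (((m >> 2) & 3) != 1) return ERET_NOT_MODELLED; /* not EL1t/EL1h */
    if (!(scr & SCR_EL3_RW)) return ERET_LOWER_ELS_AARCH32;
    /* In Non-secure state EL2 sits between EL3 and EL1, so HCR_EL2.RW,
     * not SCR_EL3.RW, gives the Execution state of EL1. */
    if ((scr & SCR_EL3_NS) && !(hcr & HCR_EL2_RW)) return ERET_NS_EL1_AARCH32;
    return ERET_OK;
}

int main(void)
{
    uint64_t spsr = SPSR_EL1H | SPSR_AIF;
    uint64_t hcr_reset = 0x2;  /* HCR_EL2 value quoted in the question */
    printf("secure EL1:          %d\n", check_eret_to_el1(scr_from_question(false), hcr_reset, spsr));
    printf("NS EL1, HCR reset:   %d\n", check_eret_to_el1(scr_from_question(true), hcr_reset, spsr));
    printf("NS EL1, HCR_EL2.RW:  %d\n", check_eret_to_el1(scr_from_question(true), HCR_EL2_RW, spsr));
    return 0;
}
```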