If the CPU is in Secure state and calls a Non-secure world method, is this allowed, or will it generate a security fault?
If you are changing the secure OS, you can do that. You might need to map the normal world functions to the secure world.
However, in general, this is not recommended because a malicious function can be executed with secure world privilege, which will compromise the secure world.
Thanks for your reply.
One thing I want to know is this: if calling an NS world method directly (which is in Non-secure memory set up by the SAU), for example using BL rather than BLNS to branch to a Non-secure method address, will this lead to a secure fault?
I didn't realize that the question was about TrustZone on v8-M. On v8-A, it is doable as long as the region is set as executable for both worlds by the TZASC.
For Armv8-M, Secure code can call Non-secure functions (using BLXNS instruction).
When this happens, the return address is automatically pushed to the Secure stack, and the LR (link register) is updated to a special value called FNC_RETURN (function return). When the Non-secure function ends and returns with FNC_RETURN, the real return address is extracted from the Secure stack.
With this method, it is not possible for Non-secure world to modify the actual return address.
In addition to Joseph's comments, please note that Arm Compiler 6 has full support for developing with secure and non-secure world code, including the generation of the appropriate BLXNS instruction etc. Please see the application note below, written for MDK, though it equally applies to the DS-5 tool if that is your preference (both toolkits include the Arm Compiler): www.keil.com/.../apnt_291.pdf
Thank you guys for the help.
I was just wondering about the protections when Secure state directly calls a Non-secure method through function pointers, not using BLXNS, just BLX. I found that it causes fault exceptions on our testing platform.
Other than the branch instructions which are dedicated to state transitions (like BLXNS, BXNS), the existing branch instructions like BLX, BX, BL <label>, when executed from Secure state to a Non-secure state address, shall result in a Secure fault.
However, if the existing branch instructions like BLX, BX, BL <label> are executed from Non-secure state to a Secure target address with the target state bit set to 0, this shall result in a Usage fault.
Hope this helps.
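To make the two answers above concrete (the BLXNS return mechanism with FNC_RETURN, and the fault rules for plain BL/BLX/BX), here is a small host-side model of those rules. It is an added example, not target code from the thread or from Arm; the SAU-style address map, the addresses and the Secure-stack layout are constructed for illustration. On a real Armv8-M build with Arm Compiler 6 or GCC `-mcmse`, the equivalent of the "safe" path is calling through a pointer typed with `__attribute__((cmse_nonsecure_call))`, which is what makes the compiler emit BLXNS instead of BLX.

```c
/* Host-side model of the Armv8-M Secure <-> Non-secure branch rules discussed
 * in this thread. Constructed example: the SAU map, addresses and the Secure
 * stack are stand-ins, not a description of any specific silicon. */
#include <stdint.h>

#define FNC_RETURN 0xFEFFFFFFu  /* LR value that marks a return from a Non-secure function call */

enum state   { SECURE, NONSECURE };
enum insn    { BL_BLX_BX, BLXNS_BXNS };
enum outcome { BRANCH_OK, TRANSITION_TO_NS, SECURE_FAULT, USAGE_FAULT };

struct cpu {
    enum state st;
    uint32_t   lr;
    uint32_t   secure_stack[8];  /* stands in for the Secure stack, which NS code cannot access */
    int        sp;
};

/* Constructed SAU-style attribution: everything below 0x20000000 is Secure memory. */
static enum state sau_attr(uint32_t addr) { return (addr & ~1u) < 0x20000000u ? SECURE : NONSECURE; }

/* Applies the rules quoted in the thread to one branch; ret_addr is the address after the call. */
enum outcome branch(struct cpu *c, enum insn in, uint32_t target, uint32_t ret_addr)
{
    enum state dst = sau_attr(target);
    if (c->st == SECURE) {
        if (dst == SECURE) return BRANCH_OK;            /* ordinary Secure-to-Secure branch */
        /* Plain BL/BLX/BX into NS memory, or BLXNS with the target-state bit still set (stay Secure),
         * both leave Secure state trying to execute NS memory: Secure fault. */
        if (in == BL_BLX_BX || (target & 1u)) return SECURE_FAULT;
        /* BLXNS with bit 0 clear: real return address goes to the Secure stack, LR = FNC_RETURN */
        c->secure_stack[c->sp++] = ret_addr;
        c->lr = FNC_RETURN;
        c->st = NONSECURE;
        return TRANSITION_TO_NS;
    }
    if ((target & 1u) == 0) return USAGE_FAULT;         /* NS branch with target-state bit 0 */
    if (dst == SECURE) return SECURE_FAULT;             /* not covered in the thread: real hardware only
                                                           permits this onto an SG entry in NSC memory */
    return BRANCH_OK;                                   /* NS-to-NS branch */
}

/* NS code executing "BX LR" with LR == FNC_RETURN: the real return address is popped
 * from the Secure stack, so whatever NS code did to LR cannot redirect the return. */
uint32_t ns_return(struct cpu *c)
{
    if (c->st != NONSECURE || c->lr != FNC_RETURN || c->sp == 0) return 0; /* not a valid function return */
    c->st = SECURE;
    return c->secure_stack[--c->sp];
}
```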