I found that when a secure function calls a non-secure function, before jumping to non-seucre state (either to thread or to handler), the registers r0-r12 (except for the reg passing argument) are cleared.
But in the case when non-secure callable function returns to non-secure function, only r0-r3 and r12 are cleared. So i think there is a risk of being exposed by r4-r11. So is this a threat to secure system?
And I want to know why don't the development tools clear all the registers in the second case?
Thanks a lot !
The app note that describes the detail of this operation is here
There is also a long list of associated documents here
in brief, the processor does part of the security job, the programmer needs to do the rest .
for example, if the secure function does not validate pointers passed as parameters then an attacker can access all secure memory via a secure function
if the secure function does not clean registers after it is done then the non secure side will be able to see that data and via repeated calls can hack the system
explained in technical detail here
in the case above, the tool inserts the proper clean up to prepare for a transition to non secure while going the other way there is nothing to clean up since secure has access to all memory any way
Thanks for your answer. I will make my question more clear.
I found that in the case when non-secure callable function returns to non-secure function, only r0-r3 and r12 registers are cleared. While in the case when secure function calls a non-secure function, all registers r0-r12 are cleared.
I think in the second case, it is secure enough to protect the register not being observed. While in the first case, r4-r11 still have the risk of being exposed. So why don't the development tools clear all the registers in the first case?
I'm sorry for jumping into the discussion.I think from r4 to r11 would be the callee saved registers.This means r4-r11 would not change in the secure world.Therefore, the observed values of r4-r11 by the function in the non-secure world after calling the secure world, would be the previous values before calling the secure world.
I hope this will help you.Best regards,Yasuhiko Koumoto.
Thanks for reply.
You mean that if necessary, the callee should push the r4-r11 and pop them at the end?
View all questions in TrustZone for Armv8-M forum