Hi all,
The main differences in ARMv8 EL3 are that it has its own MMU and it can only be entered via SMC and exited via the ERET instruction. The ERET instruction reads from ELR_EL3 (Exception Link Register) and continues execution from that address (of course changing context before).
So, is it possible to "manually" change context, write a destination address into the ELR_EL3 register and perform the ERET instruction? Exactly: set a new context (SP, NS bit, GP registers...), write an address from the EL2 memory space into ELR_EL3 (hypervisor memory space, which is non-secure), perform ERET, and continue execution there?
Thanks
Yes, ELR_EL3 (and the other ELR_ELn registers) is writeable. So if you wanted to return to a different address you can simply overwrite it. If you wanted to return to a different EL/execution state, you'd also have to modify SPSR_EL3.
This is essentially what happens during context switching. The OS saves off the ELR_EL1/SPSR_EL1 values to the task's context, then loads in the values for the new context.
One note: SMC is not the only exception type that causes entry to EL3. You can also route IRQs/FIQs/SErrors to EL3.
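As an added illustration (not code from this thread), here is the EL3-to-Non-secure-EL2 transition the question describes, in GNU assembler for AArch64: it builds the return context in SCR_EL3, SP_EL2 and SPSR_EL3, writes the target into ELR_EL3 and executes ERET. The symbol name and the convention that x0 holds the Non-secure entry address and x1 the EL2 stack are assumptions; bit positions are those of the ARMv8-A system registers.

```asm
// Added example, not from the thread. Entered at EL3 with:
//   x0 = entry point in Non-secure (hypervisor) memory
//   x1 = initial stack pointer for EL2
// ERET restores only PC (from ELR_EL3) and PSTATE (from SPSR_EL3);
// general-purpose registers keep whatever values are set here.

    .globl  el3_enter_ns_el2
el3_enter_ns_el2:
    // 1. Make lower ELs Non-secure and AArch64 so the target is reachable:
    //    NS (bit 0) = 1, HCE (bit 8) = 1 (enable HVC), RW (bit 10) = 1
    //    (EL2/EL1 run AArch64), SMD (bit 7) = 0 (SMC stays enabled).
    //    IRQ/FIQ/EA (bits 1..3) = 0: physical interrupts are not routed
    //    to EL3; set them to 1 to get the EL3 entries mentioned above.
    mov     x2, #0x501
    msr     scr_el3, x2

    // 2. Stack pointer for the new context (SP_EL2, selected by M[0] = 1).
    msr     sp_el2, x1

    // 3. SPSR_EL3 defines the PSTATE ERET will restore:
    //    M[3:0] = 0b1001 -> EL2h (EL2 using SP_EL2), M[4] = 0 -> AArch64,
    //    D/A/I/F (bits 9..6) = 1 -> all exceptions masked until EL2 unmasks.
    mov     x2, #0x3c9
    msr     spsr_el3, x2

    // 4. ELR_EL3 is the address execution resumes from after ERET.
    //    It must lie in Non-secure memory, because NS = 1 applies after
    //    the return; a Secure address would fault at EL2.
    msr     elr_el3, x0

    // 5. Barrier so every system-register write is complete and visible
    //    before the exception return uses them.
    isb

    // 6. Leave EL3. Nothing after this runs unless EL3 is re-entered
    //    (SMC, or an IRQ/FIQ/SError routed to EL3 via SCR_EL3.IRQ/FIQ/EA).
    eret
```

Zeroing or clearing x0..x30 before the ERET is how firmware keeps EL3 register contents from leaking to the Non-secure side; the example leaves that to the caller.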