How to do from Secure(EL3) to Non-secure Exception level transition in ARMV8-A ?

Hi.  For background reading I suggest you take a look at the "Boot: Bare Metal" guide linked to from this page:

developer.arm.com/.../learn-the-architecture

Specifically chapter 5.5, it talks about moving between Exception levels.

On to your specific question, there's a couple of things that could be going wrong.  The value in ESR_EL3 when you re-enter EL3 should tell you what.  Common problems:

• SCR_EL3.RW
  There are two things that control the Execution state (AArch32 or AArch64) of lower ELs.  There's the value you're programming into the SPSR_EL3 before the ERET, and the RW bits (SCR_EL3.RW and HCR_EL2.RW).  When entering EL2 from EL3, you need to make sure that SCR_EL3.RW is set to match what you're putting in the SPSR (i.e. they both say AArch64 or both say AArch32).
  
  
• SCR_EL3.NS
  On Armv8.0 and Armv8.2-A processors, EL2 only exists in Non-secure state.  The SCR_EL3.NS bit controls whether lower ELs are Non-secure or Secure.  So to enter EL2 you need to have configured the NS bit to be 1 (Non-secure)

• EL2 MMU registers
  The SCTLR_EL2 register controls the MMU and caches for EL2 - it does NOT have a defined reset value.  You need to make sure you've initialized it to a safe initial value before entering EL2 for the first time.  Writing 0 to it is usually enough.
  
  
• Address space
  Again assuming an 8.0 or 8.2 processor.  In Non-secure state you can only access Non-secure physical addresses.  You need to make sure that the address you enter EL2 at is a NS physical address.

.global test_el3_to_el2_asm
.p2align 2
.type test_el3_to_el2_asm,%function
test_el3_to_el2_asm:

#store return address into C world - this will be retrieved from SMC handler
adr x0,return_addr
str x30,[x0]

#set sp_el1 to sp_el3 in order for the code in C test function to work
ldr x0, =__stack_end__
mov x1, #1000
sub x0, x0, x1
bic x0, x0, #0xf
msr sp_el1, x0
mov x1, #1000
sub x0, x0, x1
bic x0, x0, #0xf
msr sp_el0, x0
mov x1, #1000
sub x0, x0, x1
bic x0, x0, #7
msr sp_el2, x0


//Initialize SCTLR_EL2 and HCR_EL2 to save values before entering EL2.
MSR SCTLR_EL2, XZR
MSR HCR_EL2, XZR
MRS X0, HCR_EL2
ORR X0, X0, #(1<<19)
ORR X0, X0, #(1<<31)
MSR HCR_EL2, X0


//clear CPTR_EL3 and CPTR_EL2 to prevent trapping of accesses to CPACR at EL1
bl clear_cptr_el3_el2_asm

// Determine the EL2 Execution state.

MRS X0, SCR_EL3
ORR X0, X0, #(1<<10) // RW EL2 Execution state is AArch64.
ORR X0, X0, #(1<<0) //NS=1 El1 Non Secure state
BIC X0, X0, #(1<<3)
MSR SCR_EL3, x0
isb

MOV X0, #0b01001 // DAIF=0000
MSR SPSR_EL3, X0 
isb

// Determine EL2 entry.
ADR X0, el2_entry // el2_entry points to the first instruction of
MSR ELR_EL3, X0 // EL2 code.
ERET

el2_entry:
nop
add x0, x0, #1
smc 0x0

Hi @Martin Weidmann  , Thanks for reply... above is my code for Transition from EL3 to EL2 and again return to EL3 but the problem is while Executing first instruction in EL2 mode then it goes to again EL3 mode and goes to unexpected handler.

Please check above code suggest me .

Thank You.

Regards, 

Sanjay Kumar

Can you share the ELR_EL3, SPSR_EL3 and ESR_EL3 values when execution returns to EL3?  Also, what's the address of el2_entry (for comparison to the reported ELR value)?

NO after execution first instruction of EL2 mode, it is remains in EL2 mode only but it goes into unexpected handler..so i cant read EL3 regions registers.