I am running on Cortex-R82 FVP.
EL2: MPU disabled with background region also disabled. EL1: MPU enabled with multiple non-overlapping regions, background region disabled.
SCTLR_EL[2|1].WXN is set to 0.
Behavior: In EL1, when I write to a normal memory MPU region that has write and execute permissions enabled (around memory location 0x86400, if it matters), the write operation causes a fault. The issue disappears when the region is marked non-executable (prbar.XN bit is set).
My question is whether this is expected behavior or an FVP parameter/bug. If it is expected, I would be grateful if I could be pointed to the documentation that explains it further.
What syndrome is reported in the fault case? (I'm guessing permission fault, but thought it worth sanity checking)
What are the two different values you're writing into PRBAR?
Thanks for your reply, Martin! We ran the tests, and the issue is slightly different from what I explained above. Apart from "behavior" above, everything else holds true.
Actual behavior: code does not execute from a memory region with write permissions, and results in an abort.
Case: Execute from memory works
prbar_el1: 0x56502c -> region marked as RO for EL1/EL0
prlar_el1: 0x56811f
Case: Execution from memory fails
prbar_el1: 0x565024 -> region marked as RW for EL1/EL0
prlar_el1: 0x56811f
Exception Syndrome 0x8600000c Instruction Abort taken without a change in Exception level
FAR 0x5662a0 (0xd2800007 MOV x7,#0)
Thanks, that makes a bit more sense.
I'm more familiar with the A-profile, which has a rule that a region which has write-permission at EL0 can _never_ be executable at EL1.
From the A-profile spec (DDI0487, rev L.b), this is covered by R_VWLLR:
For stage 1 translations that support two Exception levels, if UnprivWrite is present, then PrivExecute is removed.
Adding to my post:
R-profile is a little different. When the MPU is disabled there is a special case:
“If the value of SCTLR_EL1.{M, BR} is {0, 1}, then for the Secure EL1&0 translation regime, any memory region that is writable at EL0 is also executable from EL1 if that address is marked as executable by the Background region.”
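Added example, not part of the thread: a small C decoder for the register values posted above, which flags a region that is both EL0-writable and executable and classifies the reported syndrome. The bit positions (PRBAR_EL1 BASE[47:6], AP[3:2], XN in [1:0]; PRLAR_EL1 LIMIT[47:6]) and the AP encoding are assumptions about the Armv8-R AArch64 register layout that reproduce the RO/RW annotations in the post; all helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define ADDR_MASK 0x0000FFFFFFFFFFC0ull   /* bits [47:6], assumed layout */

/* PRBAR_EL1 (assumed): BASE[47:6], SH[5:4], AP[3:2], XN within [1:0]. */
static uint64_t prbar_base(uint64_t v) { return v & ADDR_MASK; }
static unsigned prbar_ap(uint64_t v)   { return (unsigned)(v >> 2) & 3u; }
static unsigned prbar_xn(uint64_t v)   { return (unsigned)v & 3u; }

/* PRLAR_EL1 (assumed): LIMIT[47:6]; the low six limit bits are all ones. */
static uint64_t prlar_limit(uint64_t v) { return (v & ADDR_MASK) | 0x3Full; }

/* AP (assumed): 0 = RW EL1 only, 1 = RW EL1/EL0, 2 = RO EL1 only, 3 = RO EL1/EL0. */
static int el0_writable(uint64_t prbar) { return prbar_ap(prbar) == 1u; }

/* The combination discussed in the thread: writable at EL0 and not marked XN. */
static int el0_write_and_exec(uint64_t prbar) {
    return el0_writable(prbar) && prbar_xn(prbar) == 0u;
}

/* ESR_ELx: EC[31:26], IFSC[5:0]. EC 0x20/0x21 = Instruction Abort,
 * IFSC 0b0011xx = permission fault. */
static unsigned esr_ec(uint32_t esr)  { return esr >> 26; }
static unsigned esr_fsc(uint32_t esr) { return esr & 0x3Fu; }
static int is_insn_permission_fault(uint32_t esr) {
    unsigned ec = esr_ec(esr);
    return (ec == 0x20u || ec == 0x21u) && (esr_fsc(esr) & 0x3Cu) == 0x0Cu;
}

static int addr_in_region(uint64_t a, uint64_t prbar, uint64_t prlar) {
    return a >= prbar_base(prbar) && a <= prlar_limit(prlar);
}

int main(void) {
    /* Values copied from the two cases posted in the thread. */
    const uint64_t prbar[2] = { 0x56502cull, 0x565024ull };
    const uint64_t prlar = 0x56811full, far = 0x5662a0ull;
    const uint32_t esr = 0x8600000cu;
    for (int i = 0; i < 2; i++)
        printf("PRBAR %#llx: AP=%u XN=%u EL0-writable+exec=%d FAR in region=%d\n",
               (unsigned long long)prbar[i], prbar_ap(prbar[i]), prbar_xn(prbar[i]),
               el0_write_and_exec(prbar[i]), addr_in_region(far, prbar[i], prlar));
    printf("ESR %#x: EC=%#x IFSC=%#x insn permission fault=%d\n",
           (unsigned)esr, esr_ec(esr), esr_fsc(esr), is_insn_permission_fault(esr));
    return 0;
}
```

Running the same `el0_write_and_exec` check over every programmed region at boot is a quick way to list the regions where this combination occurs.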