Hi,
I have two main questions, about the handling of group 0 interrupts:
I know a secure OS should not try to fight against the EL3 secure monitor, but I want to understand things clearly before porting our OS / Monitor to armv8 / gic-v3
Thank you !
V.
1. from my understanding of the GIC-v3 documentation, any secure OS (EL1, SCR.NS == 0) has access to ICC_IGRPEN0_EL1:Am I correct when I say that this means that any secure OS can disable group 0 interrupt, which could prevent the secure monitor at EL3 to receive group 0 interrupt ?Is the only way to prevent this is to trap access to ICC_SRE_EL1 using ICC_SRE_EL3.Enable ?
1. from my understanding of the GIC-v3 documentation, any secure OS (EL1, SCR.NS == 0) has access to ICC_IGRPEN0_EL1:
Whether S.EL1 can access ICC_IGRPEN0_EL1 depends on the setting of SCR_EL3.FIQ.
If FIQ==1 (FIQs routed to EL3), accesses to ICC_IGRPEN0_EL1 at S.EL1 will trap to EL3.
2 .Also, any secure OS seems to have access to GICD_IGROUPRn and GICD_IGRPMODRn registers:Is there a way to prevent a secure OS to switch a group 0 interrupt into a (for example) group 1 Secure interrupt ?Is the only way to be defensive about the previous point is to trap all interrupt to EL3 ?I know a secure OS should not try to fight against the EL3 secure monitor, but I want to understand things clearly before porting our OS / Monitor to armv8 / gic-v3
Not really. There is no equivalent to Stage 2 translation that EL3 can use to restrict S.EL1's access to the address space.
Generally S.EL1 and EL3 are considered the same level of trust, so there isn't really a need for EL3 to defend itself from S.EL1.
Ok, that's what I had understood.
Thank you for the additional info.