This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VTTBR_EL2 getting populated at EL1 ?

Hi,

I am facing an issue where after doing "eret" to EL1 when I see from DS-5 debugger MMU view I can see VTTBR_EL2 entries.

It seems that at EL1 level VTTBR_EL2 is visible as debugger is able to parse that memory ?  I am confused as my Linux doesn't map VTTBR_EL2 address memory.

Also I can not populate the "memory view" for this address.

I am also trying to figure out if this because my Stage 2 TLB is not invalid. What is the correct way to invalidate TLB for stage 2 page tables ?

Thanks.

Parents
  • The _ELn suffix on register names denotes the minimum privilege needed to access that register.  So an _EL2 register is not accessible at EL1 or 0, but is accessible at EL2 or EL3.  Therefore software running at EL1 cannot access VTTBR_EL2.

    VTBBR_EL2 points to a table in memory.  This physical address range containing this table might be visible at EL1.  So if software already knew the address (or could make an educated guess) it might be able to access the table itself.  EL2 has a way to prevent this - stage 2 translation (which appropriately enough is what VTTBR_EL2 is used for).  Therefore generally it would be a programming for NS.EL1 to be able to access the physical memory used by EL2 for stage 2 translation tables.  Or for that matter, pretty much any of the memory used by the EL2 software.

    Now debug is a little different.  If you connect with a JTAG debugger (e.g. DS-5), then what you can see is based on a number of signals (e.g. is secure debug allowed).  For ARM's Juno development board, you can see everything.  So, it is quite possible for DS-5 to show information about EL2 register, or non-NS.EL1 accessible memory, while in NS.EL1.

    If you need to invalidate the TLBs, this is done using TLBI instructions.  The arguments which control whether stage 1/2/both are invalidated.  But you'll need to be in EL2 to to use many of the ones relevant to your scenario.

Reply
  • The _ELn suffix on register names denotes the minimum privilege needed to access that register.  So an _EL2 register is not accessible at EL1 or 0, but is accessible at EL2 or EL3.  Therefore software running at EL1 cannot access VTTBR_EL2.

    VTBBR_EL2 points to a table in memory.  This physical address range containing this table might be visible at EL1.  So if software already knew the address (or could make an educated guess) it might be able to access the table itself.  EL2 has a way to prevent this - stage 2 translation (which appropriately enough is what VTTBR_EL2 is used for).  Therefore generally it would be a programming for NS.EL1 to be able to access the physical memory used by EL2 for stage 2 translation tables.  Or for that matter, pretty much any of the memory used by the EL2 software.

    Now debug is a little different.  If you connect with a JTAG debugger (e.g. DS-5), then what you can see is based on a number of signals (e.g. is secure debug allowed).  For ARM's Juno development board, you can see everything.  So, it is quite possible for DS-5 to show information about EL2 register, or non-NS.EL1 accessible memory, while in NS.EL1.

    If you need to invalidate the TLBs, this is done using TLBI instructions.  The arguments which control whether stage 1/2/both are invalidated.  But you'll need to be in EL2 to to use many of the ones relevant to your scenario.

Children
No data