文章目录
在切换secure和non-secure模式的时候,通常有两种方法:
- 使用SMC指令
- 写SCR寄存器的NS比特位
下面谈谈这两种方法的区别:
SMC 指令
SMC指令将会产生一个进入EL3的异常,而EL3绝对不会在Non-secure的状态下实现。所以自然而然地可以使系统进入Secure 模式。并且会无视 SCR.NS 位,即不管NS为多少,都可以进入Secure状态。
SMC #0 ; set secure mode
SMC #1 ; set non-secure mode
SCR.NS
Non-secure 下访问不了SCR寄存器,所以只能在secure状态下将NS位写1,进入Non-secure状态。而不能在Non-secure状态下访问SCR,将NS位写0,进入Secure状态。
总的来说,使用SMC指令可以随意在secure和non-secure状态下切换,而通过读写SCR.NS的方式只能将Secure切换成Non-secure。
AArch64
SMC(Secure Monitor Call)指令
SMC指令将会产生一个进入EL3的异常,但是只可以在EL1以及其更高的异常等级时执行,当在EL0时执行SMC指令时,其行为是UNDEFINED。如果 HCR_EL2.TSC 和SCR_EL3.SMD都为0,在EL1以及其更高的异常等级时执行,将会产生一个Secure Monitor Call 异常,
- EL0 Applications.
- EL1 OS kernel and associated functions that are typically described as privileged.
- EL2 Hypervisor.
- EL3 Secure monitor
HCR_EL2.TSC :Traps to EL2 of EL1 execution of SMC instructions
捕获SMC 指令,如果在当前的security state下,EL2被使能,可以将EL1执行的SMC 指令捕获至EL2。
- 如果在AArch 64下执行,这个捕获将会被记录在 EC value 0x17。
- 如果在AArch 32下执行,这个捕获将会被记录在 EC value 0x13。
HCR_EL2.TSC = 0b0
This control does not cause any instructions to be trapped.
HCR_EL2.TSC = 0b1
If EL3 is implemented, then any attempt to execute an SMC instruction at EL1 is trapped to EL2, when EL2 is enabled in the current Security state, regardless of the value of SCR_EL3.SMD.
If EL3 is not implemented, FEAT_NV is implemented, and HCR_EL2.NV is 1, then any attempt to execute an SMC instruction at EL1 using AArch64 is trapped to EL2, when EL2 is enabled in the current Security state.
If EL3 is not implemented, and either FEAT_NV is not implemented or HCR_EL2.NV is 0, then it is IMPLEMENTATION DEFINED whether:
• Any attempt to execute an SMC instruction at EL1 is trapped to EL2, when EL2 is enabled in the current Security state.
• Any attempt to execute an SMC instruction is UNDEFINED.
In AArch32 state, the Armv8-A architecture permits, but does not require, this trap to apply to conditional SMC instructions that fail their condition code check, in the same way as with traps on other conditional instructions.
SCR_EL3.SMD : Disabling EL3, EL2, and EL1 execution of SMC instructions
SCR_EL3寄存器的SMD位可以disable 在EL1以及更高的异常等级上SMC指令的执行, from both Security states and both Execution states, reported using an ESR_ELx.EC value of 0x00.
- SCR_EL3.SMD = 0b0:SMC instructions are enabled at EL3, EL2 and EL1.
- SCR_EL3.SMD = 0b1:SMC instructions are UNDEFINED.
SCR_EL3 寄存器
AArch32
SMC 指令
AArch32 PE modes
AArch32的mode有:
- Monitor mode:总是在secure EL3上执行。
- Hyp mode: 总是在Non-secure EL2上执行。
- System, Supervisor, Abort, Undefined, IRQ, and FIQ modes, 这些模式执行的Exception level取决于当前的安全状态。
- User mode,总是在EL0上执行。
在AArch64中不支持这些mode, Mode的概念只特定于AArch32,同时上述mode可以在指定的异常等级下执行,此时的异常等级必须支持AArch32状态。
Monitor mode只会实现在Secure state下,并且仅当 EL3 使用 AArch32 时。
Hyp mode只会实现在Non-secure状态下,并且仅当EL2使用AArch32时。
System, FIQ, IRQ, Supervisor, Abort, and Undefined modes,由安全状态决定:
In Secure state If either:
• EL3 is using AArch32.
• EL3 is using AArch64 and EL1 is using AArch32.
In Non-secure state If EL1 is using AArch32:
• User mode is implemented if EL0 is using AArch32
Monitor mode
AArch32的monitor mode是Secure的EL3 模式,这意味着它总是处于Secure state下,并且会无视 SCR.NS bit。 使用SMC指令可以进入Secure Monitor Call 异常,从而进入Monitor 模式,在Non-secure的EL1或者Secure EL3模式下,执行SMC指令将会产生Secure Monitor Call 异常。
当EL3使用AArch32时,在Monitor 模式下执行的软件:
- 可以访问Secure和Non-secure的寄存器。
- 异常处理结束后可以返回secure 或者Non-secure模式。
这意味着,Monitor mode提供提供了在secure 或者Non-secure状态之间切换的唯一推荐方法。
SCR Secure Configuration Register 寄存器
SCR 是一个32-bit 寄存器,访问SCR寄存器,需要满足两个条件:当前使用AArch32 状态,并且EL3被实现,该寄存器定义了当前安全状态的配置,特别是:
- 安全状态:secure和non-secure
- 当IRQ,FIQ或者External abort发生时,当前处理器会跳转到什么mode。
- 当SCR.NS=1,即non-secure模式下,是否能改变PSTATE.F or PSTATE.A状态位。
NS, bit [0]
Non-secure bit. 处理器必须处于Monitor mode下,可以决定当前的安全状态:
- 0b0 PE is in Secure state.
- 0b1 PE is in Non-secure state.