Secure and Non-Secure MPU Overlap and Address Range Validation

In ARM Cortex-M systems with TrustZone enabled, the Memory Protection Unit (MPU) is a critical component for enforcing memory access rules between secure and non-secure worlds. The cmse_check_address_range function is used to validate whether a memory range provided by the non-secure world is accessible under specific conditions, such as non-secure, unprivileged, and read-write permissions. However, when both Secure MPU (MPU_S) and Non-Secure MPU (MPU_NS) are active, issues can arise if the memory regions are not properly configured.

The core issue occurs when a buffer allocated in the non-secure world (e.g., at address 0x20000000) is accessed from the secure world using cmse_check_address_range. The Secure MPU is configured to cover the same physical memory but using a secure alias address (e.g., 0x30000000). Despite the physical memory being the same, the cmse_check_address_range function triggers a secure fault because the secure MPU does not recognize the non-secure address range as valid. This indicates that the Secure MPU must explicitly define regions for both the non-secure and secure aliases of the same physical memory.

This behavior is expected due to the way ARM TrustZone and the MPU handle address translation and access permissions. The Secure MPU must be configured to recognize both the non-secure and secure address ranges for the same physical memory to avoid faults during cross-world data transfers. This requirement is often overlooked, leading to runtime faults and system instability.

Memory Region Configuration and Address Translation Mismatch

The root cause of the issue lies in the mismatch between memory region configurations in the Secure and Non-Secure MPUs and the address translation mechanisms used by TrustZone. When TrustZone is enabled, the same physical memory can be accessed using both secure and non-secure addresses. For example, a memory region located at 0x20000000 in the non-secure world might have a secure alias at 0x30000000. However, the MPU does not automatically translate between these addresses. Instead, it treats them as entirely separate regions.

The cmse_check_address_range function performs its validation based on the address provided and the permissions specified. If the Secure MPU is only configured to recognize the secure alias address (0x30000000), it will not validate the non-secure address (0x20000000) as accessible, even though they point to the same physical memory. This results in a secure fault when the function attempts to check the non-secure address range.

Additionally, the issue is exacerbated by the fact that the Secure MPU and Non-Secure MPU operate independently. The Non-Secure MPU might be correctly configured to allow access to the non-secure address range, but the Secure MPU must also be explicitly configured to recognize the same range for cross-world access. This dual configuration requirement is often missed during system setup, leading to runtime faults.

Configuring Dual MPU Regions and Validating Cross-World Access

To resolve this issue, the Secure MPU must be configured to recognize both the non-secure and secure address ranges for the same physical memory. This involves defining two separate MPU regions: one for the non-secure address range (e.g., 0x20000000) and one for the secure alias address range (e.g., 0x30000000). Both regions must have the same access permissions and attributes to ensure consistent behavior.

The following steps outline the process for configuring the MPU and validating cross-world access:

  1. Define Non-Secure MPU Region: Ensure the Non-Secure MPU is configured to allow access to the non-secure address range (0x20000000). This region should have the appropriate permissions (e.g., read-write) for the non-secure world.

  2. Define Secure MPU Region for Non-Secure Address: In the Secure MPU, define a region that covers the non-secure address range (0x20000000). This region must have the same permissions as the corresponding Non-Secure MPU region to allow cross-world access.

  3. Define Secure MPU Region for Secure Alias: In the Secure MPU, define a second region that covers the secure alias address range (0x30000000). This region should also have the same permissions as the non-secure region to ensure consistency.

  4. Use cmse_check_address_range with Correct Permissions: When calling cmse_check_address_range, ensure the permissions (e.g., CMSE_NONSECURE | CMSE_MPU_UNPRIV | CMSE_MPU_READWRITE) match the MPU configurations. This ensures the function validates the address range correctly.

  5. Test Cross-World Data Transfers: After configuring the MPU regions, test cross-world data transfers to verify that the secure fault no longer occurs. Use debug tools to monitor MPU behavior and ensure both regions are being recognized correctly.

By following these steps, the system can avoid secure faults caused by mismatched MPU configurations and ensure reliable cross-world data transfers. Proper MPU configuration is critical for systems using ARM TrustZone, as it directly impacts the security and stability of the system.

Example MPU Configuration Table

The following table provides an example of how the Secure and Non-Secure MPU regions should be configured for a memory region located at 0x20000000 in the non-secure world and 0x30000000 in the secure world:

MPU Address Range Permissions Attributes
MPU_NS 0x20000000-0x2000FFFF Read-Write, Unprivileged Non-Secure, Cacheable
MPU_S 0x20000000-0x2000FFFF Read-Write, Unprivileged Non-Secure, Cacheable
MPU_S 0x30000000-0x3000FFFF Read-Write, Unprivileged Secure, Cacheable

This table illustrates the dual MPU region configuration required to avoid secure faults during cross-world access. Both the non-secure and secure address ranges must be explicitly defined in the Secure MPU to ensure proper validation by cmse_check_address_range.

Debugging Tips

  • Monitor MPU Faults: Use a debugger to monitor MPU faults and identify which region is causing the issue. This can help pinpoint misconfigurations.
  • Verify Address Translation: Ensure the address translation between non-secure and secure worlds is correctly implemented in the hardware.
  • Check MPU Region Overlaps: Ensure there are no overlaps or conflicts between MPU regions that could cause unexpected behavior.

By addressing these configuration and validation steps, developers can ensure robust and secure operation of ARM Cortex-M systems with TrustZone enabled.

Similar Posts

ARM Cortex-A35 128-bit Atomic Access Limitations and Workarounds

ARM Cortex-A35 128-bit Atomic Access Limitations and Workarounds

BySystem on Chips

ARM Cortex-A35 128-bit Atomic Access Limitations The ARM Cortex-A35, based on the ARMv8.0-A architecture, is a highly efficient processor designed for low-power applications. However, one of its limitations is the lack of native support for 128-bit atomic read/write operations between multiple cores. This limitation is rooted in the ARMv8-A architecture’s atomicity model, which only guarantees

ARM Cortex-M4 BusFault on Power Reset Due to Invalid Memory Access

ARM Cortex-M4 BusFault on Power Reset Due to Invalid Memory Access

BySystem on Chips

BusFault Triggered by Invalid Pointer Dereference During System Initialization The core issue revolves around a BusFault occurring during system power-up, specifically when dereferencing a pointer (*pp_data) in the function uarte_get_async_data. The fault manifests as an access to an invalid memory address (0x0601235d), which is not a valid memory location for the system. This fault is

ARM Cortex-M4 Hardfault Triggered by Changing IRQ Priority During Execution

ARM Cortex-M4 Hardfault Triggered by Changing IRQ Priority During Execution

BySystem on Chips

ARM Cortex-M4 NVIC Priority Change During ISR Execution The ARM Cortex-M4 microcontroller, based on the ARMv7-M architecture, is designed to handle nested interrupts efficiently through its Nested Vectored Interrupt Controller (NVIC). However, a subtle yet critical issue arises when attempting to change the priority of a currently executing Interrupt Service Routine (ISR). This issue manifests

Debugging Cortex-A53 Reset Vector Issues and Halting Step Failures

Debugging Cortex-A53 Reset Vector Issues and Halting Step Failures

BySystem on Chips

Cortex-A53 Reset Vector Debugging Challenges and Halting Step Failures Debugging from the reset vector on ARM Cortex-A53 processors, particularly in complex SoCs like the Snapdragon 865 (SM8250), presents unique challenges. The reset vector is the initial entry point of the processor after a reset, and debugging at this stage is critical for low-level firmware development

ARM Cortex-A53 Erratum 820719: DSB Progress Blocking by Non-Reorderable Device Memory Stores

ARM Cortex-A53 Erratum 820719: DSB Progress Blocking by Non-Reorderable Device Memory Stores

BySystem on Chips

ARM Cortex-A53 DSB Instruction Progress Blocking Issue The ARM Cortex-A53 processor, a widely used 64-bit core in embedded systems, exhibits a specific erratum identified as 820719. This erratum describes a scenario where the execution of a stream of store instructions to non-reorderable Device memory by one or more Cortex-A53 cores can prevent a Data Synchronization

ARM PL330 DMA Controller: MEM2MEM Mode Source Address Increment Issue

ARM PL330 DMA Controller: MEM2MEM Mode Source Address Increment Issue

BySystem on Chips

ARM PL330 DMA Controller MEM2MEM Mode Configuration Challenges The ARM PL330 DMA controller is a highly configurable and efficient Direct Memory Access (DMA) engine that is widely used in embedded systems for offloading memory transfer tasks from the CPU. One of its key features is the ability to operate in MEM2MEM (Memory-to-Memory) mode, where data

Leave a Reply

Your email address will not be published. Required fields are marked *