ARMv8-M Exception Handling and Security State Transition Constraints
The ARMv8-M architecture introduces a robust security model that partitions the system into Secure and Non-secure states. This partitioning is critical for modern embedded systems, particularly in applications requiring robust security measures such as IoT devices, automotive systems, and industrial controllers. One of the key aspects of this architecture is the handling of exceptions, which include interrupts, faults, and system calls. The ARMv8-M Architecture Reference Manual explicitly states that Secure software must ensure that when changing the target Security state of an exception, the exception is not pending or active. This requirement is crucial to prevent UNPREDICTABLE behavior, which can lead to system instability, security vulnerabilities, or even complete system failure.
The term "exception" in this context encompasses all types of exceptions, including external interrupts. External interrupts are a subset of exceptions triggered by external hardware events, such as GPIO pin changes, timer overflows, or communication peripherals like UART, SPI, or I2C. When an exception is pending, it means that the exception has been triggered but has not yet been serviced by the processor. When an exception is active, it means that the processor is currently executing the exception handler for that particular exception.
The architecture mandates that the Security state of an exception must not be changed while the exception is pending or active. This is because the Security state determines the privilege level and access rights of the exception handler. Changing the Security state while the exception is pending or active can lead to inconsistencies in the system’s security model, potentially allowing unauthorized access to secure resources or causing the system to enter an undefined state.
Pending or Active Exceptions and Security State Transition Risks
The primary risk associated with changing the Security state of an exception while it is pending or active is the potential for UNPREDICTABLE behavior. This behavior can manifest in several ways, depending on the specific circumstances of the Security state transition and the nature of the exception. For example, if an external interrupt is pending and the Security state is changed from Secure to Non-secure, the interrupt handler may execute in the Non-secure state with access to Secure resources, leading to a security breach. Conversely, if the Security state is changed from Non-secure to Secure while an exception is active, the exception handler may lose access to Non-secure resources, causing the system to crash or behave erratically.
Another risk is the potential for race conditions. If the Security state is changed while an exception is pending, there is a window of time during which the exception may become active before the Security state transition is complete. This can lead to a situation where the exception handler executes with inconsistent Security state settings, resulting in undefined behavior. Additionally, the ARMv8-M architecture does not guarantee the atomicity of Security state transitions, meaning that other exceptions or interrupts may occur during the transition, further complicating the situation.
The ARMv8-M architecture provides mechanisms to manage exceptions and Security state transitions safely. These mechanisms include the ability to disable interrupts, check the pending status of exceptions, and ensure that exceptions are not active before changing the Security state. However, these mechanisms must be used correctly to avoid the risks associated with Security state transitions during exception handling.
Safe Practices for Changing Security State During Exception Handling
To safely change the Security state of an exception in the ARMv8-M architecture, it is essential to follow a set of best practices that ensure the exception is neither pending nor active during the transition. The first step is to disable interrupts globally to prevent new exceptions from being triggered while the Security state transition is in progress. This can be done using the CPSID instruction, which disables all interrupts by setting the PRIMASK register. Disabling interrupts ensures that no new exceptions can become pending during the Security state transition.
Once interrupts are disabled, the next step is to check the pending status of all exceptions. This can be done by examining the Interrupt Control and State Register (ICSR) in the System Control Block (SCB). The ICSR provides information about the pending status of exceptions, including external interrupts. If any exceptions are pending, they must be cleared or serviced before proceeding with the Security state transition. This ensures that no exceptions are in the pending state when the Security state is changed.
After ensuring that no exceptions are pending, the next step is to verify that no exceptions are active. This can be done by examining the Execution Program Status Register (EPSR) in the Program Status Register (PSR). The EPSR contains the ISR_NUMBER field, which indicates the currently active exception. If an exception is active, the Security state transition must be delayed until the exception handler has completed execution. This ensures that no exceptions are active when the Security state is changed.
Once it has been confirmed that no exceptions are pending or active, the Security state can be changed safely. This is typically done using the Secure Fault Mask Register (SFMASK) or the Non-secure Fault Mask Register (NSFMASK), depending on the desired Security state. After changing the Security state, interrupts can be re-enabled using the CPSIE instruction, which clears the PRIMASK register and allows interrupts to be processed again.
In addition to these steps, it is important to consider the impact of Security state transitions on other system components. For example, changing the Security state may affect the behavior of memory protection units (MPUs), debug interfaces, and other security-related features. It is essential to ensure that these components are configured correctly for the new Security state to avoid unintended side effects.
The following table summarizes the key steps for safely changing the Security state of an exception in the ARMv8-M architecture:
| Step | Action | Description |
|---|---|---|
| 1 | Disable Interrupts | Use the CPSID instruction to disable all interrupts globally. |
| 2 | Check Pending Exceptions | Examine the ICSR to check for pending exceptions. Clear or service any pending exceptions. |
| 3 | Verify Active Exceptions | Examine the EPSR to verify that no exceptions are active. Delay the Security state transition if an exception is active. |
| 4 | Change Security State | Use the SFMASK or NSFMASK to change the Security state. |
| 5 | Re-enable Interrupts | Use the CPSIE instruction to re-enable interrupts globally. |
By following these steps, developers can ensure that Security state transitions are performed safely and without causing UNPREDICTABLE behavior in the ARMv8-M architecture. This is critical for maintaining the integrity and security of embedded systems, particularly in applications where security is a top priority.
