ARM ARM1176JZF-S Technical Reference Manual page 77

2.2.2 How the Secure model works
ARM DDI 0301H
ID012310
This section describes how the Secure model works from a program perspective and includes:
The NS bit and Secure Monitor mode
Secure memory management on page 2-5
System boot sequence on page 2-8
Secure interrupts on page 2-8
Secure peripherals on page 2-8
Secure debug on page 2-9.
The NS bit and Secure Monitor mode
The Non-secure (NS) bit determines if the program execution is in the Secure or Non-secure
world. The NS bit is in the Secure Configuration Register (SCR) in coprocessor CP15, see c1,
Secure Configuration Register on page 3-52. All the modes of the core, except the Secure
Monitor, can operate in either the Secure or Non-secure worlds, so there are both Secure and
Non-secure User modes and Secure and Non-secure privileged modes, see Operating modes on
page 2-17 and Registers on page 2-18.
Note
An attempt to access the SCR directly in User modes, Secure or Non-secure, or in Non-secure
privileged modes, makes the processor enter the Undefined exception trap. SCR can only be
accessed in Secure privileged modes.
Secure Monitor mode is a privileged mode and is always Secure regardless of the state of the
NS bit. The Secure Monitor is code that runs in Secure Monitor mode and processes switches
to and from the Secure world. The overall security of the software relies on the security of this
code along with the Secure boot code.
When the Secure Monitor transfers control from one world to the other it must save the
processor context, which includes the register banks, from one world and restore those for the
other world. The processor hardware automatically shadows and changes context information in
CP15 registers appropriately.
If the Secure Monitor determines that a change from one world to the other is valid it writes to
the NS bit to change the world in operation. Although all Secure privileged modes can access
the NS bit, it is strongly recommended that you only use the Secure Monitor to change the NS
bit. See the ARM Architecture Reference Manual for more information.
A Secure Monitor Call (SMC) is used to enter the Secure Monitor mode and perform a Secure
Monitor kernel service call. This instruction can only be executed in privileged modes, so when
a User process wants to request a change from one world to the other it must first execute an SVC
instruction. This changes the processor to a privileged mode where the Supervisor call handler
processes the SVC and executes an SMC, see Exceptions on page 2-36.
Note
An attempt by a User process to execute an SMC makes the processor enter the Undefined
exception trap.
The Secure Monitor mode is responsible for the switch from one world to the other. You must
only modify the SCR in Secure Monitor mode.
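The access rules and the world switch described above can be traced in a small software model. This is an added example, not code from the ARM manual: the type and function names are hypothetical, the model treats every switch request as valid, and it returns to a privileged mode of the new world after the switch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model for illustration; all names here are assumptions. */
typedef enum { MODE_USER, MODE_SVC, MODE_MONITOR } cpu_mode_t;
typedef enum { RES_OK, UNDEFINED_TRAP } result_t;
typedef struct { uint32_t r[13], sp, lr; } context_t;

typedef struct {
    cpu_mode_t mode;
    bool ns;              /* SCR.NS: true = Non-secure world */
    context_t live;       /* registers currently in the core */
    context_t saved[2];   /* monitor save area: [0] Secure, [1] Non-secure */
} cpu_t;

/* Secure Monitor mode is always Secure, whatever the NS bit holds. */
bool is_secure(const cpu_t *c) { return c->mode == MODE_MONITOR || !c->ns; }

/* The SCR is accessible only from Secure privileged modes. */
result_t scr_write_ns(cpu_t *c, bool ns) {
    if (c->mode == MODE_USER || !is_secure(c)) return UNDEFINED_TRAP;
    c->ns = ns;
    return RES_OK;
}

/* SMC traps from User mode; otherwise the monitor swaps the two worlds. */
result_t smc(cpu_t *c) {
    if (c->mode == MODE_USER) return UNDEFINED_TRAP;
    bool from_ns = c->ns;
    c->mode = MODE_MONITOR;            /* SMC enters Secure Monitor mode */
    c->saved[from_ns] = c->live;       /* save the outgoing world's context */
    c->live = c->saved[!from_ns];      /* restore the incoming world's context */
    scr_write_ns(c, !from_ns);         /* permitted: the monitor is Secure */
    c->mode = MODE_SVC;                /* model assumption: resume privileged */
    return RES_OK;
}

/* User path: the SVC handler runs in a privileged mode and issues the SMC. */
result_t user_request_switch(cpu_t *c) {
    if (c->mode == MODE_USER) c->mode = MODE_SVC;   /* SVC exception taken */
    return smc(c);
}

int main(void) {
    cpu_t c = { .mode = MODE_USER, .ns = true };
    /* A direct SMC from User mode must trap; the SVC path must succeed. */
    return (smc(&c) == UNDEFINED_TRAP &&
            user_request_switch(&c) == RES_OK && is_secure(&c)) ? 0 : 1;
}
```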
The recommended way to return to the Non-secure world is to:
1. Set the NS bit in the SCR.
Copyright © 2004-2009 ARM Limited. All rights reserved.
Non-Confidential, Unrestricted Access
Programmer's Model
2-4
