You copied the Doc URL to your clipboard.

Using the ARMv8-M architectural features

An RTOS can use the two stack pointers that the ARMv8-M architecture provides within each security state. The Main Stack Pointer (MSP) can be used by software running in Thread mode and is always used by Handler mode. A second register, the Process Stack Pointer (PSP) can be used by Thread mode software. The SPSel bit in the CONTROL register configures the stack pointer register that is used by Thread mode.













Secure floating-point active.




Floating-point context active.




Sets the stack pointer to be used.




Defines the execution privilege in Thread mode.

Using both registers allows an RTOS to separate the stack that is used by a user application from the OS stack, and protects the OS stack from errors in a user thread that might cause stack corruption and affect the stack pointed to by PSP.


Simple applications without an OS do not have to use this configuration and instead can configure Thread mode to use the MSP. This use of MSP is the default stack configuration out of reset.

If the Security Extension is implemented, MSP and PSP are banked between security states. The notations MSP_NS, PSP_NS, MSP_S and PSP_S are used to indicate which banked version is being referred to, either Secure (S) or Non-secure (NS). In addition, the CONTROL.SPSel bit is also banked, allowing different stack configurations in Secure and Non-secure Thread modes.

Stack and stack limit

If the ARMv8-M architecture Security Extension is implemented, a stack limit feature is provided using stack limit registers accessible using MSR and MRS instructions.

MRS RN, <x>                ; copy the value of <x> into RN

MSR <x>, RN                ; write the value in RN into <x>.

Where <x> is one of: MSP, PSP, MSPLIM, or PSPLIM.

For example:

MRS R0, MSPLIM             ; copy MSPLIM value into R0

Secure software can also use MSP_NS, PSP_NS, MSPLIM_NS and PSPLIM_NS to access the Non-secure version of those registers.

; Execute in Secure state
MSR MSP, R1 			; set Secure MSP 
MSR MSP_NS, R2 		   ; set Non-secure MSP

The following table lists the available stack pointers and Stack limit register.


Stack pointers

Corresponding stack limit register

Secure Main Stack

Used by Secure handlers, and Secure thread when bit[1] of the Secure CONTROL register is 0.



Secure Process Stack

Used by Secure threads when bit[1] of the Secure CONTROL register is 1.



Non-secure Main Stack

Used by Non-secure handlers, and Non-secure thread when bit[1] of the Non-secure CONTROL register is 0.



(available on ARMv8-M architecture with Main Extension only)

Non-secure Process Stack

Used by Non-secure threads when bit[1] of the Non-secure CONTROL register is 1.



(available on ARMv8-M with Main extension only)

If, during a stack operation (for example, PUSH) the stack address is less than the corresponding stack limit register, a fault event is raised.

SVCall and PendSV exceptions

The SVCall and PendSV exceptions are banked between Secure and Non-secure states.

When the processor is in Secure state, the SVC exception handling sequence fetches the exception vector from the Secure vector table and executes the SVCall handler in Secure state. When the processor is in

Non-secure state, the SVC exception handling sequence fetches the exception vector from the Secure vector table and executes the SVCall handler in Non-secure state.

Similarly, the PendSVSet and PendSVClr bit in the Interrupt Control and State Register (ICSR) is banked. Secure software can also trigger Non-secure PendSV using the Non-secure alias of the ICSR(0xE002ED04).

The priority level registers for SVC and PendSV are also banked between Secure and Non-secure states.

SysTick timer

A timer is a requirement of most operating systems. ARMv8-M processors provide a basic countdown timer called SysTick that can be used to generate a periodic interrupt. SysTick reduces the need for software porting, because the SysTick programmers’ model is the same on all Cortex‑M devices. In ARMv8-M processors, the SysTick timer is an optional feature and designers can decide if the chip must include this timer or not.

In the ARMv8-M architecture, the programmers’ model of the SysTick timer remains unchanged. However, the SysTick timer is banked, so there can be two physical SysTick timers in the design:

  • When the processor is in Secure state, the Secure SysTick timer is accessed.
  • When the processor is in Non-secure state, the Non-secure SysTick timer is accessed.

Each of these timers can trigger SysTick exceptions in their corresponding security states. Secure software can also access the Non-Security SysTick registers using an alias address.

For the ARMv8-M architecture with Main Extension, there is the option of implementing just one SysTick. In this case, the SysTick timer that is implemented can be configured to be Secure or Non‑secure using bit [24] of the Interrupt Control and State Register (ICSR).

For bit [24] of this register, SysTick Targets Non-secure State (STTNS):

  • If this bit is 0 SysTick targets the Secure state (default).
  • If this bit is 1 SysTick targets the Non-secure state.

The STTNS bit is accessible only when the processor is in Secure state, and only if the design configuration of the processor selects one SysTick implementation.

An RTOS can also use device-specific timer peripherals for time keeping and task scheduling. In such case, the security domain of the timer must match the RTOS configuration. For example, if the RTOS is running in a Secure domain, the timer that is used by the RTOS must be configured to be Secure accesses only, and the corresponding interrupt must also be configured as Secure.


EXC_RETURN is an exception return mechanism.

Many real-time operating systems create threads using an exception return with an artificially created stack frame, as the following figure shows.


In the ARMv8-M architecture, EXC_RETURN has been updated as follows:









Must be 0xFF to be a valid EXC_RETURN code.


Reserved (fix to 1)






Secure or Non-secure stack.

This bit indicates whether a Secure or Non-secure stack is used.

0   Non-secure stack used.

1   Secure stack used.




Default callee register stacking.

This bit indicates whether the default stacking rules apply, or whether the callee registers, for example, R4-R11, are already on the stack.

0   Stacking of the callee saved registers skipped.

1   Default rules for stacking the callee registers are followed.




Stack Frame Type.

This bit indicates whether the stack frame is a standard integer only stack frame, or an extended stack frame with floating-point register contents.

0   Extended stack frame

1   Standard stack frame.





This bit indicates the Mode that was stacked from.

0   Handler mode.

1   Thread mode.




Stack pointer selection.

This bit indicates which stack point the exception frame resides on.

0   Main stack pointer.

1   Process stack pointer.


Reserved (fix to 0)






Exception Secure.

The security domain the exception was taken to.

0   Non-secure.

1   Secure.

Was this page helpful? Yes No