Chapter 7 Test target instruction
To allow software to determine the security attribute of a memory location, the TT instruction (Test Target) is used.
Test Target (TT) queries the security state and access permissions of a memory location.
Test Target Unprivileged (TTT) queries the security state and access permissions of a memory location for an unprivileged access to that location.
Test Target Alternate Domain (TTA) and Test Target Alternate Domain Unprivileged (TTAT) query the security state and access permissions of a memory location for a Non-secure access to that location. These instructions are only valid when executing in Secure state, and are UNDEFINED if used from Non-secure state.
When executed in the Secure state the result of this instruction is extended to return the Security Attribution Unit (SAU) and Implementation Defined Attribution Unit (IDAU) configurations at the specific address.
For each memory region defined by the SAU and IDAU, there is an associated region number that is generated by the SAU or by the IDAU. This region number is used by software to determine if a contiguous range of memory shares common security attributes.
The TT instruction returns the security attributes and region number, and the MPU region number, from an address value. By using a TT instruction on the start and end addresses of the memory range, and identifying that both reside in the same region number, software can quickly determine that the memory range, for example, for data array or data structure, is located entirely in Non-secure space, as shown in the following figure:
Figure 7-1 TT instruction allows software to determine if a data object is placed entirely in a Non-secure region
Note: The MPU, SAU and IDAU in Armv8-M do not allow regions to overlap.
Using this mechanism, Secure code servicing APIs in the Secure world can determine if the memory referenced by a pointer from Non-secure software has the appropriate security attribute for the API. This prevents Non-secure software from using APIs in Secure software to read out or corrupt Secure information.
As part of Arm TrustZone technology for Armv8-M, there is also a stack limit checking feature. This detects the erroneous case where an application uses more stack than expected, which can potentially cause a security lapse and the possibility of a system failure. For Armv8-M Mainline, all stack pointers have corresponding stack limit registers. There are no Baseline Limit registers for Non-secure. Non-secure programs can use the MPU for stack overflow prevention.