The Test Target instruction
To allow software to determine the security attribute of a memory location, the
TT instruction (Test Target) is used.
Test Target (
TT) queries the security state and access permissions of a
Test Target Unprivileged (
TTT) queries the security state and access permissions of a
memory location for an unprivileged access to that location.
Test Target Alternate Domain (
TTA) and Test Target Alternate Domain
TTAT) query the security state and access permissions of a
memory location for a Non-secure access to that location. These instructions are only
valid when executing in Secure state, and are UNDEFINED if used from Non-secure
When executed in the Secure state the result of this instruction is extended to return the Secure Attribution Unit (SAU) and Implementation Defined Attribution Unit (IDAU) configurations at the specific address.
For each memory region defined by the SAU and IDAU, there is an associated region number that is generated by the SAU or by the IDAU. This region number is used by software to determine if a contiguous range of memory shares common security attributes.
TT instruction returns the security attributes and region number, and
the MPU region number, from an address value. By using a
TT instruction on
the start and end addresses of the memory range, and identifying that both reside in the
same region number, software can quickly determine that the memory range, for example,
for data array or data structure, is located entirely in Non-secure space.
TT instruction is useful for determining the security state of the MPU
at that address. Although the instruction cannot be accessed in C/C++ code, there are
several intrinsics which make this functionality available to the developer.
<arm_cmse.h> header must be included before using the
The result of the
TT instruction is described by a C type containing
bit-fields. This type is used as the return type of the
Intrinsic (colored again?)
ARM recommends that a toolchain behaves as if these intrinsics would write the pointed-to memory. That prevents subsequent accesses to this memory being scheduled before this intrinsic.
The exact type signatures for
cmse_TTT_fptr() are IMPLEMENTATION DEFINED because there
is no type that is defined by the C programming language that can hold all function
ARM recommends implementing these intrinsics as macros.
Address range check intrinsic
Checking the result of the
TT instruction on an address range is essential
for programming in C. It is used to check permissions on objects larger than a byte. The
address range check intrinsic defined in this section can be used to perform permission
checks on C objects.
Some Secure Attribution Unit (SAU), Implementation Defined Attribution Unit (IDAU), and Memory Protection Unit (MPU) configurations block the efficient implementation of an address range check. This intrinsic operates under the assumption that the configuration of the SAU, IDAU, and MPU is constrained as follows:
- An object is allocated in a single region.
- A stack is allocated in a single region.
These points imply that a region does not overlap other regions.
TT instruction returns an SAU, IDAU, and MPU region number. When the region numbers
of the start and end of the address range match, the complete range is contained in one
SAU, IDAU, and MPU region. In this case two
TT instructions are executed to
check the address range.
Regions are aligned at 32-byte boundaries. If the address range fits in one 32-byte
address line, a single
TT instruction suffices.
ARM recommends that programmers use the returned pointer to access the checked memory range. This generates a data dependency between the checked memory and all its subsequent accesses and prevents these accesses from being scheduled before the check.