Security and the MMU
In Non-secure state, the NS bits and NSTable bits in translation tables are ignored. Only Non-secure memory can be accessed. In Secure state, the NS bits and NSTable bits control whether a virtual address translates to a Secure or Non-secure physical address. You can use SCR_EL3.SIF to prevent the Secure world from executing from any virtual address that translates to a Non-secure physical address. Also, when in the Secure world, you can use the SCR.SIF bit to control whether Secure instruction fetches can be made to Non-secure physical memory.
Kernel access with user permissions
The LDTR or STTR instructions allow code executing at EL1 (for example, an OS) to perform memory accesses with EL0 or application permissions. This can be used, for example, to de-reference pointers that are provided with system calls, and enable the OS to check that only data accessible to the application is accessed. When executed at EL1, these instructions perform the load or store as if executed at EL0. At all other Exception levels, LDTR, and STTR behave like regular LDR or STR instructions. These are the usual size and have the same signed and unsigned variants as normal load and store instructions, but with smaller offset and restricted indexing options.