In ARMv8, execution occurs at one of four Exception levels. In AArch64, the Exception level determines the level of privilege, in a similar way to the privilege levels defined in ARMv7. The Exception level determines the privilege level, so execution at ELn corresponds to privilege PLn. Similarly, an Exception level with a larger value of n than another one is at a higher Exception level. An Exception level with a smaller number than another is described as being at a lower Exception level.
Exception levels provide a logical separation of software execution privilege that applies across all operating states of the ARMv8 architecture. It is similar to, and supports the concept of, hierarchical protection domains common in computer science.
The following is a typical example of what software runs at each Exception level:
Normal user applications.
Operating system kernel typically described as privileged.
Low-level firmware, including the Secure Monitor.
In general, a piece of software, such as an application, the kernel of an operating system, or a hypervisor, occupies a single Exception level. An exception to this rule is in-kernel hypervisors such as KVM, which operate across both EL2 and EL1.
ARMv8-A provides two security states, Secure and Non-secure. The Non-secure state is also referred to as the Normal World. This enables an Operating System (OS) to run in parallel with a trusted OS on the same hardware, and provides protection against certain software attacks and hardware attacks. ARM TrustZone technology enables the system to be partitioned between the Normal and Secure worlds. As with the ARMv7-A architecture, the Secure monitor acts as a gateway for moving between the Normal and Secure worlds.
ARMv8-A also provides support for virtualization, though only in the Normal world. This means that hypervisor, or Virtual Machine Manager (VMM) code can run on the system and host multiple guest operating systems. Each of the guest operating systems is, essentially, running on a virtual machine. Each OS is then unaware that it is sharing time on the system with other guest operating systems.
The Normal world (which corresponds to the Non-secure state) has the following privileged components:
- Guest OS kernels
Such kernels include Linux or Windows running in Non-secure EL1. When running under a hypervisor, the rich OS kernels can be running as a guest or host depending on the hypervisor model.
This runs at EL2, which is always Non-secure. The hypervisor, when present and enabled, provides virtualization services to rich OS kernels.
The Secure world has the following privileged components:
- Secure firmware
On an application processor, this firmware must be the first thing that runs at boot time. It provides several services, including platform initialization, the installation of the trusted OS, and routing of Secure monitor calls.
- Trusted OS
Trusted OS provides Secure services to the Normal world and provides a runtime environment for executing Secure or trusted applications.
The Secure monitor in the ARMv8 architecture is at a higher Exception level and is more privileged than all other levels. This provides a logical model of software privilege.
Figure 3.2 shows that a Secure version of EL2 is not available.