You copied the Doc URL to your clipboard.

Fundamentals of ARMv8-A

In ARMv8-A, a program executes at one of four Exception levels. In the 64-bit Execution state, the Exception level determines the level of execution privilege, in a similar way to the privilege levels defined in ARMv7-A.

The concept of the Exception level is fundamental to the ARMv8-A architecture. All operations take place at a defined exception level, and a register can exist in one or more Exception levels. Changing a bit in a register at one Exception level can have a different effect at another Exception level.

Exception levels provide a logical separation of software execution privilege that applies across all operating states of the ARMv8-A architecture. System software determines the Exception level, and therefore the level of privilege, at which software runs. Exception levels are similar to, and support the concept of, hierarchical protection domains common in computer science.

The type of software that typically runs at each of the Exception levels is:

ELO

Normal user applications. EL0 corresponds to the lowest privilege level and is often described as unprivileged, whereas execution at any Exception level above EL0 is often referred to as privileged execution.

EL1
An operating system kernel typically described as privileged.
EL2
Hypervisor.
EL3
Low-level firmware, including the Secure Monitor..

An Exception level (ELn) with a larger value of n than another one is said to be at a higher Exception level. An Exception level with a smaller value of n than another is described as being at a lower Exception level.

In general, a piece of software, such as an application, the kernel of an operating system, or a hypervisor, occupies a single Exception level. An exception to this is in-kernel hypervisors such as KVM, which operates across both EL2 and EL1.

ARMv8-A also provides two Security states. The ARM® Architecture Reference Manual uses the terms Secure and Non-secure to refer to these System security states. Here, the Non-secure state is referred to as the Normal world. Non-secure state does not indicate any security vulnerability, but rather refers to normal operation, and is therefore the same as the Normal world. The word ‘world’ is used to emphasize the relationship between the Secure world and other states that the device is capable of.

The Operating System (OS) runs in the Normal world, in parallel with a trusted OS running in the Secure world on the same hardware. ARM TrustZone® technology enables the system to be partitioned between the Normal and Secure worlds. This provides protection against certain software attacks and hardware attacks. The Secure monitor acts as a gateway for moving between the Normal and Secure worlds. The Secure monitor in the ARMv8-A architecture is at a higher Exception level than all other software.

exception_levels.png

ARMv8-A Exception levels in the Normal and Secure worlds

ARMv8-A also provides hardware support for virtualization. In the Normal world, virtualization enables more than one OS to co-exist and operate on the same system. This means that a hypervisor or Virtual Machine Manager (VMM) can run on the system and host multiple guest operating systems. Each of the guest operating systems is then, running on a virtual machine. Each OS is unaware that it is sharing time on the system with other guest operating systems.

This means that the Normal world has the following components:

Applications
Applications running in the Normal world.
Guest Operating Systems
These include Linux or Windows running in Non-secure EL1. When running under a hypervisor, the OS kernels can be running either as a guest or a host, depending on the hypervisor model.
Hypervisor
This runs at EL2. The hypervisor, when present and enabled, switches operation between multiple Guest operating systems.

The Secure world has the following components:

Secure firmware
On an application processor, Secure firmware must be the first thing that runs at boot time. It provides several services, including platform initialization, the installation of the Trusted OS, and routing of Secure monitor calls. The Secure firmware executes at EL3.
Trusted OS
The Trusted OS provides Secure services to the Normal world and provides a runtime environment for executing Secure or trusted applications. It executes at Secure EL1 when EL3 is using AArch64 and at Secure EL3 when EL3 is using AArch32..
Was this page helpful? Yes No