Hello, On 10/7/20 1:23 PM, Ahmad Fatoum wrote: > My findings[1] back then were that U-Boot did set the eXecute Never bit only > on > OMAP, but not for other platforms. So I could imagine this being the root > cause > of Patrick's issues as well:
Rereading my own link, my memory is a little less fuzzy: eXecute Never was being set, but was without effect due Manager mode being set in the DACR: > The ARM Architecture Reference Manual notes[1]: > > When using the Short-descriptor translation table format, the XN > > attribute is not checked for domains marked as Manager. > > Therefore, the system must not include read-sensitive memory in > > domains marked as Manager, because the XN bit does not prevent > > speculative fetches from a Manager domain. > To avoid speculative access to read-sensitive memory-mapped peripherals > on ARMv7, we'll need U-Boot to use client domain permissions, so the XN > bit can function. > This issue has come up before and was fixed in de63ac278 > ("ARM: mmu: Set domain permissions to client access") for OMAP2 only. > It's equally applicable to all ARMv7-A platforms where caches are > enabled. > [1]: B3.7.2 - Execute-never restrictions on instruction fetching Hope this helps, Ahmad > The CPU is speculatively executing from the region that the firewalled DRAM > is mapped at. > > barebox now configures XN for non-RAM before it turns on the MMU. You should > do that as well (in ARM arch code, not only for stm32mp1). Additionally, > you will want to XN map the region where your OP-TEE sits at. > > [1]: https://community.nxp.com/thread/511925 > > Cheers > Ahmad > -- Pengutronix e.K. | | Steuerwalder Str. 21 | http://www.pengutronix.de/ | 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |