1. Field of the Invention
This invention relates to the field of data processing systems. More particularly, this invention relates to data processing systems having security mechanisms which control access to a given memory address in dependence upon access control data.
2. Description of the Prior Art
It is known to provide data processing systems in which memory access control circuitry is used to control whether access is permitted to a given memory address depending upon access control data. As an example, known systems such as ARM processors produced by ARM Limited of Cambridge England, provide privileged mode operation and user mode operation and memory address regions can be defined by access control data such that they are only accessible when operating in the privileged mode of operation. Other known computer systems implement hardware capability lists whereby the ability to access key CPU control resources can be granted on a resource-by-resource or an application-by-application basis. Such systems use a segmented memory system to support multi-user operating systems and implement permission hierarchies analogous to, but finer grained than, the user/privileged split discussed above as well as providing support for a form of virtual addressing. A discussion of such computer architectures may be found in “Capability-Based Computer Systems” by Henry M Levy, Digital Equipment Corporation, 1984.
The flexibility to be able to program the access control data used by the memory access control circuitry is desirable, as this permits the hardware to be used with a variety of different software subject to the necessary programming of the access control data. However, a significant vulnerability within such systems is unauthorized code changing the access control data so as to provide undesired access to given memory addresses. When operating in the privileged mode, access is normally available to all parts of the system. In user mode it may be necessary to call for a service which is provided by privileged mode code. Entry into the privileged mode is via an exception vector and is strictly controlled.
One way of addressing the above problem is to provide mechanisms such as the TrustZone features (which can be considered as an extra layer of privilege) provided by some of the processors of ARM Limited, Cambridge, England. These processors provide a secure state of operation and can restrict the ability to change memory access control data to operations taking place within the secure state, and then tightly control both the code capable of operating in the secure state and the ways in which entry to and exit from the secure state can be made. Whilst such mechanisms can provide a high degree of security, they typically require a significant amount of investment in the writing of suitable software code to operate in the secure state, such that the software code has the ability to appropriately control a large number of different aspects of the non-secure states of operation. In addition, as the code which executes in the secure state becomes larger, more complex and more capable, it generally also itself becomes more vulnerable to security problems. As a general principle, small, simple code is more secure and is less likely to contain security vulnerabilities unwittingly introduced as code complexity increases.
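The following is an added illustration of the two prior-art arrangements described above: the user/privileged access check with programmable access control data and entry into the privileged mode only via an exception vector, together with the vulnerability that any code reaching the privileged mode may reprogram that data, and the effect of restricting such reprogramming to a secure state. It is not part of the patent text and is not ARM's or any product's code; the region layout, the one-bit "privileged only" policy, the function names and the secure-state gate flag are assumptions chosen for the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (assumption, not a real architecture): each region
 * carries access control data reduced to a single "privileged only" bit
 * that the memory access control circuitry consults on every access. */
typedef enum { MODE_USER = 0, MODE_PRIVILEGED = 1 } cpu_mode_t;

typedef struct {
    uint32_t base;
    uint32_t limit;           /* exclusive upper bound */
    bool     privileged_only; /* the programmable access control data */
} region_t;

#define NUM_REGIONS 3

typedef struct {
    cpu_mode_t mode;
    bool       secure;                /* TrustZone-style extra layer of privilege */
    bool       gate_writes_to_secure; /* if set, only secure-state code may reprogram regions */
    region_t   regions[NUM_REGIONS];
} machine_t;

static void machine_init(machine_t *m, bool gate_writes_to_secure) {
    m->mode = MODE_USER;
    m->secure = false;
    m->gate_writes_to_secure = gate_writes_to_secure;
    m->regions[0] = (region_t){0x00000000u, 0x00010000u, true };  /* kernel code and data */
    m->regions[1] = (region_t){0x00010000u, 0x00020000u, false}; /* user heap */
    m->regions[2] = (region_t){0x40000000u, 0x40001000u, true };  /* peripheral control registers */
}

/* The check performed by the memory access control circuitry. */
bool access_permitted(const machine_t *m, uint32_t addr) {
    for (int i = 0; i < NUM_REGIONS; i++) {
        const region_t *r = &m->regions[i];
        if (addr >= r->base && addr < r->limit)
            return !r->privileged_only || m->mode == MODE_PRIVILEGED;
    }
    return false; /* unmapped addresses are never accessible */
}

/* Programming the access control data. In the basic scheme any privileged
 * code may do so; with the gate enabled, only code in the secure state may. */
bool program_region(machine_t *m, int idx, bool privileged_only) {
    if (idx < 0 || idx >= NUM_REGIONS) return false;
    if (m->mode != MODE_PRIVILEGED) return false;
    if (m->gate_writes_to_secure && !m->secure) return false;
    m->regions[idx].privileged_only = privileged_only;
    return true;
}

/* Entry into the privileged mode happens only through the exception vector,
 * which raises the mode for the duration of the handler and restores it. */
typedef int (*svc_handler_t)(machine_t *, int);

static int svc_entry(machine_t *m, svc_handler_t handler, int req) {
    cpu_mode_t saved = m->mode;
    m->mode = MODE_PRIVILEGED;
    int r = handler(m, req);
    m->mode = saved;
    return r;
}

/* The secure state is entered through its own tightly controlled path. */
static int secure_monitor_entry(machine_t *m, svc_handler_t handler, int req) {
    bool saved_secure = m->secure;
    m->secure = true;
    int r = svc_entry(m, handler, req);
    m->secure = saved_secure;
    return r;
}

/* A privileged service routine that, through a bug or compromise, tries to
 * open the kernel region to user mode: the vulnerability discussed above. */
static int rogue_handler(machine_t *m, int req) {
    (void)req;
    return program_region(m, 0, false) ? 1 : 0;
}

/* A legitimate secure-state routine that locks the user heap to privileged mode. */
static int lock_heap_handler(machine_t *m, int req) {
    (void)req;
    return program_region(m, 1, true) ? 1 : 0;
}

/* True if user-mode code can reach the kernel region after the rogue
 * privileged handler has run; false when the secure-state gate blocks it. */
bool kernel_region_exposed(bool gate_writes_to_secure) {
    machine_t m;
    machine_init(&m, gate_writes_to_secure);
    svc_entry(&m, rogue_handler, 0);
    return access_permitted(&m, 0x00001000u); /* evaluated back in user mode */
}

/* True if the secure-state path can still legitimately reprogram a region. */
bool secure_reprogram_takes_effect(void) {
    machine_t m;
    machine_init(&m, true);
    int ok = secure_monitor_entry(&m, lock_heap_handler, 0);
    return ok == 1 && !access_permitted(&m, 0x00010100u);
}

int main(void) {
    printf("kernel region exposed, no secure gate: %d\n", kernel_region_exposed(false));
    printf("kernel region exposed, secure gate:    %d\n", kernel_region_exposed(true));
    printf("secure reprogramming takes effect:     %d\n", secure_reprogram_takes_effect());
    return 0;
}
```

The model deliberately gives the rogue handler no exploit of its own: it simply runs at the privileged level, which in the basic scheme is all that is required to rewrite the access control data. Gating writes on the secure state stops that path while leaving the monitor route available, which is the trade-off the passage describes: the secure-state code must then be written to handle every legitimate reprogramming need, and grows accordingly.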