
arm - What is the application of ARM unprivileged load/store instructions such as LDTR, compared with LDR?

Reposted. Author: 行者123. Updated: 2023-12-02 03:04:47

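Today I came across the LDTR ARMv8 instruction for the first time.

I read its description in the ARMv8 DB manual, section C3.2.5 "Load/Store unprivileged", and as far as I understand, it basically allows EL1 to make memory accesses under EL0 restrictions.

What is the application of this feature?

Does it make it harder to carry out attacks that exploit kernel bugs to make the kernel write data to the wrong address?

Given that there are usually multiple processes running at the same time, how does LDTR know which page table translation to use? Or do these restrictions concern some other kind of permission that is unrelated to the permissions specified in the page tables?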

Best answer

This link gives you an example use case: https://developer.arm.com/documentation/102376/0100/Permissions-attributes

[...] a hypervisor can see all the resources that are allocated to a virtual machine. This is because executing at a higher exception level means that the level of privilege is also higher.

However, this is not always desirable. Malicious applications might try to trick an OS into accessing data on behalf of the application, which the application should not be able to see. This requires the OS to check pointers in systems calls.

The Arm architecture provides several controls to make this simpler. First, there is the PSTATE.PAN (Privileged Access Never) bit. When this bit is set, loads and stores from EL1 (or EL2 when E2H==1) to unprivileged regions will generate an exception (Permission Fault) [...]

Sometimes the OS does need to access unprivileged regions, for example, to write to a buffer owned by an application. To support this, the instruction set provides the LDTR and STTR instructions.

LDTR and STTR are unprivileged loads and stores. They are checked against EL0 permission checking even when executed by the OS at EL1 or EL2. Because these are explicitly unprivileged accesses, they are not blocked by PAN [...]

This allows the OS to distinguish between accesses that are intended to access privileged data and those which are expected to access unprivileged data. This also allows the hardware to use that information to check the accesses.

Regarding "arm - What is the application of ARM unprivileged load/store instructions such as LDTR, compared with LDR?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/59287799/
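A small C model of the permission check that the quoted Arm text describes, added here as an illustration and not taken from the answer or from Arm's documentation. It assumes the stage 1 AP[2:1] encoding of the EL1&0 translation regime, covers data accesses only and ignores other controls; `access_ok` and `kernel_read_user_ptr` are hypothetical names.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stage 1 AP[2:1] data permissions, EL1&0 regime (assumed encoding, not
   quoted on the page): AP[1]=1 lets EL0 access the page, AP[2]=1 is read-only. */
enum ap { AP_KERN_RW = 0, AP_USER_RW = 1, AP_KERN_RO = 2, AP_USER_RO = 3 };

enum insn { INSN_LDR_STR, INSN_LDTR_STTR };   /* normal vs unprivileged form */

/* Returns true if the access completes, false if it takes a Permission fault.
   el is the exception level executing the instruction (0 or 1). */
bool access_ok(int el, bool pan, enum insn kind, enum ap ap, bool is_write)
{
    bool el0_ok   = (ap & 1) != 0;
    bool readonly = (ap & 2) != 0;
    /* LDTR/STTR executed at EL1 are checked as if issued from EL0. */
    bool unpriv = (el == 0) || (kind == INSN_LDTR_STTR);

    if (is_write && readonly)
        return false;
    if (unpriv)
        return el0_ok;
    /* Privileged access: PAN blocks pages that EL0 can reach. */
    if (pan && el0_ok)
        return false;
    return true;
}

/* Hypothetical syscall helper: the kernel (EL1) reads through a pointer that
   the application supplied. 'target' is the page the pointer really lands on. */
bool kernel_read_user_ptr(bool pan, enum insn kind, enum ap target)
{
    return access_ok(1, pan, kind, target, false);
}

int main(void)
{
    /* Constructed cases: 1 = access completes, 0 = Permission fault. */
    printf("PAN=1 LDR  on user page:   %d\n", kernel_read_user_ptr(true, INSN_LDR_STR, AP_USER_RW));
    printf("PAN=1 LDTR on user page:   %d\n", kernel_read_user_ptr(true, INSN_LDTR_STTR, AP_USER_RW));
    printf("PAN=1 LDTR on kernel page: %d\n", kernel_read_user_ptr(true, INSN_LDTR_STTR, AP_KERN_RW));
    printf("PAN=0 LDR  on kernel page: %d\n", kernel_read_user_ptr(false, INSN_LDR_STR, AP_KERN_RW));
    return 0;
}
```

The last two cases are the ones the question asks about: a pointer that an application aims at kernel-only memory is read without complaint by a plain LDR, while the same read issued as LDTR faults on the page-table permissions.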
