Tf-M: Core: tfm_memory_check should be called with privileged=true for NS callers
Open, NormalPublic

Description

tfm_memory_check uses the cmse_check_address_range function to check whether the MPU settings in effect for the caller (S or NS) allow the caller to access the memory region passed to the function.

At the current call sites the 'privileged' parameter is derived from tfm_spm_partition_get_privileged_mode(...), which returns unprivileged for NS callers. When tfm_core_has_[read|write]_access_to_region is then called with that 'privileged' value, it adds CMSE_MPU_UNPRIV to the flags passed to cmse_check_address_range whenever 'privileged' is false.

cmse_check_address_range uses the TT family of instructions (TT, TTT, TTA, TTAT) to perform the check. If CMSE_MPU_UNPRIV is set, the TTT variant (or TTAT when the NS flags are also set) is used, and these report the MPU permissions as seen from unprivileged code; for an NS caller that is the unprivileged NS view, regardless of the privilege level the NS caller actually runs at.

This means that if privileged NS code calls a secure service and passes, in its iovecs, a memory area that the NS MPU allows privileged code only to access, the memory check fails even though the caller itself can access that memory.

Fix:
In tfm_core_has_[read|write]_access_to_region the CMSE_MPU_UNPRIV flag should not be added when the caller is NS.
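The following is an added model of the flag derivation described in this report and of the fix above; it is illustrative code, not TF-M's own. The CMSE_* flag values are the ones defined in GCC's arm_cmse.h, and tt_variant_for_flags() mirrors how libgcc's cmse_check_address_range() selects the TT variant from the CMSE_MPU_UNPRIV and CMSE_MPU_NONSECURE bits. flags_current() and flags_fixed() are reconstructions of the current and proposed tfm_core_has_read_access_to_region logic as the report describes them, the NS MPU region table is constructed for the example, and the TT instructions themselves are replaced by a lookup in that table so the code runs on a host machine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in GCC's arm_cmse.h. */
#define CMSE_MPU_UNPRIV      4
#define CMSE_MPU_READWRITE   1
#define CMSE_MPU_READ        8
#define CMSE_AU_NONSECURE    2
#define CMSE_MPU_NONSECURE  16
#define CMSE_NONSECURE      (CMSE_MPU_NONSECURE | CMSE_AU_NONSECURE)

/* Assumed values for the TF-M privilege mode constants (illustrative). */
#define TFM_PARTITION_UNPRIVILEGED_MODE 0
#define TFM_PARTITION_PRIVILEGED_MODE   1

typedef enum { TT_TT, TT_TTT, TT_TTA, TT_TTAT } tt_variant_t;

/* Which TT instruction cmse_check_address_range() issues for a flag set:
   only the UNPRIV and NONSECURE bits select the variant. */
tt_variant_t tt_variant_for_flags(int flags)
{
    switch (flags & (CMSE_MPU_UNPRIV | CMSE_MPU_NONSECURE)) {
    case 0:                  return TT_TT;   /* secure, privileged view   */
    case CMSE_MPU_UNPRIV:    return TT_TTT;  /* secure, unprivileged view */
    case CMSE_MPU_NONSECURE: return TT_TTA;  /* NS, privileged view       */
    default:                 return TT_TTAT; /* NS, unprivileged view     */
    }
}

/* Current derivation (reconstructed from the report): UNPRIV is added
   whenever the SPM reports the caller as unprivileged, NS callers included. */
int flags_current(bool ns_caller, uint32_t privileged)
{
    int flags = CMSE_MPU_READ;
    if (privileged == TFM_PARTITION_UNPRIVILEGED_MODE)
        flags |= CMSE_MPU_UNPRIV;
    if (ns_caller)
        flags |= CMSE_NONSECURE;
    return flags;
}

/* Proposed fix: never add CMSE_MPU_UNPRIV for an NS caller. */
int flags_fixed(bool ns_caller, uint32_t privileged)
{
    int flags = CMSE_MPU_READ;
    if (ns_caller)
        flags |= CMSE_NONSECURE;
    else if (privileged == TFM_PARTITION_UNPRIVILEGED_MODE)
        flags |= CMSE_MPU_UNPRIV;
    return flags;
}

/* Constructed NS MPU layout standing in for what TTA/TTAT would report. */
struct mpu_region { uintptr_t base, limit; bool priv_only; };
static const struct mpu_region ns_mpu[] = {
    { 0x20000000u, 0x20003FFFu, true  }, /* NS kernel data: privileged only */
    { 0x20004000u, 0x2000FFFFu, false }, /* NS application heap: any level  */
};

/* Model of the MPU part of the NS check: the whole range must lie in one
   region (cmse_check_address_range rejects ranges that cross a boundary),
   and under the unprivileged view (TTAT) privileged-only regions fail. */
bool ns_range_readable(uintptr_t p, size_t s, tt_variant_t v)
{
    if (s == 0 || UINTPTR_MAX - p < s - 1)
        return false;                       /* empty or wrapping range */
    uintptr_t end = p + s - 1;
    for (size_t i = 0; i < sizeof ns_mpu / sizeof ns_mpu[0]; i++) {
        const struct mpu_region *r = &ns_mpu[i];
        if (p >= r->base && end <= r->limit)
            return !(v == TT_TTAT && r->priv_only);
    }
    return false;
}

/* Stand-in for tfm_core_has_read_access_to_region on an NS iovec. */
bool has_read_access(uintptr_t p, size_t s, int flags)
{
    tt_variant_t v = tt_variant_for_flags(flags);
    if (v == TT_TT || v == TT_TTT)
        return false;                       /* secure-side views not modelled */
    return ns_range_readable(p, s, v);
}

/* Scenario from the report: privileged NS code passes an iovec into
   privileged-only NS memory; the SPM reports every NS caller as unprivileged. */
bool check_ns_kernel_buffer(bool use_fix)
{
    const uint32_t reported = TFM_PARTITION_UNPRIVILEGED_MODE;
    int flags = use_fix ? flags_fixed(true, reported)
                        : flags_current(true, reported);
    return has_read_access(0x20000100u, 64, flags);
}

int main(void)
{
    printf("current derivation: %s\n", check_ns_kernel_buffer(false) ? "pass" : "FAIL");
    printf("fixed derivation:   %s\n", check_ns_kernel_buffer(true)  ? "pass" : "FAIL");
    return 0;
}
```

Note what the fixed derivation gives up: because the SPM reports every NS caller as unprivileged, dropping CMSE_MPU_UNPRIV means all NS iovecs are checked with TTA, the privileged NS view, so an unprivileged NS caller passing a privileged-only NS buffer is also accepted. Secure partitions are unaffected, since flags_fixed() still selects TTT for an unprivileged secure caller.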