MAXQ612/MAXQ622 User’s Guide

Maxim Integrated

2-17

This means that when PRIVT0/PRIVT1 are used, the privilege level cannot be raised unless all of the code between the write to PRIVT0 and the write to PRIVT1 executes. Writing to PRIV automatically resets PRIVT0 to low.

2.6.1 Rules for System Software

Although privilege levels are enforced in hardware, there are two ways user code could try to circumvent the memory access protection:
• Manipulation of the shared, common stack or registers
• Jumping or calling to code in system memory that is not an official entry point
To keep the system safe and prevent these attacks, the system code programmer must observe the following rules:
• System code must not save and restore the privilege level. Instead, every interrupt and every system library function that raises the privilege must also unconditionally lower the privilege before exiting. If there are interrupts that lower the privilege level, or interrupt code that runs outside of system space, any code that raises the privilege must disable interrupts for the duration of the privileged operation.

Example:

    interrupt:
        move IGE, #0        ; disable interrupts for the privileged operation
        move PRIV, #HIGH
        …                   ; action
        move PRIV, #LOW     ; lower unconditionally before exiting
        move IGE, #1
        reti

    system_code:
        move IGE, #0
        move PRIV, #HIGH
        ...                 ; action
        move PRIV, #LOW
        move IGE, #1
        ret

• An operation that requires a high privilege level must not call a subroutine to raise the privilege level. A subroutine that raises the privilege and then returns is itself an unofficial entry point: any code that can call it obtains the raised privilege on return.
Example:

    incorrect:
        call raise_priv     ; raise_priv returns with PRIV still high
        …                   ; action
        move PRIV, #LOW

    correct:
        move PRIV, #HIGH    ; raise inline, in the same routine that lowers
        …                   ; action
        move PRIV, #LOW
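The rules above can be checked mechanically over an assembly listing. The following lint is an added example and is not Maxim's code or a Maxim tool. It assumes the mnemonic spellings used on this page (move PRIV, #HIGH / #LOW; move IGE, #0 / #1; call; ret; reti), treats the interrupt-disable rule as always applying (the page makes it conditional on interrupts that lower privilege or run outside system space), and assumes, as a further assumption, that a save/restore of the privilege level would be written as push PRIV / pop PRIV. The sample listings are constructed from the page's correct and incorrect patterns.

```python
"""Lint MAXQ612/MAXQ622-style assembly against the section 2.6.1 rules.

Added example, not Maxim's code. Assumptions: the mnemonics spelled as on the
page, 'push PRIV' / 'pop PRIV' as the save/restore idiom, and the interrupt
rule applied unconditionally.
"""

TERMINATORS = {"ret", "reti"}


def parse(asm):
    """Split a listing into routines: {label: [(mnemonic, [operands]), ...]}.

    A routine runs from its label to the first ret/reti (inclusive); comments
    after ';' are dropped and instructions before any label go under '<entry>'.
    """
    routines, current, body = {}, None, []
    for raw in asm.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            if current is not None and body:
                routines[current] = body  # fell into the next label without ret/reti
            current, body = line[:-1], []
            continue
        if current is None:
            current = "<entry>"
        parts = line.split(None, 1)
        mnem = parts[0].lower()
        ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
        body.append((mnem, ops))
        if mnem in TERMINATORS:
            routines[current] = body
            current, body = None, []
    if current is not None and body:
        routines[current] = body
    return routines


def _writes(ins, reg, value):
    """True if ins is 'move <reg>, #<value>' (case-insensitive)."""
    mnem, ops = ins
    return (mnem == "move" and len(ops) == 2
            and ops[0].upper() == reg and ops[1].upper() == "#" + value)


def lint(asm):
    """Return a list of rule violations found in the listing."""
    routines = parse(asm)
    findings = []
    raisers = set()  # routines that return with PRIV still HIGH
    for name, body in routines.items():
        level, ige = None, None  # last PRIV value written, last IGE value written
        for mnem, ops in body:
            ins = (mnem, ops)
            if mnem in ("push", "pop") and ops and ops[0].upper() == "PRIV":
                findings.append(f"{name}: saves/restores PRIV ({mnem})")
            if _writes(ins, "PRIV", "HIGH"):
                level = "HIGH"
                if ige != "0":
                    findings.append(f"{name}: raises PRIV with interrupts enabled")
            elif _writes(ins, "PRIV", "LOW"):
                level = "LOW"
            if _writes(ins, "IGE", "0"):
                ige = "0"
            elif _writes(ins, "IGE", "1"):
                ige = "1"
                if level == "HIGH":
                    findings.append(f"{name}: re-enables interrupts while PRIV is HIGH")
            if mnem in TERMINATORS and level == "HIGH":
                raisers.add(name)
                findings.append(f"{name}: returns ({mnem}) with PRIV still HIGH")
    # Second pass: any call into a routine that returns privileged is the
    # 'call raise_priv' anti-pattern (an unofficial privilege-raising entry point).
    for name, body in routines.items():
        for mnem, ops in body:
            if mnem == "call" and ops and ops[0] in raisers:
                findings.append(f"{name}: calls {ops[0]} to raise the privilege level")
    return findings


# Constructed sample listings, following the page's correct pattern ...
GOOD = """
interrupt:
    move IGE, #0
    move PRIV, #HIGH
    nop                 ; action
    move PRIV, #LOW
    move IGE, #1
    reti

system_code:
    move IGE, #0
    move PRIV, #HIGH
    nop                 ; action
    move PRIV, #LOW
    move IGE, #1
    ret
"""

# ... and the page's incorrect 'call raise_priv' pattern.
BAD = """
raise_priv:
    move PRIV, #HIGH
    ret

system_code:
    call raise_priv
    nop                 ; action
    move PRIV, #LOW
    ret
"""

if __name__ == "__main__":
    for label, listing in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint(listing) or ["ok"])
```

Running the block reports no findings for GOOD and three for BAD: raise_priv raises with interrupts enabled, raise_priv returns with PRIV still high, and system_code calls it to obtain the raised privilege. The lint is deliberately conservative: it does not follow jumps, so a routine whose exit path is reached by a branch rather than a fall-through may need manual review.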
