performance: 0.414 device: 0.408 ppc: 0.355 graphic: 0.306 hypervisor: 0.251 vnc: 0.234 socket: 0.227 kernel: 0.224 arm: 0.222 architecture: 0.220 semantic: 0.216 PID: 0.208 x86: 0.196 TCG: 0.187 VMM: 0.181 i386: 0.180 risc-v: 0.180 network: 0.178 user-level: 0.172 files: 0.169 virtual: 0.152 boot: 0.143 permissions: 0.133 mistranslation: 0.131 peripherals: 0.127 register: 0.117 KVM: 0.103 assembly: 0.094 debug: 0.087 qemu-system-arm regression: NonSecure World can change Secure World MMU mapping. Description of problem: A NonSecure execution context is able to override MMU L1 translation table flags set by Secure context on Secure World memory. This is not consistent with the same code running on real hardware and it's a regression over past qemu releases as 9.0.0 behaves correctly. Steps to reproduce: This has been tested with [GoTEE-example](https://github.com/usbarmory/GoTEE-example) as follows: ``` # building tamago wget https://github.com/usbarmory/tamago-go/archive/refs/tags/latest.zip unzip latest.zip cd tamago-go-latest/src && ./all.bash cd ../bin && export TAMAGO=`pwd`/go # building and running GoTEE-example wget https://github.com/usbarmory/GoTEE-example/archive/refs/heads/master.zip unzip master.zip cd GoTEE-example export TARGET=usbarmory && make clean && make nonsecure_os_go && make trusted_applet_go && make trusted_os && make qemu ``` # Additional information: The issue relates to the fact that the NonSecure World, at startup, configures the MMU with the NX bit for the entire address space not belonging to its firmware .text area. On real hardware this MMU configuration by NonSecure world does not affect the Secure World translation tables. On qemu 9.1.0, however it does and this is inconsistent with real hardware behavior. On qemu 9.0.0 the behaviour is correct so the issue has been introduced between these two releases. The switch between Secure and NonSecure is done [here](https://github.com/usbarmory/GoTEE/blob/7e62563c0628fed3ee0aebb4702e22be9bb636e3/monitor/exec_arm.s#L73). The MMU first level address table which sets the NX bit is done [here](https://github.com/usbarmory/tamago/blob/273d67cd811dfcb1782c0fe596ac14d43d0ce117/arm/mmu.go#L85).