What is the application of the ARM unprivileged load store instructions like LDTR compared to LDR?

Question

I came across the LDTR ARMv8 instruction today for the first time.

I read its description on the ARMv8 DB manual section C3.2.5 "Load/Store unprivileged", and from what I understood it basically allows EL1 to make memory accesses with EL0 restrictions.

What is the application for this feature?

Is this something along the lines of making it harder to create an attack that uses a kernel bug to make the kernel write data to the wrong address?

How does LDTR know which page table translations to use, considering that there are generally multiple process running at the same time? Or do those restrictions refer to other types of permissions unrelated to that which is specified on page tables?

Answer 1

This link gives you an example of use case: https://developer.arm.com/documentation/102376/0100/Permissions-attributes

[...] a hypervisor can see all the resources that are allocated to a virtual machine. This is because executing at a higher exception level means that the level of privilege is also higher.

However, this is not always desirable. Malicious applications might try to trick an OS into accessing data on behalf of the application, which the application should not be able to see. This requires the OS to check pointers in systems calls.

The Arm architecture provides several controls to make this simpler. First, there is the PSTATE.PAN (Privileged Access Never) bit. When this bit is set, loads and stores from EL1 (or EL2 when E2H==1) to unprivileged regions will generate an exception (Permission Fault) [...]

Sometimes the OS does need to access unprivileged regions, for example, to write to a buffer owned by an application. To support this, the instruction set provides the LDTR and STTR instructions.

LDTR and STTR are unprivileged loads and stores. They are checked against EL0 permission checking even when executed by the OS at EL1 or EL2. Because these are explicitly unprivileged accesses, they are not blocked by PAN [...]

This allows the OS to distinguish between accesses that are intended to access privileged data and those which are expected to access unprivileged data. This also allows the hardware to use that information to check the accesses.