# $

Version: 1.1 (Latest)  & %   

Home / Documentation / Architectures /

CPU Architecture / M-Profile / Armv8-M / ← →
Armv8-M Memory Model and
Memory Protection User Guide

Memory Protection Unit

The MPU is an optional component in Cortex-M
processor systems. In systems that require high
reliability, the MPU can protect memory regions by
defining access permissions for different privilege
states. The MPU can also define other memory
attributes such as Cacheability, which can be
exported to system-level cache unit or memory
controllers.

In systems without an embedded OS, the MPU can be

programmed to have a static configuration. The
configuration can be used for functions including the
following:
The MPU is an optional component in Cortex-M
processor
Settingsystems. In systems
a RAM/SRAM that
region torequire high to
be read-only
reliability,
protect the MPU candata
important protect
frommemory regions by
accidental
defining access permissions for different privilege
corruption
states. The MPU
Making can also
a portion define otherspace
of RAM/SRAM memoryat the
attributes
bottomsuch as Cacheability,
of the whichtocan
stack inaccessible be stack
detect
exported to system-level cache unit or memory
overflow
controllers.
Setting a RAM/SRAM region to be XN to mitigate
code injection attacks
In systems without an embedded OS, the MPU can be
Memory Protection Unit
Defining memory attribute settings that can be
programmed to have a static configuration. The
used by system level cache or memory
configuration can be used for functions including the
controllers
following:
In systems with an embedded OS, the MPU can be
Setting a RAM/SRAM region to be read-only to
programmed at each context switch so that each
protect important data from accidental
application task can have a different MPU
corruption
configuration. In this way, you can:
Making a portion of RAM/SRAM space at the
bottom of the stack
Define memory inaccessible
access to detect
permissions so thatstack
stack
overflow
operations of an application task can only access
Setting
their owna RAM/SRAM region
allocated space, to be XNstack
to prevent to mitigate
code injection
corruption attacks
of other stacks in case of a stack leak
Defining memory
Define memory attribute
access settings so
permissions that cananbe
that
used by system
application tasklevel cache
can only or memory
have access to its own
controllers
data and a limited set of peripherals

In
Thesystems withMemory
Protected an embedded
System OS, the MPU can
Architecture be
(PMSA)
programmed at each
is the architecture context
that switch
defines so that each
the operation of the
application task canprocessors.
MPU for Cortex-M have a different
WithMPU
the development
configuration.
of the Armv8-M In architecture,
this way, you the
can:PMSA has been
updated to the PMSAv8. The MPU programmers’
Define memory access permissions so that stack
model allows privileged software to define memory
operations of an application task can only access
regions and assign memory access permissions and
their own allocated space, to prevent stack
memory attributes to each of them. The number of
corruption of other stacks in case of a stack leak
supported MPU regions can vary across devices.
Define memory access permissions so that an
Typically eight MPU regions are implemented in most
application task can only have access to its own
systems.
data and a limited set of peripherals
The MPU is software programmable and can be
The Protected Memory System Architecture (PMSA)
configured in a number of different ways using the
is the architecture that defines the operation of the
MPU regions available on a device. The MPU
MPU for Cortex-M processors. With the development
monitors instruction fetches and data accesses from
of the Armv8-M architecture, the PMSA has been
the processor and triggers a fault exception when an
updated to the PMSAv8. The MPU programmers’
access violation is detected. If the MPU is enabled,
model allows privileged software to define memory
and if a memory access violates the access
regions and assign memory access permissions and
permissions defined by the MPU or if an access to a
memory attributes to each of them. The number of
region which is not programmed by MPU is
supported MPU regions can vary across devices.
attempted, then the transfer would be blocked and a
Typically eight MPU regions are implemented in most
MemManage fault would be triggered. Some
systems.
examples of MPU violations that can result in
MemManage faults include
The MPU is software the following:
programmable and can be
configured in a number of different ways using the
The address accessed matches more than one
MPU regions available on a device. The MPU
MPU region.
monitors instruction fetches and data accesses from
The transaction does not match all of the access
the processor and triggers a fault exception when an
conditions for the MPU region being accessed.
access violation is detected. If the MPU is enabled,
The address accessed only matches the system
and if a memory access violates the access
address map and the system address map is not
permissions defined by the MPU or if an access to a
enabled.
region which is not programmed by MPU is
attempted, then the transferwith
Armv8-M implementations would
thebe blocked
Main and a
Extension
MemManage fault
have a dedicated would be
Memory triggered. Some
Management Fault
examples of MPU
(MemManage) violations
that thatbycan
is triggered result in
accesses that
MemManage faults
violate the MPU include thesettings.
configuration following:The Main
Extension also provides the MemManage Fault Status
The address accessed matches more than one
Register (MMFSR) and the MemManage Fault
MPU region.
Address Register (MMFAR) which provide
The transaction does not match all of the access
information about the cause of the fault and the
conditions for the MPU region being accessed.
address being accessed in the case of data faults.
The address accessed only matches the system
These provide useful information to RTOS kernels
address map and the system address map is not
that isolate memory on a per-thread basis, or provide
enabled.
on-demand stack allocation. If the MemManage fault
is disabledimplementations
Armv8-M or cannot be triggered because
with the the current
Main Extension
execution priorityMemory
have a dedicated is too high, then the fault
Management is
Fault
escalated
(MemManage)to a HardFault. Armv8-M
that is triggered implementations
by accesses that
without theMPU
violate the Mainconfiguration
Extension cansettings.
only useThe
theMain
HardFault exception.
Extension also provides the MemManage Fault Status
Register (MMFSR) and the MemManage Fault
For each MPU region, the following information is
Address Register (MMFAR) which provide
needed for a complete description of memory space
information about the cause of the fault and the
allocated for that MPU region:
address being accessed in the case of data faults.
These provide
Base useful
and limit information to RTOS kernels
addresses
thatMemory
isolate memory on a per-thread
type: Normal or Device basis, or provide
on-demand
Read-onlystack allocation. If the MemManage fault
or Read-Write
is disabled or cannot
Privileged be triggered because the current
or unprivileged
execution priority
Execution is too high, then the fault is
permission
escalated to a HardFault. Armv8-M implementations
Shareability
without the Main for
Cacheability, Extension
Normalcan only use the
memory
HardFault
Deviceexception.
attributes, for Device memory

For
Theeach
MPUMPUmustregion, the following
be enabled information
after being is If
programmed.
needed
the MPUforis anot
complete
enabled,description of memory
then the processor space
does not
allocated for that
have visibility MPUconfiguration.
of MPU region: For each region,
the memory attributes define the ordering and
Base and limit addresses
merging behaviors of that region, as well as caching
Memory type: Normal or Device
and buffering attributes.
Read-only or Read-Write
The Privileged or unprivileged
following figure shows an example of a memory
mapExecution permission
with four MPU regions and the attributes for
Shareability
each:
Cacheability, for Normal memory
Figure 1. MPU
Device regions
attributes, example
for Device memory

The MPU must be enabled after being programmed. If

the MPU is not enabled, then the processor does not
have visibility of MPU configuration. For each region,
the memory attributes define the ordering and
merging behaviors of that region, as well as caching
and buffering attributes.

The following figure shows an example of a memory

map with four MPU regions and the attributes for
each:

Figure 1. MPU regions example

Note
With the MPU enabled, an access to an address
that does not match any MPU regions ( No
region in the above figure) will fault unless the
access is privileged and
MPU_CTRL.PRIVDEFENA is set (see
[MPU_CTRL, MPU Control Register]). In this
case the default memory map would be applied.

← →

No
With Rate this page:
the MPU enabled, an access to an address
region
⭐ ⭐any
that does not match ⭐MPU ⭐⭐ regions (
in the above figure) will fault unless the
access is privileged and
Note
MPU_CTRL.PRIVDEFENA is set (see
Developing
[MPU_CTRL,on Arm
MPU Control Register]). In this
case the default memory map would be applied.
AI and ML

Android Development

Automotive

Cloud-to-Edge and Networking

Gaming, Graphics and Rate

VR this page:

High Performance Computing

⭐⭐⭐ ⭐⭐
Internet of Things

Windows on Arm

Architecture
AMBA

Compression Technologies

CoreSight Architectures

CPU Architecture

GPU Architectures

Instruction Sets

Security Architectures

System Architectures

Products
CPU Processors

Graphics and Multimedia

Physical IP

System IP

SoC Design and Simulation

Software Development Tools

Support
Design Reviews and Checklists

Training

Documentation

Licensing

Downloads

Contact Support

Arm Security Center

Community
Communities

Forums

Blogs

About Arm
Leadership

Security

News

Contact Us

Arm Offices

    

Cookie Policy Glossary Terms of Use Privacy Policy

Accessibility Subscription Center Trademarks

Copyright © 1995-2024 Arm Limited (or its affiliates). All

rights reserved.