[ARM Cortex-A]: Permission fault due to code region mapped as read/write

Question

When I try to execute code from a region mapped as read/write (AP[2] == 0), the CPU issues a permission fault (exception class == 0b100001, instruction fault status code == 0b001111). When I change the mapping to read-only (AP[2] == 1), the permission fault goes away. Is this expected behavior from the MMU? I thought executing code from a region mapped as read/write was allowed. Could someone point me to a section in the "Arm Architecture Reference Manual" that explains this?

For reference:

• See ARM DDI 0487I.a, page D8-5136 for information about the AP (access permission) bits
• See ARM DDI 0487I.a, page D17-5657 for information about exception class 0b100001 (Instruction Abort taken without a change in Exception level)
• See ARM DDI 0487I.a, page D17-5680 for information about instruction fault status code 0b001111 (Permission fault, level 3)

Answer 1

ARM DDI 0487I.a, page D8-5142 has the answer.

Preventing execution from writable locations

There are register control fields that can be used to force writable memory to be treated as XN, PXN, or UXN, regardless of the value of the corresponding descriptor fields.

For a stage 1 translation in a translation regime that supports two Exception levels, the corresponding SCTLR_ELx.WXN field does all of the following:

• If the value is 0, then there is no effect on access permissions.
• If the value is 1, then all of the following apply:
  • If the memory region is writable from EL0, then it is treated as Unprivileged execute-never, regardless of the value of the Block descriptor or Page descriptor UXN field.
  • If the memory region is writable from the higher Exception level, ELx, then it is treated as Privileged execute-never, regardless of the value of the Block descriptor or Page descriptor PXN field.