Dice Question Streamline Icon: https://streamlinehq.com

Mechanism of GL0 SVC rerouting to GL2 and coexistence with GL1 calls

Ascertain the mechanism by which SVC exceptions executed at Guarded Level GL0 are rerouted to SPTM in GL2 (e.g., via HCR_EL2.TGE), and determine how this coexists with GL0 components calling Secure Kernel in GL1 via SVCs while Trusted Execution Monitor (TXM) calls SPTM in GL2 via SVCs, including the precise handling logic and conditions permitting these behaviors.

Information Square Streamline Icon: https://streamlinehq.com

Background

The authors describe that GL0 SVCs can be rerouted to GL2 by setting HCR_EL2.TGE, yet elsewhere GL0 components appear to call Secure Kernel at GL1, and TXM (running at GL0) calls SPTM at GL2 via SVCs. The interplay of these behaviors remains unclear.

Understanding the exact routing and coexistence conditions is crucial to properly model exception handling and cross-level communication in Apple’s guarded execution architecture.

References

The exact inner working of the request handling logic is still unknown, considering we will show in \cref{secureKernel} that GL0 components actually directly call into Secure Kernel in GL1. The exact handling mechanisms for allowing GL0 components to call into Secure Kernel at GL1 via SVCs and \gls{TXM} calling into \gls{SPTM} at GL2 via SVCs at the same time have yet to be discovered.

Modern iOS Security Features -- A Deep Dive into SPTM, TXM, and Exclaves (2510.09272 - Steffin et al., 10 Oct 2025) in Section “SPTM Request Handling — SVC/HVC Handling”, subsection “GL0 SVC Rerouting to SPTM”