From 0f0c28404b53bf878237dc77910e57f5919e8e1a Mon Sep 17 00:00:00 2001
From: cepetr
Date: Wed, 7 May 2025 16:17:07 +0200
Subject: [PATCH] fix(core): fix exc_return codes for non-secure world [no changelog]
---
 core/embed/sys/startup/stm32/sysutils.c | 5 ++++-
 core/embed/sys/syscall/stm32/syscall.c | 5 +++++
 core/embed/sys/task/stm32/systask.c | 10 +++++++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/core/embed/sys/startup/stm32/sysutils.c b/core/embed/sys/startup/stm32/sysutils.c
index e8ee886a71..d486e8eb58 100644
--- a/core/embed/sys/startup/stm32/sysutils.c
+++ b/core/embed/sys/startup/stm32/sysutils.c
@@ -188,8 +188,11 @@ __attribute((naked, no_stack_protector)) void ensure_thread_mode(void) {
 "MRS R0, CONTROL \n" // Clear SPSEL to use MSP for thread
 "BIC R0, R0, #3 \n" // Clear nPRIV to run in privileged mode
 "MSR CONTROL, R0 \n"
-
+#if !defined(__ARM_FEATURE_CMSE) || (__ARM_FEATURE_CMSE == 3U)
 "LDR LR, = 0xFFFFFFF9 \n" // Return to Secure Thread mode, use MSP
+#else
+ "LDR LR, = 0xFFFFFFB8 \n" // Return to Thread mode, use MSP
+#endif
 "BX LR \n");
 }
diff --git a/core/embed/sys/syscall/stm32/syscall.c b/core/embed/sys/syscall/stm32/syscall.c
index f677e9cdb8..2209af42b4 100644
--- a/core/embed/sys/syscall/stm32/syscall.c
+++ b/core/embed/sys/syscall/stm32/syscall.c
@@ -66,8 +66,13 @@ __attribute__((naked, no_stack_protector)) static uint32_t _invoke_app_callback(
 "vmov r0, s0 \n" // Use FPU instruction to ensure lazy
 // stacking
+#if !defined(__ARM_FEATURE_CMSE) || (__ARM_FEATURE_CMSE == 3U)
 // return to Secure Thread mode (use Secure PSP)
 "ldr lr, = 0xFFFFFFFD \n"
+#else
+ // return to Thread mode (use PSP)
+ "ldr lr, = 0xFFFFFFBC \n"
+#endif
 "bx lr \n");
 }
diff --git a/core/embed/sys/task/stm32/systask.c b/core/embed/sys/task/stm32/systask.c
index 6d185ee472..4e16d2a4de 100644
--- a/core/embed/sys/task/stm32/systask.c
+++ b/core/embed/sys/task/stm32/systask.c
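Review bot: The guard `#if !defined(__ARM_FEATURE_CMSE) || (__ARM_FEATURE_CMSE == 3U)` in ensure_thread_mode() selects the EXC_RETURN value from compiler flags, not from a statement of which world the image runs in. Per ACLE the value 3 only says the unit was compiled with `-mcmse`, so a Secure image built without that flag would take the `#else` branch and load the Non-secure code; if the build system does not already rule that out, a build-time check would catch the mismatch before it reaches an exception return. The same guard is repeated in _invoke_app_callback() in syscall.c and twice in systask.c, so I would make the decision once in a shared header behind one named macro, with a comment listing which build configurations are expected to reach each branch. The `!defined` branch also covers cores without the Security Extension, if these files are built for any, and there the "Secure Thread mode" wording in the comments does not apply. Both function bodies start outside their hunks.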
@@ -149,7 +149,11 @@ bool systask_init(systask_t* task, uint32_t stack_ptr, uint32_t stack_size,
 memset(task, 0, sizeof(systask_t));
 task->sp = stack_ptr + stack_size;
 task->sp_lim = stack_ptr + 256;
- task->exc_return = 0xFFFFFFED; // Thread mode, use PSP, pop FP context
+#if !defined(__ARM_FEATURE_CMSE) || (__ARM_FEATURE_CMSE == 3U)
+ task->exc_return = 0xFFFFFFED; // Secure Thread mode, use PSP, pop FP context
+#else
+ task->exc_return = 0xFFFFFFAC; // Thread mode, use PSP, pop FP context
+#endif
 task->id = id;
 task->mpu_mode = MPU_MODE_APP;
 task->applet = applet;
@@ -216,7 +220,11 @@ bool systask_push_call(systask_t* task, void* entrypoint, uint32_t arg1,
 }
 // Return to thread mode, use PSP, pop FP context
+#if !defined(__ARM_FEATURE_CMSE) || (__ARM_FEATURE_CMSE == 3U)
 task->exc_return = 0xFFFFFFED;
+#else
+ task->exc_return = 0xFFFFFFAC;
+#endif
 stk_frame[STK_FRAME_R0] = arg1;
 stk_frame[STK_FRAME_R1] = arg2;
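Review bot: The EXC_RETURN literals in systask_init() are not documented at the bit level: 0xFFFFFFED and 0xFFFFFFAC differ only in S (bit 6) and ES (bit 0), and nothing in the hunk says so, which makes a later typo in either value hard to spot in review. I would add a comment above the `#if` such as `// EXC_RETURN: the Non-secure variant clears S (bit 6) and ES (bit 0); FType = 0 restores the FP frame in both`. In the systask_push_call() hunk the existing comment `// Return to thread mode, use PSP, pop FP context` now sits above both branches without saying which world each value targets; the per-branch wording used in systask_init() would fit there as well. Both functions begin and end outside their hunks, and the second hunk may continue past the end of this page.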