(no title)

Likewise the RISC-V PMP can divide M-mode and U-mode memory just like the SAU divides Secure and Non-secure memory; the SAU is just another layer of MPU. Secure/Non-secure interrupt targeting can be implemented by de-privileging an M-mode handler head into a U-mode handler tail, etc. You can read more about this stuff in chapter 10 of the datasheet (in particular section 10.6.2 covers the mapping of RISC-V modes to AHB bus attributes), but the short version is that the RISC-V cores have enough security features that you could put together a competent secure boot implementation.

Really this attack has little to do with the cores, and everything to do with the fact it is possible to bypass the guard reads in the OTP power-up state machine and read invalid values into the critical flag state. If the flag assignment had been different we would have seen either a different hole -- e.g. direct through Arm Mem-APs into OTP, which perhaps these journalists would blame on the Arm cores -- or no hole.