13.10 TrustZone Extension
TrustZone secure software is supported through the filtering of each client access with host security bit extension signals.
TrustZone technology adds the ability to manage the access rights for Secure and Non-Secure accesses. The access rights are defined through the hardware and software configuration of the device. The operating mode is the following:
- Hosts transmit requests with the secure or non-secure Security option.
- The MATRIX, according to its configuration and the request, grants or denies the access.
The client address space is divided into one or more client regions. The client regions are generally contiguous parts of the client address space. The client region is potentially split into an access denied area (upper part) and a security region which can be split (lower part), unless the client security region occupies the whole client region. The security region itself can be split into one secure area and one non-secure area. The secure area may be independently secured for read access and for write access.
For one client region, the following characteristics are configured by hardware or software:
- Base Address of the client region
- Max Size of the client region—a maximum size for the region’s physical content
- Top Size of the client security region— the actually programmed or fixed size for the region’s physical content
- Split Size of the client security region— the size of one of the two security areas of the region
The following figure shows how the terms defined here are implemented in a client address space.
A set of security registers specifies, for each client, the client security region or client security area, the security mode required to access this client, client security region or client security area. See section MATRIX_SSRx, MATRIX_SASSRx and MATRIX_SRTSRx.
These registers can only be accessed in Secure mode.
The MATRIX propagates the security bit down to the clients to let them perform additional security checks, and the MATRIX itself allows or denies the access to the clients by means of its TrustZone embedded controller.
Access violations may be reported either by a client through the bus error response, or by the embedded TrustZone controller. In both cases, a bus error response is sent to the offending host and the error is flagged in the Host Error Status Register. An interrupt can be sent to the Secure world, if it has been enabled for that host by writing into the Host Error Interrupt Enable Register. Thus, the offending host is identified. The offending address is registered in the Host Error Address Registers, so that the client and the targeted security region are also known.
Depending on the hardware parameters and software configuration, the address space of each client security region may or may not be split into two parts, one belonging to the Secure world and the other one to the Normal world.
Five different security types of clients are supported. The number of security regions is set by design for each client, independently, from 1 to 8, totaling from 1 up to 16 security areas for each security-configurable client.