8.4.5.2 Filters

On the TZC-400, each port has its own dedicated filter. Each filter must be configured by software; up to nine regions can be associated to a filter. A region is a memory space with particular access permissions.

TZC0 and TZC1 regions must be programmed in a consistent way. For each region, program Region ID Access register as follows:
  • Set bit 0 (NSAID_RD_EN field) to allow NS read accesses. The bit default value is 0 and only S read accesses are allowed.
  • Set bit 16 (NSAID_WD_EN field) to allow NS write accesses. The bit default value is 0 and only S write accesses are allowed.

Region 0 is the background region and defines the two extremities of the accessible memory range and the default access permission. This region is not optional. Accessing an address out of region 0 is always denied.

Up to eight additional regions can be defined and superimposed on region 0 but must never overlap each other. Each region can describe different access permissions (read enabled, write enabled, secure access rights, not secure access rights).

Finally, different regions can be associated to different ports (or, simply, the same regions can be associated to all ports).

In case of access permission violation, an interrupt can be generated, and denied access information (address, port, type, etc.) can be retrieved in Status registers. An interrupt can also be issued in case of programming errors (overlapping regions, for example).

Note:

The two TZC-400 controllers have been merged into a combined 5-port TZC-400. There is only one interrupt line, comprised of ORed interrupts of the two controllers.

After reset, the TZC-400 blocks all accesses to DDR. It must be configured before any DDR access. The DDRC clock must be enabled before configuring TZC-400.

Speculative access is forbidden in order to prevent the TZC-400 from propagating accesses even when they fail the security permissions (this would not result in any successful access, but would lead to some visible activity on DDR ports). This restriction implies that the 'fast path' feature cannot be used in TZC-400 (this feature offers more bandwidth but requires setting Speculative Access mode).

Peripheral ID Type Security
ID_TZC User interface Always Secure