52.5.1 TrustZone Security Attributes
The TZAESB security attribute for each core can be configured to process accesses coming from the secure world on one core and accesses coming from the non-secure world on the other core. Thus, the TZAESB can process two concurrent secure and non-secure data streams. In this configuration, secure accesses are routed to the TZAESB core with a secure attribute and non-secure accesses are routed to the TZAESB core with a non-secure attribute.
Both cores can be configured with the same security attribute to process only one type of access (non-secure or secure), thus doubling encryption performance with respect to standard levels.
The TZAESB core security attribute configuration is done by the TrustZone Peripheral Manager (TZPM) block. Refer to the section “TrustZone Peripheral Manager (TZPM)” for more details.
The TrustZone AES Bridge Address Space Controller (TZAESBASC) defines regions (either secure or non-secure) to the distant memory based on address table definitions. Based on the region definition and the address of the access, the TZAESBASC modifies the secure attribute of the access. Refer to the section “TrustZone AES Bridge Address Space Controller (TZAESBASC)” for more details.
TZAESB Core 1 TZPM Security Bit Configuration | TZAESB Core 0 TZPM Security Bit Configuration | Non-secure Access to Core 1 User Interface | Non-secure Access to Core 0 User Interface | Non-secure Memory Access through TZAESB | Secure Memory Access through TZAESB | Notes |
---|---|---|---|---|---|---|
Secure | Non-secure | Denied | Accepted | Access to non-secure regions is accepted and uses Core 0. Access to secure regions is denied. | Accepted. Access to secure regions uses Core 1 and access to non-secure regions uses Core 0. | Secure world can decrypt both secure and non-secure regions. |
Secure | Secure | Denied | Denied | Denied | Accepted only if the target region is secure, denied otherwise. An accepted access uses the first available core (increased performance). | Both cores must have the same configuration. Performance is increased (both cores can work in parallel). |
Non-secure | Non-secure | Accepted | Accepted | Accepted | Accepted | Both cores must have the same configuration. Performance is increased (both cores can work in parallel). |
Non-secure | Secure | NA | NA | NA | NA | Forbidden configuration |
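
The table above can be written as a small decision model for reviewing a planned TZPM configuration before it is programmed. This is an added example, not code from the datasheet or the vendor: the type and function names are hypothetical, no hardware registers are touched, and treating the forbidden configuration as "deny everything" is a choice of the model (the table only lists it as NA).

```c
#include <stdbool.h>

/* Hypothetical model types; these are not register names from the datasheet. */
typedef enum { ATTR_NONSECURE = 0, ATTR_SECURE = 1 } attr_t;
typedef enum { CORE_NONE = -1, CORE_0 = 0, CORE_1 = 1, CORE_ANY = 2 } route_t;
typedef struct { bool accepted; route_t core; } decision_t;

/* Only Core 1 = Non-secure with Core 0 = Secure is forbidden by the table. */
bool tzaesb_config_valid(attr_t core1, attr_t core0)
{
    return !(core1 == ATTR_NONSECURE && core0 == ATTR_SECURE);
}

/* Non-secure access to a core's user interface is accepted only when that
 * core carries the non-secure attribute. */
bool tzaesb_ns_ui_access(attr_t core_attr)
{
    return core_attr == ATTR_NONSECURE;
}

/* Decide a memory access through the TZAESB.
 * world:  security of the incoming access
 * region: security of the target region as defined by the TZAESBASC */
decision_t tzaesb_mem_access(attr_t core1, attr_t core0,
                             attr_t world, attr_t region)
{
    const decision_t deny = { false, CORE_NONE };

    if (!tzaesb_config_valid(core1, core0))
        return deny;                 /* model choice: reject forbidden setup */

    if (core1 == ATTR_SECURE && core0 == ATTR_NONSECURE) {
        if (world == ATTR_NONSECURE && region == ATTR_SECURE)
            return deny;
        /* Secure regions use Core 1, non-secure regions use Core 0. */
        return (decision_t){ true, region == ATTR_SECURE ? CORE_1 : CORE_0 };
    }
    if (core1 == ATTR_SECURE) {      /* both cores secure */
        if (world == ATTR_NONSECURE || region == ATTR_NONSECURE)
            return deny;
        return (decision_t){ true, CORE_ANY };   /* first available core */
    }
    /* Both cores non-secure: the table lists every access as accepted,
     * with both cores able to work in parallel. */
    return (decision_t){ true, CORE_ANY };
}
```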