18.12 TrustZone Technology
TrustZone secure software is supported through the filtering of each client access with host security bit extension signals.
TrustZone technology adds the ability to manage the access rights for secure and non-secure accesses. The access rights are defined through the hardware and software configuration of the device. The operating mode is as follows:
- Hosts transmit requests with the secure or non-secure Security option.
- The MATRIX, according to its configuration and the request, grants or denies the access.
The client address space is divided into one or more client regions. The client regions are generally contiguous parts of the client address space. The client region is potentially split into an access denied area (upper part) and a security region which can be split (lower part), unless the client security region occupies the whole client region. The security region itself can be split into one secure area and one non-secure area. The secure area may be independently secure for read access and for write access.
For one client region, the following characteristics are configured by hardware or software:
- Base Address of the client region
- Max size of the client region: the maximum size for the region’s physical content
- Top size of the client security region: the actually programmed or fixed size for the region’s physical content
- Split size of the client security region: the size of the lower security area of the region.
The following figure shows how the terms defined here are implemented in a client address space.
A set of security registers allows to specify, for each client, the client security region or client security area, the security mode required to access this client, client security region or client security area.
Additional Bus Matrix security registers allow to specify, for each peripheral bus client, the security mode required to access this client (see See MATRIX_SPSELR).
See MATRIX_SSR.
These registers can only be accessed in Secure mode.
The MATRIX propagates the security bit down to the clients to let them perform additional security checks, and the MATRIX itself allows or denies the access to the clients by means of its TrustZone embedded controller.
Access violations may be reported either by a client through the bus error response (example from the system bus/peripheral bus bridge), or by the Bus Matrix embedded TrustZone controller. In both cases, a bus error response is sent to the offending host and the error is flagged in MATRIX_MESR. An interrupt can be sent to the Secure world, if it has been enabled for that host by writing into MATRIX_MEIER. Thus, the offending host is identified. The offending address is registered in the MATRIX_MEAR, so that the client and the targeted security region are also known.
Depending on the hardware parameters and software configuration, the address space of each client security region may or may not be split into two parts, one belonging to the Secure world and the other one to the Normal world.
Five different security types of clients are supported. The number of security regions is set by design for each client, independently, from 1 to 8, totalling from 1 up to 16 security areas for security configurable clients.