8.4.4.1.1 Region Access Rules

The TZC implements the following region rules:

• A region must be enabled for a filter unit to provide a valid match.
• Region 0 is always enabled.
• The TZC checks the access against Region 0 security settings only if the access cannot be found in any of the other enabled regions for that filter unit.
• Where an address maps to Region 1 or higher, the TZC checks the access against the security settings of that region.
• When Region 1 or higher is enabled, address regions can overlap, but only if they are set for different filters.
  Note:

  1. Other regions can overlap the address area of Region 0. An overlap between Region 0 and a higher region can be used to manage all access rights for a Secure OS, by defining the security of the default region, Region 0, and then defining security for higher regions overlapping the default base region. For example, Region 0 can be made inaccessible to any Non-secure masters. The Secure OS can then selectively release regions for global access later.
  2. The behavior of the TZC is undefined for configurations where Regions 1 and higher overlap when enabled on the same filter unit. When an access to an overlapping region occurs, the TZC sets a status bit to indicate an overlapping access. The TZC can generate an interrupt when this occurs. Interrupt generation is a programmable feature of the TZC. See TZC_SYS_ACTION and TZC_CPU_ACTION.