Creating an IRT Region
Creating an IRT Region describes how to define an IRT section in a defined memory range and assign the desired permission levels. Create an IRT region that includes the reset vector of the device and that is defined with write permissions disabled. An IRT section can be defined with write permissions enabled or disabled; Immutable Root of Trust (IRT) Region Features and Usage discusses the interaction of IRT sections and write permissions. For the root of trust to be truly immutable, the section needs to be defined with write permissions disabled. If updates to the boot code are required, a second IRT region can be defined with write permissions enabled, allowing some restricted update capability in the boot code.
To fully complete the IRT region creation, the configuration bits need to be write protected as described in Creating an IRT Region. This is typically done once development is complete and the design is moving to production.
