1. Article purpose
- Briefly introduce the RIF (resource isolation framework) and its main features
- List the different elements that make it up
- Explain how RIF is integrated at system level
2. What is resource isolation framework?
The RIF is a fully integrated firewall solution, isolating execution contexts from each other.
RIF is an extension of isolation for multicore and multiapplication purposes.
It protects access to:
- Internal memories
- External memories
- Internal peripherals
- Peripheral features when a peripheral provides multiple features that could be assigned to different execution contexts
And it filters accesses coming from:
- Any bus master peripherals
2.1. RIF concept
RIF can be seen as an extension of the bus interconnect, adding information at each transaction to identify the emitter and filter transactions in parallel with address decoding.
To do that, a CID (compartment identifier) is assigned to each bus master (CPU and peripherals) in addition to secure, read/write, execute, and address fields.
The CPU's CID is hardwired to 1. The CID of other bus master peripherals is 0 by default but can be configured by secure software.
The following figure shows all the elements that compose a transaction, and which are used to filter access to the different resources of the device.
2.2. RIF composition
RIF consists of different elements:
- RIFSC = RIF security controller: provides the configuration registers for all RIMUs and RISUPs.
- RIMU = resource isolation master unit: located in front of each bus master port to make the transaction unique.
- RISUP = resource isolation slave unit peripheral: located in front of each slave bus connector to filter transactions according to defined rules.
- RISAF = resource isolation slave unit for address space - full version: located in front of external memories to filter access based on variable-sized address space regions.
- Address spaces protected by the RISAF are by default secure, privileged, and CID only.
- IAC = Illegal access controller: allows RIF error events to be configured and monitored.
The following figure shows a generic implementation of the RIF in a device.
2.3. RIF aware peripherals
The RIF concept has been integrated directly inside some peripherals so that isolation granularity is not at the peripheral level but at the feature level.
Such peripherals are named RIF-aware peripherals.
RIF-aware peripherals are system and communication peripherals:
- Direct memory access controllers (GP/HPDMA)
- Secure clock and reset (RCC)
- Power control (PWR)
- Real time clock (RTC)
- Tamper and backup registers (TAMP)
- Liquid crystal thin film transistor display controller (LTDC)
- General purpose I/Os (GPIO)
- Extended interrupts and event controller (EXTI)
- System configuration controller (SYSCFG)
- Microcontroller debug unit (DBGMCU)
2.4. RIF protection model
2.4.1. RIF access filtering policy
As shown below, the access filtering policy differs depending on whether a peripheral or a memory is accessed:
2.4.2. RIF peripheral protection model
RIF offers different protection levels for each protected peripheral resource.
RIF filtering rules are based on:
- Secure level
- Privilege level
- CID
CID filtering has three modes:
- Disabled: any master matching the secure and privilege levels can access the resource.
- Enabled in static mode: one authorized CID value is defined. Only masters matching that CID value and the secure and privilege levels can access the resource.
2.4.3. RIF memory protection model
RIF offers different protection levels for each chunk of memory. The chunk size depends on the memory type and the associated RISAF protection unit.
It could be:
- Configurable region for internal and external memories protected by RISAF.
For each chunk of memory, it is possible to define some RIF rules based on:
- Global secure level
- Global privilege level (if CID filtering is disabled)
- CID filtering activation
- Read access per CID (if filtering is activated)
- Write access per CID (if filtering is activated)
- Privilege level per CID (if CID filtering is activated)
2.4.4. RIF illegal access detection
When a master with insufficient access rights accesses a resource (peripheral, feature, or memory), the RISUP or RISAF:
- Ignores the write request
- Returns 0 for the read request
In addition, the IAC (illegal access controller) notifies the TDCID processor when an illegal access occurs.
Notification can be enabled peripheral by peripheral. On illegal access detection, the CPU receives an interrupt from the IAC and can read information about the faulting access in the IAC status registers.
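As an added illustration (not code from the original article or from ST), the following C model encodes the RISUP peripheral rules of 2.4.2, the RISAF region rules of 2.4.3 and the illegal-access behaviour of 2.4.4 as plain host-side functions, so the filtering policy can be exercised against sample transactions. The struct fields and the handling of the DAP CID 0x7 are assumptions of the model, not hardware register layouts.

```c
#include <stdbool.h>
#include <stdint.h>

#define RIF_DAP_CID 0x7   /* debugger (DAP) compartment, see 2.8 */

/* Transaction attributes added by the RIMU in front of each bus master. */
typedef struct { uint8_t cid; bool sec, priv, write; } rif_txn;

/* RISUP rules for one peripheral resource (2.4.2).
 * cid_static < 0 models "CID filtering disabled"; otherwise static mode with one authorized CID. */
typedef struct { bool sec, priv; int cid_static; } risup_cfg;

/* RISAF rules for one memory region (2.4.3); bit n of each mask refers to CID n (assumed encoding). */
typedef struct {
    bool sec, priv;           /* global secure level, global privilege level */
    bool cid_filter;          /* CID filtering activation */
    uint8_t rd_mask, wr_mask; /* read / write access per CID */
    uint8_t priv_mask;        /* privilege required per CID */
} risaf_region;

static bool risup_allows(const risup_cfg *c, const rif_txn *t)
{
    if (c->sec && !t->sec) return false;     /* secure resource, non-secure master */
    if (c->priv && !t->priv) return false;   /* privileged resource, unprivileged master */
    return c->cid_static < 0 || t->cid == (uint8_t)c->cid_static;
}

static bool risaf_allows(const risaf_region *r, const rif_txn *t)
{
    if (r->sec && !t->sec) return false;
    if (!r->cid_filter)                      /* global privilege level counts only without CID filtering */
        return !r->priv || t->priv;
    uint8_t bit = 1u << (t->cid & 7);
    /* Assumption: CID 0x7 passes the per-CID read/write check (2.8); the other rules still apply. */
    if (t->cid != RIF_DAP_CID && !((t->write ? r->wr_mask : r->rd_mask) & bit)) return false;
    return !(r->priv_mask & bit) || t->priv;
}

/* Illegal access behaviour (2.4.4): a denied write is ignored, a denied read returns 0,
 * and the IAC flag records the event for the TDCID processor. */
static uint32_t risaf_access(const risaf_region *r, const rif_txn *t,
                             uint32_t *mem, uint32_t val, bool *iac_flag)
{
    if (!risaf_allows(r, t)) { *iac_flag = true; return 0; }
    if (t->write) *mem = val;
    return *mem;
}
```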
2.5. Master peripherals RIF protection
Master peripherals generally have two bus connections:
- One control port to access configuration registers. This port may be protected by a RISUP to filter accesses according to rules defined in RIFSC.
- One initiator port to generate bus read/write accesses. This port may be extended by a RIMU to add transaction identifiers (CID, secure bit, privilege bit).
A RIMU's master secure bit can be set only if that peripheral's RISUP is set to be secure (i.e. a non-secure peripheral cannot initiate secure transactions).
2.6. Relationship between RIF and RCC
RCC is a RIF-aware peripheral. That means RCC integrates RIF RISUPs to protect access to its different features.
RCC offers reset and clock control for all the different peripherals present in the device.
To ease programming consistency between the RIFSC and the RCC RIF protection, a hardware inheritance exists between a peripheral's RISUP and the corresponding RCC peripheral configuration register. That means only the execution context owning the peripheral can control the associated clocks and reset.
This inheritance is not implemented for RIF-aware and system peripherals, which are used simultaneously by different execution contexts.
RCC supports peripheral auto clock gating according to the low power state of the peripheral owner. As soon as a processor enters (LP/LPLV)Stop low power mode, all peripherals (secure and nonsecure) owned by this processor are automatically clock gated. This feature does not apply to RIF-aware and system peripherals; for them, RCC implements a specific owning mechanism that links clock gating to the state of the system instead of the state of one processor.
2.7. RISAF configuration for NPU
RISAF4/5/6 are used to partition the 2-Mbyte NPU RAM.
This memory is implemented as four RAM cuts, each with its own AXI target port, but using an interleaved (re-mapped) addressing scheme.
To retain the normal software view of memory addressing, the RISAFs protecting these RAMs are placed on the three entry ports of the NPU interconnect.
The user must program an identical partitioning into each of the three RISAFs. These RISAFs are furnished with two extra regions that the secure privileged software must configure to be transparent (permissive) to all accesses on either side of the NPU RAMs.
| Protected memory | Resource name | Target bus | IAC index | Number of configurable base regions | Granularity |
|---|---|---|---|---|---|
| NPU master 0 | RISAF4 | AXI | 142 | 11 | 4 Kbytes |
| NPU master 1 | RISAF5 | AXI | 143 | 11 | 4 Kbytes |
| CPU master | RISAF6 | AXI | 144 | 11 | 4 Kbytes |
Please refer to wiki page How_to_start_with_RIF_on_STM32N6_MCUs to learn how to configure RISAF for NPU.
2.8. RIF and debug
The CID value used by debugger (DAP) accesses on the AXI bus is 0x7.
All RISAFs treat a 0x7 as a legal CID value, regardless of their configuration.
The secure privileged master can reprogram the DAPCID to allow the DAP to mimic another compartment (for example, to debug the security configuration).
This allows debugging the platform without modifying RIF configuration.