1. Article purpose[edit source]
2. Introduction[edit source]
3. ROM code peripheral assignment[edit source]
3.1. Principles[edit source]
ROM code shall be able to access all resources required for its execution whatever ROM execution context (Cold boot, Standby exit and D1 Standby exit).
Depending on ROM code execution context, part of the system could be already configured and running. System configuration should be compliant with ROM code resource needs.
- RIF configuration including RIFSC and RIF-aware peripherals
- RCC clock tree configuration
At each execution ROM code checks resource access rights based on RIF registers.
Two controls are possible:
Resource control type | What is controlled | How |
---|---|---|
Ensuring direct access | The ROM code first checks that either resource access rights are not set, or are statically assigned to A35 ; if yes it sets resource security level according to its needs. | The ROM code checks that either CID filtering is not configured, or is configured static and assigned to the A35. If yes it sets resource security level according to its needs. |
Checking access | The ROM code first checks that resource security level correspond to its needs, then it checks that either resource is statically assigned to A35, or that resource is shared via its semaphore, and semaphore can be taken within 10 ms. | The ROM code first checks that resource security level ; then it checks that either CID filtering is configured static and assigned to the A35, or CID filtering is configured dynamic (meaning resource is shared via a semaphore) and semaphore can be taken within 10 ms. |
3.2. Secure peripherals[edit source]
The ROM code always does a "check access" control on these peripherals:
Peripheral | RIF resource number | RIF block | Comment | Secure level checked |
---|---|---|---|---|
BSEC | R103 | RCC | 1 | |
BSEC | R70 | RCC | 1 | |
CPU PWR1 | R2 | PWR | power control | 1 |
STGEN | R33 | RCC | flexgen | 1 |
CPU1 | R70 | RCC | lowpwr,irq,iwdg,reset regs access | 1 |
In case of secure boot when the chip is in CLOSED-LOCKED state, the ROM code always does a "check access" control on these peripherals:
Peripheral | RIF resource number | RIF block | Secure level checked |
---|---|---|---|
RNG | R92 | RIFSC | 1 |
PKA | R93 | RIFSC | 1 |
SAES | R94 | RIFSC | 1 |
HASH | R95 | RIFSC | 1 |
CRYP1 | R96 | RIFSC | 1 |
SYSRAM/RISAB2 | R74 | RCC | 1 |
BSEC | R103 | RCC | 1 |
CA35SS | R106 | RCC | 1 |
3.3. Non-secure peripherals[edit source]
list depends on selected boot source
3.3.1. SDMMC1 access ensure[edit source]
Clock || R51 || RCC || Flexgen 51 || 0 IO || R6 || PWR || VDDIO1 || IO volt mon (PWR_C8) || 1Function | RIF resource number | RIF block | Resource description | Secure level checked |
---|
Coming soon |
Note:
- IOM not reconfigured in D1Standby exit --> right configuration to be done by ecosystem SW
- FMC R0 common register not reconfigured in D1Standby exit --> right configuration to be done by ecosystem SW
4. ROM code secure context isolation[edit source]
4.1. Principles[edit source]
- guarantee that all secure IPs used by ROM code can't preempted by another secure processor running in parallel of the ROM code.
- Guarantee that no bus master processors and peripherals can access ROM code resources (peripheral and memories)
--> No master with CID1 and Secure RIF configuration shall be active during ROM code execution
table droit d'accès avec common + lock in case of M33TD
4.2. Rules Secure peripherals RIF protection[edit source]
table avec resources