STM32MP25 firewall configuration

Applicable for STM32MP25x lines

This article describes how the STM32MP2 series firewall should be configured to allow STM32 MPU Embedded Software distribution execution.


1. Overview[edit source]

The objective of this articles is to provide guidelines for system firewall configuration taking into account the different platform constraints. On STM32MP2 series, system firewall to protect internal RAM, external memories and internal peripheral is realized by Resource Isolation Framework.
A minimal coherent RIF configuration is required to execute STM32 MPU Embedded Software distribution and support the different low power modes.

2. RIF initial hardware configuration[edit source]

The RIF is made up of several protection units like described in Resource Isolation Framework overview.
The initial hardware configuration depends on the type of peripheral/memory to protect and their usage by the ROM code.

  • RIFSC RISUP protected peripherals: Non-secure, Unprivileged and CID filtering disabled.
  • RIFSC RIMU for bus master peripherals: Non-secure, in RISUP inherited CID mode. This implies a CID0 for all bus master peripherals as RISUP initial configuration is CID filtering disabled.
  • RISAF protected external memories: Default region0 only accessible by main processor (TDCID) in secure mode (CID1 Secure when Cortex-A35 is the main processor, CID2 secure when Cortex-M33 is the main processor).
  • RISAB protected internal memories: No CID filtering, but security level depends on protected memory.
  • GPIO: GPIO is RIF-aware. By default, Secure, Unprivileged and no CID filtering.
  • RCC: RCC is RIF-aware. By default, Non-secure, Unprivileged and CID filtering disabled.

According to above statement, a minimal RIF configuration should be performed by the secure OS running on main processor (TDCID) to allow a correct and coherent execution for the embedded SW:

  • Secure level of GPIO should be aligned with execution level of SW component in charge of IO configuration.
  • Secure level of RISAB should be aligned with execution level of SW component in charge of IO configuration.
  • RISAF regions should be programmed to allow the different bus master.

3. ROM code constraints[edit source]

The STM32MP25x lines More info.png ROM code which is running on Cortex-A35, shall be certified SESIP level3. This implies a certain number of security and isolation rules to guarantee ROM code execution:

  • All secure and non secure HW resources required by ROM code shall be accessible respectively to the Cortex-A35 secure and non-secure each time the ROM code is executed (cold boot, application reset, low power exit).
    • RIFSC RISUP configuration associated to ROM code resources shall allow Cortex-A35 access
  • It shall not be possible to change RIF configuration of secure resources used by ROM code during its execution.
    • When Cortex-M33 is the main processor (TDCID), RIFSC RISUP configuration associated to ROM code secure resources must be locked.
  • No active bus master peripheral shall have same RIF configuration as Cortex-A35 secure context executing secure ROM code.
    • If a RIFSC RIMU of a bus master peripheral is defined as Secure and CID1, its associated clock must be disabled during ROM code execution.

ROM code is checking RIFSC and RISAB1&2 (dedicated to SYSRAM protection) configurations. If one setting doesn't match ROM code requirements, ROM code stops its execution and goes in failure.

4. STM32MPU Embedded Software default configuration[edit source]

STM32MPU Embedded Software proposes a default ecosystem configuration that:

  • enables Cortex-A35 and Cortex-M33 secure OS
  • enables isolation between Cortex-A35 and Cortex-M33
  • enables LTDC secure layer
  • enables authenticated Cortex-M33 coprocessor

To do that, RIF is configured to assign peripherals and features to the different execution contexts with the following rules:

  • The peripherals and resources used by Cortex-A35 secure OS are configured in secure, privilege and CID1 filtering
  • The peripherals and resources used by Cortex-M33 secure OS are configured in secure, privilege and CID2 filtering
  • The peripherals and resources shared by Cortex-A35 and by Cortex-M33 secure OS are configured in Secure, Privilege and semaphore filtering
  • The peripherals and resources used by Cortex-A35 non-secure OS are in non-secure, privilege and CID1 filtering
  • The peripherals and resources used by Cortex-M33 non-secure OS are in non-secure, privilege and CID2 filtering
  • The GPIO associated to one peripheral are configured with the same configuration as associated peripheral
  • RCC and PWR system resources (resources common to several execution contexts) are configured to be controlled by the main processor (TDCID) secure OS.
  • All peripherals used by ROM code are configured with access rights compliant with ROM code execution.

Regarding memories, RISAB and RISAF shall be configured according to product memory mapping.

  • memory region exclusively used by a SW component shall be configured to allow only access of execution context (security level, privilege level and CID) running the SW component.
  • memory region used by secure OS can be defined as encrypted
  • memory region shared between to SW components (for inter OS or processor communication) shall be configured to both execution contexts

About bus master peripheral, it is important to define the identity of their accesses by configuring RIFSC RIMU. There are two possible methods:

  • inherit from RIFSC RISUP protecting peripheral configuration register accesses: In that case, peripheral accesses will be identical to SW component controlling the peripheral. Peripheral can be seen as an extension of the execution context. There no impact on RISAF and RISAB configuration.
  • Define a dedicated configuration by setting security and privilege levels and specific CID. In that case, RISAF and RISAB configuration must be adapted to allow peripheral to access memory regions shared with SW component controlling it.

OSTL RIF ecosystem configuration for ST reference board is available in external device tree repository.

5. STM32MPU Embedded Software open configuration[edit source]

STM32MPU Embedded Software proposes also a minimal RIF firewall configuration named open configuration. The objective of this configuration is to let resources as much as possible available to Cortex-A35 non-secure and Cortex-M33 non-secure contexts and allow all SW components execution. For that, this minimal configuration is following these rules:

  • Secure resources (peripherals and memory regions) used by either Cortex-A35 or Cortex-M33 secure OS are defined as secure. CID filtering may be enabled
  • Access to peripherals (and associated IOs) unused by secure OSes are defined as non-secure, unprivileged and CID filtering disabled
  • Bus master peripherals accesses remain at their default value (non-secure, unprivileged and CID0)
  • Memory regions unused by secure OSes are configured to allow accesses from any bus master peripherals (non-secure, unprivileged, RW for all CID)

STM32MPU Embedded Software RIF open configuration is available in https://github.com/STMicroelectronics/optee_os.git

6. How to configure RIF[edit source]

The memory mapping is defined in each SW component device tree file using Reserved_memory bindings. Customer can change name, based address, size and access rights of each region according to its product needs.

To ensure the consistency of the system, memory declarations of each SW component have to be updated according to the expected configuration.

ST recommends to use CubeMX tools to generate coherent memory mapping with associated access rights.

Microprocessor unit

Random access memory (Early computer memories generally hadserial access. Memories where any given address can be accessed when desired were then called "random access" to distinguish them from the memories where contents can only be accessed in a fixed order. The term is used today for volatile random-acces ssemiconductor memories.)

Resource Isolation Framework

Read only memory

Resource Isolation Slave Unit for Peripherals - NEW

Trusted Domain Compartment IDentifier - NEW

Cortex®

General-purpose input/output (A realization of open ended transmission between devices on an embedded level. These pins available on a processor can be programmed to be used to either accept input or provide output to external devices depending on user desires and applications requirements.)

Reset and clock control

Operating system

input/output

Resource Isolation Framework Security Controller - NEW

Resource Isolation Master Unit - NEW

LCD TFT display controller (STM32 specific)

Resource Isolation Slave unit for Address space protection (Block-based) - NEW

Resource Isolation Slave unit for Address space protection (Full version) - NEW

Retrieved from "https://wiki.st.com/stm32mpu/index.php?title=STM32MP25_firewall_configuration&oldid=98499"