1. Article purpose
The purpose of this article is to describe the different requirements on system configuration (RIF, RCC) to guarantee a correct execution of the ROM code in all the supported execution contexts.
2. Introduction
The STM32MP2 ROM code is executed in different boot and low-power exit sequences:
- Cold boot to load the FSBL-A or the FSBL-M depending on main processor selection. In this context, Cortex®-M33 and other master peripherals are under reset.
- Standby exit to reload FSBL-A and restart Cortex®-A35. In this context, Cortex®-M33 and other master peripherals are maintained under reset, but part of the system is already initialized (mainly RIF).
- D1 DStandby exit to (re)load FSBL-A and restart Cortex®-A35. In this context, Cortex®-M33 and other master peripherals could be running. Moreover, the system is fully initialized (RIF, RCC...).
Depending on the main processor selection (Cortex®-A35 TDCID or Cortex®-M33 TDCID), the ROM code may or may not have the right to modify the system configuration that is under TDCID responsibility. Moreover, ROM code execution shall not impact the rest of the system during the D1Standby exit sequence.
Some rules on system configuration (RIF, RCC...) must be applied to guarantee STM32MP2 ROM code execution and isolation in the different contexts.
3. ROM code peripheral assignment
3.1. Principles
The ROM code shall be able to access all the resources required for its execution, whatever the ROM execution mode (cold boot, Standby exit and D1 Standby exit).
Depending on the ROM code execution context, part of the system could be already configured and running. The system configuration should be compliant with the ROM code resource needs:
- RIF configuration including RIFSC and RIF-aware peripherals
- RCC clock tree configuration
At each execution, the ROM code checks resource access rights based on the RIF registers (RIFSC and RIF-aware).
Four actions are possible:
Resource control type | What is controlled | How |
---|---|---|
Ensuring non-exclusive access on Cortex®-A35 boot device | The ROM code first checks that either resource access rights are not set, or are statically assigned to Cortex®-A35 | The ROM code checks that either CID filtering is not configured, or is configured static and assigned to the Cortex®-A35. |
Ensuring exclusive access | The ROM code checks that either resource is statically assigned to Cortex®-A35, or that resource is shared via its semaphore, and semaphore can be taken within 10ms. | The ROM code checks that either CID filtering is configured static and assigned to the Cortex®-A35, or CID filtering is configured dynamic (meaning resource is shared via a semaphore) and semaphore can be taken within 10ms. |
Checking security level | The ROM code checks that the resource security level corresponds to its needs | The ROM code checks that resource security level |
Setting security level | The ROM code sets the resource security level according to its needs, because in that case the security level used by ecosystem software could be different from the one used by the ROM code. | The ROM code sets resource security level according to its needs. |
3.2. Secure peripherals
The ROM code always ensures exclusive access and security level on these peripherals:
Peripheral | RIF resource number | RIF block | Comment | Secure level checked | Cold boot | Standby exit | D1 DStandby exit |
---|---|---|---|---|---|---|---|
BSEC clock | R103 | RCC | | secure | | | |
CPU1 boot, reset, IWDG management | R70 | RCC | | secure | | | |
CPU PWR1 | R2 | PWR | power control | secure | | | |
STGEN | R33 | RCC | flexgen | secure | | | |
RNG | R92 | RIFSC | | secure | | | |
In case of secure boot, when the chip is in Secured_Locked state, the ROM code always ensures exclusive access and security level on these peripherals to perform boot authentication and decryption:
Peripheral | RIF resource number | RIF block | Secure level checked | Cold boot | Standby exit | D1 DStandby exit |
---|---|---|---|---|---|---|
PKA | R93 | RIFSC | secure | |||
SAES | R94 | RIFSC | secure | |||
HASH | R95 | RIFSC | secure | |||
CRYP1 | R96 | RIFSC | secure | |||
SYSRAM/RISAB1 & RISAB2 | R74 | RCC | secure | |||
CA35SS | R106 | RCC | secure |
3.3. Nonsecure peripherals
The ROM code ensures non-exclusive access to the nonsecure peripherals used during its execution, then it tries to set the resource security level according to its needs. Note that even if the ROM code has access to the resource, it is not able to set the security level according to its needs if the resource configuration is locked with a different security level.
The ROM code adapts the list of nonsecure peripherals according to the selected boot source.
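The access and security-level rules of section 3.1, together with the lock caveat above, written as a pre-flight check that ecosystem software could run on a planned RIF configuration. This is an added example, not ST code: the decoded `rif_res` structure, the function names and the sample values are hypothetical, and it assumes Cortex®-A35 uses CID1.

```c
#include <stdbool.h>

/* Hypothetical decoded view of one RIF resource; not a register layout. */
enum cid_mode { CID_OFF, CID_STATIC, CID_DYNAMIC };  /* DYNAMIC: semaphore-shared */
enum level { NONSECURE, SECURE };
enum { CID_CA35 = 1 };      /* assumption: Cortex-A35 uses CID1 */
#define SEM_TIMEOUT_MS 10u  /* semaphore timeout stated in section 3.1 */

struct rif_res {
    enum cid_mode mode;
    int cid;                /* owner when mode == CID_STATIC */
    unsigned sem_wait_ms;   /* constructed: delay before the semaphore is free */
    enum level sec, need;   /* current level, level the ROM code needs */
    bool locked;            /* security configuration locked */
    bool exclusive;         /* true: section 3.2 rules, false: section 3.3 rules */
};

static bool owned_by_ca35(const struct rif_res *r)
{
    return r->mode == CID_STATIC && r->cid == CID_CA35;
}

/* True when the ROM code gets the resource in the state it needs. */
bool rom_can_use(const struct rif_res *r)
{
    if (r->exclusive) {     /* exclusive access, level checked but never changed */
        bool sem_ok = r->mode == CID_DYNAMIC && r->sem_wait_ms <= SEM_TIMEOUT_MS;
        return (owned_by_ca35(r) || sem_ok) && r->sec == r->need;
    }
    if (r->mode != CID_OFF && !owned_by_ca35(r))
        return false;       /* non-exclusive access refused */
    return !(r->locked && r->sec != r->need);  /* level can be set unless locked */
}

/* Index of the first resource the ROM code could not use, or -1 if none. */
int first_blocker(const struct rif_res *tab, unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        if (!rom_can_use(&tab[i]))
            return (int)i;
    return -1;
}

/* Constructed configuration: resources named on this page, values invented. */
static const struct rif_res sample[] = {
    { CID_DYNAMIC, 0, 3, SECURE, SECURE,    false, true  },  /* RNG (R92) */
    { CID_OFF,     0, 0, SECURE, NONSECURE, false, false },  /* GPIO PE3 */
    { CID_STATIC,  1, 0, SECURE, NONSECURE, true,  false },  /* SDMMC1 (R76) */
};
int sample_blocker(void) { return first_blocker(sample, 3); }
```

In the constructed table the SDMMC1 controller is reachable by the Cortex®-A35 but locked secure, so it is the entry reported.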
3.3.1. SDMMC1 access ensure
Checked in the following boot selections:
- Cortex®-A35 main processor
  - Boot from eMMC SDMMC1
  - Boot from SD card SDMMC1
- Cortex®-M33 main processor single boot device
  - Boot from eMMC SDMMC1
  - Boot from SD card SDMMC1
- Cortex®-M33 main processor dual boot device
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from eMMC SDMMC1
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from SD card SDMMC1
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from eMMC SDMMC1
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from SD card SDMMC1
The following table lists the resources associated with SDMMC1.
Function | RIF resource number | RIF block | Resource description | Secure level set | Check at cold boot | Check at Standby exit | Check at D1 DStandby exit |
---|---|---|---|---|---|---|---|
Root Clock SDMMC1 | R51 | RCC | Flexgen 51 | nonsecure | |||
Clock GPIOE | R94 | RCC | GPIO E clock config | nonsecure | |||
IO voltage protection | R6 | PWR | VDDIO1 (PWR_C8) | secure | |||
GPIO PE3 | R3 | GPIOE | SDMMC1_CK | nonsecure | |||
GPIO PE2 | R2 | GPIOE | SDMMC1_CMD | nonsecure | |||
GPIO PE4 | R4 | GPIOE | SDMMC1_D0 | nonsecure | |||
SDMMC1 | R76 | RIFSC | SDMMC1 controller | nonsecure |
3.3.2. SDMMC2 access ensure
Checked in the following boot selections:
- Cortex®-A35 main processor
  - Boot from eMMC SDMMC2
  - Boot from SD card SDMMC2
- Cortex®-M33 main processor single boot device
  - Boot from eMMC SDMMC2
  - Boot from SD card SDMMC2
- Cortex®-M33 main processor dual boot device
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from eMMC SDMMC2
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from SD card SDMMC2
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from eMMC SDMMC2
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from SD card SDMMC2
The following table lists the resources associated with SDMMC2.
Function | RIF resource number | RIF block | Resource description | Secure level set | Check at cold boot | Check at Standby exit | Check at D1 DStandby exit |
---|---|---|---|---|---|---|---|
Root Clock SDMMC2 | R52 | RCC | Flexgen 52 | nonsecure | |||
Clock GPIOE | R94 | RCC | GPIO E clock config | nonsecure | |||
IO voltage protection | R5 | PWR | VDDIO2 (PWR_C7) | secure | |||
GPIO PE14 | R14 | GPIOE | SDMMC2_CK | nonsecure | |||
GPIO PE15 | R15 | GPIOE | SDMMC2_CMD | nonsecure | |||
GPIO PE13 | R13 | GPIOE | SDMMC2_D0 | nonsecure | |||
SDMMC2 | R77 | RIFSC | SDMMC2 controller | nonsecure |
3.3.3. OCTOSPI1 access ensure
Checked in the following boot selections:
- Cortex®-A35 main processor
  - Boot from sNAND
  - Boot from sNOR
  - Boot from Hyperflash
- Cortex®-M33 main processor single boot device
  - Boot from sNAND
  - Boot from sNOR
  - Boot from Hyperflash
- Cortex®-M33 main processor dual boot device
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from eMMC SDMMC1
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from SD card SDMMC1
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from eMMC SDMMC1
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from SD card SDMMC1
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from eMMC SDMMC2
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from SD card SDMMC2
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from eMMC SDMMC2
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from SD card SDMMC2
The following table lists the resources associated with OctoSPI1.
Function | RIF resource number | RIF block | Resource description | Secure level set | Check at cold boot | Check at Standby exit | Check at D1 DStandby exit |
---|---|---|---|---|---|---|---|
Root Clock Octospi1 | R48 | RCC | Flexgen 48 | nonsecure | |||
Octospi1 Clock gating | R110 | RCC | Octospi1 clock and reset | nonsecure | |||
Octospi1 interface | R74 | RIFSC | Octospi1 interface | nonsecure | |||
IOM | R111 | RIFSC | IOManager | secure | |||
IO voltage protection | R0 | PWR | VDDIO3 & VDDIO4 (PWR_CR1) | secure | |||
Clock GPIOB | R91 | RCC | GPIO B clock config | nonsecure | |||
Clock GPIOD | R93 | RCC | GPIO D clock config | nonsecure | |||
GPIO PD 0, 3-5 | R0, 3-5 | GPIOD | Port 1 config single wire | nonsecure | |||
GPIO PD 1, 2, 6-11 | R1, 2, 6-11 | GPIOD | Port 1 hyperflash | nonsecure | |||
GPIO PE 0, 1, 8, 10 | R0, 1, 8, 10 | GPIOE | Port 2 config single wire | nonsecure | |||
GPIO PE 2-7, 9, 11 | R2-7, 9, 11 | GPIOE | Port 2 hyperflash | nonsecure |
Information: The OctoSPI1 and OctoSPI2 controllers are connected to the physical ports through the IO Manager (IOM), which supports different modes (direct, swap or muxed). The mode is set by ecosystem software according to the board definition. When executing the D1 DStandby exit procedure, the ROM code cannot modify the IOM configuration set by ecosystem software, so as not to disturb the rest of the system. It is the responsibility of ecosystem software to set an IOM configuration that guarantees ROM code execution.
3.3.4. FMC raw NAND
Checked in the following boot selections:
- Cortex®-A35 main processor
  - Boot from FMC raw NAND
- Cortex®-M33 main processor single boot device
  - Boot from FMC raw NAND
- Cortex®-M33 main processor dual boot device
  - Boot Cortex®-M33 from sNOR and Cortex®-A35 from FMC raw NAND
  - Boot Cortex®-M33 from Hyperflash and Cortex®-A35 from FMC raw NAND
The following table lists the resources associated with FMC.
Function | RIF resource number | RIF block | Resource description | Secure level set | Check at cold boot | Check at Standby exit | Check at D1 DStandby exit |
---|---|---|---|---|---|---|---|
Root Clock FMC | R50 | RCC | Flexgen 50 | nonsecure | |||
FMC clock gating | R112 | RCC | FMC clock and reset | nonsecure | |||
Clock GPIOB | R91 | RCC | GPIO B clock config | nonsecure | |||
Clock GPIOD | R93 | RCC | GPIO D clock config | nonsecure | |||
Clock GPIOE | R94 | RCC | GPIO E clock config | nonsecure | |||
IO voltage protection | R5 | PWR | VDDIO2 (PWR_C7) | secure | |||
GPIO PB 13-14 | R13-14 | GPIOB | 8bit config (12 IOs) | nonsecure | |||
GPIO PD 12,14-15 | R12, 14-15 | GPIOD | 8bit config (12 IOs) | nonsecure | |||
GPIO PE 6-9, 11-15 | R6-9, 11-15 | GPIOE | 8bit config (12 IOs) | nonsecure | |||
GPIO PB 5-11 | R5-11 | GPIOB | 16bit config added | nonsecure | |||
GPIO PD13 | R13 | GPIOD | 16bit config added | nonsecure | |||
FMC R0 | R0 | FMC | FMC common resource | nonsecure | |||
FMC R5 | R5 | FMC | FMC NAND controller | nonsecure |
Information: FMC is a RIF-aware peripheral. Each FMC internal controller could be allocated to a different execution context.
That means FMC could be used by Cortex®-M33 while the ROM code is executing the D1 DStandby exit sequence. As the ROM code does not know the product definition, it considers that the common FMC resources (FMC_R0, clock, associated IOs) are configured by ecosystem software. The ROM code does not reconfigure these items in case of D1 DStandby exit, except if the FMC clock is disabled: in this case the ROM code considers that FMC is not used by Cortex®-M33 and does the needed FMC configuration.
4. ROM code secure context isolation
4.1. Principles
The STM32MP2 ROM code is SESIP level 3 certified. This implies some guarantees regarding the isolation of the ROM code secure execution.
The ROM code defines some RIF configuration rules on ecosystem software to:
- guarantee that all secure internal peripherals used by the ROM code are exclusively assigned to the Cortex®-A35 secure context during ROM code execution and cannot be preempted by another secure processor running in parallel with the ROM code.
- guarantee that no processor and no bus master peripheral can access secure resources (peripherals and memories) owned by the ROM code. That means no master with a secure level and CID1 RIF configuration shall be active during ROM code execution.
4.2. Rules on secure SYSRAM
SYSRAM is protected by RISAB1 and RISAB2, which are under the control of the Cortex®-A35 secure context. This is an exception in the RIF, as normally the control of all the RIF units is under the main processor secure context (TDCID) responsibility. This exception guarantees SYSRAM isolation during ROM code execution whatever the main processor selection.
4.3. Rules on secure peripherals RIF protection
When Cortex®-A35 is the main processor, the Cortex®-A35 secure context controls the RIF configuration. When the ROM code is running, no other master can modify the RIF configuration. Checking access to the secure peripherals is enough to guarantee ROM code exclusive access.
When Cortex®-M33 is the main processor, the Cortex®-M33 secure context controls the RIF configuration. When the ROM code is running, the Cortex®-M33 secure context can modify the RIF configuration, which can compromise ROM code exclusive access. To guarantee ROM code exclusive access to secure peripherals, the associated RIF configuration must be locked.
In addition to access checking, the ROM code also verifies the RIF lock status. If the lock is not set, the ROM code goes into failure mode.
The following table lists all the RIF locks checked by the ROM code in a Cortex®-M33 main processor, Secured_Locked boot.
Peripheral | RIF resource number | RIF block | Secure level checked | D1 DStandby exit lock check |
---|---|---|---|---|
BSEC clock | R103 | RCC | ||
CPU1 boot, reset, IWDG management | R70 | RCC | ||
CPU PWR1 | R2 | PWR | ||
STGEN | R33 | RCC | ||
RNG | R92 | RIFSC | ||
PKA | R93 | RIFSC | ||
SAES | R94 | RIFSC | ||
HASH | R95 | RIFSC | ||
CRYP1 | R96 | RIFSC | ||
SYSRAM/RISAB2 | R74 | RCC | ||
CA35SS | R106 | RCC |
4.4. Rules on master peripherals RIF protection
During ROM code execution, it shall not be possible for another master to access peripherals and memories assigned to the ROM code secure context (CID1 secure).
For that, the ROM code checks the RIFSC RIMU configuration to detect any master with a CID1 secure configuration:
- RIFSC RIMU is set to secure and RIFSC RISUP is also set to secure (if RIFSC RISUP is set to nonsecure, this ties the RIMU secure level to nonsecure)
- RIFSC RIMU is set to CID1, or RIFSC RIMU is set in CID inheritance mode and RIFSC RISUP is set to CID1
If the RIF configuration of a master matches the CID1 secure one, the ROM code verifies in the associated RCC registers whether this peripheral is running (clock enabled).
If it is running, the ROM code goes into failure mode. Note that in case of SD or eMMC boot, only the SDMMC interfaces that are not used for that boot are checked here.
In the case of Cortex®-M33 main processor, Cortex®-M33 can modify RIFSC RISUP and RIMU during ROM code execution. In addition to the access right verification, the ROM code also verifies that the RIMU and associated RISUP are locked.
The following table sums up the master peripheral RIFSC resources checked by the ROM code.
Bus master peripheral | RIFSC RIMU index | RIFSC RISUP index | D1 DStandby exit RISUP lock check |
---|---|---|---|
SDMMC1 | 1 | 76 | |
SDMMC2 | 2 | 77 | |
SDMMC3 | 3 | 78 | |
USB3DR | 4 | 66 | |
USBH | 5 | 63 | |
ETH1 | 6 | 60 | |
ETH2 | 7 | 61 | |
PCIE | 8 | 68 | |
GPU | 9 | 79 | |
DCMIPP | 10 | 87 | |
LTDC | 11, 12, 13 | NA | |
VDEC | 14 | 89 | |
VENC | 15 | 90 |
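The master check of section 4.4, written as an audit that ecosystem software could run against its own RIFSC plan before handing control to a low-power sequence. This is an added example, not ST code: the `master_cfg` structure, its field names and the sample values are hypothetical decoded settings rather than register layouts, and skipping the boot SDMMC interface for the lock check as well is an assumption.

```c
#include <stdbool.h>

/* Hypothetical decoded view of one bus master; field names are not register names. */
enum { CID_ROM = 1 };            /* CID1, the ROM code secure context on this page */
struct master_cfg {
    const char *name;
    int rimu, risup;             /* RIFSC indexes from the table above */
    bool rimu_sec, risup_sec;
    bool rimu_inherit;           /* RIMU in CID inheritance mode */
    int rimu_cid, risup_cid;
    bool rimu_locked, risup_locked;
    bool clock_enabled;          /* RCC: the master is running */
    bool boot_interface;         /* SDMMC used for this boot: not checked */
};
enum verdict { MASTER_OK, MASTER_CID1_SECURE_RUNNING, MASTER_UNLOCKED };

/* Applies the section 4.4 rules to one master. */
enum verdict check_master(const struct master_cfg *m, bool m33_is_main)
{
    bool secure = m->rimu_sec && m->risup_sec;  /* nonsecure RISUP wins over RIMU */
    int cid = m->rimu_inherit ? m->risup_cid : m->rimu_cid;

    if (m->boot_interface)
        return MASTER_OK;        /* assumption: skipped for the lock check too */
    if (secure && cid == CID_ROM && m->clock_enabled)
        return MASTER_CID1_SECURE_RUNNING;
    if (m33_is_main && !(m->rimu_locked && m->risup_locked))
        return MASTER_UNLOCKED;  /* Cortex-M33 could still change the setup */
    return MASTER_OK;
}

/* Constructed sample: indexes from the table above, settings invented. */
static const struct master_cfg sample[] = {
    { "SDMMC1", 1, 76, true,  true,  false, 1, 1, true, true,  true,  true  },
    { "ETH1",   6, 60, true,  false, false, 1, 1, true, true,  true,  false },
    { "GPU",    9, 79, true,  true,  true,  2, 1, true, true,  true,  false },
    { "USBH",   5, 63, false, false, false, 2, 2, true, false, false, false },
};

/* Number of sample masters that would send the ROM code into failure mode. */
int count_failures(bool m33_is_main)
{
    int n = 0;
    for (unsigned i = 0; i < sizeof sample / sizeof sample[0]; i++)
        n += check_master(&sample[i], m33_is_main) != MASTER_OK;
    return n;
}
```

In the constructed sample, GPU fails in both cases because it inherits CID1 from its RISUP while clocked, and USBH fails only with Cortex®-M33 as main processor because its RISUP is unlocked.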