STM32MP2 ROM code resource isolation

1. Article purpose[edit source]

The purpose of this article is to describe the different requirements on system configuration (RIF, RCC) to guarantee a correct execution of the ROM code in all the supported execution contexts.

2. Introduction[edit source]

The STM32MP2 ROM code is executed in different boot and lower power exit sequences:

Cold boot to load the FSBL-A or the FSBL-M depending on main processor selection. In this context, Cortex^®-M33 and other master peripherals are under reset.
Standby exit to reload FSBL-A and restart Cortex^®-A35. In this context, Cortex^®-M33 and other master peripherals are maintained under reset. But part of the system is initialized (Mainly RIF)
D1 DStandby exit to (re)load FSBL-A and restart Cortex^®-A35. In the context, Cortex^®-M33 and other master peripherals could be running. Moreover system is fully initialized (RIF, RCC...)

Depending on main processor selection (Cortex^®-A35 TDCID or Cortex^®-M33 TDCID), ROM code has or has not the right to modify system configuration under TDCID responsibility. Moreover ROM code execution shall not impact rest of system during D1Stanby exit sequence.

Some rules on system configuration (RIF, RCC...) must be applied to guarantee STM32MP2 ROM code execution and isolation in the different contexts:

3. ROM code peripheral assignment[edit source]

3.1. Principles[edit source]

ROM code shall be able to access all resources required for its execution whatever ROM execution modes (Cold boot, Standby exit and D1 Standby exit).

Depending on ROM code execution context, part of the system could be already configured and running. System configuration should be compliant with ROM code resource needs.

RIF configuration including RIFSC and RIF-aware peripherals
RCC clock tree configuration

At each execution, ROM code checks resource access rights based on RIF registers (RIFSC and RIF-aware).

Four actions are possible:

Resource control type	What is controlled	How
Ensuring non-exclusive access on Cortex^®-A35 boot device	The ROM code first checks that either resource access rights are not set, or are statically assigned to Cortex^®-A35	The ROM code checks that either CID filtering is not configured, or is configured static and assigned to the Cortex^®-A35.
Ensuring exclusive access	The ROM code checks that either resource is statically assigned to Cortex^®-A35, or that resource is shared via its semaphore, and semaphore can be taken within 10ms.	The ROM code checks that either CID filtering is configured static and assigned to the Cortex^®-A35, or CID filtering is configured dynamic (meaning resource is shared via a semaphore) and semaphore can be taken within 10ms.
Checking security level	The ROM code checks that resource security level correspond to its needs	The ROM code checks that resource security level
Setting security level	The ROM code sets resource security level according to its needs. Indeed in that case security level used by ecosystem software could be different from ROM code one.	The ROM code sets resource security level according to its needs.

3.2. Secure peripherals[edit source]

The ROM code always ensure exclusive access and security level on these peripherals:

Peripheral	RIF resource number	RIF block	Comment	Secure level checked
BSEC clock	R103	RCC		secure
CPU1 boot, reset, IWDG management	R70	RCC		secure
CPU PWR1	R2	PWR	power control	secure
STGEN	R33	RCC	flexgen	secure
RNG	R92	RIFSC		secure

In case of secure boot when the chip is in Secured_Locked state, the ROM code always ensure exclusive access and security level on these peripherals to perform boot authentication and decryption:

Peripheral	RIF resource number	RIF block	Secure level checked
PKA	R93	RIFSC	secure
SAES	R94	RIFSC	secure
HASH	R95	RIFSC	secure
CRYP1	R96	RIFSC	secure
SYSRAM/RISAB1 & RISAB2	R74	RCC	secure
CA35SS	R106	RCC	secure

3.3. Nonsecure peripherals[edit source]

ROM code ensures non-exclusive access to nonsecure peripherals used during its execution, then it tries to set resource security level according to its needs. Note that even if ROM code has access to the resource, it will not be able to set the security level according to its need if the resource configuration is locked with a different security level.

ROM code adapts list of nonsecure peripherals according to selected boot source.

3.3.1. SDMMC1 access ensure[edit source]

Check in the following boot selection:

Cortex^®-A35 main processor

Boot from eMMC SDMMC1
Boot from SD card SDMMC1

Cortex^®-M33 main processor single boot device

Boot from eMMC SDMMC1
Boot from SD card SDMMC1

Cortex^®-M33 main processor dual boot device

Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from eMMC SDMMC1
Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from SD card SDMMC1
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from eMMC SDMMC1
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from SD card SDMMC1

The following table list resources associated to SDMMC1.

Function	RIF resource number	RIF block	Resource description	Secure level set
Root Clock SDMMC1	R51	RCC	Flexgen 51	nonsecure
Clock GPIOE	R94	RCC	GPIO E clock config	nonsecure
IO voltage protection	R6	PWR	VDDIO1 (PWR_C8)	secure
GPIO PE3	R3	GPIOE	SDMMC1_CK	nonsecure
GPIO PE2	R2	GPIOE	SDMMC1_CMD	nonsecure
GPIO PE4	R4	GPIOE	SDMMC1_D0	nonsecure
SDMMC1	R76	RIFSC	SDMMC1 controller	nonsecure

3.3.2. SDMMC2 access ensure[edit source]

Check in the following boot selection:

Cortex^®-A35 main processor

Boot from eMMC SDMMC2
Boot from SD card SDMMC2

Cortex^®-M33 main processor single boot device

Boot from eMMC SDMMC2
Boot from SD card SDMMC2

Cortex^®-M33 main processor dual boot device

Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from eMMC SDMMC2
Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from SD card SDMMC2
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from eMMC SDMMC2
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from SD card SDMMC2

The following table list resources associated to SDMMC2.

Function	RIF resource number	RIF block	Resource description	Secure level set
Root Clock SDMMC2	R52	RCC	Flexgen 52	nonsecure
Clock GPIOE	R94	RCC	GPIO E clock config	nonsecure
IO voltage protection	R5	PWR	VDDIO2 (PWR_C7)	secure
GPIO PE14	R14	GPIOE	SDMMC2_CK	nonsecure
GPIO PE15	R15	GPIOE	SDMMC2_CMD	nonsecure
GPIO PE13	R13	GPIOE	SDMMC2_D0	nonsecure
SDMMC2	R77	RIFSC	SDMMC1 controller	nonsecure

3.3.3. OCTOSPI1 access ensure[edit source]

Check in the following boot selection:

Cortex^®-A35 main processor

Boot from sNAND
Boot from sNOR
Boot from Hyperflash

Cortex^®-M33 main processor single boot device

Boot from sNAND
Boot from sNOR
Boot from Hyperflash

Cortex^®-M33 main processor dual boot device

Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from eMMC SDMMC1
Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from SD card SDMMC1
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from eMMC SDMMC1
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from SD card SDMMC1
Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from eMMC SDMMC2
Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from SD card SDMMC2
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from eMMC SDMMC2
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from SD card SDMMC2

The following table list resources associated to OctoSPI1.

Function	RIF resource number	RIF block	Resource description	Secure level set
Root Clock Octospi1	R48	RCC	Flexgen 48	nonsecure
Octospi1 Clock gating	R110	RCC	Octospi1 clock and reset	nonsecure
Octospi1 interface	R74	RIFSC	Octospi1 interface	nonsecure
IOM	R111	RIFSC	IOManager	secure
IO voltage protection	R0	PWR	VDDIO3 & VDDIO4 (PWR_CR1)	secure
Clock GPIOB	R91	RCC	GPIO B clock config	nonsecure
Clock GPIOD	R93	RCC	GPIO B clock config	nonsecure
GPIO PD 0, 3-5	R0, 3-5	GPIOD	Port 1 config single wire	nonsecure
GPIO PD 1, 2, 6-11	R1, 2, 6-11	GPIOD	Port 1 hyperflash	nonsecure
GPIO PE 0, 1, 8, 10	R0, 1, 8, 10	GPIOE	Port 2 config single wire	nonsecure
GPIO PE 2-7, 9, 11	R2-7, 9, 11	GPIOE	Port 2 hyperflash	nonsecure

Information

OctoSPI1 and OctoSPI2 controllers connected to the physical port thanks to the IO Manager (IOM) which support different modes (direct, swap or muxed). Mode is set by ecosystem software according to board definition. When executed D1 DStandby exit procedure, ROM code cannot modify IOM configuration set by ecosystem software to not disturb reset of the system. It is ecosystem software responsibility to set an IOM configuration that guarantee ROM code execution.

3.3.4. FMC raw NAND[edit source]

Check in the following boot selection:

Cortex^®-A35 main processor

Boot from FMC raw NAND

Cortex^®-M33 main processor single boot device

Boot from FMC raw NAND

Cortex^®-M33 main processor dual boot device

Boot Cortex^®-M33 from sNOR and Cortex^®-A35 from FMC raw NAND
Boot Cortex^®-M33 from Hyperflash and Cortex^®-A35 from FMC raw NAND

The following table list resources associated to FMC.

Function	RIF resource number	RIF block	Resource description	Secure level set
Root Clock FMC	R50	RCC	Flexgen 50	nonsecure
FMC clock gating	R112	RCC	FMC clock and reset	nonsecure
Clock GPIOB	R91	RCC	GPIO B clock config	nonsecure
Clock GPIOD	R93	RCC	GPIO D clock config	nonsecure
Clock GPIOE	R94	RCC	GPIO E clock config	nonsecure
IO voltage protection	R5	PWR	VDDIO2 (PWR_C7)	secure
GPIO PB 13-14	R13-14	GPIOB	8bit config (12 IOs)	nonsecure
GPIO PD 12,14-15	R12, 14-15	GPIOD	8bit config (12 IOs)	nonsecure
GPIO PE 6-9, 11-15	R6-9, 11-15	GPIOE	8bit config (12 IOs)	nonsecure
GPIO PB 5-11	R5-11	GPIOB	16bit config added	nonsecure
GPIO PD13	R13	GPIOD	16bit config added	nonsecure
FMC R0	R0	FMC	FMC common resource	nonsecure
FMC R5	R5	FMC	FMC NAND controler	nonsecure

Information

FMC is a RIF-aware peripheral. Each FMC internal controller could be allocated to a different execution context.

That means FMC could be used by Cortex^®-M33 when ROM code is executing D1 DStandby exit sequence. As ROM code does not know about product definition, ROM code considers that common FMC resources (FMC_R0, clock, associated IOs) are configured by ecosystem software. ROM is not reconfiguring these items in case of D1 DStandby exit except if FMC clock is disabled, in this case ROM code consider FMC not used by Cortex^®-M33 and do the needed FMC configuration.

4. ROM code secure context isolation[edit source]

4.1. Principles[edit source]

The STM32MP2 ROM code is SESIP level 3 certified. This implies some guarantees regarding the isolation of the ROM code secure execution.
ROM code defines some RIF configuration rules on ecosystem software to:

guarantee that all secure internal peripherals used by ROM code are exclusively assigned to the Cortex^®-A35 secure context during ROM code execution and can't preempted by another secure processor running in parallel of the ROM code.
guarantee that no processor and no bus master peripheral can access secure resources (peripheral and memories) owned by ROM code. That means no master with secure level and CID1 RIF configuration shall be active during ROM code execution

4.2. Rules on secure SYSRAM[edit source]

SYSRAM is protected by RISAB1 and RISAB2 which are under the control of Cortex^®-A35 secure context. This is an exception in the RIF as normally all the control of all the RIF units is under the main processor secure context (TDCID) responsibility. This allows to guarantee the SYSRAM isolation during ROM code execution whatever main processor selection.

4.3. Rules on secure peripherals RIF protection[edit source]

When Cortex^®-A35 is the main processor, Cortex^®-A35 secure context controls RIF configuration. When ROM code is running, no other master can modify RIF configuration. Checking access to secure peripheral is enough to guarantee ROM code exclusive access.

When Cortex^®-M33 is the main processor, the Cortex^®-M33 secure context controls RIF configuration. When ROM code is running, Cortex^®-M33 secure context can modify RIF configuration which can compromise ROM code exclusive access. To guarantee ROM code exclusive access to secure peripherals, associated RIF configuration must be locked.
In addition to access checking, ROM code also verifies RIF lock status. If not set, ROM code goes in failure mode.

The following table list all RIF locks checked by ROM code in Cortex^®-M33 main processor, Secured_Locked boot.

Peripheral	RIF resource number	RIF block
BSEC clock	R103	RCC
CPU1 boot, reset, IWDG management	R70	RCC
CPU PWR1	R2	PWR
STGEN	R33	RCC
RNG	R92	RIFSC
PKA	R93	RIFSC
SAES	R94	RIFSC
HASH	R95	RIFSC
CRYP1	R96	RIFSC
SYSRAM/RISAB2	R74	RCC
CA35SS	R106	RCC

4.4. Rules on master peripherals RIF protection[edit source]

During ROM code execution, it shall not be possible for another master to access peripherals and memories assigned to ROM code secure context (CID1 secure).

For that, ROM code checks RIFSC RIMU configuration to detect any master with CID1 secure configuration:

RIFSC RIMU sets to secure and RIFSC RISUP also set to secure (if RIFSC RISUP is set to nonsecure, this tie RIMU secure level to nonsecure)
RISFC RIMU sets to CID1 or RIFSC RIMU set in CID inheritance mode and RIFSC RISUP set to CID1

If the RIF configuration of a master matches CID1 secure one, ROM code verifies if this peripheral is running or not in associated RCC registers (clock enabled).
In such case, ROM code goes in failure mode. Note that in case of SD or eMMC boot, only SDMMC interfaces that are not used for that boot are checked here.

In the case of Cortex^®-M33 main processor, Cortex^®-M33 can modify RIFSC RISUP and RIMU during ROM code execution. In addition to access right verification, ROM code also verifies that RIMU and associated RISUP are locked.

The following table sums up the master peripheral RIFSC resources checked by ROM code.

Bus master peripheral	RIFSC RIMU index	RIFSC RISUP index
SDMMC1	1	76
SDMMC2	2	77
SDMMC3	3	78
USB3DR	4	66
USBH	5	63
ETH1	6	60
ETH2	7	61
PCIE	8	68
GPU	9	79
DCMIPP	10	87
LTDC	11, 12, 13	NA
VDEC	14	89
VENC	15	90

Warning

In addition, ROM code checks that no HPDMA channel owned by CID1 secure context is not armed.