Hi experts,
Based on the manual of TZC-400, we could set up at most 8 regions with different security settings.
However, I'm wondering, when a normal world(non-secure) application read or write a specific address, how does the TZC-400 decide whether the address is secure or not?
I think region 1-8 could overlap addresses with each other so I'm confused about how to decide the security of an address.
Any suggestion or discussion is welcomed.
Thank you.
Simon
Hi Ash,
I think you already answered all my questions very clearly above so I marked the above answer as the correct one. Hope it could help other users too!
I just got last question based on your reply, when you mentioned
Secure accesses passing through filter unit 0 (i.e. from one of the A-class processors or GPU) can read and write the region, while Secure accesses passing through filter unit 1 unit 1 (i.e. from the DMA or LCD) cannot access the region.
How does the board configure the filter unit 0 for AP / GPU while filter unit 1 for DMA/LCD? I tried to search the firmware code while I don't get where it is.
I really appreciate your answer and patient, hope you have a wonderful thanksgiving!
Hi Simon,
It doesn't; that diagram is from the TZC-400 Technical Reference Manual as an example system using a TZC-400, not from the Juno documentation.
In practice on most systems you'll configure all filter units to have the same configuration, which is what happens on Juno. You can see here that each region is configured using PLAT_ARM_TZC_FILTERS, which equates to TZC_400_REGION_ATTR_FILTER_BIT_ALL, which in turn collapses to (0xF << 0), i.e. 4b1111. This mask is written to the filter_en field (bits [3:0]) of the corresponding region's REGION_ATTRIBUTES_<n> register. In other words, all configured regions are enabled for all 4 filter units.
Hope that helps.
You too
Ash
Oh I understand the part about connecting filters with regions. Sorry I don't make the question clear.
My question is how to configure the relationship between CPU/GPU/DMA/LCD with those filters. Is there any configuration like CPU needs to connect with filter 0 or DMA needs to connect with filter 3?
In what context?
If you mean something along the lines of "does the TZC-400 mandate that CPUs are connected to filter 0 while DMA engines are connected to filter 3", then no; the 4 filter units are identical in terms of functionality and system designers are free to wire them up however they want.