Hi experts,
I'm using a Juno r1 board which is deployed with a Yukon Ultra-2 Ethernet Controller. Now I'm working on a project which is trying to protect some registers of this NIC based on the TrustZone technology so the best solution for me is configuring these registers as secure-world access-only. My thought is setting the physical address of these registers as secure world address while I'm not sure if it's possible or not.
If this is not feasible, then I want to know can I configure the entire NIC with S/NS attributes dynamically during the runtime? For example, when the normal world switch to the secure world, EL3 configure the NIC as secure-world device and recover it as the NS device after the secure world execution.
Any suggestion or related document is appreciated! Thank you in advance.
Simon
Hi,
There are lots of ways to implement the necessary security in hardware, the approach depends on how sophisticated the peripheral is and whether its status needs to be configurable at boot time by secure software.
I think you've picked a complicated example:-)
In my first post I was thinking about a very simple example of a CPU reading a simple secure peripheral/register. (e.g. some of the MHU registers are secure access only). This peripheral is "security aware" and some registers are only accessible using secure accesses (with AxPROT asserted).
The HDLCD example is Figure 2-7 in the Juno SoC TRM "Trustzone Display controller". The peripheral is assumed to read from a frame buffer in secure memory.
The HDLCD controller is not aware of security signals on the bus. i.e. it can't generate a secure or non secure bus transaction itself. However the SMMU (MMU-401) in front of the HDLCD can be configured so that the reads are propagated to the NIC as either Secure or Non Secure.
The System Override register is a simple custom peripheral that ensures that all accesses are propagated as Secure, regardless of the SMMU programming.
Either the port on the NIC associated with the Trusted Memory or the some logic before (or inside) the memory will generate a bus error if the access is not Secure. (i.e. If AXPROT is not asserted appropriately)
I hope that helps
MarkN.
Hi Mark,
Thank you for your kindly detailed explanation on the HDLCD controller.
I think I understand how does the transaction generated from HDLCD controller is configured as S/NS transaction. However, I'm still confused about the following case:
Assume I set the HDLCD controller as trusted on both SMMU and SEC_HDLCD register, and the controller can read the data from the secure memory. Now if a core with NS privilege generates a read transaction on the address area belong to this HDLCD controller via memory-mapped I/O, is this transaction blocked by some component?
Thank you again for your help.