In processors supporting TrustZone, how is secure memory access protected from a non- secure world application accessing it?

For example, we define a region to be secure. If a non secure app is trying to acess that region, what protection mechanism exists in hardware which will prevent that?

  • A single physical core can execute code from both the

    Normal world and the Secure world in a time-sliced fashion. The memory system is similarly

    divided. An additional bit, indicating whether the access is Secure or Non-Secure (the NS bit)

    is added to all memory system transactions, including cache tags and access to system memory

    and peripherals. This can be considered as an additional address bit, giving a 32-bit physical

    address space for the Secure world and a completely separate 32-bit physical address space for

    the Normal world.

    If a non secure app access a secure region the slave would respond by issuing SLVERR on its response(RRESP for read & BRESP for write) channel.

    Additionally, if an app needs to access a secure region it can do that by first going into the monitor mode and then writing to this register SCR NS bit.

    The NS bit in the Secure Configuration Register (SCR) in CP15 indicates which world the core

    is currently in. In Monitor mode, the core is always executing in the Secure world, regardless of

    the value of the SCR NS-bit that is used to signal which world you were previously in.

  • TrustZone provides two physical address spaces, Secure and Non-secure.

    When in Non-secure state (also known as "Normal world"), _all_ virtual addresses translate to Non-secure physical addresses.  There is nothing software can do to override this.

    When in Secure state, virtual addresses can translate to either Secure or Non-secure physical addresses.  This is controlled by a bit in the translation tables (*).

    The type of address (Secure or Non-secure) is signaled for each bus transaction,  If using AXI, the signal is AxPROT[1].

    A Non-secure access (AxPROT[1]==1) to a Secure peripheral/address range will get blocked by the memory system.

    How does the memory system determine if a peripheral/address range is Secure/Non-secure?  It can hard wired, or could be configurable.  For example, using a TrustZone Address Space Controller (TZASC).  Alternatively, many interconnects have registers to program whether a given slave is Secure/Non-secure.

    Some peripherals, such as the GIC, will accept both Secure and Non-secure accesses.  The peripheral internally uses the AxPROT signal to gate access to certain functionality.  E.g. only Secure acceses can configure "secure" interrupts.

    (* The bit is still there in Non-secure state, but ignored by hardware)