6. Resource isolation framework security controller (RIFSC)

6.1 Introduction

Resource isolation framework (RIF) is a set of hardware blocks designed to enforce and manage isolation of STM32 hardware resources like memory and peripherals. Some resources (such as GP/HPDMA) manage their own security configuration internally (they are configured locally). Such resources are called “RIF-aware”. Most resources are “non-RIF-aware”. The RIFSC centralizes the security configuration of such non-RIF-aware resources.

6.2 RIFSC main features

• • RISC registers associated with RISUP logic (resource isolation slave unit for peripherals) sitting in front of the configuration port of non-RIF-aware peripherals, and with RCC peripheral clock control logic, assigning security and privilege levels to peripheral access and peripheral clock control.
• • RIMC registers associated with RIMU logic (resource isolation master unit), assigning non-RIF-aware bus masters the secure, privilege and compartment (CID) information they drive onto the system bus when initiating AXI transactions.
• • Secure guard, where an AXI bus master port is forced to be nonsecure when its associated configuration port is programmed nonsecure
• • Support for a special debug domain, giving greater access for the debugger

6.3 RIFSC functional description

6.3.1 RIFSC reset and clocks

The RIFSC has a single reset. After a system reset, all non-RIF-aware peripherals become non-secure and unprivileged, reachable by any CID.

6.3.2 RISUP

RISUP blocks are instantiated in front of the AHB configuration port of non-RIF-aware peripherals to filter configuration accesses.

Each non-RIF-aware peripheral is assigned a unique “RISUP index” \( p < 128 \) . Whenever the RISUP in front of peripheral \( p \) blocks an illegal access, it sends an “illegal access event” pulse to the IAC. The IAC records this event in the IAFp bit of the relevant IAC_ISRx register. Thus, the RISUP index is aligned with the IAC index.

For \( x < 4 \) and \( i < 32 \) , the filtering is determined as follows.

• • If \( \text{RIFSC\_RISC\_SECCFGx}[i] = 1 \) , then nonsecure accesses to peripheral \( p = i + 32x \) are blocked. Also, nonsecure world attempts to program RCC registers to turn off the clock of (or reset) peripheral \( p \) are blocked.

• • If RIFSC_RISC_PRIVCFGRx[i] = 1, then user accesses to peripheral p = i + 32x are blocked. Also, attempts by a user process to program RCC registers to turn off the clock of (or reset) peripheral p are blocked.

Whenever the RCC detects an illegal attempt to turn off a clock of (or reset) a peripheral, it sends an event pulse to the IAC (recorded in the IAF136 bit of the relevant IAC_ISRx register).

Note: There is no record of which peripheral was the object of this illegal attempt.

Table 20 identifies the RISUP index of each non-RIF-aware peripheral.

Table 20. RISUP indexes

The RISUP generates a bus error if an instruction fetch arrives at the peripheral.

6.3.3 RCC security settings for RIF-aware peripherals and RAMs

Table 21 shows the use made of the RIFSC to configure the security and privilege access rights for resetting or gating the clock of RIF-aware peripherals and RAMs (resources that

do not have RISUPs in front of them). Just as for all the non-RIF-aware peripherals with RISUPs mentioned above, the outputs of the registers below are also wired to the RCC.

Table 21. RISC indexes purely for RCC security control

Note: For the RIF-aware peripherals, it is the responsibility of the trusted domain software to make sure this security configuration of the control of the clock and reset of the peripheral is consistent with the internal security configuration of this peripheral.

6.3.4 RIMU

The security attributes (CID, security, privilege) of accesses made by a non-RIF-aware peripheral that is an AXI bus master, can be configured in RIMC_ATTRx registers, where x is the “RIMU index” of the peripheral. Table 22 gives the index of each of these AXI bus master peripherals, and the index of the related RISUP protecting the configuration port of this peripheral. If nonsecure world software is permitted to configure the peripheral, then the RIMU_ATTRx[MSEC] setting is ignored, and all AXI accesses initiated by the peripheral are forced to be nonsecure too. This override mechanism is referred to as “secure guard”.

Table 22. RIMU resource assignment

Table 22. RIMU resource assignment (continued)

RIMC registers must be initialized by the secure privileged software after the device reset. Optionally, this software can set the GLOCK bit in RIMC_CR, preventing further writes to all RIMC registers. This bit can only be cleared by a power-on reset.

The RISC_RIMC_CR register contains a DAPCID field that gives the CID value used by debugger (DAP) accesses onto the AXI bus. The reset value of this register is 0x7. All RISAFs treat a 0x7 as a legal CID value, regardless of their configuration. The secure privileged master can reprogram the DAPCID to allow the DAP to mimic another compartment (for example, to debug the security configuration).

6.4 RIFSC registers

These registers are accessible through the register interface of the RIFSC peripheral.

6.4.1 RIFSC RISC slave configuration register x (RIFSC_RISC_CR)

Address offset: 0x000

Reset value: 0x0000 0000

Secure privileged write access only. Any read access is allowed on this register. Writes are ignored if GLOCK is set in this register.

Bits 31:1 Reserved, must be kept at reset value.

Bit 0 GLOCK : Global lock

This bit locks the configuration of RIFSC RISC registers until next reset. This bit is cleared by default and, once set, it cannot be reset until global RIFSC reset.

0: RIFSC RISC registers are writable.

1: All writes to RIFSC RISC registers are ignored.

6.4.2 RIFSC RISC slave security configuration register x (RIFSC_RISC_SECCFGRx)

Address offset: 0x010 + 0x4 * x, (x = 0 to 5)

Reset value: 0x0000 0000

Nonsecure or unprivileged writes to this register are ignored, while any read is allowed. Writes are ignored if GLOCK is set in RIFSC_RISC_CR.

Bits 31:0 SEC{i + 32 * x} : security configuration for peripheral {i + 32 * x} (i = 0 to 31)

0: Secure and nonsecure data access are granted to the peripheral {i + 32 * x}.

1: Secure data access only are granted to the peripheral {i + 32 * x}.

6.4.3 RIFSC RISFC slave privileged register x (RIFSC_RISC_PRIVCFGRx)

Address offset: 0x030 + 0x4 * x, (x = 0 to 5)

Reset value: 0x0000 0000

Unprivileged writes to this register are ignored, while any read is allowed. Writes are ignored if GLOCK is set in RIFSC_RISC_CR.

Bits 31:0 PRIV{i + 32 * x} : privileged-only access permission for peripheral {i + 32 * x} (i = 0 to 31)

0: Privileged and unprivileged data access are granted to the peripheral {i + 32 * x}.

1: Privileged data access only are granted to the peripheral {i + 32 * x}.

Note: If corresponding SEC{i + 32 * x} bit is set in RIFSC_RISC_SECCFGRx, this bit can only be written by a secure privileged application.

6.4.4 RIFSC RISC slave resource configuration lock register x (RIFSC_RISC_RCFGLOCKRx)

Address offset: 0x050 + 0x4 * x, (x = 0 to 5)

Reset value: 0x0000 0000

Secure privileged write access only. Any read access is allowed on this register. Writes are ignored if GLOCK is set in this register.

Bits 31:0 RLOCK{i + 32 * x} : resource lock for peripheral {i + 32 * x} (i = 0 to 31)

This bit is set to lock the peripheral resource {i + 32 * x}. It is cleared by default and, once set, this bit cannot be cleared until the RIFSC RISC peripheral is reset.

0: SEC{i + 32 * x} in RIFSC_RISC_SECCFGRx and PRIV{i + 32 * x} in RIFSC_RISC_PRIVCFG Rx are writable.

1: Writes to SEC{i + 32 * x} and PRIV{i + 32 * x} are ignored.

6.4.5 RIFSC RIMC master configuration register (RIFSC_RIMC_CR)

Address offset: 0xC00

Reset value: 0x0000 0710

Secure privileged write access only. Any read access is allowed on this register. Writes are ignored if GLOCK is set in RIFSC_RIMC_CR.

Bits 31:11 Reserved, must be kept at reset value.

Bits 10:8 DAPCID[2:0] : debug access port compartment ID

This bitfield defines the CID of the DAP.

Bits 7:1 Reserved, must be kept at reset value.

Bit 0 GLOCK : global lock

This bit is used to lock the configuration of RIFSC RIMC registers until next reset. This bit is cleared by default and, once set, it cannot be reset until global RIFSC reset.

0: RIFSC RIMC registers are writable.

1: All writes to RIFSC RIMC registers are ignored.

6.4.6 RIFSC RIMC master attribute register x (RIFSC_RIMC_ATTRx)

Address offset: 0xC10 + x * 0x4 (x = 0 to 12)

Reset value: 0x0000 0000

Secure privileged write access only. Any read access is allowed on this register.

Bits 31:10 Reserved, must be kept at reset value.

Bit 9 MPRIV : master privileged

Value of the privileged flag on the interconnect for this master.
0: This master is unprivileged.
1: This master is privileged.

Bit 8 MSEC : master secure

Value of the secure flag on the interconnect for this master.
0: This master is nonsecure.
1: This master is secure.

Bit 7 Reserved, must be kept at reset value.

Bits 6:4 MCID[2:0] : master CID

Value of the CID flag on the interconnect for this master. This bitfield cannot be written with a value of 0x7 (write to MCID[2:0] is ignored).

Bits 3:0 Reserved, must be kept at reset value.

6.4.7 RIFSC peripheral protection status register 0 (RIFSC_PPSR0)

Address offset: 0xFB0

Reset value: 0xFFFF FF7F

Bits 31:0 PPEN{i} : peripheral protection enable {i} ( \( i = 0 \) to \( 31 \) )

0: SEC{i}, PRIV{i}, and RLOCK{i} bits are not present.
1: SEC{i}, PRIV{i}, and RLOCK{i} bits are present.

6.4.8 RIFSC peripheral protection status register 1 (RIFSC_PPSR1)

Address offset: 0xFB4

Reset value: 0x77FF FFFF

Bits 31:0 PPEN{i + 32} : peripheral protection enable {i + 32} (i = 0 to 31)

• 0: SEC{i + 32}, PRIV{i + 32}, and RLOCK{i + 32} bits are not present.
• 1: SEC{i + 32}, PRIV{i + 32}, and RLOCK{i + 32} bits are present.

6.4.9 RIFSC peripheral protection status register 2 (RIFSC_PPSR2)

Address offset: 0xFB8

Reset value: 0xF7DF F03B

Bits 31:0 PPEN{i + 64} : peripheral protection enable {i + 64} (i = 0 to 31)

• 0: SEC{i + 64}, PRIV{i + 64}, and RLOCK{i + 64} bits are not present.
• 1: SEC{i + 64}, PRIV{i + 64}, and RLOCK{i + 64} bits are present.

6.4.10 RIFSC peripheral protection status register 3 (RIFSC_PPSR3)

Address offset: 0xFBC

Reset value: 0x0000 05FF

Bits 31:0 PPEN{i + 96} : peripheral protection enable {i + 96} (i = 0 to 31)

0: SEC{i + 96}, PRIV{i + 96}, and RLOCK{i + 96} bits are not present.

1: SEC{i + 96}, PRIV{i + 96}, and RLOCK{i + 96} bits are present.

6.4.11 RIFSC peripheral protection status register 4 (RIFSC_PPSR4)

Address offset: 0xFC0

Reset value: 0xBBEF FFEF

Bits 31:0 PPEN{i + 128} : peripheral protection enable {i + 128} (i = 0 to 31)

0: SEC{i + 128}, PRIV{i + 128}, and RLOCK{i + 128} bits are not present.

1: SEC{i + 128}, PRIV{i + 128}, and RLOCK{i + 128} bits are present.

6.4.12 RIFSC peripheral protection status register 5 (RIFSC_PPSR5)

Address offset: 0xFC4

Reset value: 0x7DDE EF7F

Bits 31:0 PPEN{i + 160} : peripheral protection enable {i + 160} (i = 0 to 31)

0: SEC{i + 160}, PRIV{i + 160}, and RLOCK{i + 160} bits are not present.

1: SEC{i + 160}, PRIV{i + 160}, and RLOCK{i + 160} bits are present.

6.4.13 RIFSC register map

Table 23. RIFSC register map and reset values