8. Illegal access controller (IAC)

8.1 IAC introduction

The RIF (resource isolation framework) is a comprehensive set of hardware blocks designed to enforce and manage the isolation of STM32 hardware resources, such as memory and peripherals.

The RIF uses the IAC (illegal access controller) to centralize the detection of RIF-related illegal accesses, managed by a secure application.

8.2 IAC main features

8.3 IAC implementation

The index of the peripherals managed by the IAC in this device is defined in Table 28. Indexes 0 to 127 are also used in the RIFSC to configure the proper access control using RISUP blocks.

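Table 28. Peripheral indexes in IAC

Peripherals 31 to 0

| Index | Peripheral |
|---|---|
| 31 | TIM5 |
| 30 | TIM4 |
| 29 | TIM3 |
| 28 | TIM2 |
| 27 | TIM1 |
| 26 | FDCAN1/2/3 |
| 25 | LPUART1 |
| 24 | USART10 |
| 23 | UART9 |
| 22 | UART8 |
| 21 | UART7 |
| 20 | USART6 |
| 19 | UART5 |
| 18 | UART4 |
| 17 | USART3 |
| 16 | USART2 |
| 15 | USART1 |
| 14 | I3C2 |
| 13 | I3C1 |
| 12 | I2C4 |
| 11 | I2C3 |
| 10 | I2C2 |
| 9 | I2C1 |
| 8 | SAI2 |
| 7 | - |
| 6 | SAI1 |
| 5 | SPI6/I2S6 |
| 4 | SPI5 |
| 3 | SPI4 |
| 2 | SPI3/I2S3 |
| 1 | SPI2/I2S2 |
| 0 | SPI1/I2S1 |

Peripherals 63 to 32

| Index | Peripheral |
|---|---|
| 63 | - |
| 62 | SYSCONF |
| 61 | SPDIFRX |
| 60 | GB-ETH |
| 59 | - |
| 58 | UCPD |
| 57 | OTG1_FS |
| 56 | OTG1_HS |
| 55 | MDIOS |
| 54 | SDMMC2 |
| 53 | SDMMC1 |
| 52 | MDF1 |
| 51 | ADF1 |
| 50 | LPTIM5 |
| 49 | LPTIM4 |
| 48 | LPTIM3 |
| 47 | LPTIM2 |
| 46 | LPTIM1 |
| 45 | GFXTIM |
| 44 | TIM18 |
| 43 | TIM17 |
| 42 | TIM16 |
| 41 | TIM15 |
| 40 | TIM14 |
| 39 | TIM13 |
| 38 | TIM12 |
| 37 | TIM11 |
| 36 | TIM10 |
| 35 | TIM9 |
| 34 | TIM8 |
| 33 | TIM7 |
| 32 | TIM6 |

Peripherals 95 to 64

| Index | Peripheral |
|---|---|
| 95 | - |
| 94 | DCMI |
| 93 | DCMIPP |
| 92 | CSI2HOST |
| 91 | - |
| 90 | FMC |
| 89 | XSPIM |
| 88 | XSPI3 |
| 87 | XSPI2 |
| 86 | XSPI1 |
| 85 | - |
| 84 | MCE4 |
| 83 | MCE3 |
| 82 | MCE2 |
| 81 | MCE1 |
| 80 | CRYPT1 |
| 79 | HASH |
| 78 | SAES |
| 77 | PKA |
| 76 | RNG |
| 75 to 70 | - |
| 69 | WWDG |
| 68 | IWDG |
| 67 | CRC |
| 66 | - |
| 65 | VREFBUF |
| 64 | ADC12 |

Peripherals 127 to 96

| Index | Peripheral |
|---|---|
| 127 to 107 | - |
| 106 | NPU - Neural ART |
| 105 | - |
| 104 | LTDC_L2 |
| 103 | LTDC_L1 |
| 102 | LTDC_CMN |
| 101 | DMA2D |
| 100 | GFXMMU |
| 99 | GPU |
| 98 | ICACHE |
| 97 | VENC |
| 96 | JPEG |

Peripherals 159 to 128

| Index | Peripheral |
|---|---|
| 159 | - |
| 158 | RIFSC |
| 157 | RISAF23 (BKPSRAM) |
| 156 | RISAF22 (AHB RAM2) |
| 155 | RISAF21 (AHB RAM1) |
| 154 | - |
| 153 | RISAF15 (Cache config) |
| 152 | RISAF14 (FMC) |
| 151 | RISAF13 (XSPI3) |
| 150 | RISAF12 (XSPI2) |
| 149 | RISAF11 (XSPI1) |
| 148 | - |
| 147 | RISAF9 (VENGRAM) |
| 146 | RISAF8 (CACHEAXI) |
| 145 | RISAF7 (FLEXRAM) |
| 144 | RISAF6 (CPU_MST) |
| 143 | RISAF5 (NPU_MST1) |
| 142 | RISAF4 (NPU_MST0) |
| 141 | RISAF3 (AXISRAM2) |
| 140 | RISAF2 (AXISRAM1) |
| 139 | RISAF1 (TCM) |
| 138 | IAC |
| 137 | PWR_CTRL |
| 136 | RCC |
| 135 | BSEC |
| 134 | TAMP |
| 133 | RTC |
| 132 | - |
| 131 | HPDMA1 |
| 130 | GPDMA1 |
| 129 | EXTI |
| 128 | CM55 |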

8.4 IAC functional description

8.4.1 IAC block diagram

Figure 9 shows the IAC block diagram, in context.

Figure 9. IAC block diagram

The diagram illustrates the IAC block diagram. On the left, three boxes represent 'RIF-protected peripheral #1', 'RIF-protected peripheral #n', and 'RIF component (memory gate)'. Arrows from these boxes point into a central 'IAC' block. The 'IAC' block contains four sub-components: 'ILAC events', 'Masking and routing', 'IER', and 'ISR/ICR'. An arrow labeled 'iac_hclk' points from the top right into the 'IAC' block. A double-headed arrow labeled 'AHB bus' connects the 'IAC' block to a dashed box on the right. Inside this dashed box, labeled 'Trusted CPU', are two sub-components: 'Interrupt control' and 'CPU'. An arrow labeled 'sec_irq' points from 'Interrupt control' to 'CPU'. An arrow labeled 'iac_it' points from the 'IAC' block to 'Interrupt control'. The diagram is labeled MSV67853V2 in the bottom right corner.

8.4.2 IAC internal signals

Table 29 lists the internal signals available at IAC level, not at product level.

Table 29. IAC internal signals

| Name | Type | Description |
|---|---|---|
| iac_hclk | Digital input | AHB bus clock |
| iac_it | Digital output | Global interrupt request |

8.4.3 IAC reset and clocks

The IAC peripheral has a dedicated clock and reset control in the RCC.

The IAC requires its clock in order to trigger an interrupt request event.

8.4.4 IAC use in RIF

The IAC gathers illegal events generated within the system when an illegal access is detected. The IAC can then generate a secure interrupt towards the secure CPU, if needed. By default, all events in the IAC are masked.

The IAC has room for 160 interrupt sources. Each source corresponds to an IAC index from 0 to 159. The interrupt sources from non-RIF-aware peripherals occupy most of the first 128 indexes. The interrupt sources from RIF-aware peripherals and RIF firewalls occupy indexes from 128 onwards. All these sources are defined in Section 8.3.

8.4.5 IAC management by trusted application

For each interrupt source of index <i>, an illegal access sets the IAFi flag in IAC_ISRx. A secure privileged application can clear this flag using the corresponding bit in IAC_ICRx. An IAC interrupt is triggered when IAFi is set while IAIEi is set in IAC_IERx.

Indexes 0 to 127 are assigned to non-RIF-aware peripherals, each with a RISUP block instantiated in front of its configuration port to filter configuration accesses. The programming of these RISUP blocks (in the RIFSC) uses the same index as the IAC.

Indexes 128 and above are assigned to RIF components and RIF-aware peripherals. These peripherals can block illegal accesses to their configuration registers (without RISUP).

For RIF-aware peripherals protecting a memory (RISAF), a secure privileged application can obtain, in the peripheral, more details about the cause of the illegal access event:

The IAC interrupt handler must clear IAFi in IAC_ISR before clearing the error flag(s) in the firewall peripheral xx (using xx_IACR register). Otherwise, an illegal access can occur between clearing the flags in the firewall and clearing the flag in the IAC, and the application is unaware of this error.
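The following example is added here and is not ST code: it lays out the register block from the offsets in Section 8.6, refuses to unmask an index whose ILAC input is absent, and services pending flags in the order required above (IAC_ICRx first, then the firewall). The type and function names, the `fw_clear_fn` hook standing in for the xx_IACR write, and the host-side register model in `demo()` are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Register block built from the offsets in Section 8.6 (x = 0 to 5). */
typedef struct {
    volatile uint32_t IER[6];  uint32_t rsv0[26];   /* 0x000: IAIE bits       */
    volatile uint32_t ISR[6];  uint32_t rsv1[26];   /* 0x080: IAF, read only  */
    volatile uint32_t ICR[6];  uint32_t rsv2[149];  /* 0x100: write 1 clears  */
    volatile uint32_t IISR[6];                      /* 0x36C: input present   */
} iac_regs_t;
_Static_assert(offsetof(iac_regs_t, IISR) == 0x36C, "layout must match map");
typedef void (*fw_clear_fn)(iac_regs_t *iac, unsigned idx); /* hypothetical */

/* Unmask index idx; refuse indexes with no ILAC input on this device. */
int iac_unmask(iac_regs_t *iac, unsigned idx) {
    if (idx >= 160u || !((iac->IISR[idx / 32u] >> (idx % 32u)) & 1u))
        return -1;
    iac->IER[idx / 32u] |= 1u << (idx % 32u);
    return 0;
}

/* Handler body: returns the number of unmasked flags it serviced. */
unsigned iac_service(iac_regs_t *iac, fw_clear_fn fw_clear) {
    unsigned handled = 0;
    for (unsigned idx = 0; idx < 160u; idx++) {
        unsigned x = idx / 32u;
        uint32_t bit = 1u << (idx % 32u);
        if (!(iac->ISR[x] & iac->IER[x] & bit)) continue;
        iac->ICR[x] = bit;     /* step 1: clear IAFi through IAC_ICRx */
        fw_clear(iac, idx);    /* step 2: only then the firewall flags */
        handled++;
    }
    return handled;
}

/* Constructed host model: ICR keeps the last value written, so the hook can see the order. */
static unsigned order_ok;
static void sim_fw_clear(iac_regs_t *iac, unsigned idx) {
    order_ok += (iac->ICR[idx / 32u] >> (idx % 32u)) & 1u;
}
unsigned demo(void) {
    static iac_regs_t sim;                 /* plain memory, not hardware */
    sim.IISR[4] = 0x7BEFFFEFu;             /* reset value of IAC_IISR4 */
    if (iac_unmask(&sim, 140) != 0 || iac_unmask(&sim, 148) != -1)
        return 0;                          /* 148 is "-" in Table 28 */
    sim.ISR[4] = (1u << 12) | (1u << 13);  /* constructed: 140 and 141 hit */
    order_ok = 0;
    return iac_service(&sim, sim_fw_clear) * 10u + order_ok;  /* 11 */
}
int main(void) { return demo() == 11u ? 0 : 1; }
```

Index 141 is flagged but left masked in the model, so only index 140 is serviced; a masked flag stays set in IAC_ISRx and remains visible to a later poll.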

8.5 IAC interrupts

The RIF interrupt management in the IAC is summarized in Table 30.

Note: Only a secure privileged application can enable, read, and clear illegal access interrupts. If there is an illegal access to the IAC itself, the status flag corresponding to the IAC index in Section 8.3 is set.

Table 30. IAC interrupt request

| Acronym | Interrupt event | Event flag in IAC_ISR | Enable control bit in IAC_IER | Interrupt clear method |
|---|---|---|---|---|
| IAC | Illegal access error | IAF | IAIE | Set IAF bit in IAC_ICR |

8.6 IAC registers

All IAC registers are accessed only by words (32 bits).

8.6.1 IAC interrupt enable register x (IAC_IERx)

Address offset: 0x000 + 0x4 * x (x = 0 to 5)

Reset value: 0x0000 0000

Secure privileged, read and write only.

| Bits | Field | Access |
|---|---|---|
| 31:0 | IAIE{i + 32 * x} | rw |

Bits 31:0 IAIE{i + 32 * x} : Illegal access interrupt enable for peripheral {i + 32 * x} (i = 0 to 31)

Each bit is set to unmask illegal access events from peripheral {i + 32 * x}.

0: Illegal access event from peripheral does not generate interrupt (masked).

1: Illegal access event from peripheral can generate interrupts (unmasked).

8.6.2 IAC interrupt status register x (IAC_ISRx)

Address offset: 0x080 + 0x4 * x (x = 0 to 5)

Reset value: 0x0000 0000

Secure privileged, read only.

| Bits | Field | Access |
|---|---|---|
| 31:0 | IAF{i + 32 * x} | r |

Bits 31:0 IAF{i + 32 * x} : Illegal access flag for peripheral {i + 32 * x} (i = 0 to 31)

Each bit is set when an illegal access event occurs in the peripheral {i + 32 * x} (see Section 8.3 for details). This bit is cleared when the corresponding IAF bit is set in IAC_ICRx.

0: No illegal access event detected for the peripheral (since reset or the last time this bit was cleared).

1: At least one illegal access event has been detected for the peripheral (since the last time this bit was cleared).

8.6.3 IAC interrupt clear register x (IAC_ICRx)

Address offset: 0x100 + 0x4 * x (x = 0 to 5)

Reset value: 0x0000 0000

Secure, privileged write only.

| Bits | Field | Access |
|---|---|---|
| 31:0 | IAF{i + 32 * x} | w |

Bits 31:0 IAF{i + 32 * x} : Illegal access flag clear for peripheral {i + 32 * x} (i = 0 to 31)

Setting each bit clears the status flag of the illegal access event {i + 32 * x} in IAC_ISRx.

0: IAF {i + 32 * x} flag status not affected

1: IAF {i + 32 * x} flag status cleared in IAC_ISRx

8.6.4 IAC ILAC input status register x (IAC_IISRx)

Address offset: 0x36C + 0x4 * x (x = 0 to 5)

Reset value: 0xFFFF FF7F, 0x77FF FFFF, 0x77DF F03B, 0x0000 05FF, 0x7BEF FFEF, 0x0000 0000

| Bits | Field | Access |
|---|---|---|
| 31:0 | ILACIN{i + 32 * x} | r |

Bits 31:0 ILACIN{i + 32 * x} : Illegal access input {i + 32 * x} (i = 0 to 31)

0: ILAC input {i + 32 * x} to IAC not present

1: ILAC input {i + 32 * x} to IAC present

8.6.5 IAC register map

Table 31. IAC register map and reset values

| Offset | Register name | Bits 31:0 | Reset value |
|---|---|---|---|
| 0x000 + 0x4 * x (x = 0 to 5), last address: 0x014 | IAC_IERx | IAIE{i + 32 * x} | 0x0000 0000 |
| 0x018-0x07C | Reserved | Reserved | |
| 0x080 + 0x4 * x (x = 0 to 5), last address: 0x094 | IAC_ISRx | IAF{i + 32 * x} | 0x0000 0000 |
| 0x098-0x0FC | Reserved | Reserved | |
| 0x100 + 0x4 * x (x = 0 to 5), last address: 0x114 | IAC_ICRx | IAF{i + 32 * x} | 0x0000 0000 |
| 0x118-0x368 | Reserved | Reserved | |
| 0x36C + 0x4 * x (x = 0 to 5), last address: 0x384 | IAC_IISRx | ILACIN{i + 32 * x} | 0xFFFF FF7F, 0x77FF FFFF, 0x77DF F03B, 0x0000 05FF, 0x7BEF FFEF, 0x0000 0000 |

Refer to Section 2.3: Memory organization for the register boundary addresses.