Last edited one month ago

RIFSC internal peripheral

Applicable for STM32MP25x lines

1. Article purpose[edit source]

The purpose of this article is to:

  • briefly introduce the RIFSC peripheral and its main features,
  • indicate the peripheral instances assignment at boot time and their assignment at runtime (including whether instances can be allocated to secure contexts),
  • list the software frameworks and drivers managing the peripheral,
  • explain how to configure the peripheral.

2. Peripheral overview[edit source]

The RIFSC (RIF Security Controller) peripheral is the control interface of the RIF (Resource Isolation Framework). It provides configuration registers to:

  • define access right (CID, secure, and privilege level) for each peripheral protected by a RISUP
  • define initiator peripheral bus behavior by setting CID, secure, and privilege level (RIMU)
  • define low power RAM memory protection (RISAL)
  • define JTAG DAP configuration

On STM32MP25x lines More info.png, there are:

  • 118 RISUP to protect the different instances of peripherals. RISUP default configuration is non-secure, unprivileged, and CID filtering disabled.
  • 16 RIMU, one in front of each bus initiator peripheral (ETR, SDMMC1, SDMMC1, SDMMC3, USB3DR, USBH, ETH1, ETH2, GPU, LTDC, VDEC, and VENC). By default, RIMU are set in non-secure, unprivileged, and CID inheritance from associated peripheral RISUP (except for ETR and LTDC for which inheritance is not possible).
  • 3 RISAL to protect LPSRAM1, LPSRAM2, and LPSRAM3. By default, LPSRAM accesses are defined as non-secure, unprivileged, Cortex-M33®, and Cortex®-M0+.

Main RIFSC configuration is under TDCID processor responsibility, but all execution contexts can read it. Moreover, it is possible to modify the RISUP configuration according to following rules:

  • Only the TDCID execution context can modify the CID filtering configuration of this resource.
  • A secure execution context owning a resource can modify the security level of this resource.
  • A privilege execution context owning a resource can modify the privilege level of this resource.

The RIFSC configuration is preserved in low power mode.

Refer to the STM32 MPU reference manuals for the complete list of features and to the software frameworks and drivers introduced below to see which features are implemented.

3. Peripheral usage[edit source]

This chapter is applicable in the scope of the OpenSTLinux BSP running on the Arm® Cortex®-A processors, and the STM32CubeMPU Package running on the Arm® Cortex®-M processor.

3.1. Boot time assignment[edit source]

As soon as the STM32MP2 is powered up, the Cortex®-A35 starts to execute the ROM code, which configures and verifies the RIFSC configuration to ensure the isolation of its execution. It then executes the FSBL TF-A in secure mode, which can temporarily reconfigure some Cortex®-A35 assigned peripherals from non-secure to secure to be compliant with its execution model. The SSBL U-Boot executed in non-secure mode accesses the RIFSC to verify if a resource can be accessed by Cortex®-A35 non-secure execution. If required, U-Boot can acquire the RIF semaphore associated with the resource to grant the access.

3.1.1. On STM32MP2 series[edit source]

Click on How to.png to expand or collapse the legend...

  • means that the peripheral can be assigned to the given boot time context.
  • means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
  • means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
  • is used for system peripherals that cannot be unchecked because they are hardware connected in the device.

The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP25 reference manuals.

Domain Peripheral Boot time allocation Comment How to.png
Instance Cortex-A35
secure
(ROM code) 		Cortex-A35
secure
(TF-A BL2) 		Cortex-A35
non-secure
(U-Boot)
Security RIFSC RIFSC

3.2. Runtime assignment[edit source]

In Cortex®-A35 main processor mode, the Cortex®-A35 is the TDCID processor, which means Cortex®-A35 secure execution can completely configure the RISFC. In this mode, OP-TEE is in charge of the RISFC configuration before the startup of the other execution context. This allows the selected peripherals to be assigned to the different hardware execution context of the platform before their execution. Firmware running on the other execution contexts accesses RIFSC to verify if they can access a peripheral before trying to program it.

3.2.1. On STM32MP25x lines More info.png[edit source]

Click on How to.png to expand or collapse the legend...

STM32MP25 internal peripherals

Check boxes illustrate the possible peripheral allocations supported by STM32 MPU Embedded Software:

  • means that the peripheral can be assigned to the given runtime context.
  • means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the STM32 MPU Embedded Software distribution.
  • means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in STM32 MPU Embedded Software distribution.
  • is used for system peripherals that cannot be unchecked because they are hardware connected in the device.

The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP25 reference manuals.

Domain Peripheral Runtime allocation Comment How to.png
Instance Cortex-A35
secure
(OP-TEE /
TF-A BL31) 		Cortex-A35
non-secure
(Linux) 		Cortex-M33
secure
(TF-M) 		Cortex-M33
non-secure
(STM32Cube) 		Cortex-M0+
Warning.png
(STM32Cube)
Security RIFSC RIFSC OP-TEE

4. Software frameworks and drivers[edit source]

Below are listed the software frameworks and drivers managing the RIFSC peripheral for the embedded software components listed in the above tables.

5. How to assign and configure the peripheral[edit source]

The peripheral assignment can be done via the STM32CubeMX graphical tool (and manually completed if needed).
According to the selected assignment, STM32CubeMX is generating the RIFSC device tree configuration that the secure OS running on the TDCID processor will program.
This tool also helps to enable the peripheral support in the different software components by generating:

  • partial device trees enabling the selected peripherals for the OpenSTLinux software components,
  • HAL initialization code for the STM32CubeMPU Package for the selected peripherals.

6. References[edit source]



Resource Isolation Framework Security Controller - NEW

Resource Isolation Framework

Resource Isolation Slave Unit for Peripherals - NEW

Resource Isolation Master Unit - NEW

Random access memory (Early computer memories generally hadserial access. Memories where any given address can be accessed when desired were then called "random access" to distinguish them from the memories where contents can only be accessed in a fixed order. The term is used today for volatile random-acces ssemiconductor memories.)

Resource Isolation Slave unit for Address space protection (Lite version) - NEW

debug and test protocol, named from the Joint Test Action Group that developed it

Debug Access Port

USB Host (STM32 specific)

Graphics processing units

LCD TFT display controller (STM32 specific)

Video decoder - NEW

Video encoder - NEW

Cortex®

Trusted Domain Compartment IDentifier - NEW

Board support package

Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. Arm logo.png

Read only memory

First stage boot loader

Trusted firmware for Arm® Cortex®-A

Second stage boot loader

Das U-Boot -- the universal boot loader (see U-Boot)

Boot loader stage 2

Open portable trusted execution environment

Linux® is a registered trademark of Linus Torvalds.

Operating system

Hardware abstraction layer

Resource Isolation Framework Security Controller - NEW

Resource Isolation Framework

Resource Isolation Slave Unit for Peripherals - NEW

Resource Isolation Master Unit - NEW

Random access memory (Early computer memories generally hadserial access. Memories where any given address can be accessed when desired were then called "random access" to distinguish them from the memories where contents can only be accessed in a fixed order. The term is used today for volatile random-acces ssemiconductor memories.)

Resource Isolation Slave unit for Address space protection (Lite version) - NEW

debug and test protocol, named from the Joint Test Action Group that developed it

Debug Access Port

USB Host (STM32 specific)

Graphics processing units

LCD TFT display controller (STM32 specific)

Video decoder - NEW

Video encoder - NEW

Cortex®

Trusted Domain Compartment IDentifier - NEW

Board support package

Arm® is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere. Arm logo.png

Read only memory

First stage boot loader

Trusted firmware for Arm® Cortex®-A

Second stage boot loader

Das U-Boot -- the universal boot loader (see U-Boot)

Boot loader stage 2

Open portable trusted execution environment

Linux® is a registered trademark of Linus Torvalds.

Operating system

Hardware abstraction layer

Retrieved from "https://wiki.stmicroelectronics.cn/stm32mpu/index.php?title=RIFSC_internal_peripheral&oldid=107276"