1. Article purpose[edit | edit source]
The purpose of this article is to:
- briefly introduce the RISAF peripheral and its main features,
- indicate the peripheral instances assignment at boot time and their assignment at runtime (including whether instances can be allocated to secure contexts),
- list the software frameworks and drivers managing the peripheral,
- explain how to configure the peripheral.
2. Peripheral overview[edit | edit source]
The RISAF peripheral is part of the RIF. It is used to protect external memories and BKPSRAM accesses.
Its main features are:
- Variable sized address space memory region with 256Byte or 4kByte granularity depending on memory to protect
- Access filtering per:
- secure level
- CID filtering
- privilege level per CID
- read-only, write-only or read/write per CID
- Possibility to delegate some sub-region configuration to a specified execution context defined by delegated configuration CID. Useful to manage memory region access right at SW component level instead of requiring changes to TDCID secure OS.
Some RISAF instances support memory regions encryption. It should be used on secure regions only that are bypassed in case of tamper event, with the cypher key erased. The DDR RISAF on the STM32MP21x lines supports DDRMCE for on-the-fly traffic encryption/decryption with countermeasures. This feature, however, impacts performances.
Refer to the STM32 MPU reference manuals for the complete list of features, and to the software frameworks and drivers, introduced below, to see which features are implemented.
3. Peripheral usage[edit | edit source]
This chapter is applicable in the scope of the OpenSTLinux BSP running on the Arm® Cortex®-A processor(s), and the STM32CubeMPU Package running on the Arm® Cortex®-M processor.
On STM32MP25x lines and STM32MP23x lines , there are 4 RISAF instances. On the STM32MP21x lines , there is no RISAF5. The following table shows RISAF - External memory interface mapping and provides information regarding RISAF programming owner and default HW configuration.
RISAF registers are accessible in read by all execution context to check memory can be accessed or not.
RISAF instance | Protected interface | Owner | Nb regions | Encryption | Default configuration |
---|---|---|---|---|---|
RISAF1 | BKPSRAM (8kB) | TDCID Secure | 4 | No | Secure, privileged, TDCID only |
RISAF2 | OCTOSPI1&2 memory mapped region (256Mbyte) |
TDCID Secure | 4 | No | Secure, privileged, TDCID only |
RISAF4 | DDR (4GByte) | TDCID Secure | 15 | Yes | Secure, privileged, TDCID only |
RISAF5 | PCIe (256MByte) | TDCID Secure | 2 | No | Secure, privileged, TDCID only |
Information |
The TDCID configures all RISAF regions. The RISAF sub-regions can be modified by the compartment to which it is delegated with the right secure/privilege level. |
3.1. Boot time assignment[edit | edit source]
In Cortex-A35 main processor mode, the FSBL TF-A is in charge of DDR controller initialization and of secure OS OP-TEE loading. This implies to configure RISAF4 secure and encrypted memory regions before doing secure code loading.
3.1.1. On STM32MP21x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given boot time context.
- ☑ means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32 MPU reference manuals.
Domain | Peripheral | Boot time allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 nonsecure (U-Boot) | |||
Security | RISAF | RISAF1 | ☐ | ⬚ | ||
RISAF2 | ☐ | ⬚ | ||||
RISAF4 | ☑ | ⬚ | FSBL TF-A configures Cortex-A secure and encrypted memory regions |
3.1.2. On STM32MP23x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given boot time context.
- ☑ means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32 MPU reference manuals.
Domain | Peripheral | Boot time allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 nonsecure (U-Boot) | |||
Security | RISAF | RISAF1 | ☐ | ⬚ | ||
RISAF2 | ☐ | ⬚ | ||||
RISAF4 | ☑ | ⬚ | FSBL TF-A configures Cortex-A secure and encrypted memory regions |
3.1.3. On STM32MP25x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given boot time context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given boot time context.
- ☑ means that the peripheral is assigned by default to the given boot time context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32 MPU reference manuals.
Domain | Peripheral | Boot time allocation | Comment | |||
---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (ROM code) |
Cortex-A35 secure (TF-A BL2) |
Cortex-A35 nonsecure (U-Boot) | |||
Security | RISAF | RISAF1 | ☐ | ⬚ | ||
RISAF2 | ☐ | ⬚ | ||||
RISAF4 | ☑ | ⬚ | FSBL TF-A configures Cortex-A secure and encrypted memory regions | |||
RISAF5 | ☐ | ⬚ |
3.2. Runtime assignment[edit | edit source]
In Cortex-A35 main processor mode, the access rights of the different memory regions are configured by OP-TEE before starting the execution of the firmware running on the other execution contexts.
3.2.1. On STM32MP21x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
Refer to How to assign an internal peripheral to an execution context for more information on how to assign peripherals manually or via STM32CubeMX.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP21 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | ||||
---|---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 nonsecure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 nonsecure (STM32Cube) | |||
Security | RISAF | RISAF1 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions |
RISAF2 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions | ||
RISAF4 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions except its own |
3.2.2. On STM32MP23x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
Refer to How to assign an internal peripheral to an execution context for more information on how to assign peripherals manually or via STM32CubeMX.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP23 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | ||||
---|---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 nonsecure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 nonsecure (STM32Cube) | |||
Security | RISAF | RISAF1 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions |
RISAF2 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions | ||
RISAF4 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions except its own |
3.2.3. On STM32MP25x lines [edit | edit source]
Click on to expand or collapse the legend...
Check boxes illustrate the possible peripheral allocations supported by OpenSTLinux BSP:
- ⬚ means that the peripheral can be assigned to the given runtime context, but this configuration is not supported in OpenSTLinux BSP.
- ☐ means that the peripheral can be assigned to the given runtime context.
- ☑ means that the peripheral is assigned by default to the given runtime context and that the peripheral is mandatory for the OpenSTLinux BSP.
- ✓ is used for system peripherals that cannot be unchecked because they are hardware connected in the device.
Refer to How to assign an internal peripheral to an execution context for more information on how to assign peripherals manually or via STM32CubeMX.
The present chapter describes STMicroelectronics recommendations or choice of implementation. Additional possibilities might be described in STM32MP25 reference manuals.
Domain | Peripheral | Runtime allocation | Comment | |||||
---|---|---|---|---|---|---|---|---|
Instance | Cortex-A35 secure (OP-TEE / TF-A BL31) |
Cortex-A35 nonsecure (Linux) |
Cortex-M33 secure (TF-M) |
Cortex-M33 nonsecure (STM32Cube) |
Cortex-M0+ (STM32Cube) | |||
Security | RISAF | RISAF1 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions | |
RISAF2 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions | |||
RISAF4 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions except its own | |||
RISAF5 | ☑OP-TEE | ⬚ | ☐ | ⬚ | OP-TEE configures all regions |
4. Software frameworks and drivers[edit | edit source]
Below are listed the software frameworks and drivers managing the RISAF peripheral for the embedded software components listed in the above tables.
- TF-A: RISAF driver
- OP-TEE: RISAF driver
- TF-M: RISAF driver
- Linux: RISAF dump driver
5. How to assign and configure the peripheral[edit | edit source]
The STM32CubeMX graphical tool proposes an interface to configure the different RISAF memory regions .
It is possible to select for each region:
- the security level
- the privilege level
- if the region is encrypted or not (depends on RISAF capability)
- the authorized CIDs in read and write
The STM32CubeMX will generate associated device tree configuration for the FSBL and secure OS running on the TDCID processor.
6. References[edit | edit source]