Intel® Agilex™ Hard Processor System Technical Reference Manual

ID 683567
Date 2/14/2023
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

6.1.2.1.1. Firewall Description

TrustZone is enforced by firewalls implemented on the slave datapath. After reset, every slave on the system interconnect is in the secure state. This feature is referred to as Boot Secure.

To change the security state of a slave requires a secure write to the appropriate SCR.

Firewalls check the secure bit of a transaction against the secure state of the slave. A transaction that passes the Firewall proceeds normally to the slave. A transaction that fails the Firewall results an error response with data set to 0. Transactions that fail the firewall are never presented to the slave interface.

The SCRs, implemented in the system interconnect, control the security state of each slave. The SCR is an internal target on the system interconnect, accessed through the service network. You can configure the slave security state on a per-master basis. This means that the SCR associated with each slave contains multiple secure state bits, one for each master allowed to access it.

Firewalls work in the following order:

  1. Based on the transaction's destination slave, fetch the entire slave SCR.
  2. Based on the transaction's originating master, read the master-specific secure bit in the SCR.
  3. Compare the secure bit with the transaction's secure attribute to determine if the transaction should pass the firewall.

The table below shows how the secure state of a slave is used with the transaction security bit to determine if a transaction passes or fails.

Table 50.  Slave Security Decision Table
Transaction Security Bit Slave Security State (SCR) Result
0–Non-Secure 0–Secure Fail
1–Secure 0–Secure Pass: transaction sent to target
0–Non-Secure 1–Non-Secure Pass: transaction sent to target
1–Secure 1–Non-Secure Pass: transaction sent to target