External Memory Interface Handbook Volume 3: Reference Material: For UniPHY-based Device Families

ID 683841
Date 3/06/2023
Public

4.6.4.8. Memory Protection

The single-port controller has address protection to allow the software to configure basic protection of memory from all masters in the system. If the system has been designed exclusively with AMBA masters, TrustZone® is supported. Ports that use Avalon-MM can be configured for port-level protection.

Memory protection is based on physical addresses in memory. The single-port controller can configure up to 20 rules to allow or prevent masters from accessing a range of memory based on their AxIDs, level of security and the memory region being accessed. If no rules are matched in an access, then default settings take effect.

The rules are stored in an internal protection table and can be accessed through indirect addressing offsets in the protruledwr register in the CSR. To read a specific rule, set the readrule bit and write the appropriate offset in the ruleoffset field of the protruledwr register.

To write a new rule, three registers in the CSR must be configured:

  1. The protportdefault register is programmed to control the default behavior of memory accesses when no rules match. When a bit is clear, all default accesses from that port pass. When a bit is set, all default accesses from that port fail. The bits are assigned as follows:

    Table 32. protportdefault register

    | Bits | Description |
    |------|-------------|
    | 31:10 | Reserved |
    | 9 | When this bit is set to 1, deny CPU writes during a default transaction. When this bit is clear, allow CPU writes during a default transaction. |
    | 8 | When this bit is set to 1, deny L3 writes during a default transaction. When this bit is clear, allow L3 writes during a default transaction. |
    | 7 | When this bit is set to 1, deny CPU reads during a default transaction. When this bit is clear, allow CPU reads during a default transaction. |
    | 6 | When this bit is set to 1, deny L3 reads during a default transaction. When this bit is clear, allow L3 reads during a default transaction. |
    | 5:0 | When a bit is set to 1, deny accesses from the corresponding FPGA-to-SDRAM port (ports 0 through 5) during a default transaction. When a bit is clear, allow accesses from the corresponding FPGA-to-SDRAM port (ports 0 through 5) during a default transaction. |

  2. The protruleid register gives the bounds of the AxID value that allows an access.
  3. The protruledata register configures the specific security characteristics for a rule.

Once the registers are configured, they can be committed to the internal protection table by programming the ruleoffset field and setting the writerule bit in the protruledwr register.

Secure and non-secure regions are specified by rules containing a starting address and ending address with 1 MB boundaries for both addresses. You can override the port defaults and allow or disallow all transactions.

The following table lists the fields that you can specify for each rule.

Table 33. Fields for Rules in Memory Protection Table

| Field | Width | Description |
|-------|-------|-------------|
| Valid | 1 | Set to 1 to activate the rule. Set to 0 to deactivate the rule. |
| Port Mask ⁷ | 10 | Specifies the set of ports to which the rule applies, with one bit representing each port, as follows: bits 0 to 5 correspond to FPGA fabric ports 0 to 5, bit 6 corresponds to AXI L3 interconnect read, bit 7 is the CPU read, bit 8 is L3 interconnect write, and bit 9 is the CPU write. |
| AxID_low ⁷ | 12 | Low transfer AxID of the rules to which this rule applies. Incoming transactions match if they are greater than or equal to this value. Ports with smaller AxIDs have the AxID shifted to the lower bits and zero padded at the top. |
| AxID_high ⁷ | 12 | High transfer AxID of the rules to which this rule applies. Incoming transactions match if they are less than or equal to this value. |
| Address_low | 12 | Points to a 1 MB block and is the lower address. Incoming addresses match if they are greater than or equal to this value. |
| Address_high | 12 | Upper limit of address. Incoming addresses match if they are less than or equal to this value. |
| Protection | 2 | A value of 0x0 indicates that the rule applies to non-secure transactions; a value of 0x1 indicates the rule applies to non-secure transactions. Values 0x2 and 0x3 set the region to shared, meaning both secure and non-secure accesses are valid. |
| Fail/allow | 1 | Set this value to 1 to force the operation to fail or succeed. |

Each port has a default access status of either allow or fail. Rules with the opposite allow/fail value can override the default. The system evaluates each transaction against every rule in the memory protection table. If a transaction arrives at a port that defaults to access allowed, it fails only if a rule with the fail bit matches the transaction. Conversely, if a transaction arrives at a port that has the default rule set to access denied, it is allowed only if there is a matching rule that forces access allowed. Transactions that fail the protection rules return a slave error (SLVERR).
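The evaluation described above can be modelled in software to check a planned rule set before it is programmed. The following C model is an added example, not Intel code: the struct layouts, function names, symbolic Protection values (register encodings are not modelled) and the sample policy are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
/* Port numbers follow the bit order given for protportdefault and Port Mask. */
enum port { FPGA0 = 0, FPGA1 = 1, L3_RD = 6, CPU_RD = 7, L3_WR = 8, CPU_WR = 9 };
enum prot { PROT_SECURE, PROT_NONSECURE, PROT_SHARED }; /* symbolic only */

struct rule {                      /* hypothetical software view of one rule */
    bool valid;
    uint16_t port_mask;            /* 10 bits, one per port */
    uint16_t axid_low, axid_high;  /* inclusive AxID bounds */
    uint16_t addr_low, addr_high;  /* inclusive bounds, in 1 MB blocks */
    enum prot prot;
    bool fail;                     /* true = force fail, false = force allow */
};
struct txn { enum port port; uint16_t axid; uint32_t addr; bool secure; };

static bool rule_matches(const struct rule *r, const struct txn *t)
{
    uint16_t block = (uint16_t)(t->addr >> 20);   /* 1 MB granularity */
    bool sec_ok = r->prot == PROT_SHARED ||
                  r->prot == (t->secure ? PROT_SECURE : PROT_NONSECURE);
    return r->valid && ((r->port_mask >> t->port) & 1u) && sec_ok &&
           t->axid >= r->axid_low && t->axid <= r->axid_high &&
           block >= r->addr_low && block <= r->addr_high;
}

/* true = access passes, false = SLVERR. Rules have no priority: any matching
 * rule whose fail/allow value is opposite to the port default overrides it. */
bool access_allowed(uint32_t protportdefault, const struct rule *tbl,
                    unsigned n, const struct txn *t)
{
    bool default_deny = (protportdefault >> t->port) & 1u;
    for (unsigned i = 0; i < n; i++)
        if (tbl[i].fail != default_deny && rule_matches(&tbl[i], t))
            return default_deny;   /* deny becomes allow, allow becomes fail */
    return !default_deny;
}

/* Constructed sample policy: FPGA ports default-deny, CPU and L3 default-allow. */
static const uint32_t SAMPLE_DEFAULT = 0x03F;
static const struct rule SAMPLE_RULES[] = {
    { true, 0x001, 0x000, 0xFFF, 0x100, 0x1FF, PROT_SHARED,    false },
    { true, 0x3C0, 0x000, 0xFFF, 0x000, 0x00F, PROT_NONSECURE, true  },
};
bool sample_check(enum port p, uint16_t axid, uint32_t addr, bool secure)
{
    struct txn t = { p, axid, addr, secure };
    return access_allowed(SAMPLE_DEFAULT, SAMPLE_RULES, 2, &t);
}
```

In the sample policy, FPGA port 0 reaches only the 1 MB blocks 0x100 through 0x1FF, and non-secure CPU or L3 accesses to the first 16 MB return SLVERR while secure accesses to the same range pass.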

The recommended sequence for writing a rule is:

  1. Write the protruledwr register fields as follows:
    • ruleoffset = offset selected by the user that points to an indirect offset in the internal protection table
    • writerule = 0
    • readrule = 0
  2. Write the protruleaddr, protruleid, and protruledata registers to configure the rule you want to enforce.
  3. Write the protruledwr register fields as follows:
    • ruleoffset = offset of the rule that needs to be written
    • writerule = 1
    • readrule = 0

Similarly, the recommended sequence for reading a rule is:

  1. Write the protruledwr register fields as follows:
    • ruleoffset = offset of the rule that needs to be written
    • writerule = 0
    • readrule = 0
  2. Write the protruledwr register fields as follows:
    • ruleoffset = offset of the rule that needs to be read
    • writerule = 0
    • readrule = 1
  3. Read the values of the protruleaddr, protruleid, and protruledata registers to determine the rule parameters.

The following figure represents an overview of how the protection rules are applied. There is no priority among the 20 rules. All rules are always evaluated in parallel.

Figure 47. SDRAM Protection Access Flow Diagram

Exclusive transactions are security checked on the read operation only. A write operation can occur only if a valid read is marked in the internal exclusive table. Consequently, a master performing an exclusive read followed by a write can write to memory only if the exclusive read was successful.

⁷ Although AxID and Port Mask could be redundant, including both in the table allows possible compression of rules. If masters connected to a port do not have contiguous AxIDs, a port-based rule might be more efficient than an AxID-based rule, in terms of the number of rules needed.