Hard Processor System Technical Reference Manual: Agilex™ 5 SoCs

ID 814346
Date 7/19/2024
Public

A newer version of this document is available. Customers should click here to go to the newest version.

Document Table of Contents

13.4.2.4.3. F2SDRAM Firewall

The MPFE NoC implements a F2SDRAM firewall on the output of the MPFE_TBU that support 8 memory regions. The firewall region can be configured by software to be as small as 64 kbytes or as large as 128 Gbytes, aligned to a 64 kbyte boundary.

The F2SDRAM firewall verifies that every fabric transaction sets AxUSER[7:0] to 0xE0 so that soft logic is not able to spoof the master ID of any other requestor like a core, TSN, DMA, and so on, in an attempt to work around the masterID firewall or other security features.

By convention, accesses from F2SDRAM:

  • AxUSER[7:0] must be set to 0xE0
  • AxUSER[8] = 1, then AxPROT settings are used to determine security
  • AxUSER[8] = 0, then AxPROT settings are over-written, and transactions are non-secure
Note:

The following registers are associated with the F2SRAM firewall:

  • DDR_SCR.region<n>addr_base
  • DDR_SCR.region<n>addr_baseext
  • DDR_SCR.region<n>addr_limit
  • DDR_SCR.region<n>addr_limitext

For the F2SDRAM path, the firewall checks the Secure bit of a transaction (AxPROT[1]) against the Secure state of the slave (AxUSER[8]), as described in the following table.

F2SDRAM AxPROT[1] AxUSER[8] Result
0 – Secure 0 Non-Secure – transacation only allowed in 8 regions for F2SDRAM
0 – Secure 1 Secure – transaction allowed for entire SDRAM space
1 – Non-Secure 0 Non-Secure – transacation only allowed in 8 regions for F2SDRAM
1 – Non-Secure 1 Non-Secure – transacation only allowed in 8 regions for F2SDRAM
Note: If AxUSER[8] = 0, then the F2SDRAM master can never get to any regions outside of the 8 regions enabled in the firewall for F2SDRAM access.