Visible to Intel only — GUID: lbk1710281611239
Ixiasoft
Visible to Intel only — GUID: lbk1710281611239
Ixiasoft
13.4.2.4.3. F2SDRAM Firewall
The MPFE NoC implements a F2SDRAM firewall on the output of the MPFE_TBU that support 8 memory regions. The firewall region can be configured by software to be as small as 64 kbytes or as large as 128 Gbytes, aligned to a 64 kbyte boundary.
The F2SDRAM firewall verifies that every fabric transaction sets AxUSER[7:0] to 0xE0 so that soft logic is not able to spoof the master ID of any other requestor like a core, TSN, DMA, and so on, in an attempt to work around the masterID firewall or other security features.
By convention, accesses from F2SDRAM:
- AxUSER[7:0] must be set to 0xE0
- AxUSER[8] = 1, then AxPROT settings are used to determine security
- AxUSER[8] = 0, then AxPROT settings are over-written, and transactions are non-secure
The following registers are associated with the F2SRAM firewall:
- DDR_SCR.region<n>addr_base
- DDR_SCR.region<n>addr_baseext
- DDR_SCR.region<n>addr_limit
- DDR_SCR.region<n>addr_limitext
For the F2SDRAM path, the firewall checks the Secure bit of a transaction (AxPROT[1]) against the Secure state of the slave (AxUSER[8]), as described in the following table.
F2SDRAM AxPROT[1] | AxUSER[8] | Result |
---|---|---|
0 – Secure | 0 | Non-Secure – transaction only allowed in 8 regions for F2SDRAM |
0 – Secure | 1 | Secure – transaction allowed for entire SDRAM space |
1 – Non-Secure | 0 | Non-Secure – transaction only allowed in 8 regions for F2SDRAM |
1 – Non-Secure | 1 | Non-Secure – transaction only allowed in 8 regions for F2SDRAM |