13.4.2.4.2. Initiator-to-CSR Firewall
The CHI protocol no longer supports a user/privilege indication like the AXI AxPROT[0] signal. This is because rich operating systems and hypervisors have a large attack surface that could potentially be compromised to circumvent system security. Therefore, only secure transactions from trusted software should be allowed to modify the system configuration.
To that end, the CSRs for the IOBank0, IOBank1, MPFE NoC sideband manager, probes, and QoS can only be accessed by secure transactions. A firewall checks the secure bit of each transaction against the secure state of the slave. A transaction that passes the firewall proceeds normally to the slave. A transaction that fails the firewall receives an error response with random data and is never presented to the slave interface.
The following registers are associated with the CSR Firewall:
- MPFE_SCR.noc_csr[mpu]
- MPFE_SCR.noc_csr[f2h]

Transaction Security Bit | noc_csr[mpu] | Result |
---|---|---|
0 – Secure | 0 – Secure | Pass – transaction sent to target |
0 – Secure | 1 – Non-Secure | Pass – transaction sent to target |
1 – Non-Secure | 0 – Secure | Fail |
1 – Non-Secure | 1 – Non-Secure | Pass – transaction sent to target |

Transaction Security Bit | noc_csr[f2h] | Result |
---|---|---|
0 – Secure | 0 – Secure | Pass – transaction sent to target |
0 – Secure | 1 – Non-Secure | Pass – transaction sent to target |
1 – Non-Secure | 0 – Secure | Fail |
1 – Non-Secure | 1 – Non-Secure | Pass – transaction sent to target |