Hello,
I'm reading the article "An Exploration of ARM TrustZone Technology" and a question was raised in my head when I reached the subsection "TZPC and TZASC". It is mentioned that by experimenting with the Versatile Express platform some insights were discovered. Namely, TZASC secures physical addresses via SMC (Static Memory Controller), while TZPC secures physical addresses via DMC (Dynamic MC). In summary, TZASC secures on-chip RAM, namely SRAM; and TZPC secures off-chip RAM, namely DRAM.
I don't know if you're familiar with ARM TrustZone documentation, but in this white paper of ARM http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GE..., sections 4.1.4 and 4.1.7 mention the opposite of what was mentioned by your article.
I look forward to your answer about this. I am studying the TrustZone architecture and reading this has just bugged me. I don't know if I'm missing something here.
Thank you in advance, Mohamed Sabt
Hi Mohamed,
On 05/09/2014 04:23 PM, mohamed sabt wrote:
> Hello,
> I'm reading the article "An Exploration of ARM TrustZone Technology" and a question was raised in my head when I reached the subsection "TZPC and TZASC". It is mentioned that by experimenting with the Versatile Express platform some insights were discovered. Namely, TZASC secures physical addresses via SMC (Static Memory Controller), while TZPC secures physical addresses via DMC (Dynamic MC). In summary, TZASC secures on-chip RAM, namely SRAM; and TZPC secures off-chip RAM, namely DRAM.
Well, that is only half correct; let me cite from the article:
"In principle, it should be possible to secure another memory controller by a TZASC too, but on the platform, it is restricted to the SMC. These physical address regions correspond to the I/O resources of peripheral devices, some SRAM, and flash memory. Most of these components are placed on the motherboard."
So with respect to the "Coretile Express A9x4" test SoC from ARM, the TZASC protects off-chip peripherals of the motherboard. The TZASC however is not limited to such a use case, as mentioned too.
With respect to the TZPC: it protects several on-SoC devices including the DMC, which connects to the off-SoC DRAM of the daughterboard. Thereby, the DRAM can only be assigned as a whole to either the secure or the non-secure world.
> I don't know if you're familiar with ARM TrustZone documentation, but in this white paper of ARM http://infocenter.arm.com/help/topic/com.arm.doc.prd29-genc-009492c/PRD29-GE..., sections 4.1.4 and 4.1.7 mention the opposite of what was mentioned by your article.
From my understanding, our article and the mentioned whitepaper don't contradict each other at all. The ARM paper describes that the main reason to use a TZASC "is to partition a single AXI slave, such as an off-SoC DRAM, into multiple security domains". The AXI slave in the case of the Coretile SoC is the SMC, which controls amongst others the motherboard's SRAM. Regarding the TZPC the ARM paper states that: "the TrustZone Protection Controller (TZPC) is a configurable signal control block which can be placed on the APB bus to supply control signals to other components on the SoC". In our article we claim: "The TZPC is used to protect on-chip peripherals (e.g., the TZPC and TZASC themselves) as well as bus accesses to external subsystems." With external bus accesses we mean the access control of the TZPC with regard to the DMC.
> I look forward to your answer about this. I am studying the TrustZone architecture and reading this has just bugged me. I don't know if I'm missing something here.
I hope that clarifies your question.
Regards Stefan
> Thank you in advance, Mohamed Sabt
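As an added illustration of the distinction drawn in the reply above (this is not code from the Genode article, the ARM whitepaper or the thread), the following Python model encodes the two control points: a TZPC signal that switches a whole device such as the DMC for the non-secure world, versus a TZASC that partitions the address space behind one AXI slave such as the SMC into regions. The address map, the class and field names and the "later region wins" overlap rule are constructed assumptions of this model, not the register layout of either controller.

```python
from dataclasses import dataclass, field
SECURE, NONSECURE = "S", "NS"

@dataclass
class TzpcDevice:  # a device the TZPC switches as a whole, per world
    name: str
    base: int
    size: int
    ns_allowed: bool  # True: non-secure world may access the entire device

@dataclass
class TzascRegion:  # one region carved out of a single AXI slave by the TZASC
    base: int
    size: int
    ns_read: bool
    ns_write: bool

@dataclass
class TzascSlave:  # the AXI slave behind the TZASC (the SMC on the Coretile)
    name: str
    base: int
    size: int
    regions: list = field(default_factory=list)  # region 0 acts as background

def check_access(addr, world, write, tzpc_devices, tzasc_slaves):
    """Return (allowed, reason). Model assumptions: secure accesses are never
    restricted; where TZASC regions overlap, the later (higher) region wins."""
    if world == SECURE:
        return True, "secure world: no NS restriction applies"
    for dev in tzpc_devices:  # TZPC: whole-device decision, no sub-ranges
        if dev.base <= addr < dev.base + dev.size:
            return dev.ns_allowed, f"TZPC: {dev.name} ns_allowed={dev.ns_allowed}"
    for slave in tzasc_slaves:  # TZASC: per-region decision inside one slave
        if slave.base <= addr < slave.base + slave.size:
            match = None
            for region in slave.regions:
                if region.base <= addr < region.base + region.size:
                    match = region
            if match is None:
                return False, f"TZASC: {slave.name} address outside every region"
            allowed = match.ns_write if write else match.ns_read
            return allowed, f"TZASC: {slave.name} region at {match.base:#x}"
    return False, "unmapped address"
# Constructed map (not the real Versatile Express layout): all DRAM sits behind the
# DMC, which the TZPC switches as one unit; SRAM/flash sit behind the region-split SMC.
DMC_DRAM = TzpcDevice("DMC/DRAM", 0x60000000, 0x40000000, ns_allowed=True)
SMC = TzascSlave("SMC", 0x00000000, 0x20000000, regions=[
    TzascRegion(0x00000000, 0x20000000, ns_read=True, ns_write=True),    # background
    TzascRegion(0x10000000, 0x00100000, ns_read=False, ns_write=False),  # secure SRAM
])
```

Flipping the single `ns_allowed` flag on `DMC_DRAM` changes the verdict for every DRAM address at once, whereas the SMC can hide just the 1 MiB secure SRAM window while the rest of the slave stays open to the non-secure world.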
Genode-main mailing list Genode-main@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/genode-main