ARM Security Technology Building a Secure System using ...
TrustZone Hardware Architecture

An interrupt managed by the integrated interrupt controller can be configured as a
Secure interrupt by programming the appropriate bits in the Interrupt Security Register.
Once an interrupt has been made Secure, no Non-secure access can modify its
configuration.

All interrupts managed by the integrated interrupt controller are assigned a priority to
determine whether they are allowed to interrupt an exception which is already being
handled by the ARM processor. The hardware ensures that a lower priority interrupt will
wait until a higher priority interrupt has been cleared before it is issued to the processor.
The priority space is partitioned to ensure that Secure interrupts can always be
configured with a higher priority than the Non-secure interrupts. Assigning the Secure
world a high priority interrupt can be used to prevent the Non-secure world performing
a denial-of-service attack against the Secure world using interrupts.

The integrated interrupt controller can support the model described earlier in this
chapter, causing Secure interrupts it controls to generate an FIQ exception and
Non-secure interrupts it controls to generate an IRQ exception. In this case all interrupts
are managed by the integrated interrupt controller, and no direct interrupt generation
from an external interrupt controller is possible. The integrated interrupt controller can
also support a number of legacy configurations which cause the FIQ and/or the IRQ
exceptions to be generated by an external interrupt trigger, bypassing the integrated
interrupt controller completely.

It is possible to independently configure the legacy interrupt generation for FIQ and
IRQ exceptions.
• If legacy mode is enabled only for FIQ exceptions then the integrated controller
  will route both Secure and Non-secure interrupts it controls to the IRQ exception
  vector.
• If legacy mode is enabled only for IRQ exceptions then the integrated controller
  becomes unable to generate exceptions for Non-secure interrupts, and Secure
  interrupts will be routed to the FIQ exception vector.
• If legacy mode is enabled for both FIQ and IRQ exceptions then the integrated
  interrupt controller is bypassed completely.

Note
If they are used in a design, the legacy interrupt input signals to the processor cluster are
typically generated by one or more external interrupt controllers. These external devices
can be secured using the same methods as any other external AXI or APB slaves in a
TrustZone system.
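
The routing rules and the priority partitioning described above can be checked against a planned interrupt configuration. The following C model is an added example, not code from the ARM document: the type, function and constant names are hypothetical, the sample tables are constructed, and it assumes that a lower numeric priority value means a higher priority.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model types for this example; not ARM register definitions. */
typedef enum { EXC_NONE, EXC_IRQ, EXC_FIQ } exc_t;
typedef struct {
    bool secure;        /* marked Secure in the Interrupt Security Register */
    unsigned priority;  /* assumption: lower value = higher priority */
} irq_cfg_t;
enum { PRIORITY_OVERLAP = 1, SHARED_VECTOR = 2, UNDELIVERABLE = 4 };

/* Exception the integrated controller raises for an interrupt it controls. */
exc_t route(bool secure, bool legacy_fiq, bool legacy_irq)
{
    if (legacy_fiq && legacy_irq) return EXC_NONE;       /* controller bypassed */
    if (legacy_fiq) return EXC_IRQ;                      /* both worlds share IRQ */
    if (legacy_irq) return secure ? EXC_FIQ : EXC_NONE;  /* Non-secure not generated */
    return secure ? EXC_FIQ : EXC_IRQ;                   /* Secure=FIQ, Non-secure=IRQ */
}

/* Returns a bitmask of findings for one controller configuration. */
unsigned audit(const irq_cfg_t *cfg, size_t n, bool legacy_fiq, bool legacy_irq)
{
    unsigned findings = 0, worst_secure = 0, best_ns = ~0u;
    bool have_s = false, have_ns = false;
    for (size_t i = 0; i < n; i++) {
        if (cfg[i].secure) {
            have_s = true;
            if (cfg[i].priority > worst_secure) worst_secure = cfg[i].priority;
        } else {
            have_ns = true;
            if (cfg[i].priority < best_ns) best_ns = cfg[i].priority;
        }
        /* The integrated controller cannot raise an exception for this one. */
        if (route(cfg[i].secure, legacy_fiq, legacy_irq) == EXC_NONE)
            findings |= UNDELIVERABLE;
    }
    if (have_s && have_ns) {
        /* Every Secure interrupt must outrank every Non-secure one. */
        if (worst_secure >= best_ns) findings |= PRIORITY_OVERLAP;
        /* Secure and Non-secure interrupts arriving on the same vector. */
        exc_t s = route(true, legacy_fiq, legacy_irq);
        exc_t ns = route(false, legacy_fiq, legacy_irq);
        if (s == ns && s != EXC_NONE) findings |= SHARED_VECTOR;
    }
    return findings;
}

/* Constructed sample tables. */
static const irq_cfg_t SAMPLE_GOOD[] = {{true, 0x10}, {true, 0x20}, {false, 0x80}, {false, 0xA0}};
static const irq_cfg_t SAMPLE_BAD[]  = {{true, 0x90}, {false, 0x80}};
```

A return value of 0 means Secure interrupts outrank all Non-secure ones and each world has its own exception vector; the legacy-FIQ-only case reports SHARED_VECTOR because both worlds then arrive on IRQ.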

3-16 Copyright © 2005-2009 ARM Limited. All rights reserved. PRD29-GENC-009492C
Non-Confidential Unrestricted Access