Functional Description
ARM DDI 0397G
Copyright © 2006-2010 ARM. All rights reserved.
2-20
ID031010
Non-Confidential
Topology issues
Depending on the topology configuration you choose, timing attacks might be
possible. For example, if two cascaded switches share an AXI link, then
continuous non-secure accesses to a non-secure slave might block secure
transactions to a different secure slave.
Resets
It might be possible to carry out an attack on security by resetting only parts of
a data path, whether that is a data path section in an individual clock domain
within a network, or a section within a master or slave.
Slave interface security
At configuration time, each slave interface, whether it belongs to the AXI or AHB protocol, has
the following options for setting the security assignment of all its transactions:
• input from the external master, for AXI masters only
• tied-off to always issue transactions as secure
• tied-off to always issue transactions as non-secure.
Internal programmers view
The programmers view is always secure access only. Any non-secure transaction intended to
access a register, input to a configuration, returns a DECERR, and no register access is provided.
Note
If you configure a dedicated configuration port to gain access to the GPV, then you must connect
it to a secure master, or have a security check that is external to the AMBA Network
Interconnect.
Security checking for master interfaces
You can configure each master interface to be:
Always secure
The master rejects non-secure transactions.
Always non-secure
The master accepts both secure and non-secure transactions.
Boot secure
You can use software to configure whether it permits secure and non-secure
transactions to access components attached to this master using the Always
secure and Always non-secure options above.
Note
• If you change the security of a master interface, the change does not occur simultaneously
  for all the masters in the system because of the distributed nature of the GPV.
• Outstanding transactions, or active lock sequences, underway within the network at the
  time of the security update use the old security settings for their security check.
For an APB master interface, where multiple slaves exist on a single interface, each APB slave
has its own security check.
If an incoming transaction is non-secure, either because the slave interface is configured to be
non-secure or because the input security bit is set to be non-secure, and that transaction is
intended for a master interface that is currently secure, then the transaction is returned with a
DECERR and is not transferred to the slave.
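The following Python model is an added example, not part of the ARM manual. It encodes the slave interface, master interface and programmers view checks described above so that a planned configuration can be audited for the paths a non-secure transaction can take. The interface names, the sample configuration and the `sw_nonsecure` flag are constructed for illustration, and the model assumes that a Boot secure interface starts out secure until software changes it.

```python
from dataclasses import dataclass

# Slave interface security assignment and master interface security options.
FROM_MASTER, TIED_SECURE, TIED_NONSECURE = "from_master", "tied_secure", "tied_nonsecure"
ALWAYS_SECURE, ALWAYS_NONSECURE, BOOT_SECURE = "always_secure", "always_nonsecure", "boot_secure"

@dataclass
class SlaveIf:
    name: str
    protocol: str   # "AXI" or "AHB"
    security: str

@dataclass
class MasterIf:
    name: str
    security: str
    sw_nonsecure: bool = False  # hypothetical flag; assumes Boot secure starts secure

def is_nonsecure(si, input_nonsecure):
    """Security of a transaction as issued by the slave interface."""
    if si.security == FROM_MASTER:
        if si.protocol != "AXI":
            raise ValueError(f"{si.name}: external security input is for AXI masters only")
        return input_nonsecure
    return si.security == TIED_NONSECURE  # tied-off interfaces ignore the input

def currently_secure(mi):
    if mi.security == BOOT_SECURE:
        return not mi.sw_nonsecure
    return mi.security == ALWAYS_SECURE

def response(si, mi, input_nonsecure=False):
    """DECERR when a non-secure transaction targets a currently secure master interface."""
    return "DECERR" if is_nonsecure(si, input_nonsecure) and currently_secure(mi) else "OKAY"

def gpv_response(si, input_nonsecure=False):
    """The programmers view is secure access only."""
    return "DECERR" if is_nonsecure(si, input_nonsecure) else "OKAY"

def nonsecure_reach(slave_ifs, master_ifs):
    """Audit: every (slave interface, master interface) pair open to non-secure traffic."""
    return [(s.name, m.name) for s in slave_ifs for m in master_ifs
            if is_nonsecure(s, True) and not currently_secure(m)]

# Constructed sample configuration.
SLAVES = [SlaveIf("cpu", "AXI", FROM_MASTER), SlaveIf("dma", "AHB", TIED_NONSECURE),
          SlaveIf("dbg", "AHB", TIED_SECURE)]
MASTERS = [MasterIf("keystore", ALWAYS_SECURE), MasterIf("dram", ALWAYS_NONSECURE),
           MasterIf("sram", BOOT_SECURE)]
```

Calling `nonsecure_reach(SLAVES, MASTERS)` lists the pairs to review. The model does not cover the window in which outstanding transactions are still checked against the old settings after a security update.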