The TZASC has the following considerations relating to change in programmers view on an active system:
When changing the setting of a TZASC region,
The current accepted AXI transaction, if it falls into that region, would act according to the previous settings for that region.
Any other outstanding AXI transactions, that falls into that region, would effect by the new settings for that region.
Given little ability to predict that the mentioned AXI transactions would effect, it is obviously desirable that there are no outstanding AXI transactions when a regions setting are changed.
In simple systems this can potentially be achieved by the core not accessing the given region during the period of the cores transition between security states. Even in these cases, the status of cached data and instructions needs to be considered.
In more complicated systems the code that changes the TZASC region settings must have to inform other AXI bus masters to desist or complete acting on that region before performing the region setting changes. After having such an action acknowledged the code must also have to instigate a suitable delay before then acting.
An example of this can be an LCD controller dealing with a frame buffer that is switching between a Normal world and Secure world use.
There is no direct mechanism to ascertain if there are any outstanding AXI transactions, and so the designer must use their system knowledge to apply reasonable mechanisms.
It is recommended that any DECERR, or TZASC interrupt handler is designed to expect, and potentially ignore events generated under these circumstances.