You copied the Doc URL to your clipboard.

3. Functional description

The TZPC provides a software interface to set up memory areas as secure or non-secure. It does this in two ways:

  • Programmable protection bits that can be allocated to areas of memory as determined by an external decoder.

  • Programmable region size value for use by an AXI TrustZone Memory Adapter (TZMA). You can use this to split the RAM into two regions:

    • one secure

    • one non-secure.

This programmable flexibility enables you to reuse a single SoC design for different applications at different times. This enables the best use of memory and other system resources. It is assumed that the specific secure and non-secure requirements for an application are determined during:

  • the SoC boot-up

  • OS or secure kernel port development work.

This means that the secure and non-secure memory partitioning is not expected to change dynamically during normal software operation because it is fixed at compile time and is only configured once during system boot-up. Ensure that this boot-up is always made in secure-state to guarantee full security protection.

The APB protocol does not support protection signals. The TZPC relies on external protection to provide security for its registers. Implement these in a secure AXI-APB bridge or an AXI decoder.

You must use a secure software protocol before relying on any security settings that have been changed. This might include, but is not limited to:

  • verifying that instructions to change the security settings have propagated across the interconnect to their final destination

  • clearing any storage locations that have changed security status

  • flushing caches and page tables

  • stopping other masters.

Figure 2 shows a TZPC configured in a typical TrustZone-enabled design.

Figure 2. Typical configuration

Typical configuration

The other components that Figure 2 shows are:

AXI master

This initiates read and write transactions.

AXI bus infrastructure

This is typically a bus matrix or interconnect. You can use the PrimeCell Configurable AXI Interconnect (PL300) to implement this. See the PrimeCell AXI Configurable Interconnect (Pl300) Technical Reference Manual for more information.

AXI-APB bridge

This connects between the AXI and APB domains. See the PrimeCell Infrastructure AMBA 3 AXI-APB Bridge (BP135) Technical Overview and Design Manual for more information.


This determines the legality of a transaction and blocks it if the TZPC deems it as illegal. See the PrimeCell Infrastructure AMBA 3 AXI TrustZone Memory Adaptor (BP141) Technical Overview and Design Manual for more information.

AXI Memory Interface

This provides a single-port memory interface that you can configure for synchronous SRAM or ROM. See the PrimeCell Infrastructure AMBA 3 AXI memory Interface (BP140) Technical Overview and Design Manual for more information.

Was this page helpful? Yes No