ACL — Access control lists

The Access control lists (ACL) peripheral is designed to assign and enforce access permissions to different regions of the on-chip flash memory map.

Flash memory regions can be assigned individual ACL permission schemes. The following registers are involved:

  • PERM register, where the permissions are configured.
  • ADDR register, where the word-aligned start address for the flash page is defined.
  • SIZE register, where the size of the region the permissions are applied to is determined.
Note: The size of the region in bytes is restricted to a multiple of the flash page size, and the maximum region size is limited to the flash size. See Memory for more information.
Figure 1. Protected regions of on-chip flash memory
Protected regions of on-chip flash memory

There are four defined ACL permission schemes, each with different combinations of read/write permissions, as shown in the following table.

Table 1. Permission schemes
Read Write Protection description
0 0 No protection. Entire region can be executed, read, written, or erased.
0 1 Region can be executed and read, but not written or erased.
1 0 Region can be written and erased, but not executed or read.
1 1 Region is locked for all access until next reset.
Note: If a permission violation to a protected region is detected by the ACL peripheral, the request is blocked and a Bus Fault exception is triggered.

Access control to a configured region is enforced by the hardware two CPU clock cycles after the ADDR, SIZE, and PERM registers for an ACL instance have been successfully written. The protection is only enforced if a valid start address of the flash page boundary is written into the ADDR register, and the values of the SIZE and PERM registers are not zero.

The ADDR, SIZE, and PERM registers can only be written once. All ACL configuration registers are cleared on reset (by resetting the device from any reset source), which is also the only way of clearing the configuration registers. To ensure that the desired permission schemes are always enforced by the ACL peripheral, the device boot sequence must perform the necessary configuration.

Debugger read access to a read-protected region will be Read-As-Zero (RAZ), while debugger write access to a write-protected region will be Write-Ignored (WI).

Registers

Table 2. Instances
Base address Domain Peripheral Instance Secure mapping DMA security Description Configuration
0x41080000 NETWORK ACL ACL NS NA

Access control lists

This ACL can only protect network core's local memory.

 
Table 3. Register overview
Register Offset Security Description
ACL[n].ADDR 0x800  

Start address of region to protect. The start address must be word-aligned.

 
ACL[n].SIZE 0x804  

Size of region to protect counting from address ACL[n].ADDR. Writing a '0' has no effect.

 
ACL[n].PERM 0x808  

Access permissions for region n as defined by start address ACL[n].ADDR and size ACL[n].SIZE

 
ACL[n].UNUSED0 0x80C    

Reserved

ACL[n].ADDR (n=0..7)

Address offset: 0x800 + (n × 0x10)

Start address of region to protect. The start address must be word-aligned.

Note: This register can only be written once.
Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID R/W Field Value ID Value Description
A RW1

ADDR

   

Start address of flash region n. The start address must point to a flash page boundary.

ACL[n].SIZE (n=0..7)

Address offset: 0x804 + (n × 0x10)

Size of region to protect counting from address ACL[n].ADDR. Writing a '0' has no effect.

Note: This register can only be written once.
Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID R/W Field Value ID Value Description
A RW1

SIZE

   

Size of flash region n in bytes. Must be a multiple of the flash page size.

ACL[n].PERM (n=0..7)

Address offset: 0x808 + (n × 0x10)

Access permissions for region n as defined by start address ACL[n].ADDR and size ACL[n].SIZE

Note: This register can only be written once.
Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                           C B
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID R/W Field Value ID Value Description
B RW1

WRITE

   

Configure write and erase permissions for region n. Writing a '0' has no effect.

     

Enable

0

Allow write and erase instructions to region n.

     

Disable

1

Block write and erase instructions to region n.

C RW1

READ

   

Configure read permissions for region n. Writing a '0' has no effect.

     

Enable

0

Allow read instructions to region n.

     

Disable

1

Block read instructions to region n.


This document was last updated on
2023-12-04.
Please send us your feedback about the documentation! For technical questions, visit the Nordic Developer Zone.