SPU — System protection unit

SPU is the central point in the system to control access to memories, peripherals and other resources.

Listed here are the main features of the SPU:

General concepts

SPU provides a register interface to control the various internal logic blocks that monitor access to memory-mapped slave devices (RAM, flash, peripherals, etc) and other resources (device pins, DPPI channels, etc).

For memory-mapped devices like RAM, flash and peripherals, the internal logic checks the address and attributes (e.g. read, write, execute, secure) of the incoming transfer to block it if necessary. Whether a secure resource can be accessed by a given master is defined:
For a CPU-type master
By the security state of the CPU and the security state reported by the SPU, for the address in the bus transfer
For a non-CPU master
By the security attribute of the master that initiates the transfer, defined by a SPU register
The Figure 1 shows a simplified view of the SPU registers controlling several internal modules.
Figure 1. Simplified view of the protection of RAM, flash and peripherals using SPU
Figure: Simplified view of the SPU protection of RAM, flash and peripherals

The protection logic implements a read-as-zero/write-ignore (RAZ/WI) policy:
  • A blocked read operation will always return a zero value on the bus, preventing information leak
  • A write operation to a forbidden region or peripheral will be ignored

An error is reported through dedicated error signals. For security state violations from an M33 master this will be a SecureFault exception, for other violations this will be an SPU event. The SPU event can be configured to generate an interrupt towards the CPU.

Other resources like pins and DPPI channels are protected by comparing the security attributes of the protected resource with the security attribute of the peripheral that wants to access it. The SPU is the only place where those security attributes can be configured.

Special considerations for ARM TrustZone for Cortex®-M enabled system

For a ARM® TrustZone® for Cortex®-M enabled CPU, the SPU also controls custom logic.

Custom logic is shown as the implementation defined attribution unit (IDAU) in figure Figure 1. Full support is provided for:

  • ARM® TrustZone® for Cortex®-M related instructions, like test target (TT) for reporting the security attributes of a region
  • Non-secure callable (NSC) regions, to implement secure entry points from non-secure code

The SPU provides the necessary registers to configure the security attributes for memory regions and peripherals. However, as a requirement to use the SPU, the secure attribution unit (SAU) needs to be disabled and all memory set as non-secure in the ARM core. This will allow the SPU to control the IDAU and set the security attribution of all addresses as originally intended.

Flash access control

The flash memory space is divided in regions, each of them with configurable permissions settings.

The flash memory space is divided into 64 regions of 16 KiB.

For each region, four different types of permissions can be configured:

Read
Allows data read access to the region. Note that code fetch from this region is not controlled by the read permission but by the execute permission described below.
Write
Allows write or erase access to the region
Execute
Allows code fetch from this region, even if data read is disabled
Secure
Allows only bus accesses with the security attribute set to access the region

Permissions can be set independently. For example, it is possible to configure a flash region to be accessible only through secure transfer, being read-only (no write allowed) and non-executable (no code fetch allowed). For each region, permissions can be set and then locked by using the FLASHREGION[n].PERM.LOCK bit, to prevent subsequent modifications.

Note that the debugger is able to step through execute-protected memory regions.

The following figure shows the flash memory space and the divided regions:

Figure 2. Definition of the N=64 regions, each of 16 KiB, in the flash memory space
Figure: Regions in the flash memory space

Non-secure callable (NSC) region definition in flash

The SPU provides support for the definition of non-secure callable (NSC) sub-regions to allow non-secure to secure function calls.

A non-secure callable sub-region can only exist within an existing secure region and its definition is done using two registers:

  • FLASHNSC[n].REGION, used to select the secure region that will contain the NSC sub-region
  • FLASHNSC[n].SIZE, used to define the size of the NSC sub-region within the secure region

The NSC sub-region will be defined from the highest address in that region, going downwards. Figure below illustrates the NSC sub-regions and the registers used for their definition:

Figure 3. Non-secure callable region definition in the flash memory space
Figure: NSC region definition in the flash memory space

The NSC sub-region will only be defined if:

  • FLASHNSC[i].SIZE value is non zero
  • FLASHNSC[i].REGION defines a secure region

If FLASHNSC[i].REGION and FLASHNSC[j].REGION have the same value, there is only one sub-region defined as NSC, with the size given by the maximum of FLASHNSC[i].SIZE and FLASHNSC[j].SIZE.

If FLASHNSC[i].REGION defines a non-secure region, then there is no non-secure callable region defined and the selected region stays non-secure.

Flash access error reporting

The SPU and the logic controlled by it will respond with a certain behavior once an access violation is detected.

The following will happen once the logic controlled by the SPU detects an access violation on one of the flash ports:

  • The faulty transfer will be blocked
  • In case of a read transfer, the bus will be driven to zero
  • Feedback will be sent to the master through specific bus error signals, if this is supported by the master. Moreover, the SPU will receive an event that can optionally trigger an interrupt towards the CPU.
  • SecureFault exception will be triggered if security violation is detected for access from Cortex®-M33
  • BusFault exception will be triggered when read/write/execute protection violation is detected for Cortex®-M33
  • FLASHACCERR event will be triggered if any access violations are detected for all master types except for Cortex®-M33 security violation

The following table summarizes the SPU behavior based on the type of initiator and access violation:

Table 1. Error reporting for flash access errors
Master type Security violation Read/Write/Execute protection violation
Cortex®-M33 SecureFault exception BusFault exception, FLASHACCERR event
EasyDMA RAZ/WI, FLASHACCERR event RAZ/WI, FLASHACCERR event
Other masters RAZ/WI, FLASHACCERR event RAZ/WI, FLASHACCERR event

For a Cortex®-M33 master, the SecureFault exception will take precedence over the BusFault exception if a security violation occurs simultaneously with another type of violation.

UICR and FICR protections

The user information configuration registers (UICR) and factory information configuration registers (FICR) are always considered as secure. FICR registers are read-only. UICR registers can be read and written by secure code only.

Writing new values to user information configuration registers must follow the procedure described in NVMC — Non-volatile memory controller. Code execution from FICR and UICR address spaces will always be reported as access violation, an exception to this rule applies during a debug session.

RAM access control

The RAM memory space is divided in regions, each of them with configurable permissions settings.

The RAM memory space is divided into 64 regions of 8 KiB.

For each region, four different types of permissions can be configured:

Read
Allows data read access to the region. Code fetch from this region is not controlled by the read permission but by the execute permission described below.
Write
Allows write access to the region
Execute
Allows code fetch from this region
Secure
Allows only bus accesses with the security attribute set to access the region

Permissions can be set independently. For example, it is possible to configure a RAM region to be accessible only through secure transfer, being read-only (no write allowed) and non-executable (no code fetch allowed). For each region, permissions can be set and then locked to prevent subsequent modifications by using the RAMREGION[n].PERM.LOCK bit.

The following figure shows the RAM memory space and the devided regions:

Figure 4. Definition of the N=64 regions, each of 8 KiB, in the RAM memory space
Figure: Region definition in RAM

Non-secure callable (NSC) region definition in RAM

The SPU provides support for the definition of non-secure callable (NSC) sub-regions to allow non-secure to secure function calls.

A non-secure callable sub-region can only exist within an existing secure region and its definition is done using two registers:

  • RAMNSC[n].REGION, used to select the secure region that will contain the NSC sub-region
  • RAMNSC[n].SIZE, used to define the size of the NSC sub-region within the secure region

The NSC sub-region will be defined from the highest address in that region, going downwards. Figure below illustrates the NSC sub-regions and the registers used for their definition:

Figure 5. Non-secure callable region definition in the RAM memory space
Figure: NSC region definition in RAM

The NSC sub-region will only be defined if:

  • RAMNSC[i].SIZE value is non zero
  • RAMNSC[i].REGION defines a secure region

If RAMNSC[i].REGION and RAMNSC[j].REGION have the same value, there is only one sub-region defined as NSC, with the size given by the maximum of RAMNSC[i].SIZE and RAMNSC[j].SIZE.

If RAMNSC[i].REGION defines a non-secure region, then there is no non-secure callable region defined and the selected region stays non-secure.

RAM access error reporting

The SPU and the logic controlled by it will respond with a certain behavior once an access violation is detected.

The following will happen once the logic controlled by the SPU detects an access violation on one of the RAM ports:

  • The faulty transfer will be blocked
  • In case of a read transfer, the bus will be driven to zero
  • Feedback will be sent to the master through specific bus error signals, if this is supported by the master
  • SecureFault exception will be triggered if security violation is detected for access from Cortex®-M33
  • BusFault exception will be triggered when read/write/execute protection violation is detected for Cortex®-M33. The SPU will also generate an event that can optionally trigger an interrupt towards the CPU.
  • RAMACCERR event will be triggered if any access violations are detected for all master types but for Cortex®-M33 security violation

The following table summarizes the SPU behavior based on the type of initiator and access violation:

Table 2. Error reporting for RAM access errors
Master type Security violation Read/Write/Execute protection violation
Cortex®-M33 SecureFault exception BusFault exception, RAMACCERR event
EasyDMA RAZ/WI, RAMACCERR event RAZ/WI, RAMACCERR event
Other masters RAZ/WI, RAMACCERR event RAZ/WI, RAMACCERR event

For a Cortex®-M33 master, the SecureFault exception will take precedence over the BusFault exception if a security violation occurs simultaneously with another type of violation.

Peripheral access control

Access controls are defined by the characteristics of the peripheral.

Peripherals can have their security attribute set as:

Always secure
For a peripheral related to system control
Always non-secure
For some general-purpose peripherals
Configurable
For general-purpose peripherals that may be configured for secure only access

The full list of peripherals and their corresponding security attributes can be found in Memory. For each peripheral with ID n, PERIPHID[n]. PERM will show whether the security attribute for this peripheral is configurable or not.

If not hardcoded, the security attribute can configured using the PERIPHID[id].PERM.

At reset, all user-selectable and split security peripherals are set to be secure, with secure DMA where present.

Secure code can access both secure peripherals and non-secure peripherals.

Peripherals with split security

Peripherals with split security are defined to handle use-cases when both secure and non-secure code needs to control the same resource.

When peripherals with split security have their security attribute set to non-secure, access to specific registers and bitfields within some registers is dependent on the security attribute of the bus transfer. For example, some registers will not be accessible for a non-secure transfer.

When peripherals with split security have their security attribute set to secure, then only secure transfers can access their registers.

See Instantiation for an overview of split security peripherals. Respective peripheral chapters explain the specific security behavior of each peripheral.

Peripheral address mapping

Peripherals that have non-secure security mapping have their address starting with 0x4XXX_XXXX. Peripherals that have secure security mapping have their address starting with 0x5XXX_XXXX.

Peripherals with a user-selectable security mapping are available at an address starting with:

  • 0x4XXX_XXXX, if the peripheral security attribute is set to non-secure
  • 0x5XXX_XXXX, if the peripheral security attribute is set to secure
Note: Accesses to the 0x4XXX_XXXX address range from secure or non-secure code for a peripheral marked as secure will result in a bus-error.

Secure code accessing the 0x5XXX_XXXX address range of a peripheral marked as non-secure will also result in a bus-error.

Peripherals with a split security mapping are available at an address starting with:

  • 0x4XXX_XXXX for non-secure access and 0x5XXX_XXXX for secure access, if the peripheral security attribute is set to non-secure
    • Secure registers in the 0x4XXX_XXXX range are not visible for secure or non-secure code, and an attempt to access such a register will result in write-ignore, read-as-zero behavior
    • Secure code can access both non-secure and secure registers in the 0x5XXX_XXXX range
  • 0x5XXX_XXXX, if the peripheral security attribute is set to secure

Any attempt to access the 0x5000_0000-0x5FFF_FFFF address range from non-secure code will be ignored and generate a SecureFault exception.

The table below illustrates the address mapping for the three type of peripherals in all possible configurations

Table 3. Peripheral's address mapping in relation to its security-features and configuration
Security-features and configuration Is mapped at 0x4XXX_XXXX? Is mapped at 0x5XXX_XXXX?
Secure peripheral No Yes
Non-secure peripheral Yes No
Split-security peripheral, with attribute=secure No Yes
Split-security peripheral, with attribute=non-secure Yes, restricted functionality Yes

Special considerations for peripherals with DMA master

Peripherals containing a DMA master can be configured so the security attribute of the DMA transfers is different from the security attribute of the peripheral itself. This allows a secure peripheral to do non-secure data transfers to or from the system memories.

The following conditions must be met:

Then it is possible to select the security attribute of the DMA transfers using the field DMASEC (PERIPHID[n].PERM.DMASEC == Secure and PERIPHID[n].PERM.DMASEC == NonSecure) in PERIPHID[n].PERM.

Peripheral access error reporting

Peripherals send error reports once access violation is detected.

The following will happen if the logic controlled by the SPU detects an access violation on one of the peripherals:

  • The faulty transfer will be blocked
  • In case of a read transfer, the bus will be driven to zero
  • Feedback is sent to the master through specific bus error signals, if this is supported by the master. If the master is a processor supporting ARM® TrustZone® for Cortex®-M, a SecureFault exception will be generated for security related errors.
  • The PERIPHACCERR event will be triggered

Pin access control

Access to device pins can be controlled by the SPU. A pin can be declared as secure so that only secure peripherals or secure code can access it. Pins declared as non-secure can be accessed by both secure and non-secure peripherals or code.

The security attribute of each pin can be individually configured in SPU's GPIOPORT[n].PERM register. When the secure attribute is set for a pin, only peripherals that have the secure attribute set will be able to read the value of the pin or change it.

Peripherals can select the pin(s) they need access to through their PSEL register(s). If a peripheral has its attribute set to non-secure, but one of its PSEL registers selects a pin with the attribute set to secure, the SPU controlled logic will ensure that the pin selection is not propagated. In addition, the pin value will always be read as zero, to prevent a non-secure peripheral from obtaining a value from a secure pin. Whereas access to other pins with attribute set as non-secure will not be blocked.

Pins can be assigned to other domains than the application domain by changing the MCUSEL value in the GPIO PIN_CNF[n] register. Domains that do not have a pin assigned to them can neither control that pin nor read its status. Any pin configuration set in a domain that doesn't have ownership of that pin will not take effect until the MCUSEL is updated to assign that pin to the domain. Within each domain, pin access is controlled by that domain's local security configuration and peripheral PSEL registers. This is illustrated in the following figure:

Note: The SPU setting will still count when the APP domain accesses its local GPIO peripheral, as local registers are still writable even though MCUSEL is set to a different domain. Any changes in the APP GPIO peripheral done to a GPIO controlled by another domain will not affect the GPIO pad until MCUSEL is changed to APP.
Figure 6. Pin access for domains other than the application domain
Figure: Pin access for domains other than the application domain

DPPI access control

Access to DPPI channels can be restricted. A channel can be declared as secure so that only secure peripherals can access it.

The security attribute of a DPPI channel is configured in DPPI[n].PERM (n=0..0). When the secure attribute is set for a channel, only peripherals that have the secure attribute set will be able to publish events to this channel or subscribe to this channel to receive tasks.

The DPPI controller peripheral (DPPIC) is a split security peripheral, i.e., its security behavior depends on the security attributes of both the DPPIC and the accessing party. See Special considerations regarding the DPPIC configuration registers for more information about the DPPIC security behavior.

If a non-secure peripheral wants to publish an event on a secure DPPI channel, the channel will ignore the event. If a non-secure peripheral subscribes to a secure DPPI channel, it will not receive any events from this channel. The following figure illustrates the principle of operation of the security logic for a subscribed channel:

Figure 7. Subscribed channel security concept
Figure: Subscribed channel security concept

No error reporting mechanism is associated with the DPPI access control logic.

Special considerations regarding the DPPIC configuration registers

DPPI channels can be enabled, disabled and grouped through the DPPI controller (DPPIC). The DPPIC is a split-security peripheral, and handles both secure and non-secure accesses.

A non-secure peripheral access will only be able to configure and control DPPI channels defined as non-secure in SPU's DPPI[n].PERM register(s). A secure peripheral access can control all DPPI channels, independently of the configuration in the DPPI[n].PERM register(s).

The DPPIC allows the creation of group of channels to be able to enable or disable all channels within a group simultaneously. The security attribute of a group of channels (secure or non-secure) is defined as follows:

  • If all channels (enabled or not) in the group are non-secure, then the group is considered non-secure
  • If at least one of the channels (enabled or not) in the group is secure, then the group is considered secure

A non-secure access to a DPPIC register, or a bitfield controlling a channel marked as secure in DPPI[n].PERM register(s), will be ignored:

  • Write accesses will have no effect
  • Read will always return a zero value

No exceptions are thrown when a non-secure access targets a register or bitfield controlling a secure channel. For example, if the bit i is set in the DPPI[n].PERM register (declaring the DPPI channel i as secure), then:

  • Non-secure write accesses to registers CHEN, CHENSET and CHENCLR will not be able to write to bit i of those registers
  • Non-secure write accesses to registers TASK_CHG[j].EN and TASK_CHG[j].DIS will be ignored if the channel group j contains at least one channel defined as secure (it can be the channel i itself or any channel declared as secured)
  • Non-secure read accesses to registers CHEN, CHENSET and CHENCLR will always read zero for the bit at position i

For the channel configuration registers (DPPIC.CHG[n]), access from non-secure code is only possible if the included channels are all non-secure, whether the channels are enabled or not. If a DPPIC.CHG[g] register included one or more secure channels, then the group gis considered as secure and only a secure transfer can read or write DPPIC.CHG[g]. A non-secure write will be ignored and a non-secure read will return zero.

The DPPIC can subscribe to secure or non-secure channels through SUBSCRIBE_CHG[n] registers in order to trigger task for enabling or disabling groups of channels. But an event from a non-secure channel will be ignored if the group subscribing to this channel is secure. An event from a secure channel can trigger both secure and non-secure tasks.

External domain access control

Other domains with their own CPUs can access peripherals, flash and RAM memories. The SPU allows controlling accesses from those bus masters.

The external domains can access application MCU memories and peripherals. External domains are assigned security attributes as described in register EXTDOMAIN[n].PERM.

Table 4. Register mapping for external domains
Domain Capability register Permission register
Network MCU EXTDOMAIN[n].PERM (n=0..0), SECUREMAPPING field EXTDOMAIN[n].PERM (n=0..0), SECATTR field

The figure below illustrates how the security control units are used to assign security attributes to transfers initiated by the external domains:

Figure 8. Access control from external domains
Figure: Access control from external domains

TrustZone for Cortex-M ID allocation

Flash and RAM regions, as well as non-secure and secure peripherals, are assigned unique TrustZone® IDs.

Note: TrustZone® ID should not be confounded with the peripheral ID used to identify peripherals.

The table below shows the TrustZone® ID allocation:

Table 5. TrustZone ID allocation
Regions TrustZone Cortex-M ID
Flash regions 0..63 0..63
RAM regions 0..63 64..127
UICR 252
FICR 252
CACHEDATA 252
CACHEINFO 252
Non-secure peripherals 253
Secure peripherals 254

Registers

Table 6. Instances
Base address Domain Peripheral Instance Secure mapping DMA security Description Configuration
0x50003000 APPLICATION SPU SPU S NA

System protection unit

   
Table 7. Register overview
Register Offset Security Description
EVENTS_RAMACCERR 0x100  

A security violation has been detected for the RAM memory space

 
EVENTS_FLASHACCERR 0x104  

A security violation has been detected for the flash memory space

 
EVENTS_PERIPHACCERR 0x108  

A security violation has been detected on one or several peripherals

 
PUBLISH_RAMACCERR 0x180  

Publish configuration for event RAMACCERR

 
PUBLISH_FLASHACCERR 0x184  

Publish configuration for event FLASHACCERR

 
PUBLISH_PERIPHACCERR 0x188  

Publish configuration for event PERIPHACCERR

 
INTEN 0x300  

Enable or disable interrupt

 
INTENSET 0x304  

Enable interrupt

 
INTENCLR 0x308  

Disable interrupt

 
CAP 0x400  

Show implemented features for the current device

 
CPULOCK 0x404  

Configure bits to lock down CPU features at runtime

 
EXTDOMAIN[n].PERM 0x440  

Access for bus access generated from the external domain n

List capabilities of the external domain n

 
DPPI[n].PERM 0x480  

Select between secure and non-secure attribute for the DPPI channels.

 
DPPI[n].LOCK 0x484  

Prevent further modification of the corresponding PERM register

 
GPIOPORT[n].PERM 0x4C0  

Select between secure and non-secure attribute for pins 0 to 31 of port n.

Retained

GPIOPORT[n].LOCK 0x4C4  

Prevent further modification of the corresponding PERM register

 
FLASHNSC[n].REGION 0x500  

Define which flash region can contain the non-secure callable (NSC) region n

 
FLASHNSC[n].SIZE 0x504  

Define the size of the non-secure callable (NSC) region n

 
RAMNSC[n].REGION 0x540  

Define which RAM region can contain the non-secure callable (NSC) region n

 
RAMNSC[n].SIZE 0x544  

Define the size of the non-secure callable (NSC) region n

 
FLASHREGION[n].PERM 0x600  

Access permissions for flash region n

 
RAMREGION[n].PERM 0x700  

Access permissions for RAM region n

 
PERIPHID[n].PERM 0x800  

List capabilities and access permissions for the peripheral with ID n

 

EVENTS_RAMACCERR

Address offset: 0x100

A security violation has been detected for the RAM memory space

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

EVENTS_RAMACCERR

   

A security violation has been detected for the RAM memory space

     

NotGenerated

0

Event not generated

     

Generated

1

Event generated

EVENTS_FLASHACCERR

Address offset: 0x104

A security violation has been detected for the flash memory space

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

EVENTS_FLASHACCERR

   

A security violation has been detected for the flash memory space

     

NotGenerated

0

Event not generated

     

Generated

1

Event generated

EVENTS_PERIPHACCERR

Address offset: 0x108

A security violation has been detected on one or several peripherals

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

EVENTS_PERIPHACCERR

   

A security violation has been detected on one or several peripherals

     

NotGenerated

0

Event not generated

     

Generated

1

Event generated

PUBLISH_RAMACCERR

Address offset: 0x180

Publish configuration for event RAMACCERR

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID B                                               A A A A A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

CHIDX

 

[255..0]

Channel that event RAMACCERR will publish to.

B RW

EN

     

     

Disabled

0

Disable publishing

     

Enabled

1

Enable publishing

PUBLISH_FLASHACCERR

Address offset: 0x184

Publish configuration for event FLASHACCERR

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID B                                               A A A A A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

CHIDX

 

[255..0]

Channel that event FLASHACCERR will publish to.

B RW

EN

     

     

Disabled

0

Disable publishing

     

Enabled

1

Enable publishing

PUBLISH_PERIPHACCERR

Address offset: 0x188

Publish configuration for event PERIPHACCERR

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID B                                               A A A A A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

CHIDX

 

[255..0]

Channel that event PERIPHACCERR will publish to.

B RW

EN

     

     

Disabled

0

Disable publishing

     

Enabled

1

Enable publishing

INTEN

Address offset: 0x300

Enable or disable interrupt

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                         C B A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

RAMACCERR

   

Enable or disable interrupt for event RAMACCERR

     

Disabled

0

Disable

     

Enabled

1

Enable

B RW

FLASHACCERR

   

Enable or disable interrupt for event FLASHACCERR

     

Disabled

0

Disable

     

Enabled

1

Enable

C RW

PERIPHACCERR

   

Enable or disable interrupt for event PERIPHACCERR

     

Disabled

0

Disable

     

Enabled

1

Enable

INTENSET

Address offset: 0x304

Enable interrupt

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                         C B A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

RAMACCERR

   

Write '1' to enable interrupt for event RAMACCERR

     

Set

1

Enable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

B RW

FLASHACCERR

   

Write '1' to enable interrupt for event FLASHACCERR

     

Set

1

Enable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

C RW

PERIPHACCERR

   

Write '1' to enable interrupt for event PERIPHACCERR

     

Set

1

Enable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

INTENCLR

Address offset: 0x308

Disable interrupt

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                         C B A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

RAMACCERR

   

Write '1' to disable interrupt for event RAMACCERR

     

Clear

1

Disable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

B RW

FLASHACCERR

   

Write '1' to disable interrupt for event FLASHACCERR

     

Clear

1

Disable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

C RW

PERIPHACCERR

   

Write '1' to disable interrupt for event PERIPHACCERR

     

Clear

1

Disable

     

Disabled

0

Read: Disabled

     

Enabled

1

Read: Enabled

CAP

Address offset: 0x400

Show implemented features for the current device

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000001 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1
ID Access Field Value ID Value Description
A R

TZM

   

Show ARM TrustZone status

     

NotAvailable

0

ARM TrustZone support not available

     

Enabled

1

ARM TrustZone support is available

CPULOCK

Address offset: 0x404

Configure bits to lock down CPU features at runtime

Write '1' to any position to set the corresponding lock bit, which will remain set until the next reset

Any '0' writes to this register will be ignored

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                      

E

D

C

B

A

Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

LOCKSVTAIRCR

   

Write '1' to prevent updating the secure interrupt configuration until the next reset

When set to '1', this lock bit prevents changes to:
  • The Secure vector table base address
  • Handling of Secure interrupt priority
  • BusFault, HardFault, and NMI security target

     

Locked

1

Disables writes to the VTOR_S, AIRCR.PRIS, and AIRCR.BFHFNMINS registers

     

Unlocked

0

These registers can be updated

B RW

LOCKNSVTOR

   

Write '1' to prevent updating the non-secure vector table base address until the next reset

When set to '1', this lock bit prevents changes to the Non-secure interrupt vector table base address register VTOR_NS

     

Locked

1

The address of the non-secure vector table is locked

     

Unlocked

0

The address of the non-secure vector table can be updated

C RW

LOCKSMPU

   

Write '1' to prevent updating the secure MPU regions until the next reset

When set to '1', this lock bit prevents changes to programmed Secure MPU memory regions and all writes to the registers are ignored

     

Locked

1

Disables writes to the MPU_CTRL, MPU_RNR, MPU_RBAR, MPU_RLAR, MPU_RBAR_An and MPU_RLAR_An from software or from a debug agent connected to the processor in Secure state

     

Unlocked

0

These registers can be updated

D RW

LOCKNSMPU

   

Write '1' to prevent updating the Non-secure MPU regions until the next reset

When set to '1', this lock bit prevents changes to programmed Non-secure MPU memory regions already programmed. All writes to the registers are ignored

     

Locked

1

Disables writes to the MPU_CTRL_NS, MPU_RNR_NS, MPU_RBAR_NS, MPU_RLAR_NS, MPU_RBAR_A_NSn and MPU_RLAR_A_NSn from software or from a debug agent connected to the processor

     

Unlocked

0

These registers can be updated

E RW

LOCKSAU

   

Write '1' to prevent updating the secure SAU regions until the next reset

When set to '1', this lock bit prevents changes to Secure SAU memory regions already programmed. All writes to the registers are ignored

     

Locked

1

Disables writes to the SAU_CTRL, SAU_RNR, SAU_RBAR and SAU_RLAR registers from software or from a debug agent connected to the processor

     

Unlocked

0

These registers can be updated

EXTDOMAIN[n].PERM (n=0..0)

Address offset: 0x440 + (n × 0x4)

Access for bus access generated from the external domain n

List capabilities of the external domain n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               C       B     A A
Reset 0x00000002 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0
ID Access Field Value ID Value Description
A R

SECUREMAPPING

   

Define configuration capabilities for TrustZone Cortex-M secure attribute

Note: This does not affect DPPI in the external domain

     

NonSecure

0

The bus access from this external domain always have the non-secure attribute set

     

Secure

1

The bus access from this external domain always have the secure attribute set

     

UserSelectable

2

Non-secure or secure attribute for bus access from this domain is defined by the EXTDOMAIN[n].PERM register

B RW

SECATTR

   

Peripheral security mapping

Note: This bit has effect only if EXTDOMAIN[n].PERM.SECUREMAPPING reads as UserSelectable

     

NonSecure

0

Bus accesses from this domain have the non-secure attribute set

     

Secure

1

Bus accesses from this domain have secure attribute set

C RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

DPPI[n].PERM (n=0..0)

Address offset: 0x480 + (n × 0x8)

Select between secure and non-secure attribute for the DPPI channels.

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID f e d c b a Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
Reset 0xFFFFFFFF 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
ID Access Field Value ID Value Description
A-f RW

CHANNEL[i] (i=0..31)

   

Select secure attribute.

     

Secure

1

Channeli has its secure attribute set

     

NonSecure

0

Channeli has its non-secure attribute set

DPPI[n].LOCK (n=0..0)

Address offset: 0x484 + (n × 0x8)

Prevent further modification of the corresponding PERM register

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

LOCK

   

     

Locked

1

DPPI[n].PERM register can't be changed until next reset

     

Unlocked

0

DPPI[n].PERM register content can be changed

GPIOPORT[n].PERM (n=0..1) ( Retained )

Address offset: 0x4C0 + (n × 0x8)

This register is a retained register

Select between secure and non-secure attribute for pins 0 to 31 of port n.

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID f e d c b a Z Y X W V U T S R Q P O N M L K J I H G F E D C B A
Reset 0xFFFFFFFF 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
ID Access Field Value ID Value Description
A-f RW

PIN[i] (i=0..31)

   

Select secure attribute attribute for PIN i.

     

Secure

1

Pin i has its secure attribute set

     

NonSecure

0

Pin i has its non-secure attribute set

GPIOPORT[n].LOCK (n=0..1)

Address offset: 0x4C4 + (n × 0x8)

Prevent further modification of the corresponding PERM register

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                                               A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

LOCK

   

     

Locked

1

GPIOPORT[n].PERM register can't be changed until next reset

     

Unlocked

0

GPIOPORT[n].PERM register content can be changed

FLASHNSC[n].REGION (n=0..1)

Address offset: 0x500 + (n × 0x8)

Define which flash region can contain the non-secure callable (NSC) region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               B    

A

A

A

A

A

A

Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

REGION

   

Region number

B RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

FLASHNSC[n].SIZE (n=0..1)

Address offset: 0x504 + (n × 0x8)

Define the size of the non-secure callable (NSC) region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               B         A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

SIZE

   

Size of the non-secure callable (NSC) region n

     

Disabled

0

The region n is not defined as a non-secure callable region. Normal security attributes (secure or non-secure) are enforced.

     

32

1

The region n is defined as non-secure callable with a 32-byte size

     

64

2

The region n is defined as non-secure callable with a 64-byte size

     

128

3

The region n is defined as non-secure callable with a 128-byte size

     

256

4

The region n is defined as non-secure callable with a 256-byte size

     

512

5

The region n is defined as non-secure callable with a 512-byte size

     

1024

6

The region n is defined as non-secure callable with a 1024-byte size

     

2048

7

The region n is defined as non-secure callable with a 2048-byte size

     

4096

8

The region n is defined as non-secure callable with a 4096-byte size

B RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

RAMNSC[n].REGION (n=0..1)

Address offset: 0x540 + (n × 0x8)

Define which RAM region can contain the non-secure callable (NSC) region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               B    

A

A

A

A

A

A

Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

REGION

   

Region number

B RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

RAMNSC[n].SIZE (n=0..1)

Address offset: 0x544 + (n × 0x8)

Define the size of the non-secure callable (NSC) region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               B         A A A A
Reset 0x00000000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
ID Access Field Value ID Value Description
A RW

SIZE

   

Size of the non-secure callable (NSC) region n

     

Disabled

0

The region n is not defined as a non-secure callable region. Normal security attributes (secure or non-secure) are enforced.

     

32

1

The region n is defined as non-secure callable with a 32-byte size

     

64

2

The region n is defined as non-secure callable with a 64-byte size

     

128

3

The region n is defined as non-secure callable with a 128-byte size

     

256

4

The region n is defined as non-secure callable with a 256-byte size

     

512

5

The region n is defined as non-secure callable with a 512-byte size

     

1024

6

The region n is defined as non-secure callable with a 1024-byte size

     

2048

7

The region n is defined as non-secure callable with a 2048-byte size

     

4096

8

The region n is defined as non-secure callable with a 4096-byte size

B RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

FLASHREGION[n].PERM (n=0..63)

Address offset: 0x600 + (n × 0x4)

Access permissions for flash region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               E       D   C B A
Reset 0x00000017 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1
ID Access Field Value ID Value Description
A RW

EXECUTE

   

Configure instruction fetch permissions from flash region n

     

Enable

1

Allow instruction fetches from flash region n

     

Disable

0

Block instruction fetches from flash region n

B RW

WRITE

   

Configure write permission for flash region n

     

Enable

1

Allow write operation to region n

     

Disable

0

Block write operation to region n

C RW

READ

   

Configure read permissions for flash region n

     

Enable

1

Allow read operation from flash region n

     

Disable

0

Block read operation from flash region n

D RW

SECATTR

   

Security attribute for flash region n

     

Non_Secure

0

Flash region n security attribute is non-secure

     

Secure

1

Flash region n security attribute is secure

E RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

RAMREGION[n].PERM (n=0..63)

Address offset: 0x700 + (n × 0x4)

Access permissions for RAM region n

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID                                               E       D   C B A
Reset 0x00000017 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1
ID Access Field Value ID Value Description
A RW

EXECUTE

   

Configure instruction fetch permissions from RAM region n

     

Enable

1

Allow instruction fetches from RAM region n

     

Disable

0

Block instruction fetches from RAM region n

B RW

WRITE

   

Configure write permission for RAM region n

     

Enable

1

Allow write operation to RAM region n

     

Disable

0

Block write operation to RAM region n

C RW

READ

   

Configure read permissions for RAM region n

     

Enable

1

Allow read operation from RAM region n

     

Disable

0

Block read operation from RAM region n

D RW

SECATTR

   

Security attribute for RAM region n

     

Non_Secure

0

RAM region n security attribute is non-secure

     

Secure

1

RAM region n security attribute is secure

E RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

PERIPHID[n].PERM (n=0..255)

Address offset: 0x800 + (n × 0x4)

List capabilities and access permissions for the peripheral with ID n

Reset values are unique per peripheral instantation. Please refer to the peripheral instantiation table. Entries not listed in the instantiation table are undefined.

Bit number 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
ID F                                             E     D C B B A A
Reset 0x00000012 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0
ID Access Field Value ID Value Description
A R

SECUREMAPPING

   

Define configuration capabilities for TrustZone Cortex-M secure attribute

     

NonSecure

0

This peripheral is always accessible as a non-secure peripheral

     

Secure

1

This peripheral is always accessible as a secure peripheral

     

UserSelectable

2

Non-secure or secure attribute for this peripheral is defined by the PERIPHID[n].PERM register

     

Split

3

This peripheral implements the split security mechanism. Non-secure or secure attribute for this peripheral is defined by the PERIPHID[n].PERM register.

B R

DMA

   

Indicate if the peripheral has DMA capabilities and if DMA transfer can be assigned to a different security attribute than the peripheral itself

     

NoDMA

0

Peripheral has no DMA capability

     

NoSeparateAttribute

1

Peripheral has DMA and DMA transfers always have the same security attribute as assigned to the peripheral

     

SeparateAttribute

2

Peripheral has DMA and DMA transfers can have a different security attribute than the one assigned to the peripheral

C RW

SECATTR

   

Peripheral security mapping

Note: This bit has effect only if PERIPHID[n].PERM.SECUREMAPPING reads as UserSelectable or Split

     

Secure

1

Peripheral is mapped in secure peripheral address space

     

NonSecure

0

If SECUREMAPPING == UserSelectable: Peripheral is mapped in non-secure peripheral address space.

If SECUREMAPPING == Split: Peripheral is mapped in non-secure and secure peripheral address space.

D RW

DMASEC

   

Security attribution for the DMA transfer

Note: This bit has effect only if PERIPHID[n].PERM.SECATTR is set to secure

     

Secure

1

DMA transfers initiated by this peripheral have the secure attribute set

     

NonSecure

0

DMA transfers initiated by this peripheral have the non-secure attribute set

E RW

LOCK

   

     

Unlocked

0

This register can be updated

     

Locked

1

The content of this register can't be changed until the next reset

F R

PRESENT

   

Indicate if a peripheral is present with ID n

     

NotPresent

0

Peripheral is not present

     

IsPresent

1

Peripheral is present


This document was last updated on
2019-12-09.
Please send us your feedback about the documentation! For technical questions, visit the Nordic Developer Zone.