Re: [PATCH 1/7] dt-bindings: soc: st: document the RISAB firewall peripheral

[Gatien CHEVALLIER]

On 2/17/26 21:06, Krzysztof Kozlowski wrote:
> On 17/02/2026 14:12, Gatien CHEVALLIER wrote:
> > On 2/13/26 16:06, Krzysztof Kozlowski wrote:
> > > On 10/02/2026 10:55, Gatien CHEVALLIER wrote:
> > > > > > +  memory-region:
> > > > > > +    minItems: 1
> > > > > > +    maxItems: 32
> > > > > > +    description:
> > > > > > +      Phandle to nodes describing memory regions to be configured in the RISAB
> > > > > > +      by the trusted domain of at least a RISAB page size.
> > > > > > +      These regions cannot overlap. A zone must be within st,mem-map range and
> > > > > > +      can be represented by one or more pages.
> > > > > > +
> > > > > > +  st,mem-map:
> > > > > > +    $ref: /schemas/types.yaml#/definitions/uint32-array
> > > > > > +    description: Memory address range covered by the RISAB.
> > > > > > +    items:
> > > > > > +      - description: Memory range base address
> > > > > > +      - description: Memory range size
> > > > >
> > > > > Why do you need this property if you have memory-region already? This
> > > > > also should be part of <reg>, although this mixing with memory-region is
> > > > > anyway confusing.
> > > >
> > > > The RISAB is a memory firewall peripheral covering internal RAMs. It is
> > > > possible to configure multiple memory regions within these RAMs (done by
> > > > the Trusted Domain) with security, privilege and compartment isolation.
> > > > This peripheral allow 4kBytes page granularity. Each page can hold
> > > > different access rights, with 32 pages at most (hence the maxItems: 32).
> > > > That is some information that can be added to the documentation.
> > > >
> > > > Moreover, when a region is delegated to a non-secure privileged
> > > > component, this component can configure the privilege level necessary to
> > > > access the region.
> > > >
> > > > This property gives me the opportunity to get the memory range covered
> > > > by the RISAB. "reg" here is used to access the actual RISAB registers
> > > > holding the configuration.
> > >
> > > Looks awfully like memory regions still :/
> >
> > IIUC the memory-region property references memory regions within
> > a reserved memory. Which is not really what I want to describe
> > here as I want to get the boundaries of the whole range. The
> > memory-region property would be used by the Trusted Domain / kernel
> > to get each regions (or only one that represents the whole range) of the
> > internal RAM to apply desired access rights to them / use them.
> >
> > Describing the memory range using a reserved memory would make the
> > kernel exclude this memory range from the normal usage, no?
>
> In general yes, but also depends on the use case/drivers/purpose. I do
> not understand why would you mark some memory for generic use by kernel
> (so not reserved for specific purpose) and still configure it somehow
> for trusted firmware to allow secure read/write access.
>
> If you mark some part of memory as a meaning for TF for secure access,
> you already claim it is not a generic memory. Otherwise TF just writes
> all over malloced() pages?

While the Trusted Domain applies the configuration, it is entirely
possible for the Trusted domain to give himself access to, let's say,
the first RISAB page to store whatever data, and give the rest to the
kernel. Actually, this is what we do to store OTP data mirrors
or DDR context and give the rest to the kernel or the co-processor.

Now, using internal RAM for generic use by the kernel is unlikely but
I have in mind the last firewall controller of the stm32mp2x platforms,
which is the RISAF. It has the same purpose as the RISAB but for
external memories. One protects the DDR so I do want DDR regions as
accessible for general use (memory node).

This property allows me to describe the boundaries of what is protected
without having to imply anything from frameworks about the regions as I
have no way of knowing what is accessible and what is not.

> > I think declaring a "boundaries" memory region with no usage for the
> > kernel wouldn't make sense. The kernel may not be able to access the
> > whole memory range.
>
> I don't understand that. reserved-memory is for cases with "no usage for
> the kernel", so it would perfectly make sense.

> Look what your description said:
>
> "used to protect internal RAMs by applying access"

Yes, access rights are applied by the Trusted Domain. These firewalls
are very flexible because access rights on secure and privilege levels
along with Compartment ID (SoC is divided into multiple compartments
holding a compartment ID) can be configured. Some bits of the
firewall configuration can also be delegated. e.g: When a memory
region is configured for privileged, non-secure access for the
cortex running Linux; then the kernel could reconfigure the
privilege level (unlikely but feasible).

It would be quite complex to explain the whole mechanism without
pointing to some documentation [1].

Anyway, access rights are applied, but access may very well be given to
the privileged non-secure compartment running the kernel. Meaning that
only the kernel can access such memory. Not the Trusted Domain, not the
user-space, not the co-processor.

So you could give some bits of internal RAM to the kernel for whatever
purpose you'd like (Storing particular data you want to keep in some
low-power mode, etc...).


[1]: https://wiki.st.com/stm32mpu/wiki/Resource_Isolation_Framework_overview

> and
>
> " a trusted domain, or the domain to whom the page configuration has
> been delegated,"
>
> so how it is not a dedicated, special memory delegated to specific
> devices and/or TF?

The memory is delegated to some contexts. These can be the processor
running Linux, a co-processor, some initiator ports of peripherals
having DMAs, etc...

> Best regards,
> Krzysztof