Re: [PATCH 1/7] dt-bindings: soc: st: document the RISAB firewall peripheral

[Krzysztof Kozlowski]

On 18/02/2026 11:38, Gatien CHEVALLIER wrote:
> 
> 
> On 2/17/26 21:06, Krzysztof Kozlowski wrote:
>> On 17/02/2026 14:12, Gatien CHEVALLIER wrote:
>>>
>>>
>>> On 2/13/26 16:06, Krzysztof Kozlowski wrote:
>>>> On 10/02/2026 10:55, Gatien CHEVALLIER wrote:
>>>>>>> +  memory-region:
>>>>>>> +    minItems: 1
>>>>>>> +    maxItems: 32
>>>>>>> +    description:
>>>>>>> +      Phandle to nodes describing memory regions to be configured in the RISAB
>>>>>>> +      by the trusted domain of at least a RISAB page size.
>>>>>>> +      These regions cannot overlap. A zone must be within st,mem-map range and
>>>>>>> +      can be represented by one or more pages.
>>>>>>> +
>>>>>>> +  st,mem-map:
>>>>>>> +    $ref: /schemas/types.yaml#/definitions/uint32-array
>>>>>>> +    description: Memory address range covered by the RISAB.
>>>>>>> +    items:
>>>>>>> +      - description: Memory range base address
>>>>>>> +      - description: Memory range size
>>>>>>
>>>>>> Why do you need this property if you have memory-region already? This
>>>>>> also should be part of <reg>, although this mixing with memory-region is
>>>>>> anyway confusing.
>>>>>>
>>>>>
>>>>> The RISAB is a memory firewall peripheral covering internal RAMs. It is
>>>>> possible to configure multiple memory regions within these RAMs (done by
>>>>> the Trusted Domain) with security, privilege and compartment isolation.
>>>>> This peripheral allow 4kBytes page granularity. Each page can hold
>>>>> different access rights, with 32 pages at most (hence the maxItems: 32).
>>>>> That is some information that can be added to the documentation.
>>>>>
>>>>> Moreover, when a region is delegated to a non-secure privileged
>>>>> component, this component can configure the privilege level necessary to
>>>>> access the region.
>>>>>
>>>>> This property gives me the opportunity to get the memory range covered
>>>>> by the RISAB. "reg" here is used to access the actual RISAB registers
>>>>> holding the configuration.
>>>>
>>>> Looks awfully like memory regions still :/
>>>>
>>>
>>> IIUC the memory-region property references memory regions within
>>> a reserved memory. Which is not really what I want to describe
>>> here as I want to get the boundaries of the whole range. The
>>> memory-region property would be used by the Trusted Domain / kernel
>>> to get each regions (or only one that represents the whole range) of the
>>> internal RAM to apply desired access rights to them / use them.
>>>
>>> Describing the memory range using a reserved memory would make the
>>> kernel exclude this memory range from the normal usage, no?
>>
>> In general yes, but also depends on the use case/drivers/purpose. I do
>> not understand why would you mark some memory for generic use by kernel
>> (so not reserved for specific purpose) and still configure it somehow
>> for trusted firmware to allow secure read/write access.
>>
>> If you mark some part of memory as a meaning for TF for secure access,
>> you already claim it is not a generic memory. Otherwise TF just writes
>> all over malloced() pages?
>>
> 
> While the Trusted Domain applies the configuration, it is entirely
> possible for the Trusted domain to give himself access to, let's say,
> the first RISAB page to store whatever data, and give the rest to the
> kernel. Actually, this is what we do to store OTP data mirrors

And what happens with the rest of that memory? Why the first page cannot
be the reserved region?

> or DDR context and give the rest to the kernel or the co-processor.
> 
> Now, using internal RAM for generic use by the kernel is unlikely but
> I have in mind the last firewall controller of the stm32mp2x platforms,
> which is the RISAF. It has the same purpose as the RISAB but for
> external memories. One protects the DDR so I do want DDR regions as
> accessible for general use (memory node).
> 
> This property allows me to describe the boundaries of what is protected
> without having to imply anything from frameworks about the regions as I
> have no way of knowing what is accessible and what is not.

Frameworks do not matter here - we don't even talk about them yet.

You want to describe boundaries of some dedicated memory region and you
should not have a custom property for that.

> 
>>>
>>> I think declaring a "boundaries" memory region with no usage for the
>>> kernel wouldn't make sense. The kernel may not be able to access the
>>> whole memory range.
>>
>> I don't understand that. reserved-memory is for cases with "no usage for
>> the kernel", so it would perfectly make sense.
> 
>>
>> Look what your description said:
>>
>> "used to protect internal RAMs by applying access"
> 
> Yes, access rights are applied by the Trusted Domain. These firewalls
> are very flexible because access rights on secure and privilege levels
> along with Compartment ID (SoC is divided into multiple compartments
> holding a compartment ID) can be configured. Some bits of the
> firewall configuration can also be delegated. e.g: When a memory
> region is configured for privileged, non-secure access for the
> cortex running Linux; then the kernel could reconfigure the
> privilege level (unlikely but feasible).
> 
> It would be quite complex to explain the whole mechanism without
> pointing to some documentation [1].
> 
> Anyway, access rights are applied, but access may very well be given to
> the privileged non-secure compartment running the kernel. Meaning that
> only the kernel can access such memory. Not the Trusted Domain, not the
> user-space, not the co-processor.

This implies that if you do not reserve such memory that way, then
Trusted Domain or user-space could just poke and use it...

If kernel explicitly has to tell TD to do something with specific region
of memory, this is somehow a reserved memory. It is distinctive,
special, selected, chosen.
> 
> So you could give some bits of internal RAM to the kernel for whatever
> purpose you'd like (Storing particular data you want to keep in some
> low-power mode, etc...).

All RAM is for that purpose...

> 
> 
> [1]: https://wiki.st.com/stm32mpu/wiki/Resource_Isolation_Framework_overview
> 
>>
>> and
>>
>> " a trusted domain, or the domain to whom the page configuration has
>> been delegated,"
>>
>> so how it is not a dedicated, special memory delegated to specific
>> devices and/or TF?
>>
> 
> The memory is delegated to some contexts. These can be the processor
> running Linux, a co-processor, some initiator ports of peripherals
> having DMAs, etc...
> 

So pretty close to what the purpose of reserved-memory is...

Well, we keep discussing and I am really not convinced. You can try to
catch @Rob tomorrow on IRC and maybe get his approval, but for me this
is clearly some sort of reserved memory thus you cannot go with own
bindings. Another way would be to prove me wrong by using the reserved
memory binding and showing how it could not possible work, ever (such
counter examples sometimes help to look at the problem from a new angle).

Best regards,
Krzysztof