Re: [PATCH 1/7] dt-bindings: soc: st: document the RISAB firewall peripheral

[Gatien CHEVALLIER]

Hello Krzysztof,

On 2/18/26 21:03, Krzysztof Kozlowski wrote:
> On 18/02/2026 11:38, Gatien CHEVALLIER wrote:
> > On 2/17/26 21:06, Krzysztof Kozlowski wrote:
> > > On 17/02/2026 14:12, Gatien CHEVALLIER wrote:
> > > > On 2/13/26 16:06, Krzysztof Kozlowski wrote:
> > > > > On 10/02/2026 10:55, Gatien CHEVALLIER wrote:
> > > > > > > > +  memory-region:
> > > > > > > > +    minItems: 1
> > > > > > > > +    maxItems: 32
> > > > > > > > +    description:
> > > > > > > > +      Phandle to nodes describing memory regions to be configured in the RISAB
> > > > > > > > +      by the trusted domain of at least a RISAB page size.
> > > > > > > > +      These regions cannot overlap. A zone must be within st,mem-map range and
> > > > > > > > +      can be represented by one or more pages.
> > > > > > > > +
> > > > > > > > +  st,mem-map:
> > > > > > > > +    $ref: /schemas/types.yaml#/definitions/uint32-array
> > > > > > > > +    description: Memory address range covered by the RISAB.
> > > > > > > > +    items:
> > > > > > > > +      - description: Memory range base address
> > > > > > > > +      - description: Memory range size
> > > > > > >
> > > > > > > Why do you need this property if you have memory-region already? This
> > > > > > > also should be part of <reg>, although this mixing with memory-region is
> > > > > > > anyway confusing.
> > > > > >
> > > > > > The RISAB is a memory firewall peripheral covering internal RAMs. It is
> > > > > > possible to configure multiple memory regions within these RAMs (done by
> > > > > > the Trusted Domain) with security, privilege and compartment isolation.
> > > > > > This peripheral allow 4kBytes page granularity. Each page can hold
> > > > > > different access rights, with 32 pages at most (hence the maxItems: 32).
> > > > > > That is some information that can be added to the documentation.
> > > > > >
> > > > > > Moreover, when a region is delegated to a non-secure privileged
> > > > > > component, this component can configure the privilege level necessary to
> > > > > > access the region.
> > > > > >
> > > > > > This property gives me the opportunity to get the memory range covered
> > > > > > by the RISAB. "reg" here is used to access the actual RISAB registers
> > > > > > holding the configuration.
> > > > >
> > > > > Looks awfully like memory regions still :/
> > > >
> > > > IIUC the memory-region property references memory regions within
> > > > a reserved memory. Which is not really what I want to describe
> > > > here as I want to get the boundaries of the whole range. The
> > > > memory-region property would be used by the Trusted Domain / kernel
> > > > to get each regions (or only one that represents the whole range) of the
> > > > internal RAM to apply desired access rights to them / use them.
> > > >
> > > > Describing the memory range using a reserved memory would make the
> > > > kernel exclude this memory range from the normal usage, no?
> > >
> > > In general yes, but also depends on the use case/drivers/purpose. I do
> > > not understand why would you mark some memory for generic use by kernel
> > > (so not reserved for specific purpose) and still configure it somehow
> > > for trusted firmware to allow secure read/write access.
> > >
> > > If you mark some part of memory as a meaning for TF for secure access,
> > > you already claim it is not a generic memory. Otherwise TF just writes
> > > all over malloced() pages?
> >
> > While the Trusted Domain applies the configuration, it is entirely
> > possible for the Trusted domain to give himself access to, let's say,
> > the first RISAB page to store whatever data, and give the rest to the
> > kernel. Actually, this is what we do to store OTP data mirrors
>
> And what happens with the rest of that memory? Why the first page cannot
> be the reserved region?

First page should be a reserved memory. As the rest should be. Maybe we
have misunderstood each other here.

> > or DDR context and give the rest to the kernel or the co-processor.
> >
> > Now, using internal RAM for generic use by the kernel is unlikely but
> > I have in mind the last firewall controller of the stm32mp2x platforms,
> > which is the RISAF. It has the same purpose as the RISAB but for
> > external memories. One protects the DDR so I do want DDR regions as
> > accessible for general use (memory node).
> >
> > This property allows me to describe the boundaries of what is protected
> > without having to imply anything from frameworks about the regions as I
> > have no way of knowing what is accessible and what is not.
>
> Frameworks do not matter here - we don't even talk about them yet.
>
> You want to describe boundaries of some dedicated memory region and you
> should not have a custom property for that.
>
> > > > I think declaring a "boundaries" memory region with no usage for the
> > > > kernel wouldn't make sense. The kernel may not be able to access the
> > > > whole memory range.
> > >
> > > I don't understand that. reserved-memory is for cases with "no usage for
> > > the kernel", so it would perfectly make sense.
> >
> > > Look what your description said:
> > >
> > > "used to protect internal RAMs by applying access"
> >
> > Yes, access rights are applied by the Trusted Domain. These firewalls
> > are very flexible because access rights on secure and privilege levels
> > along with Compartment ID (SoC is divided into multiple compartments
> > holding a compartment ID) can be configured. Some bits of the
> > firewall configuration can also be delegated. e.g: When a memory
> > region is configured for privileged, non-secure access for the
> > cortex running Linux; then the kernel could reconfigure the
> > privilege level (unlikely but feasible).
> >
> > It would be quite complex to explain the whole mechanism without
> > pointing to some documentation [1].
> >
> > Anyway, access rights are applied, but access may very well be given to
> > the privileged non-secure compartment running the kernel. Meaning that
> > only the kernel can access such memory. Not the Trusted Domain, not the
> > user-space, not the co-processor.
>
> This implies that if you do not reserve such memory that way, then
> Trusted Domain or user-space could just poke and use it...
>
> If kernel explicitly has to tell TD to do something with specific region
> of memory, this is somehow a reserved memory. It is distinctive,
> special, selected, chosen.
> > So you could give some bits of internal RAM to the kernel for whatever
> > purpose you'd like (Storing particular data you want to keep in some
> > low-power mode, etc...).
>
> All RAM is for that purpose...

Not really, some RAMs can be powered off during some low-power modes.

> > [1]: https://wiki.st.com/stm32mpu/wiki/Resource_Isolation_Framework_overview
> >
> > > and
> > >
> > > " a trusted domain, or the domain to whom the page configuration has
> > > been delegated,"
> > >
> > > so how it is not a dedicated, special memory delegated to specific
> > > devices and/or TF?
> >
> > The memory is delegated to some contexts. These can be the processor
> > running Linux, a co-processor, some initiator ports of peripherals
> > having DMAs, etc...
>
> So pretty close to what the purpose of reserved-memory is...
>
> Well, we keep discussing and I am really not convinced. You can try to
> catch @Rob tomorrow on IRC and maybe get his approval, but for me this
> is clearly some sort of reserved memory thus you cannot go with own
> bindings. Another way would be to prove me wrong by using the reserved
> memory binding and showing how it could not possible work, ever (such
> counter examples sometimes help to look at the problem from a new angle).

Sure, good suggestion, let me state why I think a dedicated property is
preferred for those peripherals. For this part, I will take into account
the RISABs and also the RISAF mentioned previously. The RISAF kind of
works the same but protects external memories such as the DDR.

Just a small reintroduction of the issue:
We need to provide three sets of information to the drivers of RISAx:
- The registers of the RISAx device, handled through property "reg"
- The global range of memory addresses protected by the RISAx devices
(currently through the custom property "st,mem-map")
- Each individual memory range protected, handled through property
"memory-region" that points to children of "/reserved-memory". Memory
regions may not cover the whole range covered by the RISAx.

To replace the custom property, I have explored a few ways:

1) Describe the memory range covered by the memory firewall as a
reserved memory: Cannot be done because, for the memory firewall
covering the DDR, the reserved memory would overlap with the memory
node used to describe the memory available for regular kernel use.
The memory node represents part of the DDR in that case.

	memory@80000000 {
		device_type = "memory";
		reg = <0x0 0x80000000 0x1 0x0>;
	};

	reserved-memory {
		#address-cells = <2>;
		#size-cells = <2>;
		ranges;

		risaf_range: risaf-range@80000000 {
			reg = <0x0 0x80000000 0x0 0x80000000>;
			no-map;
		};
	}

Overlapping is not permitted, nor hierarchies of such regions.

2) Use, as for some Quad/Octo-spi or PCIE drivers, two regs. One for
the peripheral register and one for the memory range covered. Cannot be
done as the reg cannot be out of the SoC range. E.g, on stm32mp2
platforms, the SoC node range is 0x00000000 -> 0x80000000 and the
DDR is 0x80000000 -> 0x<Depends on DDR density>. So the peripheral
would be under the SoC node and the memory it covers (DDR) would be
out of range. It would require an artificial extension of the range
creating potential undesired effects

3) Use the ranges property: cannot be done because of the same SoC
range reason.

Therefore, I still think having a dedicated property is the best
option, but I'm ready to evaluate other suggestions.

Best regards,
Gatien


> Best regards,
> Krzysztof