Skip to main content
A
Aiyps
Associate II
April 22, 2025
Question

STM32MP2 OP-TEE RISAF access permissions

  • April 22, 2025
  • 1 reply
  • 633 views

Hi,

I am debugging the STM32MP257F-EV1 board via a JTAG debugger . The kernel version is 6.1.82.
I have a sample application that runs on Linux and I am trying to debug it.
When I set a breakpoint in the application, I get the following message on the Kernel prompt:
---------------------------------------------------------------------
E/TC:0   stm32_iac_itr:192 IAC exceptions [159:128]: 0x200
E/TC:0   stm32_iac_itr:197 IAC exception ID: 137
E/TC:0   stm32_risaf_dump_erroneous_data:256

DUMPING DATA FOR risaf@420d0000
E/TC:0   stm32_risaf_dump_erroneous_data:257 =====================================================
E/TC:0   stm32_risaf_dump_erroneous_data:258 Status register (IAESR0): 0xb1
E/TC:0   stm32_risaf_dump_erroneous_data:266 -----------------------------------------------------
E/TC:0   stm32_risaf_dump_erroneous_data:268 Faulty address (IADDR0): 0x10b4dc8dc
E/TC:0   stm32_risaf_dump_erroneous_data:287 =====================================================
E/TC:0   Panic at /usr/src/debug/optee-os-stm32mp/4.0.0-stm32mp-r1/core/drivers/firewall/stm32_iac.c:212 <stm32_iac_itr>
E/TC:0   TEE load address @ 0x82000000
E/TC:0   Call stack:
E/TC:0    0x82007efc
E/TC:0    0x82041b80
E/TC:0    0x8202c2fc
E/TC:0    0x8203f6b4
E/TC:0    0x82013d30
E/TC:0    0x820017dc
I/TC: Halting CPU 1
---------------------------------------------------------------------

I think this is related to the firewall and RIF(Resource Isolation Framework).
The prints explain that there has been an access violation at address 0x10b4dc8dc in the RISAF (Resource Isolation Slave unit for Address space protection) device at index 137.
On searching the CPU Reference manual, it was found that #137 pertains to [RISAF4 (DDR-SDRAM)].

In the OP-TEE source code, it was found that access has been enabled in the below DTS files:
1. [~\core\arch\arm\dts\stm32mp257f-ev1-ca35tdcid-resmem.dtsi]
linuxkernel2: linuxkernel2@100000000 {
            reg = <0x1 0x00000000 0x0 0x80000000>;
            no-map;
        };
2. [~\core\arch\arm\dts\stm32mp257f-ev1-ca35tdcid-rif.dtsi]
&linuxkernel2 {
    st,protreg = <RISAFPROT(RISAF_REG_ID(15), RIF_CID0_BF|RIF_CID1_BF, RIF_CID0_BF|RIF_CID1_BF, RIF_UNUSED, RIF_NSEC, RIF_ENC_DIS, RIF_BREN_EN)>;
};

&risaf4 {
    memory-region= <&tfm_code>, <&cm33_cube_fw>, <&tfm_data>, <&cm33_cube_data>, <&ipc_shmem>, <&spare1>, <&bl31_context>, <&op_tee>, <&linuxkernel1>, <&gpu_reserved>, <&ltdc_sec_layer>, <&ltdc_sec_rotation>, <&linuxkernel2>;
};

I think if access is granted or disabled, then a breakpoint can be set.
Is it possible to disable the OP-TEE firewall monitoring for DDR-SDRAM area?

I would appreciate any help. Thank you.

1 reply

GatienC
GatienC
ST Employee
April 22, 2025

Hello,

The trace ((IAESR0): 0xb1) indicates that a secure, privileged access was made at address 0x10b4dc8dc using the CID1.

FYI, there is a debug entry in /sys/kernel/debug/stm32_firewall/risafxxxx to dump the memory regions configuration, this helps a lot seeing the current firewall configuration of the different memory regions.

Regarding your issue, the region is configured as accessible by non-secure only. It would be interesting to see the content of RIFSC_RIMC_CR register to see the DAP CID and the debug domain feature status (you can use devregs if you embed it). The firewall cannot be disabled on this region as the default configuration is Trusted Domain secure/privileged only so the kernel wouldn't be able to access it.

I hope this helps,

Gatien

Terms & ConditionsAccessibility statement