Hello, and welcome to this presentation of the STM32MP1 TrustZone Address Space Controller. The TrustZone Address Space Controller, or TZC, is intended to filter DDR accesses according to security rules and non-secure master address ID.

This is a simplified diagram of TZC. TZC is composed of two filter units, one per AXI port. The filters work concurrently. The two filters are controlled by a common control register set via the APB interface.

TZC is composed of two filter units working concurrently on two AXI ports. Access filtering can support up to nine regions. Region 0 is always enabled and covers the whole DDR address range. Regions 1 to 8 have programmable start and end addresses with a 4-kilobyte granularity. A region can be assigned to one or both filters. Secure and non-secure access permissions are defined per region. Non-secure accesses are filtered according to the non-secure master address ID. Regions controlled by the same filter must not overlap. Failed permission checks can be signaled either with an AXI bus error or with an interrupt, or both.

TZC is programmed via a 32-bit APB4 interface. TZC configuration is supported by secure masters only. The read access path supports up to 256 outstanding transactions to DDR. Some gatekeeper logic is used to enable and disable each filter. TZC can support speculative accesses. Note that TZC has a two-cycle latency. The fast path with reduced outstanding capability is not supported in the STM32MP1 series.

TZC programming should observe the following guidelines. Region 0 is the base region covering the full address range and is always enabled. Region 0 can be used to catch any access outside regions 1 to 8. Regions 1 to 8 must not overlap each other when assigned to the same filter. In case of reconfiguration by semi-static programming, all accesses must be blocked at the gate before reprogramming filter settings.
TZC access filtering is based on independent read and write settings: read-only, write-only, read-write, or no access. Secure and non-secure settings are independent; however, the secure check is applicable to any master, whereas the non-secure check is filtered per master and is NSAID selective.

This slide shows a simple programming example. The DDR space supports three non-overlapping regions. Region 1 is defined between the start 1 and end 1 addresses. Region 1 is read and write accessible only by secure applications. Region 2 is defined between the start 2 and end 2 addresses. Region 2 is a shared region, read and write accessible by secure and non-secure applications. Region 3 is defined between the start 3 and end 3 addresses. Region 3 is read and write accessible only by the non-secure MDMA engine, with NSAID equal to 5. The register settings and programming sequence for the WREN and RDEN parameters and NSAID are listed in the table on the next slide. Region 0 is always enabled and covers the full DDR address space. It is set as a blanket to trap any access outside of these regions. Hence, no access is allowed outside of the three defined regions.

The non-secure master address ID, or NSAID, is encoded on four bits, according to the master, as listed in this table.
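The three-region example above, written as a small software model that checks the programming guidelines and decides individual accesses. This is an added example, not code from the presentation or from ST; the struct fields, function names and region addresses are assumptions made for illustration and do not reproduce the TZC register layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Software model of the slide's example. Field names are illustrative, not
 * the TZC register layout; the addresses are constructed sample values. */
struct tzc_region {
    uint32_t start, end;    /* inclusive bounds, 4 KB granularity */
    uint8_t  filters;       /* bit n set: region assigned to filter n */
    bool     s_rd, s_wr;    /* secure read / write permission */
    uint16_t ns_rd, ns_wr;  /* one enable bit per 4-bit NSAID value */
};
#define NSAID_MDMA 5u       /* NSAID stated for the MDMA in the example */

/* Index 0 is region 0: whole range, no permission, so it acts as the trap. */
const struct tzc_region tzc_cfg[] = {
    { 0x00000000u, 0xFFFFFFFFu, 3, false, false, 0, 0 },
    { 0xC0000000u, 0xC0FFFFFFu, 3, true,  true,  0, 0 },             /* region 1: secure only */
    { 0xC1000000u, 0xC1FFFFFFu, 3, true,  true,  0xFFFFu, 0xFFFFu }, /* region 2: shared */
    { 0xC2000000u, 0xC20FFFFFu, 3, false, false, 1u << NSAID_MDMA, 1u << NSAID_MDMA }, /* region 3 */
};
#define TZC_NREGIONS (sizeof tzc_cfg / sizeof tzc_cfg[0])

/* Guidelines: 4 KB alignment, and no overlap between regions 1..n-1 that share a filter. */
bool tzc_validate(const struct tzc_region *r, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        if ((r[i].start & 0xFFFu) || (~r[i].end & 0xFFFu) || r[i].start > r[i].end)
            return false;
        for (size_t j = i + 1; j < n; j++)
            if ((r[i].filters & r[j].filters) &&
                r[i].start <= r[j].end && r[j].start <= r[i].end)
                return false;
    }
    return true;
}

/* Decide one access arriving on `filter` (0 or 1); falls back to region 0. */
bool tzc_allowed(const struct tzc_region *r, size_t n, unsigned filter,
                 uint32_t addr, bool secure, unsigned nsaid, bool write)
{
    const struct tzc_region *hit = &r[0];
    for (size_t i = 1; i < n; i++)
        if (((r[i].filters >> filter) & 1u) && addr >= r[i].start && addr <= r[i].end)
            hit = &r[i];
    if (secure)
        return write ? hit->s_wr : hit->s_rd;
    return ((write ? hit->ns_wr : hit->ns_rd) >> (nsaid & 0xFu)) & 1u;
}
```

Running a table through `tzc_validate` before it is programmed catches overlapping or misaligned regions, and `tzc_allowed` shows why an access that misses regions 1 to 3 is refused: it lands in region 0, which grants nothing.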