Firewall. The firewall is a hardware IP which allows you to create a security enclave in flash and RAM with a unique entry point. This protection is dynamically managed at run time. That means you have to configure and activate it in your code. The firewall monitors access to trusted areas, referred to as segments. We've got three segments. A code segment, located in flash: instruction fetch and data read access can only occur when the firewall is open. A non-volatile data segment, also in flash, which usually contains sensitive constants like cryptographic keys. And then a volatile data segment, located in SRAM1. It contains potentially variable data used by the protected code. Data can only be accessed during the protected execution state. For this last segment, there are additional properties like execute. That means we can put some code to execute in this volatile data segment. But I will give you details later. Any illegal access based on the segment properties and the current firewall state will cause a reset. This is the main principle of the firewall.

The configuration. The code segment and non-volatile data segment, which are located in flash, have a 256-byte granularity. For the volatile data segment, it's 64-byte granularity. An additional attribute for this one could be shared, not shared, executable, not executable. I will also give you details later in this presentation about this additional attribute.

The firewall architecture. The firewall is a hardware peripheral monitoring the connected memory, flash and SRAM1. That means it covers any access thanks to the bus matrix. Any illegal access will generate a reset.

Firewall runtime protection. When we boot, the firewall is in idle state and not configured. So the first step will be to configure the firewall, define the different segments, then activate it. Once activated, the firewall is first closed. That means you can't access the different protected segments.
When you want to execute the code that is behind the firewall, you need to call the call gate entry. And this call gate entry is just at the beginning of the code segment, but I will give you details later also. So once we call the call gate, the firewall is open. We can execute the code and access all the data that are protected. When the protected code execution is finished, we clear all the intermediate variables and the CPU registers, and then we can call the call gate exit, and the firewall is closed again. So the trusted execution is done when the firewall is open. As you can see in the schematic, I'm talking about pre-arm, set pre-arm and clear pre-arm. Let's check what this is.

The firewall pre-arm. If it's set to zero, any code executed outside the protected segment when the firewall is open will generate a reset. And if it's set to one, any code executed outside the protected segment will close the firewall. That means if the firewall is open and you go outside the protected segment, if this bit is at zero, you have a reset. And if this bit is at one, you will just close the firewall, but have no reset.

So the different states again. First, you are in idle after reset. You will configure and enable the firewall. Remark: it's not reconfigurable at runtime. That means you can configure only once, and after that you have to wait until the next reset to reconfigure it. So in the first state, the firewall becomes closed, so it protects the different segments. Then we enter the call gate following a proper sequence for entering, and then the firewall is open. We finish the execution, and we leave the protected area following the proper sequence for exiting. If the firewall is closed and we try to access one of the protected segments, we've got a reset, and we come back to the idle state. If we are open and we try an instruction fetch outside the protected segment, we've got the reset immediately.
Again, that depends on the pre-arm bit, because if the pre-arm bit has been set, then first the firewall will be closed. And a reset could be generated depending on where you are jumping just after. But I will give you details with the example of an interrupt on the next slide.

Firewall interrupt. When the firewall is open, no interrupts should take place during the execution of the protected code. Here, we've got two cases. First case: the firewall is open, so that means we are in the execution of some secure stuff, and we've got the FPA bit set to zero. So, user code execution, we go into the trusted area thanks to the call gate function. We've got some protected code execution, and suddenly an interrupt happens. We try to jump outside the protected segment, and as the FPA bit equals zero, we will reset. Second case: the firewall is open, and FPA equals one. In this case, user code execution, jump to the call gate, start execution, and suddenly there is an interrupt routine. As FPA equals one, we will jump, and we don't have a reset immediately. But it closes the firewall. That means we can't access the trusted area any more. So, when the interrupt subroutine is finished, you will try to go back to the protected code, and then it will reset at this step. So, keep in mind, when you are using the firewall, before entering the firewall, you must disable all interrupts.

Access properties. So, we've got first the code segment in flash. Firewall closed: you can't access it at all. Only the call gate is accessible. You can't read, write, or execute. When the firewall is open, that means you have called the call gate, then you can read or execute this portion of flash. But the write is illegal. For the non-volatile data segment, also located in flash, when it's closed, you can't access it at all, I will say. And when it's open, you can read or write. Execution is illegal. Now, the volatile data segment in SRAM1: here we've got additional properties.
Shared, not shared, executable, not executable. So, first, if it's configured as not shared, not executable, I will say it's nearly like the non-volatile data segment, but located in SRAM. When it's closed, no access at all. When it's open, read, write, and load. When it's not shared but executable, this time, closed, you can have the call gate access. And you've got read, write, execute. So, I would say it's more or less like a code segment plus the write access. Then when it's shared, that means it's shared between the protected code and the non-protected code, and then the executable property is not taken into account. So, when it's shared, it can be accessed whether the firewall is open or closed. Whatever the state is, I would say.

Some firewall tips. The code protected by the firewall must not be interruptible. It's up to the user code to disable any interrupt source before executing the code protected by the firewall. To open the firewall, the code currently executed must jump to the second word of the call gate and execute the code from this point. After this presentation, there is a hands-on which should clarify all those points.

Availability of the firewall across our family. It's available only on the STM32L0 and the STM32L4. And the last point, I would advise you to have a look at the application note about the firewall, AN4730. You've got many details and really interesting information there. Thanks for your attention.
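
Added example, not part of the talk and not ST code: a small host-side C model of the state and access rules described above, used to replay the "interrupt while the firewall is open" case for FPA = 0 and FPA = 1. All type and function names are hypothetical; treating a shared SRAM1 segment as unprotected memory and allowing data accesses outside the segments while open are assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Software model of the rules in the talk; every name here is hypothetical. */
typedef enum { FW_IDLE, FW_CLOSED, FW_OPEN } fw_state;
typedef enum { R_OUTSIDE, R_CALL_GATE, R_CODE, R_NVDATA, R_VDATA } fw_region;
typedef enum { A_READ, A_WRITE, A_FETCH } fw_acc;
typedef enum { FW_OK, FW_RESET } fw_result;
typedef struct { fw_state st; bool fpa, vd_shared, vd_exec; } firewall;
static fw_result fw_reset(firewall *f) { f->st = FW_IDLE; return FW_RESET; }
/* Apply one bus access: updates the firewall state, reports a reset if illegal. */
fw_result fw_access(firewall *f, fw_region r, fw_acc a) {
    if (f->st == FW_IDLE) return FW_OK;              /* not activated yet */
    if (r == R_VDATA && f->vd_shared) r = R_OUTSIDE; /* assumption: shared = unprotected */
    if (r == R_CALL_GATE) {
        if (a == A_FETCH) { f->st = FW_OPEN; return FW_OK; }
        r = R_CODE;                                  /* data access: code segment rules */
    }
    if (f->st == FW_CLOSED)                          /* closed: protected access = reset */
        return r == R_OUTSIDE ? FW_OK : fw_reset(f);
    if (r == R_OUTSIDE) {                            /* open, leaving the segments */
        if (a != A_FETCH) return FW_OK;              /* assumption: outside data is fine */
        if (!f->fpa) return fw_reset(f);             /* FPA = 0: immediate reset */
        f->st = FW_CLOSED;                           /* FPA = 1: firewall just closes */
        return FW_OK;
    }
    bool ok = r == R_CODE   ? a != A_WRITE           /* read/execute, no write */
            : r == R_NVDATA ? a != A_FETCH           /* read/write, no execute */
            : a != A_FETCH || f->vd_exec;            /* SRAM1: execute only if enabled */
    return ok ? FW_OK : fw_reset(f);
}

/* Interrupt while protected code runs; true if the sequence ends in a reset. */
bool irq_during_protected_code(bool fpa, fw_result *at_isr_entry) {
    firewall f = { FW_CLOSED, fpa, false, false };
    fw_access(&f, R_CALL_GATE, A_FETCH);               /* enter through the call gate */
    *at_isr_entry = fw_access(&f, R_OUTSIDE, A_FETCH); /* handler lies outside */
    if (*at_isr_entry == FW_RESET) return true;
    return fw_access(&f, R_CODE, A_FETCH) == FW_RESET; /* return into closed segment */
}

int main(void) {
    fw_result e;
    for (int fpa = 0; fpa <= 1; fpa++) {
        bool r = irq_during_protected_code(fpa, &e);
        printf("FPA=%d: reset at ISR entry=%d, reset overall=%d\n", fpa, e == FW_RESET, r);
    }
    return 0;
}
```

Both settings end in a reset; FPA only moves the reset from the interrupt entry to the return into the protected code, which is why the talk insists on masking interrupts before the call gate.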