Hello and welcome to this presentation of the Global TrustZone Controller, which is included in all products of the STM32L5 microcontroller family.

In addition to the Armv8-M TrustZone security extension in the Cortex-M33, the STM32L5 microcontroller series comes with complementary security features that reinforce in a flexible way the isolation between the secure and the non-secure worlds. It also provides a second level of security for the Cortex-M33 after the SAU and IDAU TrustZone protection.

This GTZC training module is composed of three subunits corresponding to each component inside the GTZC: the TrustZone security controller or TZSC, the block-based memory protection controller or MPCBB, and the TrustZone illegal access controller or TZIC.

In addition to assigning a secure attribute, the GTZC also controls the privilege attribute that can be used even when TrustZone is disabled. The setting of the secure attribute can be performed at any time by the secure boot firmware unless the configuration is locked.

Two types of peripherals are implemented in the STM32L5: securable peripherals, which are protected by an AHB/APB firewall gate controlled by the GTZC, and TrustZone-aware peripherals, which implement a specific TrustZone behavior such as a subset of registers being secure.

TrustZone-aware AHB masters always drive the AHB5 HNONSEC signal according to their security mode. The Cortex-M33 core and DMA are masters. Securable peripherals drive their optional AHB5 HNONSEC signal according to the security mode set in the GTZC. Like with TrustZone, a peripheral can be made privileged-only with the GTZC. In this case, if this peripheral is a master on the interconnect, it automatically issues privileged transactions.

The GTZC provides the capability to manage the security for all securable external memories and the security of blocks of securable embedded memories.

This figure highlights the various security mechanisms present in the STM32L5 that are controlled by the GTZC.
MPCBB1 and 2 set the secure attribute of SRAM1 and SRAM2 blocks. MPCWM1, 2 and 3 define the secure address ranges in the external memories accessible from OctoSPI1 and FSMC. PPC assigns secure and privileged attributes to AHB/APB securable peripherals and also checks the access permissions. SecPrivGate assigns secure and privileged attributes to APB securable peripherals and also checks the permissions. The security master wrapper assigns the security attribute to the SDMMC1 master. As the DMA is a TrustZone-aware IP, it does not require any external wrapper. The TZIC reports illegal accesses to the Cortex-M33 core through a secure interrupt request.

This figure details the operation of the three GTZC subunits. The TZSC is in charge of assigning the secure and privileged attributes of securable peripherals and masters. The MPCBB is in charge of assigning the secure attribute of internal SRAM blocks. The TZIC signals illegal accesses to the Cortex-M33 core. Illegal accesses can occur internally or externally to the GTZC when a non-secure access to a secure memory mapped to registers is attempted.

The GTZC supports three independent AHB interfaces for configuring the TZSC, the MPCBB and the TZIC. The GTZC is a TrustZone-aware peripheral. The MPCBB and TZIC are accessible only with secure transactions, but the TZSC can be used by non-secure firmware to set the privileged attribute of non-secure peripherals. Any attempt to access a secure resource while running in non-secure state can cause an illegal access interrupt generation.

The TZSC is in charge of setting the secure and privileged attributes to securable peripherals and securable masters that are not TrustZone-aware. The TZSC is in charge of setting the secure attribute to external memories. The MPCBB is in charge of setting the secure attribute to internal SRAM blocks.

The TZSC provides the configuration of secure and privileged attributes for all securable peripherals.
It is itself a TrustZone-aware peripheral because it contains a mix of secure and non-secure registers. The watermark start and length register pairs define non-secure regions per protected external memory, defined secure by default. These registers are only accessible in secure state. In STM32L5, five non-secure areas can be defined this way: two in the OctoSPI address range, two in the FSMC NOR address range, and one in the FSMC NAND address range.

The SECCFGR registers set the secure attribute of peripherals. These registers are only accessible in secure state. They can be restricted to privileged state according to the PRIVCFGR register setting. The PRIVCFGR registers set the privileged attribute of peripherals. These registers are only accessible in privileged state. They can be restricted to secure state according to the SECCFGR register setting. The power-on and reset state of the TZSC clears all the bits of the SECCFGRx and the PRIVCFGRx registers to zero, which respectively means non-secure and unprivileged (non-privileged).

The MPC block-based controller (MPCBB) configures the secure attribute of internal SRAM 256-byte blocks. Each of them has a corresponding control bit. The MPCBB is only accessible in secure state. MPCBB_CR is a control register. The secure read/write illegal access disable bit determines whether secure data accesses are permitted to non-secure SRAM blocks. The MPCBB vector registers are bitmaps, each bit corresponding to an internal SRAM chunk of 256 bytes. Each bit in the MPCBB lock vector registers locks the secure mode of the corresponding 8-kilobyte superblock until the next reset. A superblock contains 32 blocks of 256 bytes.

This figure details the various sources of illegal accesses and their signaling to the Cortex-M33 core through a secure interrupt request. The TZSC assigns secure and privileged attributes to securable peripherals. Whenever a non-secure access to a secure peripheral is attempted, an illegal access is reported to the TZIC concentrator.
The MPC watermark controller determines which areas of external memories are non-secure. Whenever a non-secure access to a secure area is attempted, an illegal access is reported to the TZIC concentrator. The MPC block-based controller assigns the secure attribute to internal SRAM blocks. Whenever a non-secure access to a secure block is attempted, an illegal access is reported to the TZIC concentrator. Finally, TrustZone-aware peripherals report an illegal access when a non-secure access attempts to access a secure resource. The TZIC concentrator receives all these illegal access reports and signals the error to the Cortex-M33 core through a secure interrupt request.

The TZIC gathers all illegal access events and generates a maskable global secure interrupt towards the NVIC. Only secure accesses are allowed to TZIC registers. It supports three types of registers: illegal access event mask, illegal access event status, and illegal access event clear. By default, all illegal access events are masked.

Any non-privileged transaction trying to access a privileged resource is considered as illegal. There is no illegal access event generated for this type of illegal access. The addressed resource follows a silent-fail behavior, returning all-zero data for reads and ignoring any write. No bus error is generated.

The GTZC has relationships with the following modules: the nested vectored interrupt controller or NVIC, and TrustZone or TRZ.
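
The MPCBB bitmap layout described above (one bit per 256-byte block, 32 blocks per 8-kilobyte superblock), worked through as an added example that is not part of the original presentation or of ST's code. It is an in-memory model only: the struct, the function name, the 32-bit vector word per superblock, the per-superblock bit treated as a lock, and the sample range are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define BLOCK_SIZE        256u   /* bytes per MPCBB block (from the text) */
#define BLOCKS_PER_SUPER  32u    /* blocks per 8-Kbyte superblock (from the text) */
#define MAX_SUPERBLOCKS   32u    /* size of the in-memory model, an assumption */

/* In-memory model, not hardware registers: one 32-bit vector word per
 * superblock (assumed width), bit = 1 means the block is secure. */
typedef struct {
    uint32_t vctr[MAX_SUPERBLOCKS];
    uint32_t lock;               /* one bit per superblock, modelled as a lock */
} mpcbb_model_t;

/* Mark [offset, offset+len) secure. The range is widened outward to whole
 * 256-byte blocks so no byte of it is left in a non-secure block.
 * Returns the number of blocks marked, or -1 if the range is invalid. */
int mpcbb_mark_secure(mpcbb_model_t *m, uint32_t offset, uint32_t len, int lock)
{
    uint32_t limit = MAX_SUPERBLOCKS * BLOCKS_PER_SUPER * BLOCK_SIZE;
    if (len == 0 || offset >= limit || len > limit - offset)
        return -1;

    uint32_t first = offset / BLOCK_SIZE;                 /* start rounds down */
    uint32_t last  = (offset + len - 1u) / BLOCK_SIZE;    /* end rounds up     */

    for (uint32_t b = first; b <= last; b++) {
        uint32_t word = b / BLOCKS_PER_SUPER;   /* which vector word / superblock */
        uint32_t bit  = b % BLOCKS_PER_SUPER;   /* which bit inside that word     */
        m->vctr[word] |= (uint32_t)1u << bit;
        if (lock)
            m->lock |= (uint32_t)1u << word;
    }
    return (int)(last - first + 1u);
}

int main(void)
{
    mpcbb_model_t m = {0};
    /* Constructed sample: 0x300 bytes starting at SRAM offset 0x1F80. */
    int n = mpcbb_mark_secure(&m, 0x1F80u, 0x300u, 1);
    printf("blocks=%d vctr0=%08x vctr1=%08x lock=%08x\n",
           n, (unsigned)m.vctr[0], (unsigned)m.vctr[1], (unsigned)m.lock);
    return 0;
}
```

The sample range is unaligned and straddles a superblock boundary, so it consumes four blocks across two vector words, and setting the per-superblock bits freezes the attribute of all 64 blocks in both superblocks, not just the four that were marked.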