Protection Operations

Versal Adaptive SoC Technical Reference Manual (AM011)
Document ID
AM011
Release Date
2023-10-05
Revision
1.6 English

An incoming read or write transaction is checked against the XMPU regions as described in this section. For the enabled regions, two checks are done first:

  • The AXI_ADDR address is within the region: START_ADDR ≤ AXI_ADDR ≤ END_ADDR
  • The incoming AXI_SMID is allowed by the SMID_xx registers: AXI_SMID & [MASK] == [SMID] & [MASK]

If these checks are true, the region configuration is checked as to:

  • The security of the transaction and is allowed
  • The read and write permissions are satisfied
Note: Disabled regions do not grant access.
Note: When a memory space is included in more than one XMPU region, the higher region number has higher priority (that is, region 0 has the lowest priority). This determines the set of permissions used for the checks described in this section.

Functional Figure

The XMPU functional block diagram is shown in the following figure.

Figure 1. XMPU Functional Figure

Memory Region Validation

Each XMPU has 16 regions, numbered from 0 to 15. Each region is defined by a start address and an end address. There are two region address alignment types. The 4 KB granularity is used for all XMPUs except the DDRMC unit.

When a memory space is included in more than one XMPU region configuration, the higher region number has higher priority (that is, region 0 has lowest priority). Each region can be independently enabled or disabled. If a region is disabled, it does not include protection checking.

SMID Validation

Each XMPU uses the inbound SMID in each AXI transaction to validate the transfer. The SMID is masked by the [MASK] bit field and then compared against the [ID] bit field of the Rxx_SMID region registers.

AMD Versal™ adaptive SoC register example: R00_SMID .

If the following equation is satisfied (along with security and read/write checks), the transaction is allowed. In this equation, these are [10-bit parameters] in the Rxx_SMID register

[ID] & [MASK] == AXI_SMID & [MASK]

Security Validation

  • If the region is configured as secure, then only the secure request can access this region.
  • If the region is configured as secure, then the read and write permissions are independently checked to determine whether or not the transactions are allowed.
  • If the transaction is non-secure and the region is configured as secure, then the check fails, and the transaction generates a system error.
  • If the region is configured as non-secure and the transaction is non-secure, then read and write permissions are independently checked to determine whether or not the transaction is allowed. If the check fails, the transaction is handled by the error handler.