Core Overview - 1.0 English

AXI Endpoint Protection Unit LogiCORE IP Product Guide (PG418)

Document ID: PG418
Release Date: 2022-10-19
Version: 1.0 English

The AXI EPU IP core has an AXI subordinate interface and an AXI manager interface. Transactions on the subordinate interface are either passed unmodified to the manager interface, or are blocked.

Transactions on the subordinate interface contain a System Management ID (SMID). This is a 10-bit value sent on the AXI user signal: the SMID is encoded in AWUSER[9:0] and ARUSER[9:0]. The Versal® ACAP architecture specification defines SMIDs for every hardened manager. See the Versal ACAP Technical Reference Manual (AM011) for more information.

Transactions also contain a TrustZone secure bit which specifies if the transaction is secure or non-secure. The TrustZone secure bit is encoded in AWPROT[1] and ARPROT[1], with value 0 = secure, 1 = non-secure.

The AXI EPU IP checks the SMID, TrustZone secure bit, and access type (read/write) of each transaction against a configurable list of permitted SMIDs, secure settings, and access types, and blocks transactions that are not permitted.

  • The list size is configurable from one to a maximum of 20 entries.
  • The SMID is specified as a 10-bit value and a 10-bit mask, so that ranges of SMIDs can be covered by one entry.

It optionally checks the address of transactions against a configurable list of permitted address regions, and blocks those that are not permitted.

  • The number of regions is configurable from 0 to 256 entries. 0 entries means no address checking is done.
  • Each region defines a base address and size.
  • If no regions match, you can configure whether transactions are permitted or blocked.
  • Regions are not permitted to have overlapping address spaces.
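The SMID/secure/access check and the optional address check described above can be captured in a small behavioural model for reviewing a planned configuration before it is built. This is an added example, not code from the product guide or the IP core. It assumes that a 1 bit in the mask means "compare this SMID bit", that each entry carries separate secure/non-secure and read/write permissions, and that a transaction matching any region is permitted; the struct layouts and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Hypothetical layouts for this model, not the core's real parameters. */
typedef struct { uint16_t smid, mask; bool secure, nonsecure, rd, wr; } epu_id_entry;
typedef struct { uint64_t base, size; } epu_region;
typedef struct { uint16_t user; uint8_t prot; bool is_write; uint64_t addr; } axi_txn;
typedef struct {
    const epu_id_entry *ids; size_t n_ids;        /* 1 to 20 entries */
    const epu_region *regions; size_t n_regions;  /* 0 to 256; 0 = no address check */
    bool permit_on_no_match;                      /* policy when no region matches */
} epu_cfg;

/* The page forbids overlapping regions; reject such a configuration. */
bool epu_regions_valid(const epu_region *r, size_t n) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (r[i].base <= r[j].base ? r[j].base - r[i].base < r[i].size
                                       : r[i].base - r[j].base < r[j].size)
                return false;
    return true;
}

/* Assumption: a 1 in mask means that SMID bit must equal the entry's bit. */
static bool id_ok(const epu_cfg *c, const axi_txn *t) {
    uint16_t smid = t->user & 0x3FF;   /* AWUSER/ARUSER[9:0] */
    bool ns = (t->prot >> 1) & 1;      /* AxPROT[1]: 0 = secure, 1 = non-secure */
    for (size_t i = 0; i < c->n_ids; i++) {
        const epu_id_entry *e = &c->ids[i];
        if (((smid ^ e->smid) & e->mask & 0x3FF) == 0 &&
            (ns ? e->nonsecure : e->secure) && (t->is_write ? e->wr : e->rd))
            return true;
    }
    return false;
}

static bool addr_ok(const epu_cfg *c, uint64_t a) {
    for (size_t i = 0; i < c->n_regions; i++)
        if (a >= c->regions[i].base && a - c->regions[i].base < c->regions[i].size)
            return true;               /* inside a permitted region */
    return c->n_regions == 0 || c->permit_on_no_match;
}
bool epu_permits(const epu_cfg *c, const axi_txn *t) { return id_ok(c, t) && addr_ok(c, t->addr); }
/* Constructed sample configuration; the SMID values are made up. */
static const epu_id_entry sample_ids[] = {
    { 0x240, 0x3F0, true, false, true, true  },   /* 0x240-0x24F, secure only, read/write */
    { 0x105, 0x3FF, true, true,  true, false } }; /* 0x105 only, either world, read-only */
static const epu_region sample_regions[] = { { 0x80000000u, 0x1000 }, { 0x80002000u, 0x800 } };
static const epu_cfg sample_cfg = { sample_ids, 2, sample_regions, 2, false };
```

Running candidate entries through `epu_regions_valid` and `epu_permits` shows quickly whether a mask is wider than intended or whether a gap between regions falls through to the no-match policy.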

When a transaction is blocked, writes are prevented and reads return a fixed data value 0xDEADB10C (replicated as required to fill the read data width).

The following actions are configurable when blocking a transaction:

  • Return DECERR or OKAY response
  • Record transaction information (can be read from registers)
  • Assert an interrupt output (with associated interrupt handling registers)

Optionally, a register map is provided with registers to read (but not set) the protection permissions, read information about blocked transactions, and handle interrupts. If the register map is available, then an additional AXI4-Lite subordinate interface is provided to access the registers and an interrupt output is provided to signal interrupts.