If the SMID check is successful, the segment address check and TrustZone secure/nonsecure checks are considered.
- If the number of segments is 0, no address checking is done.
- If the number of segments is greater than 0, then the transaction address is compared to all implemented address segment registers. If the transaction address (or the start address, in the case of a burst) is within the segment address range (that is, transaction address >= base address and transaction address < (base address + size)), then the address segment is selected. Address segments are not allowed to overlap so at most one address segment will be selected.
Then MID permissions for the selected segment is also checked, that is, the manager ID matched by the SMID check is compared to the MID register to ensure the manager is permitted to access the selected segment. The transaction NS bit (A*PROT[1]) is compared to the selected segment NS bit to check the TrustZone secure permissions.
Segment | Txn TZ S/NS bit | Block/Permit |
---|---|---|
Nonsecure | Nonsecure | Permit |
Secure | Secure | Permit |
Nonsecure | Secure | Permit |
Secure | Nonsecure | Block |
There can be three possible outcomes:
- If an address segment is selected, and both the segment MID permissions check and the TrustZone secure check is successful, then the transaction is permitted.
- If an address segment is selected, but either the segment MID permissions check or the TrustZone secure check fails, then the transaction is blocked.
- If no address segment is selected, or no address segments are configured
(NUM_SEG is 0), then the behavior is determined by the default access configuration
in the CTRL_STATUS register as follows:
- Read transaction, secure (ARPROT[1] = 0): transaction permitted if DEF_RD = 1
- Read transaction, non-secure (ARPROT[1] = 1): transaction permitted if DEF_RD = 1 and DEF_NS = 1
- Write transaction, secure (AWPROT[1] = 0): transaction permitted if DEF_WR = 1
- Write transaction, non-secure (AWPROT[1] = 1): transaction permitted if DEF_WR = 1 and DEF_NS = 1