Initial implementation of the Arm TZ-ASC driver
Adds the `Tzc` struct, which uses `safe_mmio` to manipulate the
registers of the Arm TZ-ASC component. The structure directly exposes
general purposes registers, and other wrappers for failure and region
registers.
Signed-off-by: Ludovic Mermod <ludovic.mermod@arm.com>
Change-Id: Ife2757e62634c634da0d4efabe3171a29245f386
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ea8c4bf
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/target
diff --git a/Cargo.lock b/Cargo.lock
new file mode 100644
index 0000000..960aed0
--- /dev/null
+++ b/Cargo.lock
@@ -0,0 +1,82 @@
+# This file is automatically @generated by Cargo.
+# It is not intended for manual editing.
+version = 4
+
+[[package]]
+name = "arm-tzc"
+version = "0.1.0"
+dependencies = [
+ "bitflags",
+ "safe-mmio",
+ "zerocopy",
+]
+
+[[package]]
+name = "bitflags"
+version = "2.9.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6a65b545ab31d687cff52899d4890855fec459eb6afe0da6417b8a18da87aa29"
+
+[[package]]
+name = "proc-macro2"
+version = "1.0.101"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89ae43fd86e4158d6db51ad8e2b80f313af9cc74f5c0e03ccb87de09998732de"
+dependencies = [
+ "unicode-ident",
+]
+
+[[package]]
+name = "quote"
+version = "1.0.40"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
+dependencies = [
+ "proc-macro2",
+]
+
+[[package]]
+name = "safe-mmio"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "db02a82ad13df46afeba34a4e54065fa912308b9101b060e4422898eac0e06f6"
+dependencies = [
+ "zerocopy",
+]
+
+[[package]]
+name = "syn"
+version = "2.0.106"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ede7c438028d4436d71104916910f5bb611972c5cfd7f89b8300a8186e6fada6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "unicode-ident",
+]
+
+[[package]]
+name = "unicode-ident"
+version = "1.0.18"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"
+
+[[package]]
+name = "zerocopy"
+version = "0.8.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1039dd0d3c310cf05de012d8a39ff557cb0d23087fd44cad61df08fc31907a2f"
+dependencies = [
+ "zerocopy-derive",
+]
+
+[[package]]
+name = "zerocopy-derive"
+version = "0.8.26"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9ecf5b4cc5364572d7f4c329661bcc82724222973f2cab6f050a4e5c22f75181"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..7ff6731
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: Copyright The arm-tzc Contributors.
+# SPDX-License-Identifier: MIT OR Apache-2.0
+
+[package]
+description = "Arm TrustZone Address Space Controller"
+name = "arm-tzc"
+version = "0.1.0"
+edition = "2024"
+authors = ["Ludovic Mermod <ludovic.mermod@arm.com>"]
+license = "MIT OR Apache-2.0"
+repository = "https://git.trustedfirmware.org/arm-firmware-crates/arm-tzc.git"
+keywords = ["arm", "trustzone", "memory", "security", "driver"]
+categories = ["hardware-support", "embedded", "no-std", "no-std::no-alloc"]
+readme = "README.md"
+rust-version = "1.89"
+
+
+[dependencies]
+bitflags = "2.9.2"
+safe-mmio = "0.2.5"
+zerocopy = { version = "0.8.26", features = ["derive"] }
diff --git a/LICENSE-Apache-2.0 b/LICENSE-Apache-2.0
new file mode 100644
index 0000000..1b5ec8b
--- /dev/null
+++ b/LICENSE-Apache-2.0
@@ -0,0 +1,176 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
diff --git a/LICENSE-MIT b/LICENSE-MIT
new file mode 100644
index 0000000..31aa793
--- /dev/null
+++ b/LICENSE-MIT
@@ -0,0 +1,23 @@
+Permission is hereby granted, free of charge, to any
+person obtaining a copy of this software and associated
+documentation files (the "Software"), to deal in the
+Software without restriction, including without
+limitation the rights to use, copy, modify, merge,
+publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software
+is furnished to do so, subject to the following
+conditions:
+
+The above copyright notice and this permission notice
+shall be included in all copies or substantial portions
+of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
+TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
+IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..774ffc8
--- /dev/null
+++ b/README.md
@@ -0,0 +1,61 @@
+# Arm TrustZone Address Space Controller driver
+
+Driver implementation for the [TZC-400 TrustZone Address Space Controller](https://developer.arm.com/documentation/ddi0504/latest).
+
+The driver is designed to function regardless of whether a Memory Management Unit (MMU) is present.
+The primary role of the `OwnedMmioPointer` is to manage the lifetime of the peripheral, ensuring
+proper resource handling. In a system that includes an MMU, the peripheral's lifetime is dynamic
+because it is mapped into memory rather than having a fixed address. In a system without an MMU, the
+`OwnedMmioPointer` can be instantiated directly from the physical address of the register block,
+providing access to the peripheral without requiring memory mapping.
+
+## Implemented features
+
+- Reading the TZC configuration and status
+- Managing regions and setting up secure and/or non-secure access rights
+- Non-blocking read/write functions
+- Reading, masking and clearing interrupts
+- 100% unit test coverage
+
+## Future plans
+
+- Use the `AID_WIDTH` configuration value to manipulate the `FailIDRegister`.
+
+## License
+
+The project is MIT and Apache-2.0 dual licensed, see `LICENSE-Apache-2.0` and `LICENSE-MIT`.
+
+## Maintainers
+
+arm-tzc is a trustedfirmware.org maintained project. All contributions are ultimately merged by the maintainers
+listed below.
+
+- Bálint Dobszay <balint.dobszay@arm.com>
+ [balint-dobszay-arm](https://github.com/balint-dobszay-arm)
+- Imre Kis <imre.kis@arm.com>
+ [imre-kis-arm](https://github.com/imre-kis-arm)
+- Sandrine Afsa <sandrine.afsa@arm.com>
+ [sandrine-bailleux-arm](https://github.com/sandrine-bailleux-arm)
+
+## Contributing
+
+Please follow the directions of the [Trusted Firmware Processes](https://trusted-firmware-docs.readthedocs.io/en/latest/generic_processes/index.html)
+
+Contributions are handled through [review.trustedfirmware.org](https://review.trustedfirmware.org/q/project:arm-firmware-crates/arm-tzc).
+
+## Arm trademark notice
+
+Arm is a registered trademark of Arm Limited (or its subsidiaries or affiliates).
+
+This project uses some of the Arm product, service or technology trademarks, as listed in the
+[Trademark List][1], in accordance with the [Arm Trademark Use Guidelines][2].
+
+Subsequent uses of these trademarks throughout this repository do not need to be prefixed with the
+Arm word trademark.
+
+[1]: https://www.arm.com/company/policies/trademarks/arm-trademark-list
+[2]: https://www.arm.com/company/policies/trademarks/guidelines-trademarks
+
+--------------
+
+*Copyright The arm-tzc Contributors.*
diff --git a/dco.txt b/dco.txt
new file mode 100644
index 0000000..d950df0
--- /dev/null
+++ b/dco.txt
@@ -0,0 +1,34 @@
+Developer Certificate of Origin
+Version 1.1
+
+Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+
+Developer's Certificate of Origin 1.1
+
+By making a contribution to this project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the open source license
+ indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the best
+ of my knowledge, is covered under an appropriate open source
+ license and I have the right under that license to submit that
+ work with modifications, whether created in whole or in part
+ by me, under the same open source license (unless I am
+ permitted to submit under a different license), as indicated
+ in the file; or
+
+(c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+(d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including all
+ personal information I submit with it, including my sign-off) is
+ maintained indefinitely and may be redistributed consistent with
+ this project or the open source license(s) involved.
\ No newline at end of file
diff --git a/src/fail.rs b/src/fail.rs
new file mode 100644
index 0000000..3aafdd9
--- /dev/null
+++ b/src/fail.rs
@@ -0,0 +1,258 @@
+// SPDX-FileCopyrightText: Copyright The arm-tzc Contributors.
+// SPDX-License-Identifier: MIT OR Apache-2.0
+use safe_mmio::{SharedMmioPointer, field_shared, fields::ReadPure};
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout};
+
+use crate::utils::{concatenate_address_parts, extract_bits, get_bit};
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Each filter unit has a fail control register which contains the control status information of
+/// the first access that failed a region permission check in the associated filter unit. This
+/// occurs even if the [`ActionRegister`][crate::ActionRegister] is set to not drive the interrupt
+/// signal.
+///
+/// The first failing access is defined as the first permission failure in the associated filter
+/// unit after one of the following occurs:
+///
+/// - Reset.
+/// - The last clearance of an interrupt using the
+/// [`InterruptClearRegister`][crate::InterruptClearRegister].
+#[repr(transparent)]
+pub struct FailControlRegister(u32);
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+/// See [`FailControlRegister::direction`].
+pub enum FailAccessDirection {
+ /// Attempted access was a read.
+ Read,
+ /// Attempted access was a write.
+ Write,
+}
+
+impl FailControlRegister {
+ /// If a region permission check fails or a region overlap occurs, this field indicates whether
+ /// the failed access was a read or write access attempt.
+ ///
+ /// You must clear the associated interrupt status before this field can return the direction of
+ /// accesses of subsequent permission checks or region overlap failures.
+ ///
+ /// If the status flag for the filter unit in the
+ /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region
+ /// permission check failures in the same filter unit do not update the associated fail status
+ /// group of registers.
+ pub const fn direction(&self) -> FailAccessDirection {
+ if get_bit(self.0, 24) {
+ FailAccessDirection::Write
+ } else {
+ FailAccessDirection::Read
+ }
+ }
+
+ /// If a region permission check fails or a region overlap occurs, this field indicates whether
+ /// it was a Secure (`false`) or Non-secure (`true`) access attempt.
+ ///
+ /// You must clear the associated interrupt status before this field can return the direction of
+ /// accesses of subsequent permission checks or region overlap failures.
+ ///
+ /// If the status flag for the filter unit in the
+ /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region
+ /// permission check failures in the same filter unit do not update the associated fail status
+ /// group of registers.
+ pub const fn non_secure(&self) -> bool {
+ get_bit(self.0, 21)
+ }
+
+ /// If a region permission check fails or a region overlap occurs, this field indicates whether
+ /// it was a privileged (`true`) or unprivileged (`false`) access attempt.
+ ///
+ /// You must clear the associated interrupt status before this field can return the direction of
+ /// accesses of subsequent permission checks or region overlap failures.
+ ///
+ /// If the status flag for the filter unit in the
+ /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region
+ /// permission check failures in the same filter unit do not update the associated fail status
+ /// group of registers.
+ pub const fn privileged(&self) -> bool {
+ get_bit(self.0, 20)
+ }
+}
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Each filter unit has a fail id register which contains the master ACE-Lite ARID or AWID of the
+/// first access that failed a region permission check in the associated filter unit. This occurs
+/// even if the [`ActionRegister`][crate::ActionRegister] is set to not drive the interrupt signal.
+///
+/// The first failing access is defined as the first permission failure in the associated filter
+/// unit after one of the following occurs:
+///
+/// - Reset.
+/// - The last clearance of an interrupt using the
+/// [`InterruptClearRegister`][crate::InterruptClearRegister].
+#[repr(transparent)]
+pub struct FailIDRegister(u32);
+
+impl FailIDRegister {
+ /// If a region permission check fails or a region overlap occurs, this field returns the VN
+ /// number of the first failed access, from either ARVNET<x> or AWVNET<x> as
+ /// appropriate. If the status flag for the filter unit in the
+ /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] already set, new region
+ /// permission check failures in the same filter unit do not update the associated fail status
+ /// group of registers.
+ pub const fn vnet(&self) -> u32 {
+ extract_bits(self.0, 27, 24)
+ }
+
+ /// If a region permission check fails or a region overlap occurs, this field returns the
+ /// ACE-Lite ID values of the first failed access.
+ ///
+ /// If the status flag for the filter unit in the
+ /// [`InterruptStatusRegister`][crate::InterruptStatusRegister] is already set, new region
+ /// permission check failures in the same filter unit do not update the associated fail status
+ /// group of registers.
+ pub const fn id(&self) -> u32 {
+ // TODO: use AID_WIDTH - 1 as upper bound.
+ extract_bits(self.0, 23, 0)
+ }
+}
+
+#[derive(Debug, Clone, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+#[repr(C, align(4))]
+pub(crate) struct FailRegisters {
+ /// 0x020 + (0x10 * x): Fail address low register.
+ fail_address_low: ReadPure<u32>,
+ /// 0x024 + (0x10 * x): Fail address high register.
+ fail_address_high: ReadPure<u32>,
+ /// 0x028 + (0x10 * x): Fail control register.
+ fail_control: ReadPure<FailControlRegister>,
+ /// 0x02C + (0x10 * x): Fail ID register.
+ fail_id: ReadPure<FailIDRegister>, /* TODO: size depends on configuration: https://developer.arm.com/documentation/ddi0504/c/programmers-model/register-summary?lang=en, footnote d. */
+}
+/// Wrapper structure to allow reading registers detailing the last failure of a filter unit. See
+/// also [`Tzc::fail`][crate::Tzc::filter_failure].
+pub struct TzcFail<'regs> {
+ pub(crate) regs: SharedMmioPointer<'regs, FailRegisters>,
+}
+
+impl<'a> TzcFail<'a> {
+ /// Returns the address of the first access that failed a region permission check in the
+ /// associated filter unit. This occurs even if the [`ActionRegister`][crate::ActionRegister] is
+ /// set to not drive the interrupt signal. See Action register.
+ ///
+ /// The first failing access is defined as the first permission failure in the associated filter
+ /// unit after one of the following occurs:
+ /// - Reset.
+ /// - The last clearance of an interrupt using the
+ /// [`InterruptClearRegister`][crate::InterruptClearRegister].
+ pub fn fail_address(&self) -> u64 {
+ concatenate_address_parts(
+ field_shared!(self.regs, fail_address_low).read(),
+ field_shared!(self.regs, fail_address_high).read(),
+ )
+ }
+
+ /// Returns the [`FailControlRegister`] of this filter.
+ pub fn fail_control(&self) -> FailControlRegister {
+ field_shared!(self.regs, fail_control).read()
+ }
+
+ /// Returns the [`FailIDRegister`] of this filter.
+ pub fn fail_id(&self) -> FailIDRegister {
+ field_shared!(self.regs, fail_id).read()
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use crate::{tests::FakeTZCRegisters, *};
+
+ #[test]
+ fn fail_oob() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x008, 0b0000_0000_0000_0010_0000_0000_0000_0000);
+ let tzc = regs.tzc_for_test();
+
+ assert!(tzc.filter_failure(2).is_none());
+ assert!(tzc.filter_failure(3).is_none());
+ assert!(tzc.filter_failure(4).is_none());
+ assert!(tzc.filter_failure(18).is_none());
+ }
+
+ #[test]
+ pub fn fail_address() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000);
+ for i in 0..4 {
+ regs.reg_write(0x020 + i * 0x10, 0xabcd_0000);
+ regs.reg_write(0x024 + i * 0x10, 0xfc00 | i as u32);
+ }
+
+ let tzc = regs.tzc_for_test();
+
+ for i in 0..4 {
+ assert_eq!(
+ tzc.filter_failure(i).unwrap().fail_address(),
+ 0xfc00_abcd_0000 | ((i as u64) << 32),
+ );
+ }
+ }
+
+ #[test]
+ fn fail_control() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000);
+ regs.reg_write(0x028, 0b0000_0001_0010_0000_0000_0000_0000_0000);
+ regs.reg_write(0x038, 0b0000_0000_0011_0000_0000_0000_0000_0000);
+ regs.reg_write(0x048, 0b0000_0001_0000_0000_0000_0000_0000_0000);
+ regs.reg_write(0x058, 0b0000_0000_0001_0000_0000_0000_0000_0000);
+ let tzc = regs.tzc_for_test();
+
+ let fc0 = tzc.filter_failure(0).unwrap().fail_control();
+ let fc1 = tzc.filter_failure(1).unwrap().fail_control();
+ let fc2 = tzc.filter_failure(2).unwrap().fail_control();
+ let fc3 = tzc.filter_failure(3).unwrap().fail_control();
+
+ assert_eq!(fc0.direction(), FailAccessDirection::Write);
+ assert!(!fc0.privileged());
+ assert!(fc0.non_secure());
+
+ assert_eq!(fc1.direction(), FailAccessDirection::Read);
+ assert!(fc1.privileged());
+ assert!(fc1.non_secure());
+
+ assert_eq!(fc2.direction(), FailAccessDirection::Write);
+ assert!(!fc2.privileged());
+ assert!(!fc2.non_secure());
+
+ assert_eq!(fc3.direction(), FailAccessDirection::Read);
+ assert!(fc3.privileged());
+ assert!(!fc3.non_secure());
+ }
+
+ #[test]
+ fn fail_id() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_1111_0000_1000);
+ regs.reg_write(0x02C, 0x05_00_be_ef);
+ regs.reg_write(0x03C, 0x02_de_ad_00);
+ regs.reg_write(0x04C, 0x08_ab_cd_ef);
+ regs.reg_write(0x05C, 0x0f_fe_d0_af);
+ let tzc = regs.tzc_for_test();
+
+ let fid0 = tzc.filter_failure(0).unwrap().fail_id();
+ let fid1 = tzc.filter_failure(1).unwrap().fail_id();
+ let fid2 = tzc.filter_failure(2).unwrap().fail_id();
+ let fid3 = tzc.filter_failure(3).unwrap().fail_id();
+
+ assert_eq!(fid0.vnet(), 5);
+ assert_eq!(fid0.id(), 0xbeef);
+
+ assert_eq!(fid1.vnet(), 2);
+ assert_eq!(fid1.id(), 0xdead00);
+
+ assert_eq!(fid2.vnet(), 8);
+ assert_eq!(fid2.id(), 0xabcdef);
+
+ assert_eq!(fid3.vnet(), 15);
+ assert_eq!(fid3.id(), 0xfed0af);
+ }
+}
diff --git a/src/lib.rs b/src/lib.rs
new file mode 100644
index 0000000..551dea9
--- /dev/null
+++ b/src/lib.rs
@@ -0,0 +1,850 @@
+// SPDX-FileCopyrightText: Copyright The arm-tzc Contributors.
+// SPDX-License-Identifier: MIT OR Apache-2.0
+#![no_std]
+#![doc = include_str!("../README.md")]
+#![deny(clippy::undocumented_unsafe_blocks)]
+#![deny(unsafe_op_in_unsafe_fn)]
+
+mod fail;
+mod region;
+mod utils;
+
+use bitflags::bitflags;
+use safe_mmio::{
+ SharedMmioPointer, UniqueMmioPointer, field, field_shared,
+ fields::{ReadOnly, ReadPure, ReadPureWrite, WriteOnly},
+};
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout};
+
+pub use crate::fail::{FailAccessDirection, FailControlRegister, FailIDRegister, TzcFail};
+pub use crate::region::{RegionAttributes, RegionIDAccess, TzcRegion, TzcRegionMut};
+use crate::{
+ fail::FailRegisters,
+ region::RegionRegisters,
+ utils::{extract_bits, get_bit, set_bit},
+};
+
+macro_rules! for_in_slice {
+ ($var:ident in $slice:expr, $($body:stmt)*) => {
+ let mut i = 0;
+ while i < $slice.len() {
+ let $var = &$slice[i];
+ $($body)*
+ i += 1;
+ }
+ };
+}
+pub(crate) use for_in_slice;
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Provides information about the configuration of the TZC-400.
+#[repr(transparent)]
+pub struct BuildConfigRegister(u32);
+
+impl BuildConfigRegister {
+ // Bit values for number of filters.
+ const NF_1: u32 = 0b00;
+ const NF_2: u32 = 0b01;
+ const NF_4: u32 = 0b11;
+
+ /// Returns the number of filter units in the design implementation.
+ pub const fn number_of_filters(&self) -> usize {
+ match extract_bits(self.0, 25, 24) {
+ Self::NF_1 => 1,
+ Self::NF_2 => 2,
+ Self::NF_4 => 4,
+ _ => panic!("Use of reserved value for number of filters"),
+ }
+ }
+
+ // Bit values for address width.
+ const AW_32: u32 = 0b011111;
+ const AW_36: u32 = 0b100011;
+ const AW_40: u32 = 0b100111;
+ const AW_48: u32 = 0b101111;
+ const AW_64: u32 = 0b111111;
+
+ /// Returns the width of the ACE-Lite address bus.
+ pub const fn address_width(&self) -> usize {
+ match extract_bits(self.0, 13, 8) {
+ Self::AW_32 => 32,
+ Self::AW_36 => 36,
+ Self::AW_40 => 40,
+ Self::AW_48 => 48,
+ Self::AW_64 => 64,
+ _ => panic!("Use of reserved value for address width"),
+ }
+ }
+
+ // Bit values for number of regions.
+ const NR_9: u32 = 0b01000;
+
+ /// Returns the number of regions that the TZC-400 provides.
+ pub fn number_of_regions(&self) -> usize {
+ match extract_bits(self.0, 4, 0) {
+ Self::NR_9 => 9,
+ _ => panic!("Use of reserved value for number of regions"),
+ }
+ }
+}
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Controls the interrupt and bus response signaling behavior of the TZC-400 when region permission
+/// failures occur.
+#[repr(transparent)]
+pub struct ActionRegister(u32);
+
+impl ActionRegister {
+ /// Sets TZCINT LOW and issues an OKAY response.
+ pub const TZCINTLOW_OKAY: ActionRegister = ActionRegister(0b00);
+ /// Sets TZCINT LOW and issues a DECERR response.
+ pub const TZCINTLOW_DECERR: ActionRegister = ActionRegister(0b01);
+ /// Sets TZCINT HIGH and issues an OKAY response.
+ pub const TZCINTHIGH_OKAY: ActionRegister = ActionRegister(0b10);
+ /// Sets TZCINT HIGH and issues a DECERR response.
+ pub const TZCINTHIGH_DECERR: ActionRegister = ActionRegister(0b11);
+}
+
+#[derive(Clone, Copy, Debug, Eq, PartialEq)]
+#[repr(u32)]
+/// See [`GateKeeper::status`].
+pub enum GateKeeperStatus {
+ /// Access to the associated filter is not permitted.
+ Closed = 0,
+ /// Access to the associated filter is permitted.
+ Opened = 1,
+}
+
+#[derive(Debug)]
+/// Provides control and status for the gate keeper in each filter unit implemented.
+///
+/// ## Usage constraints Closing the gate can cause accesses on the command channels to stall and can inadvertently cause a bus deadlock. Use this with caution.
+pub struct GateKeeper<'reg> {
+ reg: SharedMmioPointer<'reg, ReadPureWrite<u32>>,
+ index: usize,
+}
+
+impl<'reg> GateKeeper<'reg> {
+ /// The current state of the gate keeper in the filter unit at `index`. `index` must be the
+ /// index of a valid filter in the TZ-ASC configuration.
+ pub fn status(&self) -> GateKeeperStatus {
+ if get_bit(self.reg.read(), self.index + 16) {
+ GateKeeperStatus::Opened
+ } else {
+ GateKeeperStatus::Closed
+ }
+ }
+}
+
+#[derive(Debug)]
+/// Provides control and status for the gate keeper in each filter unit implemented.
+///
+/// ## Usage constraints
+///
+/// Closing the gate can cause accesses on the command channels to stall and can inadvertently cause
+/// a bus deadlock. Use this with caution.
+pub struct GateKeeperMut<'reg> {
+ reg: UniqueMmioPointer<'reg, ReadPureWrite<u32>>,
+ index: usize,
+}
+
+impl<'reg> GateKeeperMut<'reg> {
+ /// See [GateKeeper::status].
+ pub fn status(&self) -> GateKeeperStatus {
+ GateKeeper {
+ reg: *self.reg,
+ index: self.index,
+ }
+ .status()
+ }
+
+ /// Request the gate at `index` to be set to `status`. The request will take effect once all
+ /// outstanding accesses through the filter unit are complete.
+ pub fn request(&mut self, status: GateKeeperStatus) {
+ let mut value = self.reg.read();
+
+ set_bit(
+ &mut value,
+ self.index,
+ matches!(status, GateKeeperStatus::Opened),
+ );
+ self.reg.write(value);
+
+ while self.status() != status {}
+ }
+}
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Controls the read access speculation and write access speculation.
+#[repr(transparent)]
+pub struct SpeculationControlRegister(u32);
+
+bitflags! {
+ impl SpeculationControlRegister: u32 {
+ /// Disables read access speculation.
+ ///
+ /// Note: This bit is ignored and assumed to be zero at a filter unit if the corresponding
+ /// QVNENABLE signal is HIGH.
+ const READ_SPEC_DISABLE = 1 << 0;
+
+ /// Disables write access speculation.
+ ///
+ /// Note: This bit is ignored and assumed to be zero at a filter unit if the corresponding
+ /// QVNENABLE signal is HIGH.
+ const WRITE_SPEC_DISABLE = 1 << 1;
+ }
+}
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Contains the status of the interrupt signal, *TZCINT*, that reports access security violations
+/// or region overlap errors.
+#[repr(transparent)]
+pub struct InterruptStatusRegister(u32);
+
+impl InterruptStatusRegister {
+ /// When a bit is set to 1 it indicates a violation of the overlap region configuration rules
+ /// for the associated filter unit. This occurs when an access matches with two enabled regions
+ /// at the same time unless the overlap is only with Region 0.
+ ///
+ /// This bit is set even if the [`ActionRegister`] is set to not drive the interrupt.
+ ///
+ /// When this bit is true, the interrupt status bit is also set to true.
+ ///
+ /// Clear the interrupt status of the associated bit in the [`InterruptClearRegister`] to also
+ /// clear this field.
+ pub const fn overlap(&self, index: usize) -> bool {
+ assert!(index < 4);
+ get_bit(self.0, index + 16)
+ }
+
+ /// When a bit is set to `true`, it indicates the occurrence of two or more region permission or
+ /// region overlapping failures at the associated filter unit after the interrupt was cleared by
+ /// the associated bit in the [`InterruptClearRegister`].
+ ///
+ /// This bit is set even if the [`ActionRegister`] is set to not drive the interrupt.
+ ///
+ /// Clear the interrupt status of the associated bit in the [`InterruptClearRegister`] to also
+ /// clear this field.
+ pub const fn overrun(&self, index: usize) -> bool {
+ assert!(index < 4);
+ get_bit(self.0, index + 8)
+ }
+
+ /// This field indicates the status of the interrupt from the corresponding filter unit as
+ /// follows:
+ /// - `false`: Interrupt is not asserted.
+ /// - `true`: Interrupt is asserted and waiting to be cleared.
+ ///
+ /// This bit is set even if the [`ActionRegister`] is set to not drive the interrupt output
+ /// TZCINT HIGH.
+ ///
+ /// Therefore, the status acts as an indicator that a region permission check failure or an
+ /// overlap error has occurred at a particular filter unit.
+ pub const fn status(&self, index: usize) -> bool {
+ assert!(index < 4);
+ get_bit(self.0, index)
+ }
+}
+
+#[derive(
+ Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq, Default,
+)]
+/// Clears the interrupt.
+#[repr(transparent)]
+pub struct InterruptClearRegister(u32);
+
+impl InterruptClearRegister {
+ /// Creates an instance of [`InterruptClearRegister`] requesting to clear all the interrupts
+ /// present in `interrupts`.
+ pub const fn new(interrupts: &[usize]) -> Self {
+ let mut s = Self(0);
+
+ for_in_slice!(int in interrupts, s.0 |= 1 << *int);
+
+ s
+ }
+}
+/// View over the TZC memory.
+#[derive(Debug, Clone, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+#[repr(C, align(4))]
+pub struct TzcRegisters {
+ /// 0x000: Build configuration register.
+ build_config: ReadPure<BuildConfigRegister>,
+ /// 0x004: Action register.
+ action: ReadPureWrite<ActionRegister>,
+ /// 0x008: Gate keeper register.
+ gate_keeper: ReadPureWrite<u32>,
+ /// 0x00C: Speculation register.
+ speculation_ctrl: ReadPureWrite<SpeculationControlRegister>,
+ /// 0x010: Interrupt status register.
+ int_status: ReadOnly<InterruptStatusRegister>,
+ /// 0x014: Interrupt clear register.
+ int_clear: WriteOnly<InterruptClearRegister>,
+ /// 0x018-0x020: reserved.
+ reserved_18: [u32; 2],
+
+ /// 0x020-0x060: The fail status registers provide information about an access that fails
+ /// because of insufficient permissions or an overlap condition. A separate set of fail status
+ /// registers is provided for each filter unit.
+ fail_registers: [FailRegisters; 4],
+ /// 0x060-0x100: reserved.
+ reserved_60: [u32; 40],
+
+ /// 0x100-0x218: Registers for region 0 to 8 (included).
+ ///
+ /// The region control registers control the address space that each region controls and the
+ /// security attributes to use for that region.
+ region_registers: [RegionRegisters; 9],
+
+ /// 0x220-0xf00: reserved.
+ ///
+ /// Although the specification states that this reserved range should start at 0x218, the 8
+ /// first reserved bytes are actually at the end of the `RegionRegister` entry for Region 9.
+ reserved_220: [u32; 823],
+ padding_f00: [u32; 53],
+
+ /// 0xFD0: Peripheral ID 4 register.
+ pid4: ReadPure<u32>,
+ /// 0xFD4: Peripheral ID 5 register.
+ pid5: ReadPure<u32>,
+ /// 0xFD8: Peripheral ID 6 register.
+ pid6: ReadPure<u32>,
+ /// 0xFDC: Peripheral ID 7 register.
+ pid7: ReadPure<u32>,
+ /// 0xFE0: Peripheral ID 0 register.
+ pid0: ReadPure<u32>,
+ /// 0xFE4: Peripheral ID 1 register.
+ pid1: ReadPure<u32>,
+ /// 0xFE8: Peripheral ID 2 register.
+ pid2: ReadPure<u32>,
+ /// 0xFEC: Peripheral ID 3 register.
+ pid3: ReadPure<u32>,
+
+ /// 0xFF0: Component ID 0 register.
+ cid0: ReadPure<u32>,
+ /// 0xFF4: Component ID 1 register.
+ cid1: ReadPure<u32>,
+ /// 0xFF8: Component ID 2 register.
+ cid2: ReadPure<u32>,
+ /// 0xFFC: Component ID 3 register.
+ cid3: ReadPure<u32>,
+}
+
+/// Interface to manipulate the [TZC-400 TrustZone Address Space Controller](https://developer.arm.com/documentation/ddi0504/latest).
+pub struct Tzc<'a> {
+ regs: UniqueMmioPointer<'a, TzcRegisters>,
+}
+
+impl<'a> Tzc<'a> {
+ /// Creates new TZC instance from a [`UniqueMmioPointer`] that points to the memory region of
+ /// the Controller.
+ pub const fn new(regs: UniqueMmioPointer<'a, TzcRegisters>) -> Self {
+ Self { regs }
+ }
+
+ /// Returns the [`BuildConfigRegister`] for this TZC-400 instance.
+ pub fn build_configuration(&self) -> BuildConfigRegister {
+ field_shared!(self.regs, build_config).read()
+ }
+
+ /// Returns the current [`ActionRegister`] configuration.
+ pub fn action(&self) -> ActionRegister {
+ field_shared!(self.regs, action).read()
+ }
+ /// Sets the [`ActionRegister`] configuration.
+ pub fn set_action(&mut self, value: ActionRegister) {
+ field!((self.regs), action).write(value);
+ }
+
+ /// Returns a [`GateKeeper`] wrapper to read from the Gate Keeper Register.
+ pub fn gate_keeper<'reg>(&'reg self, index: usize) -> Option<GateKeeper<'reg>> {
+ if index < self.build_configuration().number_of_filters() {
+ Some(GateKeeper {
+ reg: field_shared!(self.regs, gate_keeper),
+ index,
+ })
+ } else {
+ None
+ }
+ }
+
+ /// Returns a [`GateKeeperMut`] wrapper to read from/write to the Gate Keeper Register.
+ pub fn gate_keeper_mut<'reg>(&'reg mut self, index: usize) -> Option<GateKeeperMut<'reg>> {
+ if index < self.build_configuration().number_of_filters() {
+ Some(GateKeeperMut {
+ reg: field!(self.regs, gate_keeper),
+ index,
+ })
+ } else {
+ None
+ }
+ }
+
+ /// Returns the current [`SpeculationControlRegister`] configuration.
+ pub fn speculation_control(&self) -> SpeculationControlRegister {
+ field_shared!(self.regs, speculation_ctrl).read()
+ }
+ /// Sets the [`SpeculationControlRegister`] configuration.
+ pub fn set_speculation_control(&mut self, value: SpeculationControlRegister) {
+ field!(self.regs, speculation_ctrl).write(value);
+ }
+
+ /// Returns the current [`InterruptStatusRegister`].
+ pub fn interrupt_status(&mut self) -> InterruptStatusRegister {
+ field!(self.regs, int_status).read()
+ }
+
+ /// Sets the [`InterruptClearRegister`].
+ pub fn clear_interrupts(&mut self, value: InterruptClearRegister) {
+ field!(self.regs, int_clear).write(value);
+ }
+
+ /// Returns a [`TzcFail`] structure to read from the failure register of the filter at `index`,
+ /// or `None` if `index` is out of bounds.
+ pub fn filter_failure<'regs>(&'regs self, idx: usize) -> Option<TzcFail<'regs>> {
+ if idx < self.build_configuration().number_of_filters() {
+ let fails = field_shared!(self.regs, fail_registers);
+ fails.get(idx).map(|regs| TzcFail { regs })
+ } else {
+ None
+ }
+ }
+
+ /// Returns a [`TzcRegion`] structure to read from the region registers at `index`, or `None` if
+ /// `index` is out of bounds.
+ pub fn region<'regs>(&'regs self, idx: usize) -> Option<TzcRegion<'regs>> {
+ let config = self.build_configuration();
+
+ if idx < config.number_of_regions() {
+ let regions = field_shared!(self.regs, region_registers);
+ regions.get(idx).map(|regs| TzcRegion {
+ regs,
+ address_width_mask: ((1 << config.address_width()) - 1),
+ })
+ } else {
+ None
+ }
+ }
+
+ /// Returns a [`TzcRegionMut`] structure to read and write from the region registers at `index`,
+ /// or `None` if `index` is out of bounds.
+ pub fn region_mut<'regs>(&'regs mut self, idx: usize) -> Option<TzcRegionMut<'regs>> {
+ let config = self.build_configuration();
+
+ if idx < config.number_of_regions() {
+ let regions = field!(self.regs, region_registers);
+ regions.take(idx).map(|regs| TzcRegionMut {
+ regs,
+ addresses_writable: idx != 0,
+ address_width_mask: ((1 << config.address_width()) - 1),
+ })
+ } else {
+ None
+ }
+ }
+
+ /// Returns the peripheral ID, which is `0x4002BB460`.
+ pub fn peripheral_id(&self) -> u64 {
+ let values = [
+ field_shared!(self.regs, pid0).read(),
+ field_shared!(self.regs, pid1).read(),
+ field_shared!(self.regs, pid2).read(),
+ field_shared!(self.regs, pid3).read(),
+ field_shared!(self.regs, pid4).read(),
+ field_shared!(self.regs, pid5).read(),
+ field_shared!(self.regs, pid6).read(),
+ field_shared!(self.regs, pid7).read(),
+ ];
+
+ values
+ .into_iter()
+ .map(|v| v as u64)
+ .enumerate()
+ .fold(0, |acc, (idx, value)| (value << (8 * idx as u64)) | acc)
+ }
+
+ /// Holds a 32 bit component ID value. Used for automatic BIOS configuration. The result is
+ /// `0xB105F00D`.
+ pub fn component_id(&self) -> u64 {
+ let values = [
+ field_shared!(self.regs, cid0).read(),
+ field_shared!(self.regs, cid1).read(),
+ field_shared!(self.regs, cid2).read(),
+ field_shared!(self.regs, cid3).read(),
+ ];
+
+ values
+ .into_iter()
+ .map(|v| v as u64)
+ .enumerate()
+ .fold(0, |acc, (idx, value)| (value << (8 * idx as u64)) | acc)
+ }
+}
+
+#[cfg(test)]
+pub(crate) mod tests {
+ use safe_mmio::UniqueMmioPointer;
+ use zerocopy::transmute_mut;
+
+ use crate::*;
+
+ const DEFAULT_BUILD_CONFIG: u32 = 0b0000_0001_0000_0000_0010_1111_0000_1000;
+
+ pub(crate) struct FakeTZCRegisters {
+ regs: [u32; 1024],
+ }
+
+ impl FakeTZCRegisters {
+ pub fn new() -> Self {
+ let mut s = Self { regs: [0u32; 1024] };
+ s.reg_write(0x000, DEFAULT_BUILD_CONFIG);
+ s
+ }
+
+ pub fn reg_write(&mut self, offset: usize, value: u32) {
+ self.regs[offset / 4] = value;
+ }
+
+ pub fn reg_read(&self, offset: usize) -> u32 {
+ self.regs[offset / 4]
+ }
+
+ fn get(&mut self) -> UniqueMmioPointer<'_, TzcRegisters> {
+ UniqueMmioPointer::from(transmute_mut!(&mut self.regs))
+ }
+
+ pub fn tzc_for_test(&mut self) -> Tzc<'_> {
+ Tzc::new(self.get())
+ }
+ }
+
+ #[test]
+ fn size() {
+ assert_eq!(size_of::<TzcRegisters>(), 4096);
+ }
+
+ #[test]
+ fn build_config() {
+ let mut regs = FakeTZCRegisters::new();
+
+ let config = regs.tzc_for_test().build_configuration();
+ assert_eq!(config.number_of_filters(), 2);
+ assert_eq!(config.address_width(), 48);
+ assert_eq!(config.number_of_regions(), 9);
+
+ regs.reg_write(0x000, 0b0000_0000_0000_0000_0011_1111_0000_1000);
+ let config = regs.tzc_for_test().build_configuration();
+ assert_eq!(config.number_of_filters(), 1);
+ assert_eq!(config.address_width(), 64);
+ assert_eq!(config.number_of_regions(), 9);
+
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_0111_0000_1000);
+ let config = regs.tzc_for_test().build_configuration();
+ assert_eq!(config.number_of_filters(), 4);
+ assert_eq!(config.address_width(), 40);
+ assert_eq!(config.number_of_regions(), 9);
+
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0010_0011_0000_1000);
+ let config = regs.tzc_for_test().build_configuration();
+ assert_eq!(config.number_of_filters(), 4);
+ assert_eq!(config.address_width(), 36);
+ assert_eq!(config.number_of_regions(), 9);
+
+ regs.reg_write(0x000, 0b0000_0011_0000_0000_0001_1111_0000_1000);
+ let config = regs.tzc_for_test().build_configuration();
+ assert_eq!(config.number_of_filters(), 4);
+ assert_eq!(config.address_width(), 32);
+ assert_eq!(config.number_of_regions(), 9);
+ }
+
+ #[test]
+ #[should_panic]
+ fn build_config_reserved_filters() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x000, 0b0000_0010_0000_0000_0010_1111_0000_1000);
+ let config = regs.tzc_for_test().build_configuration();
+
+ config.number_of_filters();
+ }
+
+ #[test]
+ #[should_panic]
+ fn build_config_reserved_address_width() {
+ fn run(address_width: u32, regs: &mut FakeTZCRegisters) {
+ regs.reg_write(
+ 0x000,
+ 0b0000_0001_0000_0000_0000_0000_0000_1000 | address_width << 8,
+ );
+ regs.tzc_for_test().build_configuration().address_width();
+ }
+
+ let mut regs = FakeTZCRegisters::new();
+
+ run(0b11_0011, &mut regs);
+ run(0b11_1101, &mut regs);
+ run(0b00_0000, &mut regs);
+ }
+
+ #[test]
+ #[should_panic]
+ fn build_config_reserved_regions() {
+ fn run(region_count: u32, regs: &mut FakeTZCRegisters) {
+ regs.reg_write(
+ 0x000,
+ 0b0000_0001_0000_0000_0011_1111_0000_0000 | region_count,
+ );
+ regs.tzc_for_test()
+ .build_configuration()
+ .number_of_regions();
+ }
+
+ let mut regs = FakeTZCRegisters::new();
+
+ run(0b1_1111, &mut regs);
+ run(0b0_0000, &mut regs);
+ run(0b0_1100, &mut regs);
+ }
+
+ #[test]
+ fn get_action() {
+ let mut regs = FakeTZCRegisters::new();
+
+ regs.reg_write(0x004, 0b0000_0000_0000_0000_0000_0000_0000_0000);
+ assert_eq!(regs.tzc_for_test().action(), ActionRegister::TZCINTLOW_OKAY);
+
+ regs.reg_write(0x004, 0b0000_0000_0000_0000_0000_0000_0000_0001);
+ assert_eq!(
+ regs.tzc_for_test().action(),
+ ActionRegister::TZCINTLOW_DECERR
+ );
+
+ regs.reg_write(0x004, 0b0000_0000_0000_0000_0000_0000_0000_0010);
+ assert_eq!(
+ regs.tzc_for_test().action(),
+ ActionRegister::TZCINTHIGH_OKAY
+ );
+
+ regs.reg_write(0x004, 0b0000_0000_0000_0000_0000_0000_0000_0011);
+ assert_eq!(
+ regs.tzc_for_test().action(),
+ ActionRegister::TZCINTHIGH_DECERR
+ );
+ }
+
+ #[test]
+ fn set_action() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+
+ tzc.set_action(ActionRegister::TZCINTLOW_OKAY);
+ assert_eq!(tzc.action(), ActionRegister::TZCINTLOW_OKAY);
+
+ tzc.set_action(ActionRegister::TZCINTLOW_DECERR);
+ assert_eq!(tzc.action(), ActionRegister::TZCINTLOW_DECERR);
+
+ tzc.set_action(ActionRegister::TZCINTHIGH_OKAY);
+ assert_eq!(tzc.action(), ActionRegister::TZCINTHIGH_OKAY);
+
+ tzc.set_action(ActionRegister::TZCINTHIGH_DECERR);
+ assert_eq!(tzc.action(), ActionRegister::TZCINTHIGH_DECERR);
+ }
+
+ #[test]
+ fn gate_keeper_oob() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x008, 0b0000_0000_0000_0010_0000_0000_0000_0000);
+ let mut tzc = regs.tzc_for_test();
+
+ assert!(tzc.gate_keeper(2).is_none());
+ assert!(tzc.gate_keeper(3).is_none());
+ assert!(tzc.gate_keeper(4).is_none());
+ assert!(tzc.gate_keeper(18).is_none());
+
+ assert!(tzc.gate_keeper_mut(2).is_none());
+ assert!(tzc.gate_keeper_mut(3).is_none());
+ assert!(tzc.gate_keeper_mut(4).is_none());
+ assert!(tzc.gate_keeper_mut(18).is_none());
+ }
+
+ #[test]
+ fn gate_keeper_status() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x008, 0b0000_0000_0000_0010_0000_0000_0000_0000);
+ let tzc = regs.tzc_for_test();
+
+ assert_eq!(
+ tzc.gate_keeper(0).unwrap().status(),
+ GateKeeperStatus::Closed
+ );
+ assert_eq!(
+ tzc.gate_keeper(1).unwrap().status(),
+ GateKeeperStatus::Opened
+ );
+ }
+
+ #[test]
+ fn gate_keeper_request() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x008, 0b0000_0000_0000_0010_0000_0000_0000_0001);
+ let mut tzc = regs.tzc_for_test();
+
+ tzc.gate_keeper_mut(0)
+ .unwrap()
+ .request(GateKeeperStatus::Closed);
+ tzc.gate_keeper_mut(1)
+ .unwrap()
+ .request(GateKeeperStatus::Opened);
+
+ assert_eq!(
+ regs.reg_read(0x008),
+ 0b0000_0000_0000_0010_0000_0000_0000_0010,
+ )
+ }
+
+ #[test]
+ fn get_speculation_control() {
+ fn run(flags: u32, regs: &mut FakeTZCRegisters, value: SpeculationControlRegister) {
+ regs.reg_write(0x00C, flags);
+ let spec = regs.tzc_for_test().speculation_control();
+ assert_eq!(spec, value);
+ }
+
+ let mut regs = FakeTZCRegisters::new();
+
+ run(0b00, &mut regs, SpeculationControlRegister::empty());
+ run(
+ 0b01,
+ &mut regs,
+ SpeculationControlRegister::READ_SPEC_DISABLE,
+ );
+ run(
+ 0b10,
+ &mut regs,
+ SpeculationControlRegister::WRITE_SPEC_DISABLE,
+ );
+ run(
+ 0b11,
+ &mut regs,
+ SpeculationControlRegister::READ_SPEC_DISABLE
+ | SpeculationControlRegister::WRITE_SPEC_DISABLE,
+ );
+ }
+
+ #[test]
+ fn set_speculation_control() {
+ fn run(flags: u32, regs: &mut FakeTZCRegisters, value: SpeculationControlRegister) {
+ regs.tzc_for_test().set_speculation_control(value);
+ assert_eq!(regs.reg_read(0x00C), flags);
+ }
+
+ let mut regs = FakeTZCRegisters::new();
+
+ run(0b00, &mut regs, SpeculationControlRegister::empty());
+ run(
+ 0b01,
+ &mut regs,
+ SpeculationControlRegister::READ_SPEC_DISABLE,
+ );
+ run(
+ 0b10,
+ &mut regs,
+ SpeculationControlRegister::WRITE_SPEC_DISABLE,
+ );
+ run(
+ 0b11,
+ &mut regs,
+ SpeculationControlRegister::READ_SPEC_DISABLE
+ | SpeculationControlRegister::WRITE_SPEC_DISABLE,
+ );
+ }
+
+ #[test]
+ pub fn interrupt_status() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x010, 0b0000_0000_0000_0010_0000_0001_0000_0010);
+ let mut tzc = regs.tzc_for_test();
+
+ let status = tzc.interrupt_status();
+
+ assert!(!status.overlap(0));
+ assert!(status.overlap(1));
+
+ assert!(status.overrun(0));
+ assert!(!status.overrun(1));
+
+ assert!(!status.status(0));
+ assert!(status.status(1));
+ }
+
+ #[test]
+ pub fn interrupt_clear() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+
+ let clear = InterruptClearRegister::new(&[0, 3]);
+ tzc.clear_interrupts(clear);
+
+ assert_eq!(
+ regs.reg_read(0x014),
+ 0b0000_0000_0000_0000_0000_0000_0000_1001
+ );
+ }
+
+ #[test]
+ fn peripheral_id() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0xFD0, 0x04);
+ regs.reg_write(0xFD4, 0x00);
+ regs.reg_write(0xFD8, 0x00);
+ regs.reg_write(0xFDC, 0x00);
+ regs.reg_write(0xFE0, 0x60);
+ regs.reg_write(0xFE4, 0xB4);
+ regs.reg_write(0xFE8, 0x2B);
+ regs.reg_write(0xFEC, 0x00);
+
+ let tzc = regs.tzc_for_test();
+ assert_eq!(tzc.peripheral_id(), 0x0000_0004_002B_B460);
+ }
+
+ #[test]
+ fn component_id() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0xFF0, 0x0D);
+ regs.reg_write(0xFF4, 0xF0);
+ regs.reg_write(0xFF8, 0x05);
+ regs.reg_write(0xFFC, 0xB1);
+
+ let tzc = regs.tzc_for_test();
+ assert_eq!(tzc.component_id(), 0xB105F00D);
+ }
+
+ #[test]
+ fn fail_oob() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ assert!(tzc.filter_failure(4).is_none());
+ assert!(tzc.filter_failure(8).is_none());
+ assert!(tzc.filter_failure(123124).is_none());
+ }
+
+ #[test]
+ fn region_oob() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ assert!(tzc.region(9).is_none());
+ assert!(tzc.region(32).is_none());
+ assert!(tzc.region(123124).is_none());
+ }
+
+ #[test]
+ fn region_mut_oob() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+
+ assert!(tzc.region_mut(9).is_none());
+ assert!(tzc.region_mut(32).is_none());
+ assert!(tzc.region_mut(123124).is_none());
+ }
+}
diff --git a/src/region.rs b/src/region.rs
new file mode 100644
index 0000000..b79de3e
--- /dev/null
+++ b/src/region.rs
@@ -0,0 +1,588 @@
+// SPDX-FileCopyrightText: Copyright The arm-tzc Contributors.
+// SPDX-License-Identifier: MIT OR Apache-2.0
+use safe_mmio::{SharedMmioPointer, UniqueMmioPointer, field, field_shared, fields::ReadPureWrite};
+use zerocopy::{FromBytes, Immutable, IntoBytes, KnownLayout};
+
+use crate::{
+ for_in_slice,
+ utils::{concatenate_address_parts, get_bit, set_bit, split_address},
+};
+
+const REGION_ALIGNMENT_MASK: u64 = 0xfff;
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Each region has a region attributes register which controls the permissions for Region 0 and,
+/// for all other regions, the permissions and target filter region enables.
+#[repr(transparent)]
+pub struct RegionAttributes(u32);
+
+impl RegionAttributes {
+ /// Creates a fresh value for a `RegionAttributes`.
+ ///
+ /// - `write`: whether the region should allow write access from the Secure World.
+ /// - `read`: whether the region should allow red access from the Secure World.
+ /// - `filters`: the id of the filters to enable for this region.
+ pub const fn new(write: bool, read: bool, filters: &[usize]) -> Self {
+ let mut s = Self(0);
+ s.set_write_enabled(write);
+ s.set_read_enabled(read);
+
+ for_in_slice! {
+ f in filters,
+ s.set_filter_status(*f, true)
+ }
+
+ s
+ }
+
+ /// Whether Secure writes are permitted in this region.
+ pub const fn is_write_enabled(&self) -> bool {
+ get_bit(self.0, 31)
+ }
+
+ /// Secure global write enable. This control bit defines the permissions for the Secure writes
+ /// in the region.
+ pub const fn set_write_enabled(&mut self, enabled: bool) {
+ set_bit(&mut self.0, 31, enabled);
+ }
+
+ /// Whether Secure reads are permitted in this region.
+ pub const fn is_read_enabled(&self) -> bool {
+ get_bit(self.0, 30)
+ }
+
+ /// Secure global read enable. This control bit defines the permissions for the Secure reads in
+ /// the region.
+ pub const fn set_read_enabled(&mut self, enabled: bool) {
+ set_bit(&mut self.0, 30, enabled);
+ }
+
+ /// Whether the filter `index` is enabled for this region.
+ pub const fn is_filter_enabled(&self, index: usize) -> bool {
+ assert!(index < 4);
+ get_bit(self.0, index)
+ }
+
+ /// Independently disables/enables the filter `index` for this region.
+ ///
+ /// When set HIGH, it enables the use of the current region programming for the associated
+ /// filter. For Region 0 all bits are set HIGH and cannot be modified.
+ pub const fn set_filter_status(&mut self, index: usize, enabled: bool) {
+ assert!(index < 4);
+ set_bit(&mut self.0, index, enabled);
+ }
+}
+
+#[derive(Debug, Clone, Copy, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+/// Each region has a region id access register which controls the Non-secure access based on the
+/// NSAID inputs.
+#[repr(transparent)]
+pub struct RegionIDAccess(u32);
+
+impl RegionIDAccess {
+ /// Creates a new instance of `RegionIDAccess`.
+ ///
+ /// - `writes`: all the NSA indexes that should be allowed to write into this region.
+ /// - `reads`: all the NSA indexes that should be allowed to read into this region.
+ pub const fn new(writes: &[usize], reads: &[usize]) -> Self {
+ let mut s = Self(0);
+
+ for_in_slice! {
+ w in writes,
+ s.set_write_enabled(*w, true)
+ }
+
+ for_in_slice! {
+ r in reads,
+ s.set_read_enabled(*r, true)
+ }
+
+ s
+ }
+
+ /// Whether Non-secure write access with an the associated `NSAIDW<index>` are allowed to
+ /// progress.
+ pub const fn is_write_enabled(&self, index: usize) -> bool {
+ assert!(index < 16);
+ get_bit(self.0, index + 16)
+ }
+
+ /// Permits Non-secure write access to any access with the associated `NSAIDW<index>` value.
+ pub const fn set_write_enabled(&mut self, index: usize, enabled: bool) {
+ assert!(index < 16);
+ set_bit(&mut self.0, index + 16, enabled);
+ }
+
+ /// Whether Non-secure read access with an the associated `NSAIDW<index>` are allowed to
+ /// progress.
+ pub const fn is_read_enabled(&self, index: usize) -> bool {
+ assert!(index < 16);
+ get_bit(self.0, index)
+ }
+
+ /// Permits Non-secure read access to any access with the associated `NSAIDW<index>` value.
+ pub const fn set_read_enabled(&mut self, index: usize, enabled: bool) {
+ assert!(index < 16);
+ set_bit(&mut self.0, index, enabled);
+ }
+}
+
+#[derive(Debug, Clone, Eq, FromBytes, Immutable, IntoBytes, KnownLayout, PartialEq)]
+#[repr(C, align(4))]
+pub(crate) struct RegionRegisters {
+ /// 0x100 + (0x20 * n): Region base address low register.
+ region_base_low: ReadPureWrite<u32>,
+ /// 0x104 + (0x20 * n): Region base address high register.
+ region_base_high: ReadPureWrite<u32>,
+ /// 0x108 + (0x20 * n): Region top address low register.
+ region_top_low: ReadPureWrite<u32>,
+ /// 0x10C + (0x20 * n): Region top address high register.
+ region_top_high: ReadPureWrite<u32>,
+ /// 0x110 + (0x20 * n): Region attributes register.
+ region_attributes: ReadPureWrite<RegionAttributes>,
+ /// 0x114 + (0x20 * n): Region ID access register.
+ region_id_access: ReadPureWrite<RegionIDAccess>,
+ /// 0x118 + (0x20 * n) - 0x120 + (0x20 * n): reserved.
+ reserved: [u32; 2],
+}
+
+/// Wrapper structure to allow reading registers for a region. See also
+/// [`Tzc::region`][crate::Tzc::region].
+pub struct TzcRegion<'regs> {
+ pub(crate) regs: SharedMmioPointer<'regs, RegionRegisters>,
+ pub(crate) address_width_mask: u64,
+}
+
+impl<'a> TzcRegion<'a> {
+ /// Returns the base address for this region.
+ ///
+ /// The address' bit-width will be contained within the width specified by the TZC in the
+ /// [`build_configuration`][crate::Tzc::build_configuration] register and the 12 LSBs are be 0
+ /// as the regions size are 4KB-aligned and this address must point to their first byte.
+ pub fn region_base_address(&self) -> u64 {
+ concatenate_address_parts(
+ field_shared!(self.regs, region_base_low).read(),
+ field_shared!(self.regs, region_base_high).read(),
+ ) & self.address_width_mask // The mask is applied since the [63:N] first bits (N is address width) may be non-zero.
+ }
+
+ /// Returns the top address for this region.
+ ///
+ /// The address' bit-width will be contained within the width specified by the TZC in the
+ /// [`build_configuration`][crate::Tzc::build_configuration] register and the 12 LSBs are be 1
+ /// as the regions size are 4KB-aligned and this address must point to their last byte.
+ pub fn region_top_address(&self) -> u64 {
+ concatenate_address_parts(
+ field_shared!(self.regs, region_top_low).read(),
+ field_shared!(self.regs, region_top_high).read(),
+ ) & self.address_width_mask // The mask is applied since the [63:N] first bits (N is address width) may be non-zero.
+ }
+
+ /// Return the [`RegionAttributes`] for this region.
+ pub fn region_attributes(&self) -> RegionAttributes {
+ field_shared!(self.regs, region_attributes).read()
+ }
+
+ /// Return the [`RegionIDAccess`] for this region.
+ pub fn region_id_access(&self) -> RegionIDAccess {
+ field_shared!(self.regs, region_id_access).read()
+ }
+}
+
+macro_rules! redeclare_fn {
+ ($name:ident, $ret:ty) => {
+ #[doc=concat!("See [TzcRegion::", stringify!($name), "].")]
+ pub fn $name(&self) -> $ret {
+ self.as_shared().$name()
+ }
+ };
+}
+
+/// Wrapper structure to allow reading and writing registers for a region. See also
+/// [`Tzc::region_mut`][crate::Tzc::region_mut].
+pub struct TzcRegionMut<'regs> {
+ pub(crate) regs: UniqueMmioPointer<'regs, RegionRegisters>,
+ pub(crate) addresses_writable: bool,
+ pub(crate) address_width_mask: u64,
+}
+
+impl<'a> TzcRegionMut<'a> {
+ #[inline(always)]
+ fn as_shared(&self) -> TzcRegion<'a> {
+ TzcRegion {
+ regs: *self.regs,
+ address_width_mask: self.address_width_mask,
+ }
+ }
+
+ redeclare_fn!(region_base_address, u64);
+ redeclare_fn!(region_top_address, u64);
+ redeclare_fn!(region_attributes, RegionAttributes);
+ redeclare_fn!(region_id_access, RegionIDAccess);
+
+ /// Sets the base address for this region.
+ ///
+ /// The address' bit-width must be contained within the width specified by the TZC in the
+ /// [`build_configuration`][crate::Tzc::build_configuration] register and the 12 LSBs must be 0
+ /// as the regions size are 4KB-aligned and this address must point to their first byte.
+ ///
+ /// This value cannot be written for Region 0, any call of this function with `index == 0` will
+ /// result in an error.
+ pub fn set_region_base_address(&mut self, address: u64) {
+ assert_eq!(address & self.address_width_mask, address);
+ assert_eq!(address & REGION_ALIGNMENT_MASK, 0);
+ assert!(self.addresses_writable);
+
+ let (low, high) = split_address(address);
+ field!(self.regs, region_base_low).write(low);
+ field!(self.regs, region_base_high).write(high);
+ }
+
+ /// Sets the top address for this region.
+ ///
+ /// The address' bit-width must be contained within the width specified by the TZC in the
+ /// [`build_configuration`][crate::Tzc::build_configuration] register and the 12 LSBs must be 1
+ /// as the regions size are 4KB-aligned and this address must point to their last byte.
+ ///
+ /// This value cannot be written for Region 0 and attempting it will return an error.
+ pub fn set_region_top_address(&mut self, address: u64) {
+ assert_eq!(address & self.address_width_mask, address);
+ assert_eq!(address & REGION_ALIGNMENT_MASK, REGION_ALIGNMENT_MASK);
+ assert!(self.addresses_writable);
+
+ let (low, high) = split_address(address);
+ field!(self.regs, region_top_low).write(low);
+ field!(self.regs, region_top_high).write(high);
+ }
+
+ /// Sets the [`RegionAttributes`] for the region `index`.
+ pub fn set_region_attributes(&mut self, value: RegionAttributes) {
+ field!(self.regs, region_attributes).write(value);
+ }
+
+ /// Sets the [`RegionIDAccess`] for the region `index`.
+ pub fn set_region_id_access(&mut self, value: RegionIDAccess) {
+ field!(self.regs, region_id_access).write(value);
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use crate::{region::REGION_ALIGNMENT_MASK, tests::FakeTZCRegisters, *};
+
+ #[test]
+ fn region_0_address() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x100, 0xbeef_0000);
+ regs.reg_write(0x104, 0xdead);
+ regs.reg_write(0x108, 0xdaed_0000);
+ regs.reg_write(0x10c, 0xfeeb);
+
+ let tzc = regs.tzc_for_test();
+ assert_eq!(
+ tzc.region(0).unwrap().region_base_address(),
+ 0xdead_beef_0000
+ );
+ assert_eq!(
+ tzc.region(0).unwrap().region_top_address(),
+ 0xfeeb_daed_0000
+ );
+ }
+
+ #[test]
+ fn region_n_address() {
+ let mut regs = FakeTZCRegisters::new();
+ for i in 1..=8 {
+ regs.reg_write(0x100 + i * 0x20, 0xabcd_0000);
+ regs.reg_write(0x104 + i * 0x20, i as u32);
+ regs.reg_write(0x108 + i * 0x20, 0xeffe_0000);
+ regs.reg_write(0x10c + i * 0x20, i as u32 + 8);
+ }
+
+ let tzc = regs.tzc_for_test();
+ for i in 1..=8 {
+ assert_eq!(
+ tzc.region(i).unwrap().region_base_address(),
+ (i as u64) << 32 | 0xabcd_0000
+ );
+ assert_eq!(
+ tzc.region(i).unwrap().region_top_address(),
+ (i as u64 + 8) << 32 | 0xeffe_0000
+ );
+ }
+ }
+
+ #[test]
+ fn region_n_address_mask() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x120, 0xffff_f000);
+ regs.reg_write(0x124, u32::MAX);
+ regs.reg_write(0x128, u32::MAX);
+ regs.reg_write(0x12c, u32::MAX);
+ let tzc = regs.tzc_for_test();
+
+ assert_eq!(
+ tzc.region(1).unwrap().region_base_address(),
+ 0x0000_ffff_ffff_f000
+ );
+ assert_eq!(
+ tzc.region(1).unwrap().region_top_address(),
+ 0x0000_ffff_ffff_ffff
+ );
+ }
+
+ #[test]
+ fn region_n_write_address() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+ for i in 1..=8 {
+ let mut reg = tzc.region_mut(i).unwrap();
+
+ reg.set_region_base_address((i << 32 | (i << 16)) as u64);
+
+ reg.set_region_top_address((i << 36 | (i << 24)) as u64 | REGION_ALIGNMENT_MASK);
+ }
+
+ for i in 1..=8 {
+ assert_eq!(regs.reg_read(0x100 + i * 0x20), (i as u32) << 16);
+ assert_eq!(regs.reg_read(0x104 + i * 0x20), i as u32);
+ assert_eq!(
+ regs.reg_read(0x108 + i * 0x20),
+ (i as u32) << 24 | (REGION_ALIGNMENT_MASK as u32)
+ );
+ assert_eq!(regs.reg_read(0x10c + i * 0x20), (i << 4) as u32);
+ }
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_0_write_base_address() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+
+ tzc.region_mut(0)
+ .unwrap()
+ .set_region_base_address(0xdead_beef_0000);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_0_write_top_address() {
+ let mut regs = FakeTZCRegisters::new();
+ let mut tzc = regs.tzc_for_test();
+
+ tzc.region_mut(0)
+ .unwrap()
+ .set_region_top_address(0xdead_beef_0000);
+ }
+
+ #[test]
+ fn region_attributes() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x110, 0b0000_0000_0000_0000_0000_0000_0000_0101);
+ regs.reg_write(0x130, 0b0100_0000_0000_0000_0000_0000_0000_0010);
+ regs.reg_write(0x150, 0b1000_0000_0000_0000_0000_0000_0000_1111);
+ regs.reg_write(0x170, 0b1100_0000_0000_0000_0000_0000_0000_0000);
+
+ let tzc = regs.tzc_for_test();
+ let att0 = tzc.region(0).unwrap().region_attributes();
+ let att1 = tzc.region(1).unwrap().region_attributes();
+ let att2 = tzc.region(2).unwrap().region_attributes();
+ let att3 = tzc.region(3).unwrap().region_attributes();
+
+ assert!(!att0.is_read_enabled());
+ assert!(!att0.is_write_enabled());
+ assert!(att0.is_filter_enabled(0));
+ assert!(!att0.is_filter_enabled(1));
+ assert!(att0.is_filter_enabled(2));
+ assert!(!att0.is_filter_enabled(3));
+
+ assert!(att1.is_read_enabled());
+ assert!(!att1.is_write_enabled());
+ assert!(!att1.is_filter_enabled(0));
+ assert!(att1.is_filter_enabled(1));
+ assert!(!att1.is_filter_enabled(2));
+ assert!(!att1.is_filter_enabled(3));
+
+ assert!(!att2.is_read_enabled());
+ assert!(att2.is_write_enabled());
+ assert!(att2.is_filter_enabled(0));
+ assert!(att2.is_filter_enabled(1));
+ assert!(att2.is_filter_enabled(2));
+ assert!(att2.is_filter_enabled(3));
+
+ assert!(att3.is_read_enabled());
+ assert!(att3.is_write_enabled());
+ assert!(!att3.is_filter_enabled(0));
+ assert!(!att3.is_filter_enabled(1));
+ assert!(!att3.is_filter_enabled(2));
+ assert!(!att3.is_filter_enabled(3));
+ }
+
+ #[test]
+ fn set_region_attributes() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x110, 0b0000_0000_0000_0000_0000_0000_0000_0101);
+ regs.reg_write(0x130, 0b0100_0000_0000_0000_0000_0000_0000_0010);
+
+ let mut tzc = regs.tzc_for_test();
+
+ let mut reg0 = tzc.region_mut(0).unwrap();
+ let mut att0 = reg0.region_attributes();
+ att0.set_write_enabled(true);
+ att0.set_filter_status(0, false);
+ reg0.set_region_attributes(att0);
+
+ let mut reg1 = tzc.region_mut(1).unwrap();
+ let mut att1 = reg1.region_attributes();
+ att1.set_read_enabled(false);
+ att1.set_filter_status(1, false);
+ reg1.set_region_attributes(att1);
+
+ let att2 = RegionAttributes::new(true, true, &[0, 1, 2, 3]);
+ tzc.region_mut(2).unwrap().set_region_attributes(att2);
+ assert_eq!(
+ regs.reg_read(0x110),
+ 0b1000_0000_0000_0000_0000_0000_0000_0100
+ );
+ assert_eq!(
+ regs.reg_read(0x130),
+ 0b0000_0000_0000_0000_0000_0000_0000_0000
+ );
+ assert_eq!(
+ regs.reg_read(0x150),
+ 0b1100_0000_0000_0000_0000_0000_0000_1111
+ );
+ }
+
+ #[test]
+ fn region_id_access() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x114, 0b1000_0000_0000_0001_0000_0000_0011_1000);
+ regs.reg_write(0x134, 0b1111_1111_1111_1111_0000_0000_0000_0000);
+
+ let tzc = regs.tzc_for_test();
+
+ let rid0 = tzc.region(0).unwrap().region_id_access();
+ let rid1 = tzc.region(1).unwrap().region_id_access();
+
+ for i in 0..16 {
+ assert_eq!(rid0.is_read_enabled(i), (3..=5).contains(&i));
+ assert_eq!(rid0.is_write_enabled(i), [0, 15].contains(&i));
+ assert!(!rid1.is_read_enabled(i));
+ assert!(rid1.is_write_enabled(i));
+ }
+ }
+
+ #[test]
+ fn set_region_id_access() {
+ let mut regs = FakeTZCRegisters::new();
+ regs.reg_write(0x134, 0b1000_0000_0000_0001_0000_0000_0011_1000);
+ let mut tzc = regs.tzc_for_test();
+
+ let mut rid0 = tzc.region(0).unwrap().region_id_access();
+ rid0.set_read_enabled(13, true);
+ rid0.set_read_enabled(14, true);
+ rid0.set_read_enabled(15, true);
+ rid0.set_write_enabled(0, true);
+ rid0.set_write_enabled(1, true);
+ tzc.region_mut(0).unwrap().set_region_id_access(rid0);
+
+ let mut rid1 = tzc.region(1).unwrap().region_id_access();
+ rid1.set_read_enabled(3, false);
+ rid1.set_read_enabled(4, false);
+ rid1.set_read_enabled(6, true);
+ rid1.set_write_enabled(0, false);
+ tzc.region_mut(1).unwrap().set_region_id_access(rid1);
+
+ let rid2 = RegionIDAccess::new(&[1, 2, 3], &[14, 15]);
+ tzc.region_mut(2).unwrap().set_region_id_access(rid2);
+
+ assert_eq!(
+ regs.reg_read(0x114),
+ 0b0000_0000_0000_0011_1110_0000_0000_0000
+ );
+
+ assert_eq!(
+ regs.reg_read(0x134),
+ 0b1000_0000_0000_0000_0000_0000_0110_0000
+ );
+
+ assert_eq!(
+ regs.reg_read(0x154),
+ 0b0000_0000_0000_1110_1100_0000_0000_0000,
+ );
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_attributes_oob_filter_read() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_attributes()
+ .is_filter_enabled(4);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_attributes_oob_filter_write() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_attributes()
+ .set_filter_status(4, true);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_id_access_oob_get_read() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_id_access()
+ .is_read_enabled(17);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_id_access_oob_set_read() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_id_access()
+ .set_read_enabled(17, false);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_id_access_oob_get_write() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_id_access()
+ .is_write_enabled(17);
+ }
+
+ #[test]
+ #[should_panic]
+ fn region_id_access_oob_set_write() {
+ let mut regs = FakeTZCRegisters::new();
+ let tzc = regs.tzc_for_test();
+
+ tzc.region(0)
+ .unwrap()
+ .region_id_access()
+ .set_write_enabled(17, false);
+ }
+}
diff --git a/src/utils.rs b/src/utils.rs
new file mode 100644
index 0000000..408c8ee
--- /dev/null
+++ b/src/utils.rs
@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: Copyright The arm-tzc Contributors.
+// SPDX-License-Identifier: MIT OR Apache-2.0
+
+#[inline(always)]
+/// Extracts from `value` the bits in the range `lsb..=end`.
+pub(crate) const fn extract_bits(value: u32, msb: u32, lsb: u32) -> u32 {
+ (value >> lsb) & ((1 << (msb - lsb + 1)) - 1)
+}
+
+#[inline(always)]
+/// Extracts the bit at the given position. Equivalent to `extract_bits(value, position, position)`.
+pub(crate) const fn get_bit(value: u32, position: usize) -> bool {
+ value >> position & 0b1 == 1
+}
+
+#[inline(always)]
+/// Sets the bit at `position` to the given state.
+pub(crate) const fn set_bit(value: &mut u32, position: usize, bit: bool) {
+ if bit {
+ *value |= 1 << position;
+ } else {
+ *value &= !(1 << position);
+ }
+}
+
+#[inline(always)]
+/// Performs a bitwise concatenation of two `u32` into a single `u64`. This is the opposite
+/// operation of [`split_address`].
+pub(crate) const fn concatenate_address_parts(low: u32, high: u32) -> u64 {
+ (high as u64) << 32 | low as u64
+}
+
+#[inline(always)]
+/// Perform a bitwise split of a `u64` into two `u32`. This is the opposite operation of
+/// [`concatenate_address_parts`].
+pub(crate) fn split_address(address: u64) -> (u32, u32) {
+ ((address & u32::MAX as u64) as u32, (address >> 32) as u32)
+}