Hi Ken, Hi Jonatan,

 

Here is how I see it:

 

• PPC, MPC control system wide the access rights; DMA and other bus masters cannot bypass
• SAU controls the access rights on the Processing Element
• MPU controls the access rights within a execution domain (secure, non-secure)

 

The setup for TF-M should be:

• Isolation Level 1: static SAU, PPC, MPC setup
• Isolation Level 2: adds static MPU setup (for privilege, non-privilege separation – could be reflected in PPC, MPC when it is supported by the device)
• Isolation Level 3: dynamic MPU setup (depending on the service executed)

 

Changing PPC, MPC setup dynamically does not make sense, as in most devices DMA could bypass TF-M.

 

If this schema is acceptable, TF-M could always assume correct setup of Isolation level 1.  A static #define could reflect that.

 

If you think it should be different, please explain why a different schema would add further security to the overall system.

Reinhard