Hi Ken, Hi Jonatan,

Here is how I see it:

* PPC, MPC control system wide the access rights; DMA and other bus masters cannot bypass * SAU controls the access rights on the Processing Element * MPU controls the access rights within a execution domain (secure, non-secure)

The setup for TF-M should be:

* Isolation Level 1: static SAU, PPC, MPC setup * Isolation Level 2: adds static MPU setup (for privilege, non-privilege separation - could be reflected in PPC, MPC when it is supported by the device) * Isolation Level 3: dynamic MPU setup (depending on the service executed)

Changing PPC, MPC setup dynamically does not make sense, as in most devices DMA could bypass TF-M.

If this schema is acceptable, TF-M could always assume correct setup of Isolation level 1. A static #define could reflect that.

If you think it should be different, please explain why a different schema would add further security to the overall system.

Reinhard