On 18/02/2026 11:38, Gatien CHEVALLIER wrote:

On 2/17/26 21:06, Krzysztof Kozlowski wrote:

quoted

On 17/02/2026 14:12, Gatien CHEVALLIER wrote:

quoted

On 2/13/26 16:06, Krzysztof Kozlowski wrote:

quoted

On 10/02/2026 10:55, Gatien CHEVALLIER wrote:

quoted

quoted

quoted

+  memory-region:
+    minItems: 1
+    maxItems: 32
+    description:
+      Phandle to nodes describing memory regions to be configured in the RISAB
+      by the trusted domain of at least a RISAB page size.
+      These regions cannot overlap. A zone must be within st,mem-map range and
+      can be represented by one or more pages.
+
+  st,mem-map:
+    $ref: /schemas/types.yaml#/definitions/uint32-array
+    description: Memory address range covered by the RISAB.
+    items:
+      - description: Memory range base address
+      - description: Memory range size

Why do you need this property if you have memory-region already? This
also should be part of <reg>, although this mixing with memory-region is
anyway confusing.

The RISAB is a memory firewall peripheral covering internal RAMs. It is
possible to configure multiple memory regions within these RAMs (done by
the Trusted Domain) with security, privilege and compartment isolation.
This peripheral allow 4kBytes page granularity. Each page can hold
different access rights, with 32 pages at most (hence the maxItems: 32).
That is some information that can be added to the documentation.

Moreover, when a region is delegated to a non-secure privileged
component, this component can configure the privilege level necessary to
access the region.

This property gives me the opportunity to get the memory range covered
by the RISAB. "reg" here is used to access the actual RISAB registers
holding the configuration.

Looks awfully like memory regions still :/

IIUC the memory-region property references memory regions within
a reserved memory. Which is not really what I want to describe
here as I want to get the boundaries of the whole range. The
memory-region property would be used by the Trusted Domain / kernel
to get each regions (or only one that represents the whole range) of the
internal RAM to apply desired access rights to them / use them.

Describing the memory range using a reserved memory would make the
kernel exclude this memory range from the normal usage, no?

In general yes, but also depends on the use case/drivers/purpose. I do
not understand why would you mark some memory for generic use by kernel
(so not reserved for specific purpose) and still configure it somehow
for trusted firmware to allow secure read/write access.

If you mark some part of memory as a meaning for TF for secure access,
you already claim it is not a generic memory. Otherwise TF just writes
all over malloced() pages?

While the Trusted Domain applies the configuration, it is entirely
possible for the Trusted domain to give himself access to, let's say,
the first RISAB page to store whatever data, and give the rest to the
kernel. Actually, this is what we do to store OTP data mirrors

And what happens with the rest of that memory? Why the first page cannot
be the reserved region?

or DDR context and give the rest to the kernel or the co-processor.

Now, using internal RAM for generic use by the kernel is unlikely but
I have in mind the last firewall controller of the stm32mp2x platforms,
which is the RISAF. It has the same purpose as the RISAB but for
external memories. One protects the DDR so I do want DDR regions as
accessible for general use (memory node).

This property allows me to describe the boundaries of what is protected
without having to imply anything from frameworks about the regions as I
have no way of knowing what is accessible and what is not.

Frameworks do not matter here - we don't even talk about them yet.

You want to describe boundaries of some dedicated memory region and you
should not have a custom property for that.

quoted

quoted

I think declaring a "boundaries" memory region with no usage for the
kernel wouldn't make sense. The kernel may not be able to access the
whole memory range.

I don't understand that. reserved-memory is for cases with "no usage for
the kernel", so it would perfectly make sense.

quoted

Look what your description said:

"used to protect internal RAMs by applying access"

Yes, access rights are applied by the Trusted Domain. These firewalls
are very flexible because access rights on secure and privilege levels
along with Compartment ID (SoC is divided into multiple compartments
holding a compartment ID) can be configured. Some bits of the
firewall configuration can also be delegated. e.g: When a memory
region is configured for privileged, non-secure access for the
cortex running Linux; then the kernel could reconfigure the
privilege level (unlikely but feasible).

It would be quite complex to explain the whole mechanism without
pointing to some documentation [1].

Anyway, access rights are applied, but access may very well be given to
the privileged non-secure compartment running the kernel. Meaning that
only the kernel can access such memory. Not the Trusted Domain, not the
user-space, not the co-processor.

This implies that if you do not reserve such memory that way, then
Trusted Domain or user-space could just poke and use it...

If kernel explicitly has to tell TD to do something with specific region
of memory, this is somehow a reserved memory. It is distinctive,
special, selected, chosen.

So you could give some bits of internal RAM to the kernel for whatever
purpose you'd like (Storing particular data you want to keep in some
low-power mode, etc...).

All RAM is for that purpose...

[1]: https://wiki.st.com/stm32mpu/wiki/Resource_Isolation_Framework_overview

quoted

and

" a trusted domain, or the domain to whom the page configuration has
been delegated,"

so how it is not a dedicated, special memory delegated to specific
devices and/or TF?

The memory is delegated to some contexts. These can be the processor
running Linux, a co-processor, some initiator ports of peripherals
having DMAs, etc...

So pretty close to what the purpose of reserved-memory is...

Well, we keep discussing and I am really not convinced. You can try to
catch @Rob tomorrow on IRC and maybe get his approval, but for me this
is clearly some sort of reserved memory thus you cannot go with own
bindings. Another way would be to prove me wrong by using the reserved
memory binding and showing how it could not possible work, ever (such
counter examples sometimes help to look at the problem from a new angle).

Best regards,
Krzysztof