Permission checking is performed using the AXI master ID and TZ security settings of the AXI transaction. The MasterID sets one or more of the 20 local MATCH bits that are compared against the address-selected aperture permission register, APERPERM_xxx. The XPPU also tests the AxPROT[1] and R/W signals with the APERPERM_xxx [TRUSTZONE] bit. The following equation is for read transactions.
Transaction_OK = ((MATCH & PERMISSION) != 0)
AND { (TRUSTZONE == 1) OR { (AxPROT[1] == 0) && (TRUSTZONE == 0) } }
• The first term means that the incoming AXI master ID, after the mask is applied, should be listed in the master ID list, and it should also be listed as an allowed master in the aperture permission list, APERPERM_xxx registers.
• The second term means that the incoming AXI TrustZone (on AxPROT[1]) should meet the aperture (slave) TrustZone setting.
The result from this equation is further qualified with the parity check on the selected register from the aperture permission list if the parity check is enabled.
If all of these checks pass, then the transaction is allowed.
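The read-transaction check above, written out as a small software model (an added example, not Xilinx code). The struct layouts, the single-bit even-parity scheme, and the sample master IDs and masks are assumptions made for illustration and do not reproduce the hardware register encoding.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define XPPU_MATCH_BITS 20u
#define XPPU_MATCH_MASK ((1u << XPPU_MATCH_BITS) - 1u)

/* Hypothetical decoded register views; field names are assumptions. */
struct mid_entry { uint16_t id, mask; };
struct aperture  { uint32_t permission; bool trustzone; bool parity; };

/* Bit i of MATCH is set when the masked master ID equals list entry i. */
uint32_t xppu_match(const struct mid_entry *list, size_t n, uint16_t mid)
{
    uint32_t match = 0;
    for (size_t i = 0; i < n && i < XPPU_MATCH_BITS; i++)
        if ((mid & list[i].mask) == (list[i].id & list[i].mask))
            match |= 1u << i;
    return match;
}

/* Assumed parity model: one even-parity bit over PERMISSION and TRUSTZONE. */
bool aper_parity(uint32_t permission, bool trustzone)
{
    uint32_t v = (permission & XPPU_MATCH_MASK)
               | ((uint32_t)trustzone << XPPU_MATCH_BITS);
    bool p = false;
    for (; v; v &= v - 1) p = !p;   /* toggle once per set bit */
    return p;
}

/* Read check; axprot1 is AxPROT[1] (0 = secure, 1 = non-secure). */
bool xppu_read_ok(uint32_t match, const struct aperture *ap,
                  bool axprot1, bool parity_en)
{
    bool id_ok  = (match & ap->permission & XPPU_MATCH_MASK) != 0;
    bool tz_ok  = ap->trustzone || (!axprot1 && !ap->trustzone);
    bool par_ok = !parity_en ||
                  ap->parity == aper_parity(ap->permission, ap->trustzone);
    return id_ok && tz_ok && par_ok;
}

/* Constructed sample data: two list entries and a secure-only aperture. */
static const struct mid_entry demo_list[] = { {0x0040, 0x03F0}, {0x0080, 0x03C0} };

bool demo_read(uint16_t mid, bool axprot1, uint32_t permission, bool flip_bit)
{
    struct aperture ap = { permission, false, aper_parity(permission, false) };
    if (flip_bit) ap.permission ^= 1u << 1;  /* simulate a corrupted register */
    return xppu_read_ok(xppu_match(demo_list, 2, mid), &ap, axprot1, true);
}
```

The `flip_bit` case shows why the parity qualification matters: a single flipped PERMISSION bit would otherwise grant access to a master that was never listed for the aperture.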