diff --git a/plat/rockchip/rk3399/drivers/dram/dram.c b/plat/rockchip/rk3399/drivers/dram/dram.c
index 5f6f0fc..1dfb3e5 100644
--- a/plat/rockchip/rk3399/drivers/dram/dram.c
+++ b/plat/rockchip/rk3399/drivers/dram/dram.c
@@ -30,6 +30,7 @@
 
 #include <dram.h>
 #include <plat_private.h>
+#include <secure.h>
 #include <soc.h>
 #include <rk3399_def.h>
 
diff --git a/plat/rockchip/rk3399/drivers/dram/suspend.c b/plat/rockchip/rk3399/drivers/dram/suspend.c
index 02768fd..ce4d6f9 100644
--- a/plat/rockchip/rk3399/drivers/dram/suspend.c
+++ b/plat/rockchip/rk3399/drivers/dram/suspend.c
@@ -34,6 +34,7 @@
 #include <dram.h>
 #include <pmu_regs.h>
 #include <rk3399_def.h>
+#include <secure.h>
 #include <soc.h>
 #include <suspend.h>
 
diff --git a/plat/rockchip/rk3399/drivers/pmu/m0_ctl.c b/plat/rockchip/rk3399/drivers/pmu/m0_ctl.c
index 47bd3e3..6bdd04b 100644
--- a/plat/rockchip/rk3399/drivers/pmu/m0_ctl.c
+++ b/plat/rockchip/rk3399/drivers/pmu/m0_ctl.c
@@ -36,13 +36,14 @@
 #include <m0_ctl.h>
 #include <plat_private.h>
 #include <rk3399_def.h>
+#include <secure.h>
 #include <soc.h>
 
 void m0_init(void)
 {
 	/* secure config for M0 */
 	mmio_write_32(SGRF_BASE + SGRF_PMU_CON(0), WMSK_BIT(7));
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON6, WMSK_BIT(12));
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(6), WMSK_BIT(12));
 
 	/* set the execute address for M0 */
 	mmio_write_32(SGRF_BASE + SGRF_PMU_CON(3),
diff --git a/plat/rockchip/rk3399/drivers/pmu/pmu.c b/plat/rockchip/rk3399/drivers/pmu/pmu.c
index cd3987e..e04d474 100644
--- a/plat/rockchip/rk3399/drivers/pmu/pmu.c
+++ b/plat/rockchip/rk3399/drivers/pmu/pmu.c
@@ -44,6 +44,7 @@
 #include <plat_private.h>
 #include <rk3399_def.h>
 #include <pmu_sram.h>
+#include <secure.h>
 #include <soc.h>
 #include <pmu.h>
 #include <pmu_com.h>
@@ -1098,7 +1099,7 @@
 
 	pmu_sgrf_rst_hld();
 
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON0_1(1),
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(1),
 		      (PMUSRAM_BASE >> CPU_BOOT_ADDR_ALIGN) |
 		      CPU_BOOT_ADDR_WMASK);
 
@@ -1150,7 +1151,7 @@
 	udelay(300);
 	enable_dvfs_plls();
 
-	secure_watchdog_restore();
+	secure_watchdog_enable();
 
 	/* restore clk_ddrc_bpll_src_en gate */
 	mmio_write_32(CRU_BASE + CRU_CLKGATE_CON(3),
@@ -1166,7 +1167,7 @@
 	mmio_write_32(PMU_BASE + PMU_WAKEUP_STATUS, 0xffffffff);
 	mmio_write_32(PMU_BASE + PMU_WKUP_CFG4, 0x00);
 
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON0_1(1),
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(1),
 		      (cpu_warm_boot_addr >> CPU_BOOT_ADDR_ALIGN) |
 		      CPU_BOOT_ADDR_WMASK);
 
@@ -1306,7 +1307,7 @@
 	psram_sleep_cfg->boot_mpidr = read_mpidr_el1() & 0xffff;
 
 	/* config cpu's warm boot address */
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON0_1(1),
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(1),
 		      (cpu_warm_boot_addr >> CPU_BOOT_ADDR_ALIGN) |
 		      CPU_BOOT_ADDR_WMASK);
 	mmio_write_32(PMU_BASE + PMU_NOC_AUTO_ENA, NOC_AUTO_ENABLE);
diff --git a/plat/rockchip/rk3399/drivers/secure/secure.c b/plat/rockchip/rk3399/drivers/secure/secure.c
new file mode 100644
index 0000000..f2e9ab0
--- /dev/null
+++ b/plat/rockchip/rk3399/drivers/secure/secure.c
@@ -0,0 +1,173 @@
+/*
+ * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <arch_helpers.h>
+#include <assert.h>
+#include <debug.h>
+#include <delay_timer.h>
+#include <plat_private.h>
+#include <secure.h>
+#include <soc.h>
+
+static void sgrf_ddr_rgn_global_bypass(uint32_t bypass)
+{
+	if (bypass)
+		/* set bypass (non-secure regions) for whole ddr regions */
+		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
+			      SGRF_DDR_RGN_BYPS);
+	else
+		/* cancel bypass for whole ddr regions */
+		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
+			      SGRF_DDR_RGN_NO_BYPS);
+}
+
+/**
+ * There are 8 + 1 regions for DDR secure control:
+ * DDR_RGN_0 ~ DDR_RGN_7: Per DDR_RGNs grain size is 1MB
+ * DDR_RGN_X - the memories of exclude DDR_RGN_0 ~ DDR_RGN_7
+ *
+ * DDR_RGN_0 - start address of the RGN0
+ * DDR_RGN_8 - end address of the RGN0
+ * DDR_RGN_1 - start address of the RGN1
+ * DDR_RGN_9 - end address of the RGN1
+ * ...
+ * DDR_RGN_7 - start address of the RGN7
+ * DDR_RGN_15 - end address of the RGN7
+ * DDR_RGN_16 - bit 0 ~ 7 is bitmap for RGN0~7 secure,0: disable, 1: enable
+ *              bit 8 is setting for RGNx, the rest of the memory and region
+ *                which excludes RGN0~7, 0: disable, 1: enable
+ *              bit 9, the global secure configuration via bypass, 0: disable
+ *                bypass, 1: enable bypass
+ *
+ * @rgn - the DDR regions 0 ~ 7 which are can be configured.
+ * The @st_mb and @ed_mb indicate the start and end addresses for which to set
+ * the security, and the unit is megabyte. When the st_mb == 0, ed_mb == 0, the
+ * address range 0x0 ~ 0xfffff is secure.
+ *
+ * For example, if we would like to set the range [0, 32MB) is security via
+ * DDR_RGN0, then rgn == 0, st_mb == 0, ed_mb == 31.
+ */
+static void sgrf_ddr_rgn_config(uint32_t rgn,
+				uintptr_t st, uintptr_t ed)
+{
+	uintptr_t st_mb, ed_mb;
+
+	assert(rgn <= 7);
+	assert(st < ed);
+
+	/* check aligned 1MB */
+	assert(st % SIZE_M(1) == 0);
+	assert(ed % SIZE_M(1) == 0);
+
+	st_mb = st / SIZE_M(1);
+	ed_mb = ed / SIZE_M(1);
+
+	/* set ddr region addr start */
+	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(rgn),
+		      BITS_WITH_WMASK(st_mb, SGRF_DDR_RGN_0_16_WMSK, 0));
+
+	/* set ddr region addr end */
+	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(rgn + 8),
+		      BITS_WITH_WMASK((ed_mb - 1), SGRF_DDR_RGN_0_16_WMSK, 0));
+
+	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
+		      BIT_WITH_WMSK(rgn));
+}
+
+void secure_watchdog_disable(void)
+{
+	/**
+	 * Disable CA53 and CM0 wdt pclk
+	 * BIT[8]: ca53 wdt pclk, 0: enable 1: disable
+	 * BIT[10]: cm0 wdt pclk, 0: enable 1: disable
+	 */
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(3),
+		      BIT_WITH_WMSK(PCLK_WDT_CA53_GATE_SHIFT) |
+		      BIT_WITH_WMSK(PCLK_WDT_CM0_GATE_SHIFT));
+}
+
+void secure_watchdog_enable(void)
+{
+	/**
+	 * Enable CA53 and CM0 wdt pclk
+	 * BIT[8]: ca53 wdt pclk, 0: enable 1: disable
+	 * BIT[10]: cm0 wdt pclk, 0: enable 1: disable
+	 */
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(3),
+		      WMSK_BIT(PCLK_WDT_CA53_GATE_SHIFT) |
+		      WMSK_BIT(PCLK_WDT_CM0_GATE_SHIFT));
+}
+
+void secure_timer_init(void)
+{
+	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_END_COUNT0, 0xffffffff);
+	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_END_COUNT1, 0xffffffff);
+
+	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_INIT_COUNT0, 0x0);
+	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_INIT_COUNT0, 0x0);
+
+	/* auto reload & enable the timer */
+	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_CONTROL_REG,
+		      TIMER_EN | TIMER_FMODE);
+}
+
+void secure_sgrf_init(void)
+{
+	/* security config for master */
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(5),
+		      REG_SOC_WMSK | SGRF_SOC_ALLMST_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(6),
+		      REG_SOC_WMSK | SGRF_SOC_ALLMST_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(7),
+		      REG_SOC_WMSK | SGRF_SOC_ALLMST_NS);
+
+	/* security config for slave */
+	mmio_write_32(SGRF_BASE + SGRF_PMU_SLV_CON0_1(0),
+		      SGRF_PMU_SLV_S_CFGED |
+		      SGRF_PMU_SLV_CRYPTO1_NS);
+	mmio_write_32(SGRF_BASE + SGRF_PMU_SLV_CON0_1(1),
+		      SGRF_SLV_S_WMSK | SGRF_PMUSRAM_S);
+	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(0),
+		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(1),
+		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(2),
+		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(3),
+		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
+	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(4),
+		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
+}
+
+void secure_sgrf_ddr_rgn_init(void)
+{
+	sgrf_ddr_rgn_config(0, TZRAM_BASE, TZRAM_SIZE);
+	sgrf_ddr_rgn_global_bypass(0);
+}
diff --git a/plat/rockchip/rk3399/drivers/secure/secure.h b/plat/rockchip/rk3399/drivers/secure/secure.h
new file mode 100644
index 0000000..6eb2237
--- /dev/null
+++ b/plat/rockchip/rk3399/drivers/secure/secure.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (c) 2016, ARM Limited and Contributors. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of ARM nor the names of its contributors may be used
+ * to endorse or promote products derived from this software without specific
+ * prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __PLAT_ROCKCHIP_RK3399_DRIVER_SECURE_H__
+#define __PLAT_ROCKCHIP_RK3399_DRIVER_SECURE_H__
+
+/**************************************************
+ * sgrf reg, offset
+ **************************************************/
+#define SGRF_SOC_CON0_1(n)		(0xc000 + (n) * 4)
+#define SGRF_SOC_CON3_7(n)		(0xe00c + ((n) - 3) * 4)
+#define SGRF_SOC_CON8_15(n)		(0x8020 + ((n) - 8) * 4)
+#define SGRF_SOC_CON(n) 		(n < 3 ? SGRF_SOC_CON0_1(n) :\
+						(n < 8 ? SGRF_SOC_CON3_7(n) :\
+							 SGRF_SOC_CON8_15(n)))
+
+#define SGRF_PMU_SLV_CON0_1(n)		(0xc240 + ((n) - 0) * 4)
+#define SGRF_SLV_SECURE_CON0_4(n)	(0xe3c0 + ((n) - 0) * 4)
+#define SGRF_DDRRGN_CON0_16(n)		((n) * 4)
+#define SGRF_DDRRGN_CON20_34(n)		(0x50 + ((n) - 20) * 4)
+
+/* All of master in ns */
+#define SGRF_SOC_ALLMST_NS		0xffff
+
+/* security config for slave */
+#define SGRF_SLV_S_WMSK			0xffff0000
+#define SGRF_SLV_S_ALL_NS		0x0
+
+/* security config pmu slave ip */
+/* All of slaves  is ns */
+#define SGRF_PMU_SLV_S_NS		BIT_WITH_WMSK(0)
+/* slaves secure attr is configed */
+#define SGRF_PMU_SLV_S_CFGED		WMSK_BIT(0)
+#define SGRF_PMU_SLV_CRYPTO1_NS		WMSK_BIT(1)
+
+#define SGRF_PMUSRAM_S			BIT(8)
+
+/* ddr region */
+#define SGRF_DDR_RGN_0_16_WMSK		0x0fff  /* DDR RGN 0~16 size mask */
+
+#define SGRF_DDR_RGN_DPLL_CLK		BIT_WITH_WMSK(15) /* DDR PLL output clock */
+#define SGRF_DDR_RGN_RTC_CLK		BIT_WITH_WMSK(14) /* 32K clock for DDR PLL */
+
+/* All security of the DDR RGNs are bypass */
+#define SGRF_DDR_RGN_BYPS		BIT_WITH_WMSK(9)
+/* All security of the DDR RGNs are not bypass */
+#define SGRF_DDR_RGN_NO_BYPS		WMSK_BIT(9)
+
+/* The MST access the ddr rgn n with secure attribution */
+#define SGRF_L_MST_S_DDR_RGN(n)		BIT_WITH_WMSK((n))
+/* bits[16:8]*/
+#define SGRF_H_MST_S_DDR_RGN(n)		BIT_WITH_WMSK((n) + 8)
+
+#define SGRF_PMU_CON0			0x0c100
+#define SGRF_PMU_CON(n)   		(SGRF_PMU_CON0 + (n) * 4)
+
+/**************************************************
+ * secure timer
+ **************************************************/
+/* chanal0~5 */
+#define STIMER0_CHN_BASE(n)		(STIME_BASE + 0x20 * (n))
+/* chanal6~11 */
+#define STIMER1_CHN_BASE(n)		(STIME_BASE + 0x8000 + 0x20 * (n))
+
+ /* low 32 bits */
+#define TIMER_END_COUNT0		0x00
+ /* high 32 bits */
+#define TIMER_END_COUNT1		0x04
+
+#define TIMER_CURRENT_VALUE0		0x08
+#define TIMER_CURRENT_VALUE1		0x0C
+
+ /* low 32 bits */
+#define TIMER_INIT_COUNT0		0x10
+ /* high 32 bits */
+#define TIMER_INIT_COUNT1		0x14
+
+#define TIMER_INTSTATUS			0x18
+#define TIMER_CONTROL_REG		0x1c
+
+#define TIMER_EN			0x1
+
+#define TIMER_FMODE			(0x0 << 1)
+#define TIMER_RMODE			(0x1 << 1)
+
+/**************************************************
+ * secure WDT
+ **************************************************/
+#define PCLK_WDT_CA53_GATE_SHIFT	8
+#define PCLK_WDT_CM0_GATE_SHIFT		10
+
+/* export secure operating APIs */
+void secure_watchdog_disable(void);
+void secure_watchdog_enable(void);
+void secure_timer_init(void);
+void secure_sgrf_init(void);
+void secure_sgrf_ddr_rgn_init(void);
+
+#endif /* __PLAT_ROCKCHIP_RK3399_DRIVER_SECURE_H__ */
diff --git a/plat/rockchip/rk3399/drivers/soc/soc.c b/plat/rockchip/rk3399/drivers/soc/soc.c
index 623665c..ec5470e 100644
--- a/plat/rockchip/rk3399/drivers/soc/soc.c
+++ b/plat/rockchip/rk3399/drivers/soc/soc.c
@@ -39,6 +39,7 @@
 #include <platform_def.h>
 #include <plat_private.h>
 #include <rk3399_def.h>
+#include <secure.h>
 #include <soc.h>
 
 /* Table of regions to map using the MMU.  */
@@ -63,225 +64,8 @@
 	PLATFORM_CLUSTER1_CORE_COUNT
 };
 
-void secure_timer_init(void)
-{
-	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_END_COUNT0, 0xffffffff);
-	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_END_COUNT1, 0xffffffff);
-
-	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_INIT_COUNT0, 0x0);
-	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_INIT_COUNT0, 0x0);
-
-	/* auto reload & enable the timer */
-	mmio_write_32(STIMER1_CHN_BASE(5) + TIMER_CONTROL_REG,
-		      TIMER_EN | TIMER_FMODE);
-}
-
-void sgrf_init(void)
-{
-	/* security config for master */
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(5),
-		      SGRF_SOC_CON_WMSK | SGRF_SOC_ALLMST_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(6),
-		      SGRF_SOC_CON_WMSK | SGRF_SOC_ALLMST_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(7),
-		      SGRF_SOC_CON_WMSK | SGRF_SOC_ALLMST_NS);
-
-	/* security config for slave */
-	mmio_write_32(SGRF_BASE + SGRF_PMU_SLV_CON0_1(0),
-		      SGRF_PMU_SLV_S_CFGED |
-		      SGRF_PMU_SLV_CRYPTO1_NS);
-	mmio_write_32(SGRF_BASE + SGRF_PMU_SLV_CON0_1(1),
-		      SGRF_PMU_SLV_CON1_CFG);
-	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(0),
-		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(1),
-		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(2),
-		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(3),
-		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
-	mmio_write_32(SGRF_BASE + SGRF_SLV_SECURE_CON0_4(4),
-		      SGRF_SLV_S_WMSK | SGRF_SLV_S_ALL_NS);
-}
-
-static void dma_secure_cfg(uint32_t secure)
-{
-	if (secure) {
-		/* rgn0 secure for dmac0 and dmac1 */
-		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON20_34(22),
-			      SGRF_L_MST_S_DDR_RGN(0) | /* dmac0 */
-			      SGRF_H_MST_S_DDR_RGN(0) /* dmac1 */
-			      );
-
-		/* set dmac0 boot, under secure state */
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(8),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(9),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(10),
-			      SGRF_DMAC_CFG_S);
-
-		/* dmac0 soft reset */
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC0_RST);
-		udelay(5);
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC0_RST_RLS);
-
-		/* set dmac1 boot, under secure state */
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(11),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(12),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(13),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(14),
-			      SGRF_DMAC_CFG_S);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(15),
-			      SGRF_DMAC_CFG_S);
-
-		/* dmac1 soft reset */
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC1_RST);
-		udelay(5);
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC1_RST_RLS);
-	} else {
-		/* rgn non-secure for dmac0 and dmac1 */
-		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON20_34(22),
-			      DMAC1_RGN_NS | DMAC0_RGN_NS);
-
-		/* set dmac0 boot, under non-secure state */
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(8),
-			      DMAC0_BOOT_CFG_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(9),
-			      DMAC0_BOOT_PERIPH_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(10),
-			      DMAC0_BOOT_ADDR_NS);
-
-		/* dmac0 soft reset */
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC0_RST);
-		udelay(5);
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC0_RST_RLS);
-
-		/* set dmac1 boot, under non-secure state */
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(11),
-			      DMAC1_BOOT_CFG_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(12),
-			      DMAC1_BOOT_PERIPH_L_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(13),
-			      DMAC1_BOOT_ADDR_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(14),
-			      DMAC1_BOOT_PERIPH_H_NS);
-		mmio_write_32(SGRF_BASE + SGRF_SOC_CON8_15(15),
-			      DMAC1_BOOT_IRQ_NS);
-
-		/* dmac1 soft reset */
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC1_RST);
-		udelay(5);
-		mmio_write_32(CRU_BASE + CRU_SOFTRST_CON(10),
-			      CRU_DMAC1_RST_RLS);
-	}
-}
-
-/* pll suspend */
-struct deepsleep_data_s slp_data;
-
-void secure_watchdog_disable(void)
-{
-	slp_data.sgrf_con[3] = mmio_read_32(SGRF_BASE + SGRF_SOC_CON3_7(3));
-
-	/* disable CA53 wdt pclk */
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(3),
-		      BITS_WITH_WMASK(WDT_CA53_DIS, WDT_CA53_1BIT_MASK,
-				      PCLK_WDT_CA53_GATE_SHIFT));
-	/* disable CM0 wdt pclk */
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(3),
-		      BITS_WITH_WMASK(WDT_CM0_DIS, WDT_CM0_1BIT_MASK,
-				      PCLK_WDT_CM0_GATE_SHIFT));
-}
-
-void secure_watchdog_restore(void)
-{
-	mmio_write_32(SGRF_BASE + SGRF_SOC_CON3_7(3),
-		      slp_data.sgrf_con[3] |
-		      WMSK_BIT(PCLK_WDT_CA53_GATE_SHIFT) |
-		      WMSK_BIT(PCLK_WDT_CM0_GATE_SHIFT));
-}
-
-static void sgrf_ddr_rgn_global_bypass(uint32_t bypass)
-{
-	if (bypass)
-		/* set bypass (non-secure regions) for whole ddr regions */
-		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
-			      SGRF_DDR_RGN_BYPS);
-	else
-		/* cancel bypass for whole ddr regions */
-		mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
-			      SGRF_DDR_RGN_NO_BYPS);
-}
-
-/**
- * There are 8 + 1 regions for DDR secure control:
- * DDR_RGN_0 ~ DDR_RGN_7: Per DDR_RGNs grain size is 1MB
- * DDR_RGN_X - the memories of exclude DDR_RGN_0 ~ DDR_RGN_7
- *
- * DDR_RGN_0 - start address of the RGN0
- * DDR_RGN_8 - end address of the RGN0
- * DDR_RGN_1 - start address of the RGN1
- * DDR_RGN_9 - end address of the RGN1
- * ...
- * DDR_RGN_7 - start address of the RGN7
- * DDR_RGN_15 - end address of the RGN7
- * DDR_RGN_16 - bit 0 ~ 7 is bitmap for RGN0~7 secure,0: disable, 1: enable
- *              bit 8 is setting for RGNx, the rest of the memory and region
- *                which excludes RGN0~7, 0: disable, 1: enable
- *              bit 9, the global secure configuration via bypass, 0: disable
- *                bypass, 1: enable bypass
- *
- * @rgn - the DDR regions 0 ~ 7 which are can be configured.
- * The @st_mb and @ed_mb indicate the start and end addresses for which to set
- * the security, and the unit is megabyte. When the st_mb == 0, ed_mb == 0, the
- * address range 0x0 ~ 0xfffff is secure.
- *
- * For example, if we would like to set the range [0, 32MB) is security via
- * DDR_RGN0, then rgn == 0, st_mb == 0, ed_mb == 31.
- */
-static void sgrf_ddr_rgn_config(uint32_t rgn,
-				uintptr_t st, uintptr_t ed)
-{
-	uintptr_t st_mb, ed_mb;
-
-	assert(rgn <= 7);
-	assert(st < ed);
-
-	/* check aligned 1MB */
-	assert(st % SIZE_M(1) == 0);
-	assert(ed % SIZE_M(1) == 0);
-
-	st_mb = st / SIZE_M(1);
-	ed_mb = ed / SIZE_M(1);
-
-	/* set ddr region addr start */
-	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(rgn),
-		      BITS_WITH_WMASK(st_mb, SGRF_DDR_RGN_0_16_WMSK, 0));
-
-	/* set ddr region addr end */
-	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(rgn + 8),
-		      BITS_WITH_WMASK((ed_mb - 1), SGRF_DDR_RGN_0_16_WMSK, 0));
-
-	mmio_write_32(SGRF_BASE + SGRF_DDRRGN_CON0_16(16),
-		      BIT_WITH_WMSK(rgn));
-}
-
-static void secure_sgrf_ddr_rgn_init(void)
-{
-	sgrf_ddr_rgn_config(0, TZRAM_BASE, TZRAM_SIZE);
-	sgrf_ddr_rgn_global_bypass(0);
-}
+/* sleep data for pll suspend */
+static struct deepsleep_data_s slp_data;
 
 static void set_pll_slow_mode(uint32_t pll_id)
 {
@@ -502,7 +286,7 @@
 			CRU_PMU_WDTRST_MSK | CRU_PMU_FIRST_SFTRST_MSK);
 }
 
-void  __dead2 soc_global_soft_reset(void)
+void __dead2 soc_global_soft_reset(void)
 {
 	set_pll_slow_mode(VPLL_ID);
 	set_pll_slow_mode(NPLL_ID);
@@ -527,8 +311,7 @@
 void plat_rockchip_soc_init(void)
 {
 	secure_timer_init();
-	dma_secure_cfg(0);
-	sgrf_init();
+	secure_sgrf_init();
 	secure_sgrf_ddr_rgn_init();
 	soc_global_soft_reset_init();
 	plat_rockchip_gpio_init();
diff --git a/plat/rockchip/rk3399/drivers/soc/soc.h b/plat/rockchip/rk3399/drivers/soc/soc.h
index 03da025..da16adb 100644
--- a/plat/rockchip/rk3399/drivers/soc/soc.h
+++ b/plat/rockchip/rk3399/drivers/soc/soc.h
@@ -75,7 +75,6 @@
 #define REG_SOC_WMSK			0xffff0000
 #define CLK_GATE_MASK			0x01
 
-#define SGRF_SOC_COUNT		0x17
 #define PMUCRU_GATE_COUNT	0x03
 #define CRU_GATE_COUNT		0x23
 #define PMUCRU_GATE_CON(n)	(0x100 + (n) * 4)
@@ -120,11 +119,8 @@
 
 struct deepsleep_data_s {
 	uint32_t plls_con[END_PLL_ID][PLL_CON_COUNT];
-	uint32_t pmucru_clksel_con[PMUCRU_CLKSEL_CONUT];
-	uint32_t cru_clksel_con[CRU_CLKSEL_COUNT];
 	uint32_t cru_gate_con[CRU_GATE_COUNT];
 	uint32_t pmucru_gate_con[PMUCRU_GATE_COUNT];
-	uint32_t sgrf_con[SGRF_SOC_COUNT];
 };
 
 /**************************************************
@@ -157,50 +153,6 @@
 #define CYCL_32K_CNT_MS(ms)	(ms * 32)
 
 /**************************************************
- * secure timer
- **************************************************/
-
-/* chanal0~5 */
-#define STIMER0_CHN_BASE(n)	(STIME_BASE + 0x20 * (n))
-/* chanal6~11 */
-#define STIMER1_CHN_BASE(n)	(STIME_BASE + 0x8000 + 0x20 * (n))
-
- /* low 32 bits */
-#define TIMER_END_COUNT0	0x00
- /* high 32 bits */
-#define TIMER_END_COUNT1	0x04
-
-#define TIMER_CURRENT_VALUE0	0x08
-#define TIMER_CURRENT_VALUE1	0x0C
-
- /* low 32 bits */
-#define TIMER_INIT_COUNT0	0x10
- /* high 32 bits */
-#define TIMER_INIT_COUNT1	0x14
-
-#define TIMER_INTSTATUS		0x18
-#define TIMER_CONTROL_REG	0x1c
-
-#define TIMER_EN			0x1
-
-#define TIMER_FMODE		(0x0 << 1)
-#define TIMER_RMODE		(0x1 << 1)
-
-/**************************************************
- * secure WDT
- **************************************************/
-#define WDT_CM0_EN		0x0
-#define WDT_CM0_DIS		0x1
-#define WDT_CA53_EN		0x0
-#define WDT_CA53_DIS		0x1
-
-#define PCLK_WDT_CA53_GATE_SHIFT	8
-#define PCLK_WDT_CM0_GATE_SHIFT		10
-
-#define WDT_CA53_1BIT_MASK	0x1
-#define WDT_CM0_1BIT_MASK	0x1
-
-/**************************************************
  * cru reg, offset
  **************************************************/
 #define CRU_SOFTRST_CON(n)	(0x400 + (n) * 4)
@@ -241,67 +193,6 @@
 #define PCLK_GPIO0_GATE_SHIFT		3
 #define PCLK_GPIO1_GATE_SHIFT		4
 
-/**************************************************
- * sgrf reg, offset
- **************************************************/
-#define SGRF_SOC_CON0_1(n)		(0xc000 + (n) * 4)
-#define SGRF_SOC_CON3_7(n)		(0xe00c + ((n) - 3) * 4)
-#define SGRF_SOC_CON8_15(n)		(0x8020 + ((n) - 8) * 4)
-#define SGRF_PMU_SLV_CON0_1(n)		(0xc240 + ((n) - 0) * 4)
-#define SGRF_SLV_SECURE_CON0_4(n)	(0xe3c0 + ((n) - 0) * 4)
-#define SGRF_DDRRGN_CON0_16(n)		((n) * 4)
-#define SGRF_DDRRGN_CON20_34(n)		(0x50 + ((n) - 20) * 4)
-
-/* security config for master */
-#define SGRF_SOC_CON_WMSK		0xffff0000
-/* All of master in ns */
-#define SGRF_SOC_ALLMST_NS		0xffff
-
-/* security config for slave */
-#define SGRF_SLV_S_WMSK			0xffff0000
-#define SGRF_SLV_S_ALL_NS		0x0
-
-/* security config pmu slave ip */
-/* All of slaves  is ns */
-#define SGRF_PMU_SLV_S_NS		BIT_WITH_WMSK(0)
-/* slaves secure attr is configed */
-#define SGRF_PMU_SLV_S_CFGED		WMSK_BIT(0)
-#define SGRF_PMU_SLV_CRYPTO1_NS		WMSK_BIT(1)
-
-#define SGRF_PMUSRAM_S			BIT(8)
-
-#define SGRF_PMU_SLV_CON1_CFG		(SGRF_SLV_S_WMSK | \
-					SGRF_PMUSRAM_S)
-/* ddr region */
-#define SGRF_DDR_RGN_0_16_WMSK		0x0fff 	/* DDR RGN 0~16 size mask */
-
-#define SGRF_DDR_RGN_DPLL_CLK	BIT_WITH_WMSK(15) /* DDR PLL output clock */
-#define SGRF_DDR_RGN_RTC_CLK	BIT_WITH_WMSK(14) /* 32K clock for DDR PLL */
-#define SGRF_DDR_RGN_BYPS	BIT_WITH_WMSK(9) /* All of ddr rgn  is ns */
-/* All security of the DDR RGNs are not bypass  */
-#define SGRF_DDR_RGN_NO_BYPS	WMSK_BIT(9)
-
-/* The MST access the ddr rgn n with secure attribution */
-#define SGRF_L_MST_S_DDR_RGN(n)	BIT_WITH_WMSK((n))
-/* bits[16:8]*/
-#define SGRF_H_MST_S_DDR_RGN(n)	BIT_WITH_WMSK((n) + 8)
-
-/* dmac to periph s or ns*/
-#define SGRF_DMAC_CFG_S		0xffff0000
-
-#define DMAC1_RGN_NS			0xff000000
-#define DMAC0_RGN_NS			0x00ff0000
-
-#define DMAC0_BOOT_CFG_NS		0xfffffff8
-#define DMAC0_BOOT_PERIPH_NS		0xffff0fff
-#define DMAC0_BOOT_ADDR_NS		0xffff0000
-
-#define DMAC1_BOOT_CFG_NS		0xffff0008
-#define DMAC1_BOOT_PERIPH_L_NS		0xffff0fff
-#define DMAC1_BOOT_ADDR_NS		0xffff0000
-#define DMAC1_BOOT_PERIPH_H_NS		0xffffffff
-#define DMAC1_BOOT_IRQ_NS		0xffffffff
-
 #define CPU_BOOT_ADDR_WMASK	0xffff0000
 #define CPU_BOOT_ADDR_ALIGN	16
 
@@ -333,12 +224,6 @@
 #define PMUCRU_CLKGATE_CON2	0x0108
 #define PMUCRU_SOFTRST_CON0	0x0110
 #define PMUCRU_GATEDIS_CON0 0x0130
-
-#define SGRF_SOC_CON6     0x0e018
-#define SGRF_PERILP_CON0	0x08100
-#define SGRF_PERILP_CON(n)	(SGRF_PERILP_CON0 + (n) * 4)
-#define SGRF_PMU_CON0	0x0c100
-#define SGRF_PMU_CON(n)   (SGRF_PMU_CON0 + (n) * 4)
 #define PMUCRU_SOFTRST_CON(n)   (PMUCRU_SOFTRST_CON0 + (n) * 4)
 
 /*
@@ -362,10 +247,8 @@
 		      CRU_PMU_SGRF_RST_HOLD);
 }
 
-/* funciton*/
+/* export related and operating SoC APIs */
 void __dead2 soc_global_soft_reset(void);
-void secure_watchdog_disable();
-void secure_watchdog_restore();
 void disable_dvfs_plls(void);
 void disable_nodvfs_plls(void);
 void enable_dvfs_plls(void);
@@ -376,5 +259,5 @@
 void clk_gate_con_save(void);
 void clk_gate_con_disable(void);
 void clk_gate_con_restore(void);
-void sgrf_init(void);
+
 #endif /* __SOC_H__ */
diff --git a/plat/rockchip/rk3399/platform.mk b/plat/rockchip/rk3399/platform.mk
index dd23d09..c72119c 100644
--- a/plat/rockchip/rk3399/platform.mk
+++ b/plat/rockchip/rk3399/platform.mk
@@ -39,6 +39,7 @@
 				-I${RK_PLAT_SOC}/			\
 				-I${RK_PLAT_SOC}/drivers/pmu/		\
 				-I${RK_PLAT_SOC}/drivers/pwm/		\
+				-I${RK_PLAT_SOC}/drivers/secure/	\
 				-I${RK_PLAT_SOC}/drivers/soc/		\
 				-I${RK_PLAT_SOC}/drivers/dram/		\
 				-I${RK_PLAT_SOC}/include/		\
@@ -80,6 +81,7 @@
 			${RK_PLAT_SOC}/drivers/pmu/pmu_fw.c		\
 			${RK_PLAT_SOC}/drivers/pmu/m0_ctl.c		\
 			${RK_PLAT_SOC}/drivers/pwm/pwm.c		\
+			${RK_PLAT_SOC}/drivers/secure/secure.c		\
 			${RK_PLAT_SOC}/drivers/soc/soc.c		\
 			${RK_PLAT_SOC}/drivers/dram/dfs.c		\
 			${RK_PLAT_SOC}/drivers/dram/dram.c		\