diff --git a/plat/rockchip/px30/drivers/secure/secure.c b/plat/rockchip/px30/drivers/secure/secure.c
index 94a6d4295c18cc86e59b1b4b8f6714967980d69b..bb2b02ab73989dc0d3572a05c501a1194528f2a2 100644
--- a/plat/rockchip/px30/drivers/secure/secure.c
+++ b/plat/rockchip/px30/drivers/secure/secure.c
@@ -4,10 +4,49 @@
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
+#include <assert.h>
 #include <ddr_parameter.h>
+#include <plat_private.h>
 #include <secure.h>
 #include <px30_def.h>
 
+/**
+ * There are 8 regions for DDR security control
+ * @rgn - the DDR regions 0 ~ 7 which are can be configured.
+ * @st - start address to set as secure
+ * @sz - length of area to set as secure
+ * The internal unit is megabytes, so memory areas need to be aligned
+ * to megabyte borders.
+ */
+static void secure_ddr_region(uint32_t rgn,
+			      uintptr_t st, size_t sz)
+{
+	uintptr_t ed = st + sz;
+	uintptr_t st_mb, ed_mb;
+	uint32_t val;
+
+	assert(rgn <= 7);
+	assert(st < ed);
+
+	/* check aligned 1MB */
+	assert(st % SIZE_M(1) == 0);
+	assert(ed % SIZE_M(1) == 0);
+
+	st_mb = st / SIZE_M(1);
+	ed_mb = ed / SIZE_M(1);
+
+	/* map top and base */
+	mmio_write_32(FIREWALL_DDR_BASE +
+		      FIREWALL_DDR_FW_DDR_RGN(rgn),
+		      RG_MAP_SECURE(ed_mb, st_mb));
+
+	/* enable secure */
+	val = mmio_read_32(FIREWALL_DDR_BASE + FIREWALL_DDR_FW_DDR_CON_REG);
+	val |= BIT(rgn);
+	mmio_write_32(FIREWALL_DDR_BASE +
+		      FIREWALL_DDR_FW_DDR_CON_REG, val);
+}
+
 void secure_timer_init(void)
 {
 	mmio_write_32(STIMER_CHN_BASE(1) + TIMER_CONTROL_REG,
@@ -23,27 +62,21 @@ void secure_timer_init(void)
 
 void sgrf_init(void)
 {
-	uint32_t i, val;
+	uint32_t i;
 	struct param_ddr_usage usg;
 
 	/* general secure regions */
 	usg = ddr_region_usage_parse(DDR_PARAM_BASE,
 				     PLAT_MAX_DDR_CAPACITY_MB);
-	for (i = 0; i < usg.s_nr; i++) {
-		/* enable secure */
-		val = mmio_read_32(FIREWALL_DDR_BASE +
-			      FIREWALL_DDR_FW_DDR_CON_REG);
-		val |= BIT(7 - i);
-		mmio_write_32(FIREWALL_DDR_BASE +
-			      FIREWALL_DDR_FW_DDR_CON_REG, val);
-		/* map top and base */
-		mmio_write_32(FIREWALL_DDR_BASE +
-			      FIREWALL_DDR_FW_DDR_RGN(7 - i),
-			      RG_MAP_SECURE(usg.s_top[i], usg.s_base[i]));
-	}
-
-	/* set ddr rgn0_top and rga0_top as 0 */
-	mmio_write_32(FIREWALL_DDR_BASE + FIREWALL_DDR_FW_DDR_RGN(0), 0x0);
+
+	/* region-0 for TF-A, region-1 for optional OP-TEE */
+	assert(usg.s_nr < 7);
+
+	for (i = 0; i < usg.s_nr; i++)
+		secure_ddr_region(7 - i, usg.s_top[i], usg.s_base[i]);
+
+	/* secure the trustzone ram */
+	secure_ddr_region(0, TZRAM_BASE, TZRAM_SIZE);
 
 	/* set all slave ip into no-secure, except stimer */
 	mmio_write_32(SGRF_BASE + SGRF_SOC_CON(4), SGRF_SLV_S_ALL_NS);
diff --git a/plat/rockchip/px30/px30_def.h b/plat/rockchip/px30/px30_def.h
index 283b6064124802db3f8dcfb3ce4e7335d495cb95..efe789e1ec35b81fa80b06b043c4143934c82dc6 100644
--- a/plat/rockchip/px30/px30_def.h
+++ b/plat/rockchip/px30/px30_def.h
@@ -11,6 +11,7 @@
 #define MINOR_VERSION		(0)
 
 #define SIZE_K(n)		((n) * 1024)
+#define SIZE_M(n)		((n) * 1024 * 1024)
 
 #define WITH_16BITS_WMSK(bits)	(0xffff0000 | (bits))