Policies for secrets in trusted execution environments
US-2016350561-A1 · Dec 1, 2016 · US
| Field | Value |
|---|---|
| Publication number | US-2017337384-A1 |
| Application number | US-201715594122-A |
| Country | US |
| Kind code | A1 |
| Filing date | May 12, 2017 |
| Priority date | May 17, 2016 |
| Publication date | Nov 23, 2017 |
| Grant date | — |
Abstract
In a general aspect, a system can include a processor having a secure mode and a non-secure mode, and a secure module configured to respond to tokens posted by the processor in the secure mode. Each token can identify a secure asset, and source and destination addresses within secure and public address spaces. The secure module can include a memory storing secure assets identifiable by the tokens and a memory access circuit to read data from source addresses and write processed data to destination addresses. The system can further include a cryptography engine configured to process the read data using identified secure assets. The secure module can respond to tokens posted in the non-secure mode. The memory can store, with each secure asset, a respective rule defining the address spaces where the memory access circuit may read and write data. The secure module can ignore tokens that do not satisfy respective rules.
Claims (preview)

What is claimed is:

1. A data processing system with a trusted execution environment, the data processing system comprising: a host processor having a secure mode for operating in the trusted execution environment and a non-secure mode; a system bus operationally coupled with the host processor; at least one resource connected to the system bus, the at least one resource being accessible: through a first set of addresses within a secure address space used by the trusted execution environment; and a second set of addresses used within a public address space; and a secure module connected to the system bus, the secure module being configured to respond to tokens posted by the host processor in the secure mode, wherein a given token of the tokens identifies: a respective secure asset of a plurality of secure assets; respective source addresses within the secure address space; and respective destination addresses within the public address space, the secure module including: an internal memory storing the plurality of secure assets identifiable by the tokens; a memory access circuit configured to, for the given token, read data from the respective source addresses and write processed data to the respective destination addresses; and a cryptography engine configured to, for a given token, process the read data using the respective secure asset, the secure module being further configured to respond to tokens posted by the host processor in the non-secure mode, the internal memory of the secure module storing a respective rule with each secure asset of the plurality of secure assets, the respective rule defining permissions as to the public address space and the secure address space where the memory access circuit may read data and write data, and the secure module ignores tokens that do not satisfy the permissions defined in the respective rule.
2. The data processing system of claim 1, further comprising cross-domain rules for tokens posted by the host processor in the non-secure mode, the cross-domain rules allowing for reading data from one of the public address space and the secure address space and writing resulting data to the other of the public address space and the secure address space.
3. The data processing system of claim 2, wherein a cross-domain rule of the cross-domain rules allows for reading data from the public address space and writing resulting data to the secure address space in response to a decryption token.
4. The data processing system of claim 2, wherein a cross-domain rule of the cross-domain rules allows for reading data from the secure address space and writing resulting data to the public address space in response to an encryption token.
5. The data processing system of claim 1, wherein all rules for the plurality of secure assets, in the non-secure mode, constrain access to the public address space.
6. The data processing system of claim 1, wherein the respective rule includes a flag identifying one of the secure address space or the public address space, indicating where source data is located, and the respective rule constrains read access to the one of the secure address space or the public address space identified by the flag.
7. The data processing system of claim 1, wherein the at least one resource includes a plurality of resources including a system memory area and a secure peripheral.
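The abstract and claims 1 to 6 describe a policy check rather than a cipher: each asset in the module's internal memory carries a rule saying which (host mode, operation, source space, destination space) combinations the memory access circuit may service, and any token that does not match is ignored. The model below is an added illustration written for this page, not the patent's or any vendor's implementation. The address map (a secure window at 0x1000 and a public window at 0x8000), the rule encoding, the token layout and the SHA-256 counter "cipher" standing in for the cryptography engine are all assumptions; the scenario data is constructed.

```python
"""Toy model of the token-gated secure module described in the claims.

Constructed illustration for this page, not the patent's implementation.
Address layout, rule encoding and the stand-in cipher are assumptions.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Space(Enum):
    SECURE = "secure"
    PUBLIC = "public"


class Mode(Enum):
    SECURE = "secure-mode"
    NON_SECURE = "non-secure-mode"


class Op(Enum):
    ENCRYPT = "encrypt"
    DECRYPT = "decrypt"


# Assumed address map: one shared resource on the bus, reachable through a
# secure window and a public window (claim 1's two address sets).
SECURE_BASE, PUBLIC_BASE, WINDOW = 0x1000, 0x8000, 0x1000


def space_of(addr, length):
    """Address space the whole range [addr, addr+length) lies in, else None."""
    if length <= 0:
        return None
    for base, space in ((SECURE_BASE, Space.SECURE), (PUBLIC_BASE, Space.PUBLIC)):
        if base <= addr and addr + length <= base + WINDOW:
            return space
    return None


@dataclass(frozen=True)
class Asset:
    """A secure asset (a key) stored in the module together with its rule."""
    key: bytes
    # Permitted (host mode, op, source space, destination space) tuples.
    # The source-space entry is the "where is the source" flag of claim 6.
    rule: frozenset


@dataclass(frozen=True)
class Token:
    asset_id: int
    op: Op
    src: int
    dst: int
    length: int


# Baseline rule: secure mode reads secure data and writes the result to the
# public space (claim 1); non-secure mode stays inside the public space (claim 5).
BASE_RULE = frozenset({
    (Mode.SECURE, Op.ENCRYPT, Space.SECURE, Space.PUBLIC),
    (Mode.SECURE, Op.DECRYPT, Space.SECURE, Space.PUBLIC),
    (Mode.NON_SECURE, Op.ENCRYPT, Space.PUBLIC, Space.PUBLIC),
    (Mode.NON_SECURE, Op.DECRYPT, Space.PUBLIC, Space.PUBLIC),
})
# Cross-domain rules (claims 2-4): a non-secure decrypt token may move data
# public -> secure and a non-secure encrypt token secure -> public, never the reverse.
CROSS_DOMAIN_RULES = frozenset({
    (Mode.NON_SECURE, Op.DECRYPT, Space.PUBLIC, Space.SECURE),
    (Mode.NON_SECURE, Op.ENCRYPT, Space.SECURE, Space.PUBLIC),
})


def toy_stream_cipher(key, data):
    """Stand-in for the cryptography engine: SHA-256 counter keystream XOR.
    Toy only (unauthenticated, not a real cipher); symmetric, so one function
    serves both encrypt and decrypt tokens."""
    out = bytearray()
    for block in range(0, len(data), 32):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[block:block + 32], ks))
    return bytes(out)


class SecureModule:
    """Bus-attached module: services a token only when its access pattern is
    permitted by the rule stored with the named asset, otherwise ignores it."""

    def __init__(self, assets, memory):
        self._assets = assets   # internal memory, never addressable by the host
        self.memory = memory    # the shared resource on the system bus
        self.ignored = []       # audit trail of (token, mode) pairs that were dropped

    def post(self, token, mode):
        asset = self._assets.get(token.asset_id)
        src_space = space_of(token.src, token.length)
        dst_space = space_of(token.dst, token.length)
        if (asset is None or src_space is None or dst_space is None
                or (mode, token.op, src_space, dst_space) not in asset.rule):
            self.ignored.append((token, mode))
            return False
        data = bytes(self.memory[token.src:token.src + token.length])
        self.memory[token.dst:token.dst + token.length] = toy_stream_cipher(asset.key, data)
        return True


def demo():
    """Constructed scenario: secure-mode encrypt, a permitted cross-domain
    decrypt, and a non-secure attempt to pull secure plaintext into the public
    window, which no rule allows."""
    memory = bytearray(PUBLIC_BASE + WINDOW)
    secret = b"device attestation key material"   # constructed secure-window content
    memory[SECURE_BASE:SECURE_BASE + len(secret)] = secret
    module = SecureModule(
        {1: Asset(b"k" * 16, BASE_RULE | CROSS_DOMAIN_RULES),
         2: Asset(b"j" * 16, BASE_RULE)},
        memory,
    )
    n = len(secret)
    r = {}
    # Claim 1 pattern: secure mode, secure source, public destination.
    r["secure_encrypt"] = module.post(Token(1, Op.ENCRYPT, SECURE_BASE, PUBLIC_BASE, n), Mode.SECURE)
    r["ciphertext_differs"] = bytes(memory[PUBLIC_BASE:PUBLIC_BASE + n]) != secret
    # Claim 3: non-secure decrypt token, public -> secure, is permitted for asset 1.
    r["cross_decrypt"] = module.post(Token(1, Op.DECRYPT, PUBLIC_BASE, SECURE_BASE + 0x100, n), Mode.NON_SECURE)
    r["roundtrip"] = bytes(memory[SECURE_BASE + 0x100:SECURE_BASE + 0x100 + n]) == secret
    # Non-secure decrypt token, secure -> public: would expose the secret; ignored.
    r["leak_attempt"] = module.post(Token(1, Op.DECRYPT, SECURE_BASE, PUBLIC_BASE + 0x100, n), Mode.NON_SECURE)
    # Asset 2 carries no cross-domain rule, so a non-secure encrypt out of the
    # secure window is ignored as well (claim 5).
    r["no_cross_rule"] = module.post(Token(2, Op.ENCRYPT, SECURE_BASE, PUBLIC_BASE + 0x200, n), Mode.NON_SECURE)
    # A range straddling a window boundary lies in no single space and never matches.
    r["straddle"] = module.post(Token(1, Op.ENCRYPT, SECURE_BASE + WINDOW - 4, PUBLIC_BASE, n), Mode.SECURE)
    r["ignored_count"] = len(module.ignored)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point worth taking from the model is the asymmetry of the cross-domain rules: non-secure code may ask the engine to decrypt public data into the secure window or to encrypt secure data out to the public window, but a decrypt token with a secure source and a public destination matches no rule, so the module cannot be driven as a decryption oracle over secure memory. A real engine would also have to reject a token whose range spans both windows, which the range check in space_of covers here.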
CPC classification titles

- interconnection devices, e.g. bus-connected or in-line devices
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- in semiconductor storage media, e.g. directly-addressable memories
- by using cryptography (for digital transmission H04L9/00)
- Providing cryptographic facilities or services