The security module restricts the CPU access to on-chip secure memory without interrupting or stalling CPU execution. When a read occurs to a protected memory location, the read returns a zero value and CPU execution continues with the next instruction. This process, in effect, blocks read and write access to various memories through the JTAG port or external peripherals. Security is defined with respect to the access of on-chip secure memories and prevents unauthorized copying of proprietary code or data.
The zone is secure when CPU access to the on-chip secure memories associated with that zone is restricted. When secure, two levels of protection are possible, depending on where the program counter is currently pointing. If code is currently running from inside secure memory, only an access through JTAG is blocked (that is, through the JTAG debug probe). This process allows secure code to access secure data. Conversely, if code is running from unsecure memory, all accesses to secure memories are blocked. User code can dynamically jump in and out of secure memory, thereby allowing secure function calls from unsecure memory. Similarly, interrupt service routines can be placed in secure memory, even if the main program loop is run from unsecure memory.
The code security mechanism present in this device offers dual-zone security for the Cortex-M3 code and single-zone security for the C28x code. In case of dual-zone security on the master subsystem, the different secure memories (RAMs and flash sectors) can be assigned to different security zones by configuring the GRABRAM and GRABSECT registers associated with each zone. Flash Sector N and Flash Sector A are dedicated to Zone1 and Zone2, respectively, and cannot be allocated to any other zone by configuration. Similarly, flash sectors get assigned to different zones based on the setting in the GRABSECT registers.
Security is provided by a CSM password of 128 bits of data (four 32-bit words) that is used to secure or unsecure the zones. Each zone has its own 128-bit CSM password. The zone can be unsecured by executing the password match flow (PMF).
The CSM password for each zone is stored in its dedicated flash sector. The password storage locations in the flash sector store the CSM password. The password is selected by the system designer. If the password locations of a zone have all 128 bits as ones, the zone is considered "unsecure". Because new flash devices have erased flash (all ones), only a read of the password locations is required to bring any zone into unsecure mode. If the password locations of a zone have all 128 bits as zeros, the zone is considered "secure", regardless of the contents of the CSMKEY registers. The user should not use all zeros as a password or reset the device during an erase of the flash. Resetting the device during an erase routine can result in either an all-zero or unknown password. If a device is reset when the password locations are all zeros, the device cannot be unlocked by the password match flow. Using a password of all zeros will seriously limit the user’s ability to debug secure code or reprogram the flash.
If a device is reset while the password locations of a zone contain all zeros or an unknown value, that zone will be permanently locked unless a method to run the flash erase routine from secure SARAM is embedded into the flash or OTP. Care must be taken when implementing this procedure to avoid introducing a security hole.