SPRS797F November 2012 – September 2021 TMS320F28050 , TMS320F28051 , TMS320F28052 , TMS320F28052F , TMS320F28052M , TMS320F28053 , TMS320F28054 , TMS320F28054F , TMS320F28054M , TMS320F28055
PRODUCTION DATA
The TMS320F2805x device supports high levels of security with a dual-zone (Z1/Z2) feature to protect user's firmware from being reverse-engineered. The dual-zone feature enables the user to co-develop application software with a third-party or subcontractor by preventing visibility into each other's software IP. The security features a 128-bit password (hardcoded for 16 wait states) for each zone, which the user programs into the USER-OTP. Each zone has its own dedicated USER-OTP, which must be programmed by the user with the required security settings, including the 128-bit password. Because OTP cannot be erased, to provide the user with the flexibility of changing security-related settings and passwords multiple times, a 32-bit link pointer is stored at the beginning of each USER-OTP. Because the user can only flip a 1 in USER-OTP to 0, the most significant bit position in the link pointer, programmed as 0, defines the USER-OTP region (zone-select) for each zone in which security-related settings and passwords are stored. Table 8-3 provides the location of the zone-select block based on the link pointer. Table 8-4 shows the zone-select block organization in USER-OTP.
Zx LINK POINTER VALUE | ADDRESS OFFSET FOR ZONE-SELECT |
---|---|
32’bxx111111111111111111111111111111 | 0x10 |
32’bxx111111111111111111111111111110 | 0x20 |
32’bxx11111111111111111111111111110x | 0x30 |
32’bxx1111111111111111111111111110xx | 0x40 |
32’bxx111111111111111111111111110xxx | 0x50 |
32’bxx11111111111111111111111110xxxx | 0x60 |
32’bxx1111111111111111111111110xxxxx | 0x70 |
32’bxx111111111111111111111110xxxxxx | 0x80 |
32’bxx11111111111111111111110xxxxxxx | 0x90 |
32’bxx1111111111111111111110xxxxxxxx | 0xa0 |
32’bxx111111111111111111110xxxxxxxxx | 0xb0 |
32’bxx11111111111111111110xxxxxxxxxx | 0xc0 |
32’bxx1111111111111111110xxxxxxxxxxx | 0xd0 |
32’bxx111111111111111110xxxxxxxxxxxx | 0xe0 |
32’bxx11111111111111110xxxxxxxxxxxxx | 0xf0 |
32’bxx1111111111111110xxxxxxxxxxxxxx | 0x100 |
32’bxx111111111111110xxxxxxxxxxxxxxx | 0x110 |
32’bxx11111111111110xxxxxxxxxxxxxxxx | 0x120 |
32’bxx1111111111110xxxxxxxxxxxxxxxxx | 0x130 |
32’bxx111111111110xxxxxxxxxxxxxxxxxx | 0x140 |
32’bxx11111111110xxxxxxxxxxxxxxxxxxx | 0x150 |
32’bxx1111111110xxxxxxxxxxxxxxxxxxxx | 0x160 |
32’bxx111111110xxxxxxxxxxxxxxxxxxxxx | 0x170 |
32’bxx11111110xxxxxxxxxxxxxxxxxxxxxx | 0x180 |
32’bxx1111110xxxxxxxxxxxxxxxxxxxxxxx | 0x190 |
32’bxx111110xxxxxxxxxxxxxxxxxxxxxxxx | 0x1a0 |
32’bxx11110xxxxxxxxxxxxxxxxxxxxxxxxx | 0x1b0 |
32’bxx1110xxxxxxxxxxxxxxxxxxxxxxxxxx | 0x1c0 |
32’bxx110xxxxxxxxxxxxxxxxxxxxxxxxxxx | 0x1d0 |
32’bxx10xxxxxxxxxxxxxxxxxxxxxxxxxxxx | 0x1e0 |
32’bxx0xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | 0x1f0 |
16-BIT ADDRESS OFFSET (WITH RESPECT TO OFFSET OF ZONE-SELECT) |
CONTENT |
---|---|
0x0 | Zx-EXEONLYRAM |
0x1 | |
0x2 | Zx-EXEONLYSECT |
0x3 | |
0x4 | Zx-GRABRAM |
0x5 | |
0x6 | Zx-GRABSECT |
0x7 | |
0x8 | Zx-CSMPSWD0 |
0x9 | |
0xa | Zx-CSMPSWD1 |
0xb | |
0xc | Zx-CSMPSWD2 |
0xd | |
0xe | Zx-CSMPSWD3 |
0xf |
The Dual Code Security Module (DCSM) is used to protect the flash/OTP/Lx SARAM blocks/CLA/Secure ROM content. Individual flash sectors and SARAM blocks can be attached to any of the secure zone at start-up time. Secure ROM and the CLA are always attached to Z1. Resources attached to (owned by) one zone do not have any access to code running in the other zone when it is secured. Individual flash sectors, as well as SARAM blocks, can be further protected by enabling the EXEONLY protection. EXEONLY flash sectors or SARAM blocks do not have READ/WRITE access. Only code execution is allowed from such memory blocks.
The security feature prevents unauthorized users from examining memory contents through the JTAG port, executing code from external memory, or trying to boot load an undesirable software that would export the secure memory contents. To enable access to the secure blocks of a particular zone, the user must write a 128-bit value in the CSMKEY registers of the zone; this value must match the values stored in the password locations in USER-OTP. If the 128 bits of the password locations in USER-OTP of a particular zone are all 1s (unprogrammed), then the security for that zone gets UNLOCKED as soon as a dummy read is done to the password locations in USER-OTP (the value in the CSMKEY register becomes "Don’t care" in this case).
In addition to the DCSM, the Emulation Code Security Logic (ECSL) has been implemented for each zone to prevent unauthorized users from stepping through secure code. A halt inside secure code will trip the ECSL and break the emulation connection. To allow emulation of secure code while maintaining DCSM protection against secure memory reads, the user must write the lower 64 bits of the USER-OTP password into the CSMKEY register of the zone to disable the ECSL. Dummy reads of all 128 bits of the password for that particular zone in USER-OTP must still be performed. If the lower 64 bits of the password locations of a particular zone are all zeros, then the ECSL for that zone gets disabled as soon as a dummy read is done to the password locations in USER-OTP (the value in the CSMKEY register becomes "Don’t care" in this case).
When power is applied to a secure device that is connected to a JTAG debug probe, the CPU will start executing and may execute an instruction that performs an access to a protected area. If this happens, the ECSL will trip and cause the JTAG circuitry to be deactivated. Under this condition, a host (such as a computer running CCS or flash programming software) would not be able to establish connection with the device. The solution is to use the Wait boot option. In this mode, the device loops around a software breakpoint to allow a JTAG debug probe to be connected without tripping security. The user can then exit this mode once the JTAG debug probe is connected by using one of the emulation boot options as described in the Boot ROM chapter of the TMS320x2805x Real-Time Microcontrollers Technical Reference Manual. The 2805x devices do not support hardware wait-in-reset mode.
If reprogramming of a secure device via JTAG may be needed in future, it is important to design the board in such a way that the device could be put in Wait boot mode upon power-up (when reprogramming is warranted). Otherwise, ECSL may deactivate the JTAG circuitry and prevent connection to the device, as mentioned earlier. If reconfiguring the device for Wait boot mode in the field is not practical, some mechanism must be implemented in the firmware to detect when a firmware update is warranted. Code could then branch to the desired bootloader in the boot ROM. It could also branch to the Wait boot mode, at which point the JTAG debug probe could be connected, device unsecured and programming accomplished through JTAG itself.
To prevent reverse-engineering of the code in secure zone, unauthorized users are prevented from looking at the CPU registers in the CCS Expressions Window. The values in the Expressions Window for all of these registers, except for PC and some status bits, display false values when code is running from a secure zone. This feature gets disabled if the zone is unlocked.
THE DUAL CODE SECURITY MODULE (DCSM) INCLUDED ON THIS DEVICE WAS DESIGNED TO PASSWORD PROTECT THE DATA STORED IN THE ASSOCIATED MEMORY (EITHER ROM OR FLASH) AND IS WARRANTED BY TEXAS INSTRUMENTS (TI), IN ACCORDANCE WITH ITS STANDARD TERMS AND CONDITIONS, TO CONFORM TO TI'S PUBLISHED SPECIFICATIONS FOR THE WARRANTY PERIOD APPLICABLE FOR THIS DEVICE.
TI DOES NOT, HOWEVER, WARRANT OR REPRESENT THAT THE DCSM CANNOT BE COMPROMISED OR BREACHED OR THAT THE DATA STORED IN THE ASSOCIATED MEMORY CANNOT BE ACCESSED THROUGH OTHER MEANS. MOREOVER, EXCEPT AS SET FORTH ABOVE, TI MAKES NO WARRANTIES OR REPRESENTATIONS CONCERNING THE DCSM OR OPERATION OF THIS DEVICE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL TI BE LIABLE FOR ANY CONSEQUENTIAL, SPECIAL, INDIRECT, INCIDENTAL, OR PUNITIVE DAMAGES, HOWEVER CAUSED, ARISING IN ANY WAY OUT OF YOUR USE OF THE DCSM OR THIS DEVICE, WHETHER OR NOT TI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. EXCLUDED DAMAGES INCLUDE, BUT ARE NOT LIMITED TO LOSS OF DATA, LOSS OF GOODWILL, LOSS OF USE OR INTERRUPTION OF BUSINESS OR OTHER ECONOMIC LOSS.