The SSU can be configured to operate in one of three modes: SSUMODE1, SSUMODE2, and SSUMODE3. These operating modes are intended to facilitate the development process as the user implements safety and security features into a system design. The SSU can be reconfigured to change from any operating mode to any other operating mode, as long as the user has the necessary permissions to update the SECCFG sector.

Units shipped from Texas Instruments start out in SSUMODE1. In this mode, the entire memory map range is mapped to LINK2 (the security root LINK), and all LINKs have full read and write access to all AP-configurable memory regions. Hard-coded protections remain active even in SSUMODE1; however, since all code runs as LINK2, there are effectively no restrictions on user code.

In SSUMODE2, AP region protections are enforced, but debug and Flash update protections remain disabled. For best results, fully validate application functionality in SSUMODE1 first, then implement SSU settings and test them in SSUMODE2. Once validation of run-time safety and security settings is completed, debug passwords can be configured, and the device can be placed in SSUMODE3. In this mode, debug ports are closed by default, authentication is enforced, and Flash update protections are active.