Overview
========
This module describes the Dual Code Security Module (DCSM) on C2000 family of
real-time microcontrollers and then gives an overview of Functional Safety.
Dual Code Security Module (DCSM)
================================
The purpose of code security is to prevent unauthorized access to on-chip
secure memories such as Flash, RAM, OTP and ROM. Earlier generation C2000
MCUs feature the “Code Security Module (CSM)”. In CSM, there is no
configurability. Security was either enabled or disabled for all secure
resources. The passwords were stored in the main flash array itself. In
DCSM, there are two independent secure zones (hence the word “dual”) to
which securable resources can be assigned. The assignment is done by
programming select OTP locations in the Zone Select Block (ZSB). Also,
the passwords are stored in the OTP as part of the ZSB.
* DCSM offers protection for two zones - Zone 1 & Zone 2 (Note: For F2837xD
each CPU has a DCSM. For the F2838xD both security zones are shared by
each CPU subsystem).
* The security configuration for each zone is stored in that zone's own
dedicated secure OTP, in "Zone Select Blocks (ZSB)". Each block is 16 x
16-bit words, and there are 30 such identical blocks in the OTP. Any time
the security configuration changes (allocation of flash sectors / RAM
blocks to a zone, or a password change), you must move to the next ZSB,
because OTP locations cannot be reprogrammed.
* Following are the on-chip resources that can be secured using the DCSM:
  * Flash memory (individual sectors can be assigned to either zone. It is
    possible to not assign a sector to either zone, i.e. a sector can
    remain unsecure).
  * RAM (not every RAM block is securable; refer to the memory map in the
    data sheet for details. It is possible to not assign a securable
    RAM block to either zone, i.e. a securable RAM block can remain
    unsecure).
  * One-time Programmable Memory (OTP). The OTP contains the security
    configuration for the individual zone.
  * Secure ROM.
* Data reads from (and writes to) secured memory are only allowed
for code which itself is running from secured memory.
* All other data reads and writes are blocked. For example: CCS
reads through the JTAG debug probe, ROM bootloader, code running
in external memory or unsecured internal memory.
Zone Selection
==============
Each securable on-chip memory resource can be allocated to either
Zone 1 (Z1), Zone 2 (Z2), or allowed to remain unsecure. The allocation
itself is made by programming the corresponding fields of the zone's ZSB in
OTP; the registers below are read-only and reflect those OTP locations.
DCSM Register                     | Zone Allocation
----------------------------------|---------------------------------------------------------------
DcsmZ1Regs.Z1_GRABSECTRX register | Allocates individual Flash sectors to Zone 1, or leaves them unsecured
DcsmZ2Regs.Z2_GRABSECTRX register | Allocates individual Flash sectors to Zone 2, or leaves them unsecured
DcsmZ1Regs.Z1_GRABRAMRX register  | Allocates RAM blocks to Zone 1, or leaves them unsecured
DcsmZ2Regs.Z2_GRABRAMRX register  | Allocates RAM blocks to Zone 2, or leaves them unsecured
CSM Passwords
--------------
Devices featuring the Code Security Module (CSM) store the password in fixed
locations in flash. Devices featuring the Dual Code Security Module (DCSM)
store the password in OTP. Since OTP locations can only be programmed once, the
password locations need to be changed every time the password needs to be
changed. The current password location is tracked by a zone-specific link
pointer.
* Each zone is secured by its own 128-bit (four 32-bit words) user-defined
password. The four words are referred to as Zx_CSMPSWD0, Zx_CSMPSWD1,
Zx_CSMPSWD2, and Zx_CSMPSWD3, where x is the zone number.
* Passwords for each zone are stored in their dedicated OTP location. The
current location is pointed to by the zone-specific link pointer.
* The 128-bit CSMKEY registers (four 32-bit words) are used to unsecure and
secure the device.
* Password locations for each zone can be locked and secured by programming
PSWDLOCK fields in the OTP with any value other than “1111b (0xF)”.
Zone Select
-----------
[[b! Note:
and are specific to the F2837xD device. Refer to your device's
Technical Reference Manual (TRM) for other devices.]]
Procedure to unsecure and secure the device
-------------------------------------------
The device is always secure after reset. In order to unsecure the device:
* Perform a dummy read of each of the four password locations in the OTP
(CSMPSWD0, 1, 2 and 3), so that the read-only CSMPSWD registers are loaded
from the OTP.
* Write the correct password to each CSMKEY register (CSMKEY0, 1, 2 and 3).
The Boot-ROM code will automatically unlock the device as part of the
initialization sequence if passwords have not been programmed. Refer to the
device-specific Technical Reference Manual (TRM) for more information on this
topic.
Note that there are many registers that are read-only and reflect the value
of the corresponding OTP locations. These registers get updated automatically
when the boot-ROM (or the user) performs a dummy read.
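The link-pointer mechanism described under CSM Passwords and the unlock procedure above, as an added host-side C model. This is not TI driverlib, boot-ROM or TRM code; the `dcsm_*` function names, the `zone_otp_t`/`zone_regs_t` layout and the OTP image are mine. It assumes, to be checked against your device TRM: the three link-pointer OTP copies are combined by a bit-wise 2-of-3 vote; ZSB1 is selected when all 29 link-pointer bits are 1, otherwise the ZSB number is the position of the most significant 0 bit plus 2 (clearing bit 0 selects ZSB2, bit 1 selects ZSB3, and so on up to ZSB30); CSMPSWD0..3 occupy the last eight words of a ZSB; an erased (all-ones) password leaves the zone unsecure; and an all-zero password can never be matched.

```c
/* Added example: host-side C model of one DCSM zone (not TI driverlib,
 * boot-ROM or TRM code). Assumed, check against the device TRM: 2-of-3
 * bit-wise vote of the link-pointer copies; ZSB1 when all 29 bits are 1,
 * else ZSB number = position of the most significant 0 bit + 2; CSMPSWD0..3
 * in the last eight words of a ZSB; erased password = unsecure; all-zero
 * password never matches. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ZSB_COUNT   30
#define ZSB_WORDS   16                      /* 16 x 16-bit words per ZSB   */
#define LP_BITS     29
#define LP_MASK     ((1UL << LP_BITS) - 1UL)
#define PSWD_WORD0  8                       /* assumed: CSMPSWD0 at word 8 */

typedef struct {
    uint32_t linkpointer[3];                /* LINKPOINTER1..3 OTP copies  */
    uint16_t zsb[ZSB_COUNT][ZSB_WORDS];     /* ZSB1..ZSB30 at index 0..29  */
} zone_otp_t;

typedef struct {
    const zone_otp_t *otp;
    uint32_t csmpswd[4];    /* read-only mirror, valid after dummy reads   */
    uint32_t csmkey[4];
    bool     latched;       /* dummy reads done since reset                */
    bool     secure;        /* the zone is always secure after reset       */
} zone_regs_t;

/* Bit-wise 2-of-3 majority of the three copies; masks one corrupted copy. */
uint32_t dcsm_resolve_linkpointer(const uint32_t lp[3])
{
    return ((lp[0] & lp[1]) | (lp[0] & lp[2]) | (lp[1] & lp[2])) & LP_MASK;
}

/* 1-based number of the ZSB the resolved link pointer selects. */
int dcsm_current_zsb(uint32_t lp)
{
    for (int bit = LP_BITS - 1; bit >= 0; bit--)
        if (((lp >> bit) & 1U) == 0U)
            return bit + 2;                 /* most significant 0 bit      */
    return 1;                               /* all ones: ZSB1              */
}

/* Link-pointer value for the next ZSB: only 1->0 transitions, as OTP
 * programming requires; unchanged once ZSB30 is in use. */
uint32_t dcsm_next_linkpointer(uint32_t lp)
{
    int zsb = dcsm_current_zsb(lp);
    if (zsb >= ZSB_COUNT) return lp & LP_MASK;
    return (lp & LP_MASK) & ~(1UL << (zsb - 1));
}

/* Constructed OTP image: all erased (0xFFFF), link pointer advanced to
 * `zsb`, `pswd` programmed there; copy 3 gets a deliberate bit error. */
void build_sample_otp(zone_otp_t *otp, int zsb, const uint32_t pswd[4])
{
    uint32_t lp = LP_MASK;
    memset(otp, 0xFF, sizeof *otp);
    for (int n = 1; n < zsb; n++) lp = dcsm_next_linkpointer(lp);
    otp->linkpointer[0] = otp->linkpointer[1] = lp;
    otp->linkpointer[2] = lp ^ 0x00100000U;
    for (int i = 0; i < 4; i++) {
        otp->zsb[zsb - 1][PSWD_WORD0 + 2 * i]     = (uint16_t)pswd[i];
        otp->zsb[zsb - 1][PSWD_WORD0 + 2 * i + 1] = (uint16_t)(pswd[i] >> 16);
    }
}

void dcsm_reset(zone_regs_t *r, const zone_otp_t *otp)
{
    memset(r, 0, sizeof *r);
    r->otp = otp;
    r->secure = true;
}

bool dcsm_is_secure(const zone_regs_t *r) { return r->secure; }

/* Step 1: dummy-read CSMPSWD0..3 from the current ZSB so the read-only
 * registers reflect the OTP; an erased password unsecures the zone, as the
 * boot ROM does when no password has been programmed. */
void dcsm_dummy_read_passwords(zone_regs_t *r)
{
    int zsb = dcsm_current_zsb(dcsm_resolve_linkpointer(r->otp->linkpointer));
    const uint16_t *blk = r->otp->zsb[zsb - 1];
    bool erased = true;
    for (int i = 0; i < 4; i++) {
        r->csmpswd[i] = (uint32_t)blk[PSWD_WORD0 + 2 * i]
                      | ((uint32_t)blk[PSWD_WORD0 + 2 * i + 1] << 16);
        if (r->csmpswd[i] != 0xFFFFFFFFU) erased = false;
    }
    r->latched = true;
    if (erased) r->secure = false;
}

/* Step 2: write CSMKEY0..3; unlocks only on a full 128-bit match with the
 * latched password. Without step 1 there is nothing to compare against; an
 * all-zero password never matches. Returns true when the zone is unsecure. */
bool dcsm_write_key(zone_regs_t *r, const uint32_t key[4])
{
    bool match = true, all_zero = true;
    if (!r->latched) return !r->secure;
    memcpy(r->csmkey, key, sizeof r->csmkey);
    for (int i = 0; i < 4; i++) {
        if (r->csmkey[i] != r->csmpswd[i]) match = false;
        if (r->csmpswd[i] != 0U) all_zero = false;
    }
    if (match && !all_zero) r->secure = false;
    return !r->secure;
}

int main(void)
{
    static zone_otp_t otp;
    zone_regs_t z1;
    const uint32_t pswd[4]  = {0x11112222U, 0x33334444U, 0x55556666U, 0x77778888U};
    const uint32_t wrong[4] = {0x11112222U, 0x33334444U, 0x55556666U, 0x77778889U};
    build_sample_otp(&otp, 3, pswd);        /* password now lives in ZSB3  */
    dcsm_reset(&z1, &otp);
    dcsm_dummy_read_passwords(&z1);
    printf("ZSB in use: %d\n",
           dcsm_current_zsb(dcsm_resolve_linkpointer(otp.linkpointer)));
    printf("wrong key -> secure=%d\n", dcsm_write_key(&z1, wrong) ? 0 : 1);
    printf("right key -> secure=%d\n", dcsm_write_key(&z1, pswd) ? 0 : 1);
    return 0;
}
```

On a real device the reads and writes go to the zone's OTP and to the DcsmZ1Regs/DcsmZ2Regs addresses from the device header files or driverlib; the model keeps the two properties that matter in practice: nothing is compared until the dummy reads have latched the password, and a single bit error in one link-pointer copy is masked by the vote instead of silently selecting a different ZSB (in the image above it would otherwise point at ZSB22).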
DCSM Related Collateral
====================================
**Getting Started**
- C2000 DCSM Security Tool Application Report
- C2000 Unique Device Number Application Report
- Enhancing Device Security by Using JTAGLOCK Feature Application Report
- Secure BOOT On C2000 Device Application Report - Only applicable to: F280013x, F2838x
**Expert**
- Updating Firmware on Security Enabled TMS320F2837xx or TMS320F2807x Devices Application Report - Only applicable to: F2807x, F2837xD, F2837xS
Functional Safety (FuSa)
========================
The C2000 family has many devices which are safety compliant for industrial
and automotive use-cases. The International Electrotechnical Commission (IEC)
defines functional safety as the part of overall safety that depends on a
system or equipment operating correctly in response to its inputs. Development
of functional safety-compliant systems capable of ensuring safe operation in
the event of dangerous failures has become a priority for companies and
engineers alike. These functional safety-compliant systems can detect
potentially dangerous conditions and deploy appropriate measures to take
a system to a safe state.
Functional Safety-Compliant C2000 products can help streamline and speed up
the ISO 26262, IEC 61508, and IEC 60730 certification processes with their
built-in diagnostics, documentation, software, and support. Functional
Safety-Compliant products are developed using an ISO 26262/IEC 61508-compliant
hardware development process that is independently assessed and certified to
meet ASIL D/SIL 3 systematic capability.
Hardware
--------
With over 300 safety mechanisms defined and independently assessed by TÜV SÜD
for their effectiveness, Functional Safety-Compliant C2000 MCUs provide the
diagnostic coverage required to meet a random hardware capability of up to
ASIL B or SIL 2 at the component level. Device-specific functional safety
manuals provide detailed information on the safety mechanisms, and on
techniques for achieving non-interference between elements and avoiding
dependent failures, to aid customers in the development of compliant systems.
Software
--------
Three software diagnostic libraries are available for C2000 devices to help
provide implementations and demonstrations of several key safety mechanisms
described in the device safety manuals. They are the C2000 Software Diagnostic
Library (SDL), the CLA Self-Test Library (CLA_STL), and the C28x Self-Test
Library (C28x_STL).
The C2000 SDL is a collection of reference implementations of several safety
mechanisms. These include software-based diagnostics, software tests of
hardware diagnostics, and demonstrations of how to use hardware diagnostics.
Examples include clock integrity checks using a CPU Timer, software tests of
SRAMs, software tests of SRAM parity/ECC logic, software tests of the watchdog,
and drivers for the Hardware Built-In Self-Test (HWBIST) module. The SDL is
provided as part of C2000Ware.
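To make "software tests of SRAMs" concrete, here is an added host-side C example of a March C- style memory test. It is not SDL code and makes no claim about which algorithm the SDL implements; the `sram_under_test_t` read hook and the injected stuck-at fault are constructed here so the detection path can be exercised.

```c
/* Added example: March C- style software SRAM test on the host (not SDL
 * code). Reads go through a hook that injects a constructed stuck-at
 * fault in one word so detection can be observed. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint16_t *base;
    size_t    words;
    size_t    fault_index;  /* constructed fault: word index, SIZE_MAX = none */
    uint16_t  stuck_one;    /* bits of that word stuck at 1                  */
    uint16_t  stuck_zero;   /* bits of that word stuck at 0                  */
} sram_under_test_t;

static uint16_t sram_read(const sram_under_test_t *s, size_t i)
{
    uint16_t v = s->base[i];
    if (i == s->fault_index)
        v = (uint16_t)((v | s->stuck_one) & (uint16_t)~s->stuck_zero);
    return v;
}

static void sram_write(sram_under_test_t *s, size_t i, uint16_t v)
{
    s->base[i] = v;
}

/* March C-: up(w0); up(r0,w1); up(r1,w0); down(r0,w1); down(r1,w0); up(r0).
 * Word-wide backgrounds 0x0000/0xFFFF put every bit in both states in both
 * address orders, which catches stuck-at, transition and simple
 * address/coupling faults. Returns -1 on pass, else the index of the first
 * word that read back wrong. The test is destructive: on a real MCU run it
 * on a block not in use, or save and restore the block, with interrupts and
 * DMA that touch the block disabled. */
long march_c_minus(sram_under_test_t *s)
{
    const uint16_t Z = 0x0000U, O = 0xFFFFU;
    size_t n = s->words, i;

    for (i = 0; i < n; i++)
        sram_write(s, i, Z);
    for (i = 0; i < n; i++) {
        if (sram_read(s, i) != Z) return (long)i;
        sram_write(s, i, O);
    }
    for (i = 0; i < n; i++) {
        if (sram_read(s, i) != O) return (long)i;
        sram_write(s, i, Z);
    }
    for (i = n; i-- > 0; ) {
        if (sram_read(s, i) != Z) return (long)i;
        sram_write(s, i, O);
    }
    for (i = n; i-- > 0; ) {
        if (sram_read(s, i) != O) return (long)i;
        sram_write(s, i, Z);
    }
    for (i = 0; i < n; i++)
        if (sram_read(s, i) != Z) return (long)i;
    return -1;
}

int main(void)
{
    static uint16_t block[256];
    sram_under_test_t s = { block, 256, SIZE_MAX, 0, 0 };
    long healthy = march_c_minus(&s);            /* -1: block passes     */
    s.fault_index = 42;
    s.stuck_one = 0x0010;                        /* bit 4 of word 42 stuck */
    long faulty = march_c_minus(&s);             /* 42: first bad word    */
    return (healthy == -1 && faulty == 42) ? 0 : 1;
}
```

A production diagnostic would additionally report which march element failed and the expected/actual data, and would be scheduled (at start-up or periodically on a spare block) according to the diagnostic test interval the safety concept requires.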
The CLA_STL and C28x_STL implement specific safety mechanisms “CLA2 – Software
Test of CLA” and “CPU3 – Software Test of CPU” respectively (see your device
safety manual for more about these mechanisms). The STLs were developed using
the TÜV SÜD certified TI internal software development process and have been
independently assessed and certified. They are available upon request.
To get further details on functional safety, refer to the following documents.
* C2000™ Safety Mechanisms
* Industrial functional safety for C2000™ Real-Time Microcontrollers
* Automotive functional safety for C2000™ Real-Time Microcontrollers
* Error Detection in SRAM Application Report
* C2000™ Hardware Built-In Self-Test Application Report
* C2000™ CPU Memory Built-In Self-Test Application Report