UG-1262
Rev. B | Page 191 of 312
In this special purpose debugging mode, the following occurs:
All ICode reads return bus errors. Code is not executed from the flash memory without passing the integrity check.
All DCode reads to user space return bus errors.
All DCode reads to information space, except the top 128 bytes, are permitted. Reads of the top 128 bytes return bus errors.
All write commands are denied. Write attempts set the appropriate error bits in the flash cache controller STAT register.
User space protections can be bypassed only by satisfying the security requirements.
The status of the signature check after reset is read from the STAT, Bit 13. The status of ECC during the signature check is available in
the STAT, Bits[16:15]. These values are read through a normal JTAG read if the JTAG interface is enabled.
User Space Protection
Two layers of user space protections are provided. Access protection protects user space from all read or write operations. This
protection mechanism can be manually triggered but is typically automatically asserted in the event of system failure or the serial wire
debug interface being enabled.
Write protection is a user feature that enables blocks of user space pages to be protected against all write or erase commands. Write
protection can be set by the user at run time, or by an Analog Devices bootloader. If protection is set by the user, the user stores the
desired value in flash for the bootloader to consume during start-up.
Access Protection
Access protection prevents third parties from reading or tampering with user data and program code through the JTAG or serial wire.
Access protection applies to the entirety of user space. Access protection is enabled either when the serial wire debug is enabled or when
flash initialization (information space sign check) fails. Enabling of serial wire debug and flash initialization are automatic features, and
the user does not need to perform any actions for these mechanisms to enable access protection.
When access protection is enabled, all user space reads return bus errors, writes are denied, and erases are subject to WRPROT, Bits[31:0].
Access protection can be bypassed by executing a MASSERASE or BLANKCHECK command. The MASSERASE command is not
allowed in the event that the WRPROT register has been modified from its reset value. The BLANKCHECK command is always
permitted to execute, but only passes if all user space is already in an erased state.
Write Protection
User definable regions of user space can be configured in such a way that the flash controller refuses any attempts to modify them,
affecting both write and erase commands. Write protection can be configured at run time or can be stored in user space metadata to be
loaded by the Analog Devices bootloader during device start-up.
Run-Time Configuration
Write protection is configured by modifying the WRPROT memory-mapped register. The WORD bits in the WRPROT register form a 32-bit
wide bit field representing the write protection state for 32 similarly sized blocks of user space pages. The flash memory is divided into
128 pages of user space storage. For write protection, these pages are logically divided into 32 blocks of four pages each. Write protection
is independently controlled for each of these 32 blocks, and each bit of WRPROT controls the protection mechanism for a unique block
of four pages of user space. The least significant bits of WRPROT correspond to the least significant pages of user space.
The bits in the WRPROT register are active low. 0 represents active write protection and 1 represents no protection for the corresponding block
of pages. The WRPROT register is sticky at 0. After protection is enabled, it cannot be disabled without resetting the device. User code
can assert write protection for any block of pages by clearing the appropriate bit in WRPROT, Bits[31:0] at any time. Assert write
protection as early as possible in user code, write protect block zero (flash Page 0 to Page 3), and place user boot and integrity checking
code in this block. By taking these actions, the user can fully control the write protection without relying on the Analog Devices
bootloader to set up the WRPROT register.
Metadata Configuration
The most significant page of user space contains a single 32-bit field representing a set of 1-bit write protect flags for each of the 32
logical blocks, matching the functionality of the WRPROT register. See the User Space Metadata section for details.
The write protection bits are read from the flash by the Analog Devices bootloader and stored in the WRPROT register after a reset
operation. The default (erased) state of flash memory is all 1s. As such, the default WRPROT register value disables protection for all
pages in user space. Each bit of WRPROT, Bits[31:0] corresponds to the protection state for one block of four user space pages.
User code can clear bits in the WRPROT register metadata word at run time, or this word can be included in the initial upload of user
data and program code. Writing the WRPROT register metadata word at run time does not immediately affect the write protection state.
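The following C software model is an added example, not code from this user guide or from Analog Devices. It works through the WRPROT behavior described above: the page-to-block mapping, active-low bits, sticky-at-0 writes, and the metadata word that takes effect only after reset. The struct and all function names are hypothetical, no real register addresses are used, and the clear-only metadata write is a modelling assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USER_PAGES      128u         /* user space pages (from the text) */
#define PAGES_PER_BLOCK 4u           /* 32 blocks of four pages each */
#define WRPROT_ERASED   0xFFFFFFFFu  /* all 1s: no block protected */

/* Software model only: stands in for the WRPROT register and metadata word. */
struct flash_model { uint32_t wrprot, metadata; };

/* WRPROT value protecting every block overlapping pages first..last. */
bool wrprot_value_for_pages(unsigned first, unsigned last, uint32_t *out)
{
    if (first > last || last >= USER_PAGES) return false;  /* *out untouched */
    uint32_t v = WRPROT_ERASED;
    for (unsigned b = first / PAGES_PER_BLOCK; b <= last / PAGES_PER_BLOCK; b++)
        v &= ~(UINT32_C(1) << b);    /* active low: 0 = protected */
    *out = v;
    return true;
}

/* Sticky at 0: a register write can clear bits but never set them again. */
void wrprot_write(struct flash_model *f, uint32_t v) { f->wrprot &= v; }

/* Metadata word: the model lets bits be cleared only (erased state is all 1s). */
void metadata_write(struct flash_model *f, uint32_t v) { f->metadata &= v; }

/* Reset: the bootloader loads WRPROT from the metadata word. */
void model_reset(struct flash_model *f) { f->wrprot = f->metadata; }

bool page_is_write_protected(const struct flash_model *f, unsigned page)
{
    return page < USER_PAGES && !((f->wrprot >> (page / PAGES_PER_BLOCK)) & 1u);
}

int main(void)
{
    struct flash_model f = { WRPROT_ERASED, WRPROT_ERASED };
    uint32_t boot = 0, top = 0;
    if (!wrprot_value_for_pages(0, 3, &boot) ||     /* block zero */
        !wrprot_value_for_pages(124, 127, &top))    /* block 31 */
        return 1;
    wrprot_write(&f, boot);    /* run time: effective immediately */
    metadata_write(&f, top);   /* metadata: effective only after reset */
    printf("before reset: WRPROT=0x%08X\n", (unsigned)f.wrprot);
    model_reset(&f);
    printf("after reset:  WRPROT=0x%08X\n", (unsigned)f.wrprot);
}
```

In the model, a block protected only at run time is unprotected again after reset unless its bit is also cleared in the metadata word, so user boot code must reassert it on every start-up.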