Code Security Module (CSM)
147
SPRUHE8E – October 2012 – Revised November 2019
Copyright © 2012–2019, Texas Instruments Incorporated
System Control and Interrupts
1.10.1.2 Execute-Only Protection
To achieve a higher level of security on flash sectors which store critical user code (instruction opcodes),
an execute-only protection feature is provided on this device. When the execute-only protection is turned
on for any flash sector, data reads to that flash sector are disallowed from any code (even from secure
code). Execute-only protection for a flash sector can be turned on by programming the corresponding
EXEONLY-SECT bit to 1 in the Zx_EXEONLY location in flash memory. A dummy read of the
Zx_EXEONLY location loads the bit fields associated with that particular sector in the zones (which has
ownership of that sector) EXEONLYR register.
NOTE:
Use of the execute-only security mode with the Coretx-M3 introduces some complications.
When the Cortex-M3 C code is compiled and linked, literal data (constants, and so on) are
typically placed in the text section, between functions, by the compiler. The literal data is
accessed at run time through the use of the LDR instruction, which loads the data from
memory using a PC-relative memory address. The execution of the LDR instruction
generates a read transaction across the Cortex-M3's decode bus, which is subject to the
execute-only protection mechanism. If the accessed block is marked as execute-only, the
transaction is blocked, and the processor is prevented from loading the constant data and,
therefore, inhibits correct execution. To insure correct execution in this case, the user must
ensure that literal data is always placed into one or more read-enabled flash blocks.
1.10.1.3 JTAG Lock
The JTAG lock feature on the device can be used to disable the JTAG accesses (debugger accesses)
permanently on the device. The user can enable the JTAG lock feature by programming the
OTP_JTAGLOCK field with any value other than “1111” (0xF) at the OTPSEC location in OTP. This
feature takes effect only after the OTPSEC location in OTP is read. Though the JTAG connection is not
blocked before the OTPSEC location is read, access (all types) to all memories on the device are disabled
until security is initialized (see the steps listed in
CAUTION
If the JTAG lock feature is enabled, all future debugs of the device through
JTAG will be disabled. This will specifically impair TI’s ability to analyze devices
returned to TI for failure analysis. If this feature is enabled, TI may reject any
return analysis requests.
1.10.1.4 Password Lock
Each zone’s password locations (CSM & ECSL) can be locked by programming the zone’s PSWDLOCK
field with any value other than “1111” (0xF) at the OTPSEC location in OTP. Untill passwords of a zone
are locked, password locations will not be secure and will have full access. This means that the debugger
as well as code running from non-secure memory, can read the password locations. This feature can be
used by the user to avoid accidental locking of zones while programming the flash sectors during the
software development phase. On a fresh device, the value for password lock fields for all zones at
OTPSECLOCK locations in OTP will be “1111”, which means passwords for all zones will be unlocked.
NOTE:
The PSWDLOCK value only affects the password locations such that, when unlocked it only
makes the password locations unsecure. All other secure memories and the other locations
of the flash sectors which contain the password remain secure, as per the security settings.
But since the passwords are unsecure, anyone can read it and unsecure the zone by running
through the PMF. Hence, a user must program the PSWDLOCK location to change it from
the default value of “1111”. Along with programming the PSWDLOCK field, the user should
also enable the EXEONLY feature on flash sector A, which contains all of the security
settings, for complete security initialization.