SPRUHE8E – October 2012 – Revised November 2019
Copyright © 2012–2019, Texas Instruments Incorporated
System Control and Interrupts
1.10 Code Security Module (CSM)
The Code Security Module (CSM) is a security feature incorporated in this device. It prevents direct data
accesses of on-chip secure memories (and other secure resources) by unauthorized entities. Unsecure or
unlocked resources will still remain accessible by any means; for example, through a debugging tool such
as Code Composer Studio™ (CCS).
DISCLAIMER: CODE SECURITY MODULE DISCLAIMER
The Code Security Module (CSM) included on this device was designed to help protect the contents
stored in the associated memory (password protection).
TI DOES NOT, HOWEVER, WARRANT OR REPRESENT THAT THE CSM CANNOT BE
COMPROMISED OR BREACHED OR THAT THE CONTENTS STORED IN THE ASSOCIATED
MEMORY CANNOT BE ACCESSED THROUGH OTHER MEANS. THE CSM HELPS TO ADDRESS
CERTAIN SECURITY THREATS TO CODE CONFIDENTIALITY, BUT THE CUSTOMER IS SOLELY
RESPONSIBLE FOR THE SECURITY OF THEIR DATA AND SYSTEMS AND NEEDS TO IMPLEMENT
SUFFICIENT SECURITY MEASURES.
1.10.1 Functional Description
The security module restricts CPU access to on-chip secure memory without interrupting or stalling CPU
execution. When a read occurs to a protected memory location, the read returns a zero value and CPU
execution continues with the next instruction. This, in effect, blocks read and write access to various
memories through the JTAG port or external peripherals. Security is defined with respect to the access of
on-chip secure memories and prevents unauthorized copying of proprietary code or data.
The memory zone is secure when CPU access to the on-chip secure memories associated with that zone
is restricted. When secure, two levels of protection are possible depending on where the program counter
is currently pointing. If code is currently running from inside secure memory, only an access through JTAG
is blocked (that is, through the debug probe). This allows secure code to access secure data. Conversely,
if code is running from unsecure memory, all accesses to secure memories are blocked. User code can
dynamically jump in and out of secure memory, thereby allowing secure function calls from unsecure
memory. Similarly, interrupt service routines can be placed in secure memory, even if the main program
loop is run from unsecure memory.
The code security mechanism present in this device offers dual zone security for the Cortex-M3 code and
single zone security for the C28x code. In case of dual zone security on the master subsystem, different
secure memories (RAMs and flash sectors) can be assigned to different security zones by configuring the
GRABRAM and GRABSECT registers associated with each zone. Flash sector N and flash sector A are
dedicated to zone1 and zone2, respectively, and cannot be allocated to any other zone by configuration
registers.
Table 1-27 shows the status of a RAM based on the configuration in the GRABRAM register.
Similarly, flash sectors get assigned to different zones based on the setting in the GRABSECT registers.
Table 1-27. Master Subsystem Secure RAM Zone Selection

| GRAB-Cn bits in Z1_GRABRAMR Register | GRAB-Cn bits in Z2_GRABRAMR Register | Ownership               |
|--------------------------------------|--------------------------------------|-------------------------|
| 00                                   | XX                                   | Cx RAM is inaccessible  |
| XX                                   | 00                                   | Cx RAM is inaccessible  |
| Differential Value (01/10)           | Differential Value (01/10)           | Cx RAM is inaccessible  |
| Differential Value (01/10)           | 11                                   | Cx RAM belongs to zone1 |
| 11                                   | Differential Value (01/10)           | Cx RAM belongs to zone2 |
| 11                                   | 11                                   | Cx RAM is non-secure    |

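The ownership rules in Table 1-27 can be checked against planned Z1_GRABRAMR and Z2_GRABRAMR values before they are programmed, so that no RAM block ends up inaccessible or non-secure by mistake. The C below is an added example, not TI code; the names grab_owner, grab_audit and ram_plan_t and the field positions in the sample plan are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Ownership outcomes listed in Table 1-27. */
typedef enum { RAM_INACCESSIBLE, RAM_ZONE1, RAM_ZONE2, RAM_NONSECURE } ram_owner_t;

/* One RAM block in a security plan. lsb (0..30) is the position of its 2-bit
 * GRAB-Cn field. ASSUMPTION: the positions used below are constructed; take
 * the real ones from the register description. */
typedef struct { unsigned lsb; ram_owner_t intended; } ram_plan_t;

static int is_differential(unsigned f) { return f == 1u || f == 2u; }

/* Resolve one pair of 2-bit GRAB-Cn fields (zone1 field, zone2 field). */
ram_owner_t grab_owner(unsigned z1, unsigned z2)
{
    z1 &= 3u;
    z2 &= 3u;
    if (z1 == 3u && z2 == 3u)            return RAM_NONSECURE;
    if (is_differential(z1) && z2 == 3u) return RAM_ZONE1;
    if (z1 == 3u && is_differential(z2)) return RAM_ZONE2;
    return RAM_INACCESSIBLE;  /* 00 in either register, or differential in both */
}

/* Compare planned register values with the intended owner of each block.
 * Returns the number of blocks that resolve to something else and, when
 * first_bad is non-NULL, stores the index of the first one (n if none). */
size_t grab_audit(uint32_t z1_reg, uint32_t z2_reg,
                  const ram_plan_t *plan, size_t n, size_t *first_bad)
{
    size_t bad = 0;
    if (first_bad) *first_bad = n;
    for (size_t i = 0; i < n; i++) {
        ram_owner_t got = grab_owner(z1_reg >> plan[i].lsb, z2_reg >> plan[i].lsb);
        if (got != plan[i].intended) {
            if (first_bad && bad == 0) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    /* Constructed plan: field positions 0, 2, 4 are not the device's layout. */
    const ram_plan_t plan[] = { {0u, RAM_ZONE1}, {2u, RAM_ZONE2}, {4u, RAM_NONSECURE} };
    return (int)grab_audit(0x3Du, 0x3Bu, plan, 3, NULL);  /* 0 = plan matches */
}
```
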
Security is provided by a 128-bit CSM password (four 32-bit words) that is used to secure or unsecure
the zones. Each zone has its own 128-bit CSM password. The zone can be unsecured by executing the
password match flow (PMF).
shows the levels of security.