PSoC 4000 Family: PSoC 4 Architecture TRM, Document No. 001-89309 Rev. *D 79
14. Device Security
PSoC® 4 offers a number of options for protecting user designs from unauthorized access or copying. Disabling debug features and enabling flash protection provide a high level of security.
The debug circuits are enabled by default and can only be disabled in firmware. If disabled, the only way to re-enable them is to erase the entire device, clear flash protection, and reprogram the device with new firmware that enables debugging. Additionally, all device interfaces can be permanently disabled for applications concerned about phishing attacks due to a maliciously reprogrammed device or attempts to defeat security by starting and interrupting flash programming sequences. Permanently disabling interfaces is not recommended for most applications because the designer cannot access the device.
For more information, as well as a discussion on flash row and chip protection, see the CY8C4000 Programming Specifications.
Note: Because all programming, debug, and test interfaces are disabled when maximum device security is enabled, PSoC 4 devices with full device security enabled may not be returned for failure analysis.
14.1 Features
The PSoC 4 device security system has the following features:
■ User-selectable levels of protection.
■ In the most secure case provided, the chip can be “locked” such that it cannot be acquired for test/debug and it cannot enter erase cycles. Interrupting erase cycles is a known way for hackers to leave chips in an undefined state and open to observation.
■ CPU execution in a privileged mode by use of the non-maskable interrupt (NMI). When in privileged mode, NMI remains asserted to prevent any inadvertent return from interrupt instructions causing a security leak.
In addition to these, the device offers protection for individual flash row data.
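The four protection modes and the transitions between them that section 14.2.1 describes (OPEN to PROTECTED, OPEN to KILL, PROTECTED back to OPEN only after a full flash erase, KILL permanent) are easy to state but easy to get wrong in a production-provisioning script. The following host-side model is an added example, not code from the TRM or from Cypress; the enum values, function names and the treatment of BOOT as "no erase, no debug" are this example's own assumptions and deliberately do not reproduce the CPUSS_PROTECTION register encoding, which the text does not give. It lets a manufacturing or security-review tool assert that a requested mode change is one the device actually permits, and that a part leaving the line is in a mode with debug access to user code removed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Protection modes from TRM section 14.2.1. Enum values are this example's
 * own and are NOT the CPUSS_PROTECTION register encoding (assumption). */
typedef enum {
    MODE_BOOT,      /* transitory after reset; CPU privileged, DAP stalled   */
    MODE_OPEN,      /* factory default; flash programmable, debug supported  */
    MODE_PROTECTED, /* no debug access to user code/memory; erase to reopen  */
    MODE_KILL       /* no debug access to user code/memory; flash not erasable */
} prot_mode_t;

const char *mode_name(prot_mode_t m)
{
    switch (m) {
    case MODE_BOOT:      return "BOOT";
    case MODE_OPEN:      return "OPEN";
    case MODE_PROTECTED: return "PROTECTED";
    case MODE_KILL:      return "KILL";
    }
    return "?";
}

/* Can a debugger reach user code or memory in this mode? Only OPEN allows it;
 * in BOOT the debug-access port is stalled until the configured state loads. */
bool debug_user_memory_accessible(prot_mode_t m)
{
    return m == MODE_OPEN;
}

/* Can the flash be erased in this mode? KILL never; BOOT is treated as "no"
 * because it is transitory and the DAP is stalled (assumption for BOOT). */
bool flash_erasable(prot_mode_t m)
{
    return m == MODE_OPEN || m == MODE_PROTECTED;
}

/* Is the transition from -> to permitted by the rules in the text?
 * flash_fully_erased models the "only after completely erasing the flash"
 * condition that gates PROTECTED -> OPEN. */
bool transition_allowed(prot_mode_t from, prot_mode_t to, bool flash_fully_erased)
{
    if (from == to)
        return true;                        /* no change requested */
    switch (from) {
    case MODE_BOOT:
        /* BOOT ends when the configured state is copied from supervisor
         * flash; that state may be any of the other three modes. */
        return to != MODE_BOOT;
    case MODE_OPEN:
        return to == MODE_PROTECTED || to == MODE_KILL;
    case MODE_PROTECTED:
        return to == MODE_OPEN && flash_fully_erased;
    case MODE_KILL:
        return false;                       /* permanent: no way back */
    }
    return false;
}

/* Production gate: a shipped part must be in a mode that removes debug
 * access to user code and memory, i.e. PROTECTED or KILL. */
bool production_lockdown_ok(prot_mode_t m)
{
    return m == MODE_PROTECTED || m == MODE_KILL;
}

int main(void)
{
    const prot_mode_t all[] = { MODE_BOOT, MODE_OPEN, MODE_PROTECTED, MODE_KILL };
    printf("%-10s debug erasable ship-ok\n", "mode");
    for (int i = 0; i < 4; i++)
        printf("%-10s %-5d %-8d %d\n", mode_name(all[i]),
               debug_user_memory_accessible(all[i]),
               flash_erasable(all[i]), production_lockdown_ok(all[i]));
    printf("PROTECTED->OPEN without erase: %d, after erase: %d\n",
           transition_allowed(MODE_PROTECTED, MODE_OPEN, false),
           transition_allowed(MODE_PROTECTED, MODE_OPEN, true));
    return 0;
}
```

The table the program prints is the quickest way to see why KILL carries the failure-analysis caveat above: it is the only mode from which no transition exists, so a part in KILL can never be erased or reopened, by the designer or by anyone else.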
14.2 How It Works
14.2.1 Device Security
The CPU operates in normal user mode or in privileged mode, and the device operates in one of four protection modes: BOOT, OPEN, PROTECTED, and KILL. Each mode provides specific capabilities for the CPU software and debug. You can change the mode by writing to the CPUSS_PROTECTION register.
■ BOOT mode: The device comes out of reset in BOOT mode. It stays there until its protection state is copied from supervisor flash to the protection control register (CPUSS_PROTECTION). The debug-access port is stalled until this has happened. BOOT is a transitory mode required to set the part to its configured protection state. During BOOT mode, the CPU always operates in privileged mode.
■ OPEN mode: This is the factory default. The CPU can operate in user mode or privileged mode. In user mode, flash can be programmed and debugger features are supported. In privileged mode, access restrictions are enforced.
■ PROTECTED mode: The user may change the mode from OPEN to PROTECTED. This mode disables all debug access to user code or memory. Access to most registers is still available; debug access to registers to reprogram flash is not available. The mode can be set back to OPEN but only after completely erasing the flash.
■ KILL mode: The user may change the mode from OPEN to KILL. This mode removes all debug access to user code or memory, and the flash cannot be erased. Access to most registers is still available; debug access to registers to repro-