28.5.4.2.3 Core Platform Impact
Platform core caches (Flash and LMEM caches)
If any segment is marked as execute-only, then the caches are hidden from the user. The tag
is read-only and cannot be written, and the data caches cannot be read or written. Writes to
the tag and data arrays are ignored, and reads of the data array return 0s. This affects
debug breakpoints. See the debug section for details.
Debug
The debugger is a non-processor bus master and cannot step, trace or break in execute-only
regions. In supervisor-only mode, the debugger is restricted from changing modes. Debug
accesses to any segment of flash space marked as execute-only also terminate with a bus
error.
PC-relative addressing
The PC-relative addressing issue is still being understood and this section will be updated in
the future.
PC relative re-entry to execute-only segments will be allowed.........
Restrictions will be placed on software for PC relative addressing, because hardware cannot
determine if PC relative data references are crossing segment boundaries.
• If ifetch is executing in a protected segment, then data references will be allowed.
• Hardware cannot track speculative ifetches across boundaries.
Interrupts
If function calls are used to move into an execute-only segment, then this can be tracked by
hardware when typical software controls are used (i.e., saving registers and states before
executing new code).
Reset Vector
In the ARM core, the reset vector fetch is supervisor data, which poses issues if the reset
vector is located in a segment marked execute-only. Additional logic has been implemented
to allow supervisor data fetches to execute-only spaces, after reset until the first valid
instruction fetch. After the first valid instruction fetch, the FAC logic follows normal checks.
28.5.4.2.4 Software Impact
As implementation, verification and validation continue, there will be more details on
software impact that will need to be communicated to tool and library vendors. The
hardware cannot see all states of the ARM core and cannot track the software flow, and
may require software restrictions to work with the hardware for a robust solution.
• Any segment marked as execute-only can see all code in the system. This means
that one execute-only segment can read the execute-only code in another segment.
Therefore, if we at the factory are sending pre-loaded code to another vendor, then
that vendor will have access to our factory code. NDAs and legal agreements might
help deal with this issue.
• For single pre-loads (for example, if we at the factory are pre-loading for a general
purpose (GP) market or if a vendor with a blank part is pre-loading their proprietary
code), then both levels of access control must be programmed, to protect the
pre-loaded code.
• If any portion of a protected segment is not used by pre-loaded code, then that
unused portion should be programmed with NOPs, to prevent additional code from
being programmed in that segment by hackers.
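An added example (not from the reference manual): a host-side Python fill and audit for the NOP-padding recommendation in the last bullet, run on a firmware image before it is programmed. The segment size, segment indices, used ranges and image bytes are constructed for illustration; the erased-flash value 0xFF and the little-endian Thumb NOP encoding 0xBF00 are assumptions about the target.

```python
"""Pad unused space in execute-only flash segments with Thumb NOPs."""

THUMB_NOP = bytes.fromhex("00bf")  # 0xBF00 (Thumb NOP), little-endian; assumed target
ERASED = 0xFF                      # assumed erased-flash byte value

# Constructed sample: toy 0x40-byte segments, segment 1 marked execute-only.
SEG_SIZE = 0x40
XO_SEGMENTS = {1}
USED = [(0x00, 0x30), (0x40, 0x58)]  # [start, end) ranges taken from a linker map
IMAGE = bytes([0x11]) * 0x30 + bytes([ERASED]) * 0x10 + bytes([0x22]) * 0x18


def unused_gaps(seg_start, seg_end, used):
    """Yield [start, end) ranges of the segment that no used range covers."""
    cursor = seg_start
    for lo, hi in sorted(used):
        lo, hi = max(lo, seg_start), min(hi, seg_end)
        if lo >= hi:
            continue               # range lies outside this segment
        if lo > cursor:
            yield cursor, lo
        cursor = max(cursor, hi)
    if cursor < seg_end:
        yield cursor, seg_end


def pad_execute_only(image, seg_size, xo_segments, used):
    """Return (padded_image, gaps) with every gap in an execute-only segment filled."""
    out, gaps = bytearray(image), []
    for seg in sorted(xo_segments):
        start, end = seg * seg_size, (seg + 1) * seg_size
        out.extend(bytes([ERASED]) * max(0, end - len(out)))  # cover whole segment
        for lo, hi in unused_gaps(start, end, used):
            for addr in range(lo, hi):
                out[addr] = THUMB_NOP[addr & 1]  # parity keeps halfword alignment
            gaps.append((lo, hi))
    return bytes(out), gaps


def erased_halfwords(image, seg_size, xo_segments):
    """Audit: addresses of halfwords still erased inside execute-only segments."""
    hits = []
    for seg in sorted(xo_segments):
        start, end = seg * seg_size, (seg + 1) * seg_size
        view = image + bytes([ERASED]) * max(0, end - len(image))  # missing = erased
        hits += [a for a in range(start, end, 2)
                 if view[a] == ERASED and view[a + 1] == ERASED]
    return hits
```

Running `erased_halfwords` on the final image as a build gate catches a protected segment that was left partly erased. Segments not listed as execute-only are left untouched.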
Chapter 28 Flash Memory Controller (FMC)
K22F Sub-Family Reference Manual, Rev. 4, 08/2016
NXP Semiconductors 625