Safety Manual for MPC5777M, Rev. 1.1
Functional safety requirements for application software
NXP Semiconductors, page 56
Assumption: [SM_FMEDA_108] The application software shall configure the CMPU (at least of the 
Safety Core) to define the location, size, access permissions and memory attributes for each memory 
region that needs to be protected. [end]
Recommendation: [SM_FMEDA_109] For ASIL D applications, the CMPU should be used to ensure 
that only authorized software tasks can configure modules and can access only their allocated resources 
according to their access rights. [end]
3.4.2 System Memory Protection Unit (SMPU)
The System MPU (SMPU) provides memory protection at the crossbar (XBAR). The SMPU splits the 
physical memory into 16 different regions. Each XBAR master (Core, DMA, FlexRay, SIPI) can be 
assigned different access rights to each region. 
Assumption: [SM_FMEDA_110] The SMPU will be used to prevent non-safety masters (all except the 
Safety Core) from accessing restricted memory regions unless those regions are similarly protected by 
mechanisms shown in Section 3.4.3, AIPS protection mechanism or Section 3.4.4, Register protection 
(REG_PROT). [end]
Assumption: [SM_FMEDA_111] The SMPU shall only be programmed by the Safety Core. This 
software shall prevent write accesses to the SMPU’s registers from all other masters. [end]
NOTE
See “System Memory Protection Unit (SMPU)” chapter in the MPC5777M 
Reference Manual for details.
3.4.3 AIPS protection mechanism
The peripheral bridges (PBRIDGEn) translate accesses on the switched AMBA bus (XBAR) to 
point-to-point accesses to the majority of peripherals on the MPC5777M. The peripherals connected to the 
PBRIDGEs are PBRIDGE slaves.
The PBRIDGEs implement an additional protection mechanism to support the requirement that non-safety 
relevant masters and safety relevant masters do not interfere with one another. The protection mechanism 
allows for protection of each slave from master accesses (for example, read/write or supervisor/user 
access).
Assumption: [SM_FMEDA_112] The application software will configure the PBRIDGEs to define the 
access permissions for each slave module that requires access protection, unless protected by the 
mechanisms in Section 3.4.2, System Memory Protection Unit (SMPU) or Section 3.4.4, Register 
protection (REG_PROT). [end]
Assumption: [SCG18.052] After safety software takes control of the MPU it will check: [end]
• Assumption: [SCG18.053] That the HSM did assign itself only the expected access rights at the 
SMPU in the expected regions. [end]
• Assumption: [SCG18.054] That the configuration of SMPU/AIPS has been changed in such a way 
that the HSM no longer has writing access to the SMPU. [end]
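The following C sketch is an added example, not code from this manual or from NXP, showing how safety software could audit a snapshot of the protection entries against SM_FMEDA_111, SCG18.053 and SCG18.054. The entry model, master IDs, addresses and the expected HSM window are all hypothetical and do not reflect the MPC5777M register layout; a real implementation reads the SMPU and PBRIDGE registers described in the Reference Manual.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical snapshot model of SMPU/AIPS protection entries.
 * NOT the MPC5777M register layout; IDs and addresses are constructed. */
enum master { M_SAFETY_CORE, M_HSM, M_DMA, M_FLEXRAY, M_SIPI, M_COUNT };
enum { ACC_R = 1, ACC_W = 2 };
enum audit { AUDIT_OK, AUDIT_HSM_UNEXPECTED, AUDIT_SMPU_WRITABLE };

struct region { uint32_t start, end; uint8_t rights[M_COUNT]; }; /* inclusive */
struct hsm_policy { uint32_t start, end; uint8_t rights; }; /* expected HSM window */

/* Walk every entry and report the first violation found. */
enum audit smpu_audit(const struct region *tab, size_t n,
                      const struct hsm_policy *pol,
                      uint32_t smpu_lo, uint32_t smpu_hi)
{
    for (size_t i = 0; i < n; i++) {
        const struct region *r = &tab[i];
        /* SM_FMEDA_111 / SCG18.054: no master other than the Safety Core
         * may write an entry that overlaps the SMPU's own registers. */
        if (r->start <= smpu_hi && smpu_lo <= r->end)
            for (int m = 0; m < M_COUNT; m++)
                if (m != M_SAFETY_CORE && (r->rights[m] & ACC_W))
                    return AUDIT_SMPU_WRITABLE;
        /* SCG18.053: HSM rights only inside the expected window and
         * never broader than the expected rights. */
        uint8_t h = r->rights[M_HSM];
        int inside = r->start >= pol->start && r->end <= pol->end;
        if (h && (!inside || (h & ~pol->rights)))
            return AUDIT_HSM_UNEXPECTED;
    }
    return AUDIT_OK;
}

/* Constructed sample data: placeholder addresses, not real memory map values. */
#define SMPU_LO 0xFFF00000u
#define SMPU_HI 0xFFF00FFFu
const struct hsm_policy POL = { 0x40000000u, 0x4000FFFFu, ACC_R | ACC_W };
const struct region GOOD[] = {
    { 0x40000000u, 0x4000FFFFu, { [M_SAFETY_CORE] = 3, [M_HSM] = 3 } },
    { SMPU_LO, SMPU_HI, { [M_SAFETY_CORE] = 3 } },
};
const struct region HSM_WRITES_SMPU[] = {
    { SMPU_LO, SMPU_HI, { [M_SAFETY_CORE] = 3, [M_HSM] = ACC_W } },
};
const struct region HSM_EXTRA[] = {
    { 0x40010000u, 0x4001FFFFu, { [M_SAFETY_CORE] = 3, [M_HSM] = ACC_R } },
};

int main(void) { return smpu_audit(GOOD, 2, &POL, SMPU_LO, SMPU_HI); }
```

The audit only covers entries present in the snapshot; what the hardware does with an access that matches no entry is not modelled here.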