Firewall (FW) RM0367
132/1043 RM0367 Rev 7
Write protection
In order to offer a maximum security level, the following points need to be respected:
• It is mandatory to keep a write protection on the part of the code enabling the Firewall.
This activation code should be located outside the segments protected by the Firewall.
• The write protection is also mandatory on the code segment protected by the Firewall.
• The page including the reset vector must be write-protected.
Interrupts management
The code protected by the Firewall must not be interruptible. It is up to the user code to
disable any interrupt source before executing the code protected by the Firewall. If this
constraint is not respected and an interrupt occurs while the protected code is executing
(Firewall opened), the Firewall is closed as soon as the interrupt subroutine executes.
When execution returns to the protected code area, a Firewall alarm is raised, since the
“call gate” sequence has not been applied, and a reset is generated.
Concerning the interrupt vectors and the first user page in the Flash program memory:
• If the first user page (including the reset vector) is protected by the Firewall, the NVIC
vector should be reprogrammed outside the protected segment.
• If the first user page is not protected by the Firewall, the interrupt vectors may be kept
at this location.
There is no interrupt generated by the Firewall.
5.3.3 Firewall segments
The Firewall has been designed to protect three different segment areas:
Code segment
This segment is located in the Flash program memory. It should contain the code whose
execution requires the Firewall protection. The segment must be entered using the
“call gate” entry sequence, which opens the Firewall. A system reset is generated if the “call gate”
entry sequence is not respected (refer to Opening the Firewall) while the Firewall is enabled
using the FWDIS bit in the system configuration register. The length of the segment and the
segment base address must be configured before enabling the Firewall (refer to
Section 5.3.5: Firewall initialization).
Non-volatile data segment
This segment contains non-volatile data used by the protected code which must be
protected by the Firewall. The access to this segment is defined in Section 5.3.4: Segment
accesses and properties. The Firewall must be opened before accessing the data in this
area. The Non-Volatile data segment should be located in the Flash program memory or in
the 2-Kbyte Data EEPROM memory. The segment length and the base address of the segment
must be configured before enabling the Firewall (refer to Section 5.3.5: Firewall initialization).
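The rules given under Write protection, Interrupts management and Firewall segments can be checked mechanically against a firmware memory map before the image ships. The routine below is an added example, not code from RM0367 or from ST; the memory map, the page size, the assumption that the reset vector sits in the first Flash page, and all addresses in fw_sample_layout are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef struct { uint32_t base, len; } region_t;
typedef struct {
    region_t flash, eeprom;      /* Flash program memory and Data EEPROM (constructed map) */
    uint32_t page_size;          /* Flash page size, i.e. write-protection granularity (assumed) */
    region_t code_seg, nvds;     /* Firewall code segment and non-volatile data segment */
    region_t enable_code;        /* code that configures and enables the Firewall */
    region_t wp[4]; int n_wp;    /* write-protected address ranges */
    uint32_t vector_table;       /* base address of the active interrupt vector table */
    bool irqs_masked_on_entry;   /* user code disables interrupts before the call gate */
} fw_layout_t;
static bool overlaps(region_t a, region_t b) {
    return a.len && b.len && a.base < b.base + b.len && b.base < a.base + a.len;
}
static bool contains(region_t outer, region_t inner) {
    return inner.base >= outer.base && inner.base + inner.len <= outer.base + outer.len;
}
static bool write_protected(const fw_layout_t *l, region_t r) {
    for (int i = 0; i < l->n_wp; i++) if (contains(l->wp[i], r)) return true;
    return false;
}
/* Checks a layout against the rules quoted above; returns the number of violations (0 = passes). */
int fw_check_layout(const fw_layout_t *l) {
    int bad = 0;
    region_t reset_page = { l->flash.base, l->page_size };  /* first user page, holds the reset vector */
    region_t vt = { l->vector_table, 4 };                    /* start of the vector table */
#define RULE(cond, msg) do { if (!(cond)) { bad++; puts("violation: " msg); } } while (0)
    RULE(contains(l->flash, l->code_seg), "code segment must be in Flash program memory");
    RULE(contains(l->flash, l->nvds) || contains(l->eeprom, l->nvds), "NVDS must be in Flash or Data EEPROM");
    RULE(!overlaps(l->enable_code, l->code_seg), "Firewall activation code must be outside the protected segment");
    RULE(write_protected(l, l->enable_code), "Firewall activation code must be write-protected");
    RULE(write_protected(l, l->code_seg), "protected code segment must be write-protected");
    RULE(write_protected(l, reset_page), "page holding the reset vector must be write-protected");
    RULE(!overlaps(l->code_seg, reset_page) || !overlaps(vt, l->code_seg), "first page protected: vector table must be relocated outside the segment");
    RULE(l->irqs_masked_on_entry, "interrupts must be disabled before executing protected code");
#undef RULE
    return bad;
}
/* Constructed sample layout: addresses and sizes are illustrative, not taken from the manual. */
fw_layout_t fw_sample_layout(void) {
    fw_layout_t l = {
        .flash = { 0x08000000u, 0x10000u }, .eeprom = { 0x08080000u, 0x800u }, .page_size = 128,
        .code_seg = { 0x08004000u, 0x1000u }, .nvds = { 0x08080000u, 0x400u }, .vector_table = 0x08000000u,
        .enable_code = { 0x08001000u, 0x200u }, .wp = { { 0x08000000u, 0x8000u } }, .n_wp = 1,
        .irqs_masked_on_entry = true,
    };
    return l;
}
```

Running fw_check_layout over the sample layout reports no violations; moving the code segment onto the first page without relocating the vector table, or leaving interrupts enabled, each adds one reported violation.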