AN4246
Application note
Proprietary code read out protection on STM32L1 microcontrollers

April 2013, DocID024207 Rev 1

Introduction

Protecting the intellectual property of embedded code has become an issue of high importance for microcontrollers. To provide this protection, STM32 microcontrollers have different means of protecting Flash code against copy and reverse engineering.

This application note describes the generic STM32 family Flash protection features. The focus is on the proprietary code read out protection (PCROP), which is embedded in medium-density plus STM32L151xC, STM32L152xC, STM32L162xC and STM32L100xC microcontrollers.

Table 1 lists the microcontrollers concerned by this application note.

Table 1. Applicable products
Type | Applicable products
Microcontrollers | STM32L1 (STM32L151xC, STM32L152xC, STM32L162xC and STM32L100xC)

Contents

1 Flash code protection
  1.1 Global read out protection (RDP)
  1.2 Write protection
  1.3 Proprietary code read out protection
2 Examples
  2.1 Secure firmware update (SFU) bootloader protection
  2.2 Preloaded third-party IP code
3 Conclusion
4 Reference documents
5 Revision history

1 Flash code protection

The STM32 microcontroller family is provided with the following code protection features:
1. Global read out protection (RDP)
2. Write protection
3. Proprietary code read out protection (PCROP)

These features are meant to protect the intellectual property of the embedded firmware code, which is of increasing interest for complex embedded systems.

1.1 Global read out protection (RDP)

The global read out protection protects the embedded firmware code (preloaded in the Flash memory) against reverse engineering, dumping using debug tools or other means of intrusive attack. This protection is set by the user after the binary code is loaded to the embedded Flash memory. Table 2 describes the 3 user-defined protection levels.

Once the user code is loaded in the Flash memory of the product, it can be protected against code dumping. This is done by activating either Level 1 or Level 2 protection, that is, by programming the RDP option byte following the rules described in Figure 1.

Table 2. RDP protection level
Levels | Description
Level 0 | No protection (default)
Level 1 | Flash memory is protected against reading by debugging or code dumping by the RAM loaded code
Level 2 | All debug features are disabled

Figure 1. RDP levels
[State diagram of the three RDP levels. Level 0: RDP = AAh. Level 1: RDP ≠ AAh and RDP ≠ CCh. Level 2: RDP = CCh. An options write that increases the RDP level includes options erase and new options program. An options write that decreases the RDP level includes mass erase, options erase and new options program. An options write that keeps the RDP level identical includes options erase and new options program.]

Both protection levels (1 and 2) have the same abilities to protect the Flash memory. Its content cannot be read by serial wire or JTAG debug access, by the bootloader system software or by loading any other software to the volatile RAM memory.

The main difference between the two protection levels is the volatile data (RAM content) protection, which only exists on Level 2. When RDP protection is set to Level 1, debug tools can still be connected and access all the volatile resources of the MCU (RAM and registers). These tools are used to check the part and/or system by loading some test code to the RAM. Level 1 protection also allows a programmed part to be recovered by erasing the entire Flash content. This is done by re-programming the RDP option byte from Level 1 to Level 0 (see Figure 1).

On the other hand, Level 2 protection is irreversible (fuse). Once the RDP is set to Level 2, the RDP option byte and all the other option bytes are frozen and can no longer be modified. However, the user Flash content, with the exception of all the write-protected sectors (see Section 1.2: Write protection), can still be updated under the control of the user code itself. An IAP (in-application programming) bootloader code can be implemented in order to allow a firmware update of some sectors. In order to ensure the protection of previously programmed user code, the bootloader protocol can be user-specified (implementing the relevant protection against attacks, dumping and/or malicious code update).

Note: Some examples of secure bootloader implementation using the embedded AES accelerator available on STM32 are described in application note AN4023 - STM32 secure firmware upgrade.

For additional details on read protection, refer to the microcontroller reference manuals.

1.2 Write protection

The write protection, applied per Flash area (sector), protects the content of the specified sectors against code update or erase. One option bit is used to activate the write protection for each Flash sector. When the write protection is set for sector i (option bit nWRPi = 0), this sector cannot be erased or programmed. Table 3 shows the sector write protection depending on the RDP level.

Table 3. Write protection
Levels | Description
Level 0 or 1 | The other option bytes still can be modified. (1)
Level 2 | All the option bytes are definitively frozen. (2)

1. The sector write protection is very important for safety functions. If they are programmed in the write protected sectors, these functions are fully protected against accidental erase or update.
2. A write protected sector cannot be erased or modified, either intentionally or not.

Note: Under these conditions, the integrity of the embedded firmware written in these sectors is guaranteed against any modification.

1.3 Proprietary code read out protection

The proprietary code read out protection (PCROP) is an alternative protection which is also applied per sector, allowing the protection of specific code (intellectual property) against attacks.

The PCROP implements 2 main features for microcontroller code protection and code management. Table 4 compares both PCROP features to the RDP protection method.

Table 4. Protection against attacks
Type of protection | Comparison
External attacks | Similar to the protection offered by RDP (but which can be restricted to a specific Flash area)
Internal attacks (such as Trojan horse type) | Possible use of some "unsecured" third party code in an application, while still preserving the privacy of some parts of the code

This protection is based on an execute-only mechanism. The Flash code area can only be reached by the STM32 CPU (as an instruction code), while all other accesses (DMA, debug and CPU data read) are strictly prohibited.

While protecting the executable code against reading, this execute-only mechanism has a side effect: the protected code itself (executed from this area) is unable to access the associated data values stored in the same area (e.g. the literal pool). In order to avoid the need for data accesses in this area (especially for literal pool accesses), a specific command line option must be chosen in the ARM/Keil compiler:

  armcc --no_literal_pools --max_string_in_code=0

This command line option replaces the literal pool operations with alternative instructions. These instructions build the register values without any data read access. This is mainly needed for loading registers with variable addresses. As the alternative method is less efficient, this option translates these operations into slightly less efficient code. However, the loss of performance is limited (below 5%), which is acceptable for the protected parts of the code.

The PCROP sector is selected by using the same option bytes as the write protection. As a result, these 2 options are mutually exclusive. However, the sectors protected against reading (PCROP) are also protected against writing/erasing. Therefore, the PCROP may be considered as a superset of the sector write protection.

In order to activate the PCROP (change the function of the nWRP option bits), the SPRMOD option bit must be activated. This operation is irreversible. Also, in PCROP mode, a sector which was set to be read-protected cannot be reset to the unprotected state. As a result, new sectors may be added to the read protected area (when RDP is set to Level 0 or 1), but the protected ones cannot be unprotected, erased or modified.

Depending on the RDP level, there is a possible workaround for recovering a protected chip. If the STM32 is in RDP Level 1 and the RDP option byte is set to Level 0, the user's Flash area will be totally erased. This is the only case where the SPRMOD and nWRP bits may be reset and all the protected sectors may be unprotected. However, as this operation is always associated with the global erase of the user Flash area, the code protection is not affected.

When the RDP is set to Level 2, all the option bytes are frozen and can no longer be modified. As a result, the protected sectors can never be erased or modified, so the protection becomes permanent.
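
The option-byte rules of sections 1.1 to 1.3 can be checked on the host before a programming step is sent to a part, so that an unexpected mass erase or a permanent lock is caught in advance. The C model below is an added example, not code from ST or from the original note; `opt_bytes_t`, `check_option_write` and the `prot` mask (bit i set = sector i protected) are hypothetical names and an assumed encoding, not the device register layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* RDP option byte values from Figure 1: AAh = Level 0, CCh = Level 2,
 * any other value = Level 1. */
#define RDP_LEVEL0 0xAAu
#define RDP_LEVEL2 0xCCu

/* Hypothetical host-side view of the option bytes. `prot` abstracts the
 * nWRP bits: bit i set means sector i is protected (assumed encoding). */
typedef struct {
    uint8_t  rdp;
    bool     sprmod;   /* true: nWRP bits select PCROP, not write protection */
    uint32_t prot;
} opt_bytes_t;

typedef enum {
    OPT_OK,             /* options erase + new options program */
    OPT_OK_MASS_ERASE,  /* Level 1 -> 0: user Flash is erased first */
    OPT_REJECT_FROZEN,  /* Level 2: option bytes can no longer change */
    OPT_REJECT_PCROP    /* would clear SPRMOD or unprotect a PCROP sector */
} opt_result_t;

int rdp_level(uint8_t rdp)
{
    if (rdp == RDP_LEVEL0) return 0;
    if (rdp == RDP_LEVEL2) return 2;
    return 1;
}

/* Predict the outcome of writing `req` over `cur`, per the note's rules. */
opt_result_t check_option_write(const opt_bytes_t *cur, const opt_bytes_t *req)
{
    int from = rdp_level(cur->rdp), to = rdp_level(req->rdp);
    if (from == 2) return OPT_REJECT_FROZEN;
    if (from == 1 && to == 0) return OPT_OK_MASS_ERASE; /* only path that resets PCROP */
    if (cur->sprmod && (!req->sprmod || (cur->prot & ~req->prot) != 0))
        return OPT_REJECT_PCROP;
    return OPT_OK;
}

int main(void)
{
    opt_bytes_t cur = { 0xAA, true, 0x3 }, req = { 0xAA, true, 0x1 }; /* constructed */
    printf("unprotect sector 1 at Level 0: %d\n", check_option_write(&cur, &req));
    req.rdp = 0xCC; req.prot = 0x7;
    printf("add sector 2, go to Level 2: %d\n", check_option_write(&cur, &req));
    return 0;
}
```
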

2 Examples

2.1 Secure firmware update (SFU) bootloader protection

A secure firmware update bootloader (as described in AN4023) can be included. It allows programming a third party code in the STM32 Flash memory, without compromising the secure bootloader mechanism and/or keys.

2.2 Preloaded third-party IP code

The third-party code which contains critical intellectual property code can be preloaded (e.g. through a fast ROM procedure) in the STM32 Flash memory and protected against reading by activating the PCROP mechanism. Then, the STM32 microcontrollers including the protected code can be used/programmed by the end user, without affecting the protected code.

3 Conclusion

STM32 microcontrollers are provided with various Flash protection mechanisms to fulfill the different needs of intellectual property protection. These range from a single user global code protection to a finer grain code protection where multiple IP firmware can coexist in the STM32 microcontroller memory. This solution allows the application to operate in potentially unsafe environments without compromising code protection or integrity.

4 Reference documents

Programming manual (PM0062), STMicroelectronics
Reference manual (RM0038), STMicroelectronics

5 Revision history

Table 5. Document revision history
Date | Revision | Changes
03-Apr-2013 | 1 | Initial release.