Infineon Traveo II User Manual

Please read the Important Notice and Warnings at the end of this document 002-19843 Rev.*E
www.infineon.com page 1 of 49 <2021-02>
AN219843

Associated part family

Traveo II Family CYT2/CYT3/CYT4 Series

About this document

Scope and purpose
This application note explains the functionality and configuration of the protection units for Traveo II family MCUs. This document serves as a guide to enhance system security based on different operations. It also explains the structure, access attributes, and some usage examples of each protection unit.
Intended audience
This document is intended for anyone using the Traveo II family.

Table of contents

Associated part family
About this document
Table of contents
1 Introduction
2 Protection Units
2.1 Location of Protection Units
2.2 Protection Units Overview
3 Operation Overview
3.1 Protection Properties of Bus Transfer
3.2 Attribute Inheritance
3.3 User/Privileged Attribute Switching
3.3.1 User/Privileged Attribute Switching Procedure
3.3.2 Configuration
3.4 Protection Context Attribute Setting
3.4.1 Protection Context Attribute Switching Procedure
3.4.2 Configuration
3.5 Bus Transfer Evaluation
3.5.1 Evaluation Process
3.5.2 PC_MATCH Operation
3.6 Master Identifier
3.7 Protection Violation
4 Protection Units Structure
4.1 MPU Structure
4.2 SMPU Structure
4.3 PPU Structure
4.4 Protection Pair Structure
5 Configuration Example of Protection Units
5.1 Configuration Example of MPU Implemented as Part of CPU
5.1.1 Use case
5.1.2 Setting Procedure
5.1.3 Configuration
5.2 Configuration of MPU Implemented as Part of Bus Infrastructure
5.3 Configuration Example of SMPU
5.3.1 Usage Assumptions
5.3.2 Setting Procedure for SMPU
5.3.3 Configuration
5.4 Configuration Example of PPU
5.4.1 Usage Assumptions
5.4.2 Setting Procedure for PPU
5.4.3 Configuration
6 Glossary
Related Documents
Other References
Revision history
Protection Configuration in Traveo II

1 Introduction

This application note describes the Protection Units in Cypress Traveo II family series MCU. The series includes Arm® Cortex® CPUs with Enhanced Secure Hardware Extension (eSHE), CAN FD, memory, and analog and digital peripheral functions in a single chip.
The CYT2 series has one Arm Cortex-M4F-based CPU (CM4) and one Cortex-M0+-based CPU (CM0+). The CYT4 series has two Arm Cortex-M7-based CPUs (CM7) and a Cortex-M0+ CPU, and the CYT3 series has one Arm Cortex-M7-based CPU (CM7) and a CM0+.
Protection units are an important part of secure system design, and enforce security based on different operations. A protection unit allows or restricts bus transfers on the bus infrastructure based on specific properties. A protection violation is caused by a mismatch between a bus transfer's address region and access attributes and the protection structures' address range and access attributes.
These series have three types of protection units: Memory Protection Unit (MPU), Shared Memory Protection Unit (SMPU), and Peripheral Protection Unit (PPU). Memory Protection is provided by MPU and SMPU; protection for peripheral resources is provided by PPU.
The MPU, SMPU, and PPU protection structure definition follows the Arm definition (in terms of memory region and access attribute definition) to ensure a consistent software interface.
If security is required, the SMPU registers, and possibly the PPU registers, must be controlled by a "secure" CPU that enforces system-wide protection.
To understand the functionality described and terminology used in this application note, see the “Protection Unit” chapter of the Architecture Technical Reference Manual (TRM).
In addition, this application note describes example code with the Sample Driver Library (SDL). The code snippets in this application note are part of SDL. See Other References for the SDL.
The SDL has a configuration part and a driver part. The configuration part mainly configures the parameter values for the desired operation. The driver part configures each register based on the parameter values in the configuration part. You can adapt the configuration part to your system. The sample program shown here is for the CYT2B7 series.

2 Protection Units

2.1 Location of Protection Units

Figure 1 shows the locations of MPUs, SMPUs, and PPUs in the CYT2B series.
[Block diagram not reproduced. Labeled blocks: m4cpuss with fast_infra and slow_infra; CM4 CPU (MPU, SMPU); CM0+ CPU (MPU, SMPU); CRYPTO (SMPU); P-DMA 0 and P-DMA 1 (SMPU); M-DMA (SMPU); Test Controller as slow external master (SMPU/MPU); Peripheral Block with a PPU at each master interface, Peripheral Group 0 to Peripheral Group 15.]
Figure 1 Protection Unit Locations in the CYT2B Series
See the Architecture TRM for the locations in other series.

2.2 Protection Units Overview

MPUs are associated with a single master. There are the following two types of MPU:
• An MPU that is implemented as part of the CPU: This type is found in the Arm CPUs.
• An MPU that is implemented as part of the bus infrastructure: This type is found in bus masters such as the test controller.
However, the Peripheral DMA (P-DMA 0/1), Memory DMA (M-DMA), and Cryptography (CRYPTO) components do not have an MPU. These masters inherit the access control attributes of the bus transfer that programmed the channels or components.
An SMPU is shared by all bus masters. A single set of SMPU region structures provides the same protection information to all SMPUs in the system.
A PPU is shared by all bus masters. A PPU provides access control to the peripherals within a peripheral group. There are the following two types of PPU:
• Fixed PPU: The address to protect is fixed and cannot be modified by software.
• Programmable PPU: The address to protect is programmable by software.
The MPU and SMPU have a higher priority than the PPU. In addition, a programmable PPU has a higher priority than a fixed PPU.
See the Architecture TRM for more details on protection units.

3 Operation Overview

3.1 Protection Properties of Bus Transfer

Protection units identify the following properties of a bus transfer:
• An address range to be accessed
• Access attributes such as the following:
  - Read/Write: Distinguish a read access from a write access
  - Execute: Distinguish a code access from a data access
  - User/Privileged: Distinguish a user access from a privileged access
  - Secure/non-secure: Distinguish a "secure" code access from a "non-secure" code access. The non-secure attribute allows both non-secure and secure accesses.
  - Protection context: Distinguish accesses from different protection contexts
Not all bus masters provide all these access attributes. No bus master has a protection context; Arm CPUs do not have a secure attribute.
Access attributes not provided by the bus master are provided by the PROT_MPUx_MS_CTL and PROT_SMPU_MSx_CTL registers. These registers may be set during the boot process or by the secure CPU.
Figure 2 shows the structure of PROT_MPUx_MS_CTL registers.
[Register diagram not reproduced. PROT_MPUx_MS_CTL, bits 31 to 0, one register per master (Master Control 0, Master Control 1, ...). Fields shown: PC [3:0], PC_SAVED [19:16].]
Figure 2 PROT_MPUx_MS_CTL Register
This register grants a protection context attribute to its master access.
• PROT_MPUx_MS_CTL.PC: Sets the protection context attribute of its own access
• PROT_MPUx_MS_CTL.PC_SAVED: The boot process sets this field. This field is only present for the CM0+ master.
Figure 3 shows the structure of the PROT_SMPU_MSx_CTL registers.
[Register diagram not reproduced. PROT_SMPU_MSx_CTL, bits 31 to 0, one register per master (Master Control 0, Master Control 1, ...). Fields shown: PC_MASK_15_TO_1 [23:17], PC_MASK_0, PRIO [9:8], NS, P.]
Figure 3 PROT_SMPU_MSx_CTL Register
This register grants the following attributes to its master access.
• PROT_SMPU_MSx_CTL.P: Provides the User/Privileged attribute for masters that do not provide their own attribute.
• PROT_SMPU_MSx_CTL.NS: Provides the Secure/Non-Secure attribute for masters that do not provide their own attributes.
• PROT_SMPU_MSx_CTL.PC_MASK_15_TO_1 and PC_MASK_0: Restricts the protection context that the bus master can set to PROT_MPUx_MS_CTL.PC. The PC_MASK_0 field is always '0'. This means that bus masters cannot set the PC = 0 attribute.
• PROT_SMPU_MSx_CTL.PRIO: Sets the bus arbitration priority.
However, not all bus masters have these register fields. Table 1 shows the relationship of registers for each master.
Table 1 Register Field Provided to the Master
| Register Field | CM0+ CPU | CRYPTO Component | P-DMA 0 | P-DMA 1 | M-DMA | CM4F CPU | Test Controller |
|---|---|---|---|---|---|---|---|
| PROT_MPUx_MS_CTL.PC | Yes | – | – | – | – | Yes | Yes |
| PROT_MPUx_MS_CTL.PC_SAVED | Yes | – | – | – | – | – | – |
| PROT_SMPU_MSx_CTL.P | – | – | – | – | – | – | Yes |
| PROT_SMPU_MSx_CTL.NS | Yes | – | – | – | – | Yes | Yes |
| PROT_SMPU_MSx_CTL.PC_MASK_15_TO_1 and PC_MASK_0 | Yes | – | – | – | – | Yes | Yes |
| PROT_SMPU_MSx_CTL.PRIO | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
The P-DMA 0/1, M-DMA, and CRYPTO components do not have an MPU. Therefore, these peripheral functions do not have fields to set attributes.
Each master has an associated SMPU MS_CTL register. However, in secure systems, this register can typically be controlled only by the secure master (CM0+) to prevent a master from changing its own privileged setting, security setting, arbitration priority, or enabled protection contexts.

3.2 Attribute Inheritance

As mentioned earlier, P-DMA, M-DMA, and CRYPTO components inherit the access control attributes of the bus transfers that programmed the channels and component. The inherited access attribute is allowed/restricted by SMPU and PPU.
Figure 4 shows examples of the setting and behavior for inheriting attributes.
[Diagram not reproduced. A CPU channel-setting task with the attributes User, Non-Secure, PC=7 writes the P-DMA configuration register for Channel A. Channel A inherits these access attributes, and its transfers to memory or a peripheral are issued as User Read/User Write, Non-Secure, PC=7.]
Figure 4 Setting and Behavior Example for Attribute Inheritance

3.3 User/Privileged Attribute Switching

This section describes attribute switching for both CPUs, which support the User/Privileged attribute. The CPUs support two operating modes and two privilege levels as follows:
• Operation Mode
  - Thread Mode: This mode is used to execute application software. This mode can run at the Privileged level or the User level.
  - Handler Mode: This mode is used to handle exceptions. This mode only runs at the Privileged level.
• Privileged Levels
  - User Level: The software has limited access
  - Privileged Level: The software can use all instructions and access all resources
The privilege level is switched through the CONTROL register, which is a CPU-specific register. Switching from the Privileged level to the User level is performed by writing the CONTROL register. However, the CONTROL register can be rewritten only at the Privileged level. Therefore, switching from the User level to the Privileged level must always go through the Handler mode. The CPU enters the Handler mode when an exception or interrupt occurs. Figure 5 shows an example of User/Privileged level switching by the SVC (Supervisor call) instruction exception. The SVC instruction generates an exception and can enter the Handler mode.
[State diagram not reproduced. Three columns, Handler/Privileged, Thread/Privileged, and Thread/User, starting from reset release, with the transitions numbered (1) to (6): exception entry and return, Change CONTROL = Unprivileged, SVC exception, and Change CONTROL = Privileged.]
Figure 5 Example User/Privileged Level Switching for Both CPUs
1. CPUs are started in Thread/Privileged mode after reset release.
2. When an exception occurs in Thread/Privileged mode, the Handler/Privileged mode is entered, and upon return from handler processing, Thread/Privileged mode is entered again.
3. In the Thread/Privileged mode, transition to the Thread/User mode is allowed by the CONTROL register.
4. When an exception occurs in the Thread/User mode, the Handler/Privileged mode is entered, and upon return from handler processing, Thread/User mode is entered again.
5. When switching from the Thread/User mode to Thread/Privileged mode, use SVC instruction to enter the Handler/Privileged mode. The SVC instruction can cause an SVC exception.
6. Set the Privileged level with the CONTROL register in the Handler/Privileged level. The CPU transitions to the Thread/Privileged mode after returning from handler processing.
See the Arm documentation sets for CM4, CM7, and CM0+ for more details.
You need to register the SVC handler in advance.

3.3.1 User/Privileged Attribute Switching Procedure

This section explains how to switch between Privileged and User modes.

3.3.2 Configuration

Table 2 lists the functions in SDL for User/Privileged attribute switching using SVC instruction.
Table 2 List of Functions
| Functions | Description | Remarks |
|---|---|---|
| GetUserMode() | Change Privileged Level to User | - |
| GetPrivilegedMode() | Change Privileged Level to Privileged | - |
| SVC_GetPrivilegedMode() | Generates SVC interrupt. | - |
| Cy_SysLib_SvcHandler(pSvcArgs) | SVC handler. pSvcArgs: SVC Index | Change to Privileged if index is "2" |
The following code shows an example of switching using SVC.
Code Listing 1 Example of User/Privileged Switching using SVC
int main(void)
{
    /* CPUs are started in Thread/Privileged mode after reset release. */
    SystemInit();

    __enable_irq();

    /* ... */

    /* Get user mode from here */
    /* Change Privileged Mode to User Mode. See Code Listing 2. */
    GetUserMode();

    /* ... */

    /* Access privileged write only port register after getting privileged mode */
    /* Change from User Mode to Privileged Mode. See Code Listing 3. */
    SVC_GetPrivilegedMode();

    /* ... */

    /* Access privileged write only port register after getting user mode */
    /* Change from Privileged Mode to User Mode. See Code Listing 2. */
    GetUserMode();

    /* ... */

    for(;;);
}
Code Listing 2 GetUserMode() Function
void GetUserMode(void)
{
    /* (3) Change to User Mode */
    __ASM("MRS r0, CONTROL"); // Read CONTROL register into R0
    __ASM("ORR r0, r0, #1");  // nPRIV -> 1
    __ASM("MSR CONTROL, r0"); // Write R0 back into CONTROL register
}
Code Listing 3 SVC_GetPrivilegedMode()
void SVC_GetPrivilegedMode(void)
{
    /* (5) SVC exception with index 2. It calls the SVC handler. See Code Listing 4. */
    __ASM("SVC 0x02"); // SVC index = 2: Get privileged mode
}
Code Listing 4 SVC Handler
void Cy_SysLib_SvcHandler(uint32_t* pSvcArgs)
{
    /* pSvcArgs[6] is the stacked return address; the SVC index is the */
    /* immediate byte of the SVC instruction located just before it.   */
    uint8_t svcIdx = ((char*)pSvcArgs[6])[-2];

    switch(svcIdx)
    {
    case 0:
        /* SVC processing for index 0 */
        /* ... */
        break;
    case 1:
        /* SVC processing for index 1 */
        /* ... */
        break;
    case 2:
        /* SVC processing for index 2. Change to Privileged Mode. See Code Listing 5. */
        GetPrivilegedMode();
        break;
    default:
        break;
    }
}
Code Listing 5 GetPrivilegedMode() Function
void GetPrivilegedMode(void)
{
    /* (6) Change to Privileged Mode */
    __ASM("MRS r0, CONTROL"); // Read CONTROL register into R0
    __ASM("BIC r0, r0, #1");  // nPRIV -> 0
    __ASM("MSR CONTROL, r0"); // Write R0 back into CONTROL register
}

3.4 Protection Context Attribute Setting

Protection Contexts (PCs) are used to isolate software execution for security and safety purposes. PCs are used as the PC attribute for all bus transfers that are initiated by the master. SMPUs and PPUs allow or restrict bus transfers based on the PC attribute.
The series supports eight PCs. Of these eight PCs, protection contexts 0 and 1 are special; these are controlled by hardware. In addition, PC0 has unrestricted access.
Specific bus masters have associated PC fields (PROT_MPUx_MS_CTL.PC and PROT_SMPU_MSx_CTL.PC_MASK_15_TO_1 and PC_MASK_0).
A bus master protection context is changed by reprogramming the associated PROT_MPUx_MS_CTL.PC field. The PROT_SMPU_MSx_CTL.PC_MASK field restricts the PCs that can be set for the associated bus master.
For example, if PROT_SMPU_MSx_CTL.PC_MASK[15:0] = 0x06 (PC1, 2 = "1"), the PCs to which the associated bus master can be set are PC = 1 and PC = 2. A bus master cannot be changed to a PC that is not allowed (PC = 0, 3, 4, 5, 6, 7).
Figure 6 shows an example of the flow for changing PCs.
[Diagram not reproduced. Task switch flow: Start, (1) Change PC, Task A processing, (2) Change PC, Task B processing. While Task A runs, PC = 4 and all bus transfers initiated by the master are accessed as PC = 4; while Task B runs, PC = 5 and all bus transfers initiated by the master are accessed as PC = 5. SMPU regions in memory: Region 0 (PC = 4) and Region 1 (PC = 4), where Task B is not allowed, and Region 2 (PC = 5), where Task A is not allowed.]
Figure 6 Change Flow of PCs and Behavior
Note: PC values that can be set by each master are restricted by PROT_SMPU_MSx_CTL.PC_MASK_15_TO_1 and PC_MASK_0.
This allows a single bus master to take on different protection roles by reprogramming only the protection context field without changing the settings of SMPUs and PPUs.

3.4.1 Protection Context Attribute Switching Procedure

This section explains how to switch protection context shown in Figure 6.
• Region 0 and 1: PC=4 access has permissions
• Region 2: PC=5 access has permissions

3.4.2 Configuration

Table 3 and Table 4 list the parameters and functions in SDL for protection context switching.
Table 3 List of Parameters
| Parameters | Description | Value |
|---|---|---|
| RESERVED_MEMORY_BLOCK_SIZE | Define Memory size of each region | 0x400 |
| PROTECTION_CONTEXT_OF_TASK_A | Define Protection Context number for TASK A | 4u |
| PROTECTION_CONTEXT_OF_TASK_B | Define Protection Context number for TASK B | 5u |
| PC_MASK_OF_TASK_A | Define PROT_SMPU_MSx_CTL.PC_MASK value for enabling PC=4. | - |
| PC_MASK_OF_TASK_B | Define PROT_SMPU_MSx_CTL.PC_MASK value for enabling PC=5. | - |
| gReservedRam.taskA_Region0/1/2 | Set start address and memory size of Region 0/1/2 | Memory size = RESERVED_MEMORY_BLOCK_SIZE |
| gSmpuStructConfigOfTask(A/B).address | Set SMPU region (Base Address) | gReservedRam.taskA_Region0/1/2 |
| gSmpuStructConfigOfTask(A/B).regionSize | Set SMPU region (Region Size) | CY_PROT_SIZE_1KB (1KB) |
| gSmpuStructConfigOfTask(A/B).subregions | Set SMPU region (Subregion setting) | 0x00u (Not used) |
| gSmpuStructConfigOfTask(A/B).userPermission | Set SMPU region (User Permission setting) | CY_PROT_PERM_RWX (=0x07u) Full access for User |
| gSmpuStructConfigOfTask(A/B).privPermission | Set SMPU region (Privileged Permission setting) | CY_PROT_PERM_RWX (=0x07u) Full access for Privileged |
| gSmpuStructConfigOfTask(A/B).secure | Set SMPU region (Non-Secure setting) | False (Non-Secure) |
| gSmpuStructConfigOfTask(A/B).pcMatch | Set SMPU region (PC Match setting) | False (PC field participates in "matching") |
| gSmpuStructConfigOfTask(A/B).pcMask | Set SMPU region (PC_MASK setting) | Region 0/1: PC_MASK_OF_TASK_A; Region 2: PC_MASK_OF_TASK_B |
| PROT_SMPU_SMPU_STRUCT0/1/2 | Define Base address of PROT_SMPU_SMPU_STRUCT0/1/2. It depends on the product. See Registers TRM. | - |
| CPUSS_MS_ID_CM4 | Define bus master identifiers. It depends on the product. See Master Identifier. | 14 |
Table 4 List of Functions
| Functions | Description | Value |
|---|---|---|
| Cy_Prot_ConfigBusMaster(busMaster, privileged, secure, pcmask) | PROT_SMPU_MSx_CTL setting. busMaster: bus master identifiers; privileged: P field setting; secure: NS field setting; pcmask: PC_MASK field setting. See Registers TRM. | busMaster: CPUSS_MS_ID_CM4; privileged: true (User mode); secure: false (Non-Secure); pcmask: PC_MASK field setting |
| Cy_Prot_ConfigSmpuSlaveStruct(*base, *config) | SMPU Region setting. *base: Register Base address; *config: Configuration parameter | *base: PROT_SMPU_SMPU_STRUCT0/1/2; *config: gSmpuStructConfigOfTask(A/B) |
| Cy_Prot_EnableSmpuSlaveStruct(*base) | SMPU Region enable. *base: Register Base address | *base: PROT_SMPU_SMPU_STRUCT0/1/2 |
| Cy_Prot_SetActivePC(busMaster, PC) | PROT_MPU_MSx_CTL setting. busMaster: bus master identifiers; PC: PC value | busMaster: CPUSS_MS_ID_CM4; PC: PROTECTION_CONTEXT_OF_TASK_A or PROTECTION_CONTEXT_OF_TASK_B |
The following description will help you understand the register notation of the driver part of SDL:
• addrMpu->unMS_CTL.u32Register is the PROT_MPUx_MS_CTL register mentioned in the Registers TRM. Other registers are also described in the same manner. "x" signifies the bus master identifier.
• Performance improvement measures: To improve register setting performance, the SDL writes complete 32-bit data to the register. Each bit field is prepared in advance in a bit-writable buffer, which is then written to the register as the final 32-bit data.
tempSL_ATT0.u32Register = base->unSL_ATT0.u32Register;
tempSL_ATT0.stcField.u1PC1_UR = (config->userPermission & CY_PROT_PERM_R);
tempSL_ATT0.stcField.u1PC1_UW = (config->userPermission & CY_PROT_PERM_W) >> 1;
tempSL_ATT0.stcField.u1PC1_PR = (config->privPermission & CY_PROT_PERM_R);
tempSL_ATT0.stcField.u1PC1_PW = (config->privPermission & CY_PROT_PERM_W) >> 1;
tempSL_ATT0.stcField.u1PC1_NS = !(config->secure);
base->unSL_ATT0.u32Register = tempSL_ATT0.u32Register;
See cyip_prot_v2.h and cyip_peri_ms_v2.h under hdr/rev_x/ip for more information on the union and structure representation of registers.
Code Listing 6 shows an example of switching protection context.
Code Listing 6 Example of User/Privileged Switching Protection Context
#define RESERVED_MEMORY_BLOCK_SIZE (0x400) // 1K: size of each region

#define PROTECTION_CONTEXT_OF_TASK_A (4u) // Protection context for Task A (PC=4)
#define PROTECTION_CONTEXT_OF_TASK_B (5u) // Protection context for Task B (PC=5)

/* PC_MASK for each SMPU region */
#define PC_MASK_OF_TASK_A (1u<<(PROTECTION_CONTEXT_OF_TASK_A-1u))
#define PC_MASK_OF_TASK_B (1u<<(PROTECTION_CONTEXT_OF_TASK_B-1u))

/* SRAM regions */
struct
{
    uint8_t taskA_Region0[RESERVED_MEMORY_BLOCK_SIZE];
    uint8_t taskA_Region1[RESERVED_MEMORY_BLOCK_SIZE];
    uint8_t taskB_Region2[RESERVED_MEMORY_BLOCK_SIZE];
} gReservedRam;

/* SMPU configuration for regions 0 and 1 (PC=4 access has permissions) */
cy_stc_smpu_cfg_t gSmpuStructConfigOfTaskA =
{
    .address = NULL, // Will be updated in run time
    .regionSize = CY_PROT_SIZE_1KB,
    .subregions = 0x00u,
    .userPermission = CY_PROT_PERM_RWX,
    .privPermission = CY_PROT_PERM_RWX,
    .secure = false, // Non secure
    .pcMatch = false,
    .pcMask = PC_MASK_OF_TASK_A, // only enable for task A
};

/* SMPU configuration for region 2 (PC=5 access has permissions) */
cy_stc_smpu_cfg_t gSmpuStructConfigOfTaskB =
{
    .address = NULL, // Will be updated in run time
    .regionSize = CY_PROT_SIZE_1KB,
    .subregions = 0x00u,
    .userPermission = CY_PROT_PERM_RWX,
    .privPermission = CY_PROT_PERM_RWX,
    .secure = false, // Non secure
    .pcMatch = false,
    .pcMask = PC_MASK_OF_TASK_B, // only enable for task B (PC=5 enabled by PC_MASK)
};

int main(void)
{
    SystemInit();

    cy_en_prot_status_t status;

    /* Setting for MS14_CTL (for CM4) to allow the PC value to become 4 or 5 */
    /* Set PROT_SMPU_MS14_CTL.PC_MASK. See Configuration Example of SMPU for SMPU setting details. (*) */
    status = Cy_Prot_ConfigBusMaster(CPUSS_MS_ID_CM4, true, false, (PC_MASK_OF_TASK_A|PC_MASK_OF_TASK_B));
    CY_ASSERT(status == CY_PROT_SUCCESS);

    /* Setting for SMPU_STRUCT 0 */
    /* Setting SMPU_STRUCT 0 for task A. For details on setting SMPU, see Configuration Example of SMPU. */
    gSmpuStructConfigOfTaskA.address = (uint32_t*)gReservedRam.taskA_Region0;
    status = Cy_Prot_ConfigSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT0, &gSmpuStructConfigOfTaskA);
    CY_ASSERT(status == CY_PROT_SUCCESS);
    /* Enable SMPU_STRUCT 0 */
    status = Cy_Prot_EnableSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT0);
    CY_ASSERT(status == CY_PROT_SUCCESS);

    /* Setting for SMPU_STRUCT 1 */
    /* Setting SMPU_STRUCT 1 for task A. For details on setting SMPU, see Configuration Example of SMPU. */
    gSmpuStructConfigOfTaskA.address = (uint32_t*)gReservedRam.taskA_Region1;
    status = Cy_Prot_ConfigSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT1, &gSmpuStructConfigOfTaskA);
    CY_ASSERT(status == CY_PROT_SUCCESS);
    /* Enable SMPU_STRUCT 1 */
    status = Cy_Prot_EnableSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT1);
    CY_ASSERT(status == CY_PROT_SUCCESS);

    /* Setting for SMPU_STRUCT 2 */
    /* Setting SMPU_STRUCT 2 for task B. For details on setting SMPU, see Configuration Example of SMPU. */
    gSmpuStructConfigOfTaskB.address = (uint32_t*)gReservedRam.taskB_Region2;
    status = Cy_Prot_ConfigSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT2, &gSmpuStructConfigOfTaskB);
    CY_ASSERT(status == CY_PROT_SUCCESS);
    /* Enable SMPU_STRUCT 2 */
    status = Cy_Prot_EnableSmpuSlaveStruct(PROT_SMPU_SMPU_STRUCT2);
    CY_ASSERT(status == CY_PROT_SUCCESS);

    for(;;)
    {
        /* Setting for MPU so that CM4 PC for task A */
        /* (1) Change protection context to PC=4 for TASK A */
        status = Cy_Prot_SetActivePC(CPUSS_MS_ID_CM4, PROTECTION_CONTEXT_OF_TASK_A);
        CY_ASSERT(status == CY_PROT_SUCCESS);

        /* Do task A: access to RAM region 0 and 1. See Code Listing 8. */
        Routine_TaskA();

        /* Setting for MPU so that CM4 PC for task B */
        /* (2) Change protection context to PC=5 for TASK B */
        status = Cy_Prot_SetActivePC(CPUSS_MS_ID_CM4, PROTECTION_CONTEXT_OF_TASK_B);
        CY_ASSERT(status == CY_PROT_SUCCESS);

        /* Do task B: access to RAM region 2. See Code Listing 8. */
        Routine_TaskB();
    }
}
Note: (*) This process specifies the value of the protection context that can be set by the corresponding master. In a secure system, it is run by the secure master. See Protection Properties of Bus Transfer for more details.
Code Listing 7 Cy_Prot_SetActivePC() Function
cy_en_prot_status_t Cy_Prot_SetActivePC(en_prot_master_t busMaster, uint32_t pc)
{
    cy_en_prot_status_t status = CY_PROT_SUCCESS;
    un_PROT_MPU_MS_CTL_t tProtMpuMsCtl = {0ul};
    volatile stc_PROT_MPU_t* addrMpu = (stc_PROT_MPU_t*)(&PROT->CYMPU[busMaster]);

    /* Check protection context value, if available. */
    if(pc > (uint32_t)CY_PROT_MS_PC_NR_MAX)
    {
        /* Invalid PC value - not supported in device */
        status = CY_PROT_BAD_PARAM;
    }
    else
    {
        /* Change protection context, then read it back to confirm the write took effect. */
        tProtMpuMsCtl.stcField.u4PC = pc;
        addrMpu->unMS_CTL.u32Register = tProtMpuMsCtl.u32Register;
        status = ((addrMpu->unMS_CTL.stcField.u4PC != pc) ? CY_PROT_FAILURE : CY_PROT_SUCCESS);
    }

    return status;
}
Code Listing 8 Routine_TaskA() and Routine_TaskB() Function
/* Access to region 0 and 1 with TASK A. If these regions are accessed with TASK B, it will cause bus fault. */
void Routine_TaskA(void)
{
    for(uint32_t i = 0; i < RESERVED_MEMORY_BLOCK_SIZE; i++)
    {
        gReservedRam.taskA_Region0[i] += 1;
    }

    for(uint32_t i = 0; i < RESERVED_MEMORY_BLOCK_SIZE; i++)
    {
        gReservedRam.taskA_Region1[i] += 1;
    }
}

/* Access to region 2 with TASK B. If these regions are accessed with TASK A, it will cause bus fault. */
void Routine_TaskB(void)
{
    for(uint32_t i = 0; i < RESERVED_MEMORY_BLOCK_SIZE; i++)
    {
        gReservedRam.taskB_Region2[i] += 1;
    }
}

3.5 Bus Transfer Evaluation

3.5.1 Evaluation Process

The evaluation of bus transfer by protection units is divided into two independent processes.
• Matching process: For each protection structure, this process determines whether a transfer address is contained within the address range.
• Access evaluation process: For each protection structure, this process evaluates the bus transfer access attributes against the access control attributes.
The following pseudo code shows the evaluation process of bus transfer.
match = 0;
for (i = n-1; i >= 0; i--) // n: number of protection regions
    if (Match ("transfer address", "protection context")) // Matching process
    {
        match = 1; break;
    }

if (match)
    AccessEvaluate ("access attributes", "protection context"); // Access evaluation process
else
    "access allowed"
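The two-step evaluation above, together with the PC_MASK rules from section 3.4, can be exercised on a host PC with the following C model of the Task A/Task B layout. This is an added example, not SDL code and not part of the application note. All type and function names are hypothetical; it assumes that the protection context is checked during access evaluation, that the execute permission bit is 0x04, and it uses a made-up RAM base address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Permission bits: R = 0x01 and W = 0x02 follow the SDL snippet on this page;
 * X = 0x04 is inferred from CY_PROT_PERM_RWX = 0x07 (assumption). */
#define PERM_R 0x01u
#define PERM_W 0x02u
#define PERM_X 0x04u

/* Attributes carried by one bus transfer (section 3.1). */
typedef struct {
    uint32_t addr;
    uint8_t  perm;        /* one of PERM_R, PERM_W, PERM_X */
    bool     privileged;  /* false = User */
    bool     secure;      /* false = Non-Secure */
    uint8_t  pc;          /* protection context */
} transfer_t;

/* One protection structure, mirroring the cy_stc_smpu_cfg_t fields in Code Listing 6. */
typedef struct {
    uint32_t base, size;
    uint8_t  user_perm, priv_perm;
    bool     secure;           /* true = only secure transfers are accepted */
    uint16_t pc_mask_15_to_1;  /* bit (n - 1) set = PC n is accepted */
    bool     enabled;
} region_t;

/* Bit of protection context pc inside a PC_MASK_15_TO_1 field, as in the page's
 * PC_MASK_OF_TASK_x macros. PC0 has no bit because PC_MASK_0 is always 0. */
static uint16_t pc_field_bit(uint8_t pc)
{
    return (pc >= 1u && pc <= 15u) ? (uint16_t)(1u << (pc - 1u)) : 0u;
}

/* Full PC_MASK[15:0] view used in the prose example (0x06 = PC1 and PC2). */
uint16_t full_pc_mask(uint16_t pc_mask_15_to_1)
{
    return (uint16_t)(pc_mask_15_to_1 << 1);
}

/* MS_CTL.PC_MASK check: may the master switch itself to this PC? */
bool master_may_set_pc(uint16_t ms_pc_mask_15_to_1, uint8_t pc)
{
    return (ms_pc_mask_15_to_1 & pc_field_bit(pc)) != 0;
}

/* Access evaluation process for the structure that matched. */
static bool access_evaluate(const region_t *r, const transfer_t *t)
{
    if (t->pc == 0u) return true;                  /* PC0 has unrestricted access */
    if ((r->pc_mask_15_to_1 & pc_field_bit(t->pc)) == 0) return false;
    if (r->secure && !t->secure) return false;     /* non-secure regions accept both */
    uint8_t allowed = t->privileged ? r->priv_perm : r->user_perm;
    return (allowed & t->perm) != 0;
}

/* Matching process followed by access evaluation, as in the pseudo code:
 * the highest-numbered matching structure decides; no match means allowed. */
bool smpu_allows(const region_t *regions, int n, const transfer_t *t)
{
    for (int i = n - 1; i >= 0; i--) {
        const region_t *r = &regions[i];
        if (r->enabled && t->addr >= r->base && (t->addr - r->base) < r->size)
            return access_evaluate(r, t);
    }
    return true;
}

/* Constructed layout modelled on gReservedRam: three consecutive 1 KB blocks.
 * DEMO_BASE is a made-up address, not taken from the device memory map. */
#define DEMO_BASE  0x08010000u
#define DEMO_BLOCK 0x400u

static const region_t demo_regions[3] = {
    { DEMO_BASE + 0u * DEMO_BLOCK, DEMO_BLOCK, 0x07u, 0x07u, false, 1u << 3, true }, /* Region 0: PC=4 */
    { DEMO_BASE + 1u * DEMO_BLOCK, DEMO_BLOCK, 0x07u, 0x07u, false, 1u << 3, true }, /* Region 1: PC=4 */
    { DEMO_BASE + 2u * DEMO_BLOCK, DEMO_BLOCK, 0x07u, 0x07u, false, 1u << 4, true }, /* Region 2: PC=5 */
};

/* User-mode, non-secure access by a task running in protection context pc. */
bool demo_access(uint8_t pc, uint32_t addr, uint8_t perm)
{
    transfer_t t = { addr, perm, false, false, pc };
    return smpu_allows(demo_regions, 3, &t);
}

int main(void)
{
    const char *verdict[2] = { "violation", "allowed" };
    printf("Task A (PC=4) writes Region 0: %s\n", verdict[demo_access(4, DEMO_BASE, PERM_W)]);
    printf("Task B (PC=5) writes Region 0: %s\n", verdict[demo_access(5, DEMO_BASE, PERM_W)]);
    printf("Task B (PC=5) writes Region 2: %s\n", verdict[demo_access(5, DEMO_BASE + 2u * DEMO_BLOCK, PERM_W)]);
    printf("Task A (PC=4) reads Region 2:  %s\n", verdict[demo_access(4, DEMO_BASE + 2u * DEMO_BLOCK, PERM_R)]);
    printf("Task B outside all regions:    %s\n", verdict[demo_access(5, DEMO_BASE + 3u * DEMO_BLOCK, PERM_W)]);
    printf("CM4 may switch to PC=3:        %s\n", master_may_set_pc((1u << 3) | (1u << 4), 3) ? "yes" : "no");
    return 0;
}
```

The fifth case shows a consequence of the pseudo code: an address covered by no enabled structure is allowed, so the Task A/Task B isolation holds only inside the three configured blocks.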