 Hello, and welcome to this presentation of the STM32C0 System Memories Protection. It will cover the different means for protecting code and data. Memory protections have been designed for different purposes. A read protection, for example, will prevent the dumping of embedded software code through an external access and will protect the developer's intellectual property. A read protection will prevent certain flush sectors from being accidentally erased by a load overflow in a software or data update procedure. STM32C0 microcontrollers provide several features for protecting code and data located in flush memory and backup registers. In addition to these typical memory protections, the STM32C0 also implements a mechanism to ensure the safe execution of sensitive firmware. The following slides will describe all these protection features. The following means are provided for code protection purposes. RDP, the readout protection, PCROP, the proprietary code readout protection, WRP, the write protection. Secure user memory protection ensures the safe execution of sensitive applications in addition to code and data protection. Readout protection, or RDP, is a global mechanism that prevents external read access to flush memory, option bytes, and backup registers. An external access can be gained by using a JTAG connector, a zero-wire port, or the boot software embedded in the SRAM. Three levels of RDP protection are defined from level 0, which offers no protection at all, to level 2, which has full and permanent protection. Protection levels will be described in the following slides. PCROP is a memory access protection against code dumping. It's used to protect the intellectual property of the code. The protected firmware remains executable, but read and write access performed by the CPU executing malicious third-party code like Trojan horse are prohibited. The write protection mechanism prevents accidental or malicious write and erase operations. Secure user memory is a flush memory area with a specific protection mechanism to ensure the safe execution of sensitive firmware in addition to code and data protection. After system reset, the code in the secureable memory area can only be executed until the secureable area becomes secured and never again until the next system reset. This allows implementing software security services such as a secure key storage or safe boot. All protection mechanisms are configurable via the STM32C0 option bytes. This table summarizes the features of the various protection mechanisms. It provides the following information, type of memory which is protected, granularity of the protection, number of protection areas, definition of the size of the protected area. The read protection is activated by setting the RDP option byte and then by applying a system reset to reload the new RDP option byte. There are three levels of read protection from no protection, level 0, to maximum protection or no debug, level 2. When the lowest RDP level, level 0, is set, the device has no protection. All read and write operations on the flush memory and the backup registers are possible in all boot configurations, flush user boot, debug or boot from RAM. Option bytes are also changeable in this level. Level 0 is the factory default level. In level 1, read protection is set from the flush memory and the backup registers. In this level, protected memories are only accessible when booting from user flush memory. Whenever a debugger access is detected or boot isn't set to user flush memory area, any access to the protected memories generates a system heart fault and a bus error which block all code execution until the next power on reset. Note that option bytes can still be modified at this level, making it possible to remove the protection. This mechanism is explained in the next slides. We've seen in the previous slide that it's possible to modify option bytes in level 1. It's then possible to remove the protection by changing the protection level to level 0. This protection level regression will cause the flush memory and the backup registers to be mass erased. Flush areas protected by PCROP or configured as secure user memory can be erased or left unchanged depending on their erase policy configuration. Readout protection level 2 provides the same protection as in level 1 but the protection becomes permanent. Option bytes cannot be modified so once the RDP protection is set to this level, there's no way to modify it and level regression with mass erase mechanism is no longer possible. This level must only be considered in the final product when the development stage is completed. Note that to ensure that there are no backdoors, this protection cannot be bypassed even at ST factory. This slide shows the possible transitions between each readout protection level. It's always possible to raise the protection level but regression is only possible between level 1 and level 0 with the consequence of a full main flash erase operation. The RDP option byte is protected by a complementary byte. Note that the RDP level is coded in one option byte. Level 0 is coded by a hex double A value, level 2 is coded by a hex double C value and level 1 is coded by any value other than hex double A or hex double C. This table summarizes the different types of access authorized for the flush memory and backup registers according to the readout protection level, configured boot mode and with debug access as seen in previous slides. PCROP means proprietary code readout protection. Third parties may develop and sell specific software IPs for STM32 microcontrollers and original equipment manufacturers may use them when developing their own application code. In order to protect the software intellectual property, the code must not be copied or read. The PCROP's purpose is to protect the confidentiality of third parties software intellectual property code against malicious users independent of the RDP level setting. The protected firmware can only be executed by the Cortex M0 plus core. Any other accesses by DMA, debug and data read, write and erase are strictly prohibited. To be compliant with this constraint, the firmware must be compiled with the appropriate compilation option. For example, minus execute underscore only for Kyle tools. Without this option, constants are interleaved with functions in the read only section called the literal pool. The Cortex M0 plus MPU doesn't support execute only access permissions. The proprietary code readout protected areas in flash memory are defined through the option bytes. Two PCROP areas can be defined. Each area is configured with a granularity of 512 bytes and can be set from 512 bytes up to the full bank. The areas are protected against data accesses. Note that pages protected with the PCROP feature are also protected against write access offering protection against unwanted page write or erase operations. The PCROP protection can only be removed by RDP level regression from level 1 to level 0. When executed, this mechanism triggers a full mass erase of the flash memory. Depending on the PCROP RDP option bit, the PCROP areas are erased when the RDP protection is changed from level 1 to level 0. The write protection protects code and non-volatile data from unwanted or accidental erasure. This protection is only available on the main flash memory. The write protection can be set on a selection of flash memory sectors only. There are 16 pages of 2 kilobytes in STM32C0 microcontrollers. When a sector is protected, it cannot be erased or programmed. Any attempt to write access to sector will cause a flash memory error. If at least one sector is write protected, a mass erase of the flash memory cannot be performed. The protection needs to be removed first. The purpose of the secure memory is to store code and data available during the boot time that becomes inaccessible once the boot program sets a control bit. The typical use case consists in performing an authentication and possibly decryption of the software image present in the flash memory by using cryptographic keys contained in the secure memory. The authentication and decryption programs are also stored in the secure memory. Option bits are used to set the size of the secure memory in page units. Base address is always hex 8 million, which corresponds to Cortex M0 plus reset vectors. When the sec size field of the option bytes is equal to zero, secure memories disabled. This field can only be modified in RDP level zero. When software sets the sec prot bit in the flash CR register, the secure memory is no longer accessible. In case of secure boot, used to perform image authentication and decryption, the sec prot bit is set to 1 when the authentication is successful just before branching to the first instruction of the image. Once the sec prot bit is set, it cannot be cleared by software. The only way to clear this bit is to apply a reset. Of course, code present in the secure memory may decide to erase a part of the secure memory. Furthermore, changing the flash read protection level from level 1 to level 0 triggers the erasure of the secure memory. Note that the code present in the secure area can also be protected against read and write accesses by mapping it into proprietary code readout protection areas. Changing the RDP level from level 1 to level 0 would erase these PCROP areas, whatever the value of the PCROP RDP bit. Only the contents of PCROP areas outside the secure memory address range will be preserved. Taking control of the Cortex-M0 Plus by using invasive debug can be temporarily disabled through the dbgswen control bit. For instance, the secure boot can decide to clear this bit before performing authentication and decryption and then to set this bit to 1 to re-enable invasive debug once the authentication is successful. In the STM32C0, three different boot modes can be selected. Boot from Embedded SRAM, boot from System Memory and boot from Main Flash Memory. Executing a secure boot from Securable Memory implies that the boot area is the flash memory. To disable the other boot areas, the boot log option bit has to be set in the FlashSec R register. It's always possible to set the boot log bit. However, resetting is possible only when RDP level is 0 or RDP is changed from level 1 to level 0, which causes the mass arrays. During option byte loading, the options are read by double word. If the word and its complement are matching, the option word is copied into the option register. If the comparison between the word and its complement fails, a status bit OPTVR is set. Mismatch values are forced into the option registers as indicated in the second bullet. Upon an option byte programming failure, for any reason, such as the loss of power or reset during the option byte change sequence, the mismatch values of the option bytes are loaded after reset. Those mismatch values force a secure configuration that might permanently lock the device. The STM32C0 implements a new feature. Debug capabilities remain enabled in case of option byte mismatch. Please refer to the flash memory presentation to learn more about the memory architecture, option bytes and flash memory operations. Thank you for attending this presentation.