[LPC55]: Disable ISP and SWD to utilize code protection

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

[LPC55]: Disable ISP and SWD to utilize code protection

[LPC55]: Disable ISP and SWD to utilize code protection

In some early LPC products, such as LPC11xx, LPC17xx, LPC18xx, LPC40xx, LPC43xx, LPC8xx, etc, CRP is used to utilize code protection. CRP has three different security levels: Figure 1 shows the security levels of CRP1, CRP2, and CRP3.

ZhangJennie_0-1684590850572.png

Figure 1

The LPC55 series (LPC55(S)0x, 1x,2x, and 6x) uses Secure boot and Protected Flash Region (PFR) configuration instead of CRP for security protection. The part number with S (eg. LPC55S) supports Secure boot, for instance, LPC55S28 and LPC55S06. However, non-S series products, such as LPC5506, LPC5528,  can only utilize code protection by configuring FPR related fields.

CRP2 is the most commonly used protection level. With CRP2, SWD access is blocked, so users can not read, write, or erase Flash via SWD or ISP. In addition, users cannot erase part of Flash to modify existing code. Once in CRP2 mode, Flash can only be recovered by Mass Erase Flash, which effectively prevents attacker from reading and modifying the Flash code.

Unfortunately, the LPC5500 device such as LPC55(S)0x, 1x,2x,6x doesn't have exactly the same functional mechanism as the CRP2, which is questioned by many users. However, if we need to achieve the same functionality as CRP2, we can configure CMPA to disable ISP and SWD debugging port.

1.   Disable ISP

Customer Manufacturing/Factory Configuration Area (CMPA) is part of the PFR, Configure BOOT_CFG to select whether the ISP mode is enabled. Table 1 shows the field table starting with 9E40 word address in CMPA. ISP control domains have been marked in red (as shown in Table 1). Table 2 shows the mode selection of ISP domains, 111 is ISP disabled. If the ISP mode is disabled, set BOOT_CFG to 0b1110000.

Word AddressHEX

Byte Address

Field Description

6

5

4

3

2

1

0

9E40

9E400

BOOT_CFG

Default ISP mode

0

0

0

0

9E404

SPI_FLASH_CFG

0

0

0

0

0

0

0

9E408

USB_ID

USB Vendor ID

9E40C

SDIO_CFG

0

0

0

0

0

0

0

9E41

9E410

CC_SOCU_PIN

ISP_CMD_EN

MCM33_DBGEN

0

0

0

0

0

9E414

CC_SOCU_DFLT

ISP_CMD_EN

MCM33_DBGEN

TAPEN

SPIDEN

SPNIDEN

DBGEN

NIDEN

Table 1

Default ISP mode

Bit 64

Auto ISP

000

USB_HID_MSC

001

UART ISP

010

SPI Slave ISP

011

I2C slave ISP

100

Disable ISP

111

Table 2

2.   Disable SWD

The DCFG_CC_SOCU is a configuration that specifies debug access restrictions per debug domain. These access restrictions are also referred as constraint attributes in this section. The debug subsystem is sub-divided into multiple debug domains to allow finer access control. Figure 2 shows debug domains and their corresponding control bit position in DCFG_CC_SOCU. Logically, DCFG_CC_SOCU has two components: SOCU_PIN and SOCU_DFLT. The SOCU_PIN and SOCU_DFLT registers are used together to define SWD debug access for the module. Which is logically composed of two components:

  • SOCU_PIN: A bitmask that specifies which debug domains are predetermined by device configuration.
  • SOCU_DFLT: Provides the final access level for those bits that the SOCU_PIN field indicated are predetermined by device configuration.

In another words, set the corresponding bit of SOCU_PIN and SOCU_DFLT register to 1 at the same time to enable the module. This module is disabled by setting the corresponding bits of the SOCU_PIN and SOCU_DFLT registers to 0 simultaneously. See Figure 2.

ZhangJennie_1-1684591151287.png

Figure 2

Note that the default value of CC_SOCU_PIN and CC_SOCU_DFLT in LPC55 PFR are all zeros. Therefore, in this case, although SOCU_PIN and SOCU_DFLT are both 0, the bit reverse rule is not met (Figure 3 below). Therefore, all debugging permissions are enabled by default when CC_SOCU_PIN and CC_SOCU_DFLT are all 0.

ZhangJennie_2-1684591191419.png

Figure 3

Note: the distinction between CC_SOCU_PIN(CC_SOCU_DFLT) and SOCU_PIN(SOCU_DFLT). The former with CC_ includes the reverse bit of the latter.

For example, if SOCU_PIN and SOCU_DFLT are set to all zeros and the reverse bit is set to 1, all SWD modules are disabled.

ZhangJennie_3-1684591227902.png

Figure 4

3. Implementation

The following uses LPC5506 as an example to configure the CMPA field:

3.1  Disable ISP and SWD

ZhangJennie_4-1684591266203.png

Figure 5

Keep the default CMPA values except for the two highlighted in red in Figure 5.

1) Set BOOT_CFG to 0x70 to disable ISP.

2) Set all SOCU_PIN and SOCU_DFLT to 0, and set all reverse bits to 1. That is, disable all debug accessing subdomains.

3.2 Enable ISP and SWD

ZhangJennie_5-1684591308131.png

Figure 6

Keep the default CMPA values except for the two highlighted in red in Figure 6.

1) Set BOOT_CFG to 0x00 to enable Auto ISP.

2) Restore the default values of DCFG_CC_SOCU, that is, CC_SOCU_PIN and CC_SOCU_DFLT to all zeros. in this case, all debug permissions are restored (turned on) because the rule of bit reversal is not met (see Part 2 of this article).

3.3 Code Implementation

Enable or disable the SWD and ISP functions by serial command (1 or 0).

ZhangJennie_6-1684591332748.png

Figure 7

The demo code is attached. This routine has been tested on the LPCXpresso55S06 development board.

NOTE:

    As system security requirements and the attack surface evolves, it is important for customers to understand the types of attacks (especially advanced physical attacks) which NXP does not claim to protect against, or strongly mitigate, so that appropriate mitigation can be taken by the customer at the system level if necessary.

 

标签 (1)
附件
评论

This would appear that any mass erase of the flash via SWD is completely disabled in the future (unless somehow the enable code in the above example is run) . Is this correct, or am I mistaken?

We only have the SWD interface (on LPC5528 boards) to program production boards so we need a way to read protect the flash via SWD (no read allowed from any interface) and only allow mass erase via any interface. Is this possible?

0% 有帮助 (0/1)
版本历史
最后更新:
‎05-28-2023 07:24 AM
更新人: