GPIO ASIL protection

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 
已解决

GPIO ASIL protection

跳至解决方案
974 次查看
mattiasecchiaro
Contributor I

Dear support,

We use the S32K148 MCU in an automotive application with some ASIL B functionalities.

We want to prevent non safe code (unprivileged code) from changing the GPIO outputs.

Safe code (Highest ASIL level of the application) must still be able to change GPIO Outputs at all times (not only at startup but also at runtime).

It seems that we cannot protect the GPIO controller using MPU: p.281 of S32K-RM.pdf rev 13.

mattiasecchiaro_1-1637569274126.png

 

We know that the mux of the GPIOs can be protected, S32K1xx_Memory_Map.xlsx:

mattiasecchiaro_2-1637569274146.png

 

However the S32K148 doesn’t seem to allow to configure the access rights of the GPIO controller.

mattiasecchiaro_3-1637569274159.png

 

The aliased peripheral does not have any registers allowing privilege control.

mattiasecchiaro_4-1637569274174.png

mattiasecchiaro_5-1637569274277.png

 

We thought we could use the clock gating of the SIM module (which himself can be protected from unprivileged access), but on p.169 of S32K-RM.pdf rev 13, it says that clock gating is not available for our MCU S32K148, only for S32K11x variants.

mattiasecchiaro_6-1637569274290.png

 

Is there a way to protect the access to the GPIOs outputs for S32K148?

 

Thanks.

标签 (1)
0 项奖励
1 解答
936 次查看
aarul
NXP Employee
NXP Employee

Hello

You can implement software measure and application-level measures to detect such failures. Few suggestions:

1. You can reduce the probability of this condition by disabling the access to the GPIO software driver (which resides in memory) to non-safe code. 

2. If you have application level measures such as redundant GPIO pins and loop-back implemented (refer to "Section 5.7.2 I/O functions" in Safety Manual), then a corruption by non-safe code can be detected. 

3. You can perform SW tests (read-back) to ensure that the values in the GPIO before execution of non-safe code and after execution of non-safe code are same. 

4. If you very few pins to be used as GPIO, you can even consider using a different peripheral (like TRGMUX). 

Hope this helps,

Regards

-Aarul

 

 

在原帖中查看解决方案

0 项奖励
4 回复数
951 次查看
aarul
NXP Employee
NXP Employee

Hello

In the first snippet you posted, there is a statement that says "Peripheral access protection is supported by AIPS". Can you please evaluate and confirm if the following register can enable protection to GPIO accesses that you are looking for or you are looking for something different?

aarul_0-1639644760592.png

Regards

-Aarul

0 项奖励
945 次查看
mattiasecchiaro
Contributor I

Hello Aarul,

thanks for the answer.

We tried, but, as already written, the S32K148 doesn’t allow to configure the access rights of the GPIO controller (the aliased peripheral does not have any registers allowing privilege control).

You can also look at the other snippets posted, taken from file S32K1xx_Memory_Map.xlsx (sheet Peripheral Memory Map).

 

Regards,

Mattia.

0 项奖励
937 次查看
aarul
NXP Employee
NXP Employee

Hello

You can implement software measure and application-level measures to detect such failures. Few suggestions:

1. You can reduce the probability of this condition by disabling the access to the GPIO software driver (which resides in memory) to non-safe code. 

2. If you have application level measures such as redundant GPIO pins and loop-back implemented (refer to "Section 5.7.2 I/O functions" in Safety Manual), then a corruption by non-safe code can be detected. 

3. You can perform SW tests (read-back) to ensure that the values in the GPIO before execution of non-safe code and after execution of non-safe code are same. 

4. If you very few pins to be used as GPIO, you can even consider using a different peripheral (like TRGMUX). 

Hope this helps,

Regards

-Aarul

 

 

0 项奖励
933 次查看
mattiasecchiaro
Contributor I

Hello,

thanks for the suggestions.

Solution 1 seems not to completely protect GPIOs, since the registers are still accessible.

Solutions 2 and 4 involve changes in hardware that we cannot manage now.

So, we'll go for solution 3 (SW readback of the GPIO registers).

Regards,

Mattia.

0 项奖励