

### **About this document**

#### **Scope and purpose**

This application note explains the functionality and how to configure the protection units for XMC7000 family MCU. This document serves as a guide to enhance system security based on different operations. It also explains the structure, access attributes, and some usage examples of each protection unit.

### **Associated part family**

XMC7000 family of XMC<sup>™</sup> industrial microcontrollers.



### **Table of contents**

## **Table of contents**

| Abou  | ıt this document                                               | 1  |
|-------|----------------------------------------------------------------|----|
| Table | e of contents                                                  | 2  |
| 1     | Introduction                                                   | 3  |
| 2     | Protection units                                               | 4  |
| 2.1   | Location of protection units                                   | 4  |
| 2.2   | Protection units overview                                      |    |
| 3     | Operation overview                                             | 5  |
| 3.1   | Protection properties of bus transfer                          |    |
| 3.2   | Attribute inheritance                                          |    |
| 3.3   | User/Privileged attribute switching                            |    |
| 3.4   | Protection context attribute setting                           |    |
| 3.5   | Bus transfer evaluation                                        | 10 |
| 3.5.1 | Evaluation process                                             | 10 |
| 3.5.2 | PC_MATCH operation                                             | 11 |
| 3.6   | Master identifier                                              | 13 |
| 3.7   | Protection violation                                           | 14 |
| 4     | Protection unit structure                                      | 15 |
| 4.1   | MPU structure                                                  | 15 |
| 4.2   | SMPU structure                                                 | 16 |
| 4.3   | PPU structure                                                  | 17 |
| 4.4   | Protection pair structure                                      | 18 |
| 5     | Configuration example of protection units                      | 20 |
| 5.1   | Configuration example: MPU implemented as part of the CPU      | 20 |
| 5.1.1 | Use case                                                       | 20 |
| 5.1.2 | Setting procedure                                              | 21 |
| 5.2   | Configuration of MPU implemented as part of bus infrastructure | 22 |
| 5.3   | Configuration example of SMPU                                  |    |
| 5.3.1 | Usage assumptions                                              | 22 |
| 5.3.2 | Setting procedure for SMPU                                     | 23 |
| 5.3.3 | Configuration                                                  |    |
| 5.4   | Configuration example of PPU                                   |    |
| 5.4.1 | Usage assumptions                                              |    |
| 5.4.2 | Setting procedure for PPU                                      |    |
| 5.4.3 | Configuration                                                  | 37 |
| 6     | Glossary                                                       | 43 |
| Refer | rences                                                         | 44 |
| Revis | sion history                                                   | 45 |
|       | aimer                                                          |    |



#### Introduction

### 1 Introduction

This application note describes the protection units in XMC7000 family series MCU. The series includes Arm® Cortex® CPUs with Enhanced Secure Hardware Extension (eSHE), CAN FD, memory, and analog and digital peripheral functions in a single chip.

The XMC7100 and XMC7200 series MCUs have two Arm® Cortex®-M7-based CPUs (CM7) and a Cortex®-M0+ CPU.

Protection units are an important part for security system design, and enforce security based on different operations. A protection unit allows or restricts bus transfers on the bus infrastructure based on specific properties. A protection violation is caused by a mismatch between a bus transfer's address region and access attributes and the protection structures' address range and access attributes.

These series have three types of protection units:

- Memory Protection Unit (MPU),
- Shared Memory Protection Unit (SMPU),
- Peripheral Protection Unit (PPU).

Memory protection is provided by the MPU and SMPU, and protection for peripheral resources is provided by the PPU.

The MPU, SMPU, and PPU protection structure definition follows the Arm® definition (in terms of memory region and access attribute definition) to ensure a consistent software interface.

If security is required, the SMPU and possibly PPUs registers must be controlled by a secured CPU that enforces system-wide protection.

To understand the functionality described and terminology used in this application note, see the "Protection Unit" chapter of the architecture reference manual.

In addition, this application note describes example code with the Peripheral Driver Library (PDL). The code snippets in this application note are part of PDL. See References for the PDL.

This sample program is for XMC7200 series.



**Protection units** 

## 2 Protection units

## 2.1 Location of protection units

Figure 1 shows the locations of MPUs, SMPUs, and PPUs in the XMC7200 series.



Figure 1 Protection unit locations in the XMC7200 series

See the architecture reference manual for the location of other series devices.

#### 2.2 Protection units overview

MPUs are associated with a single master. There are following two types of MPUs:

- An MPU that is implemented as part of the CPU: This type is found in the Arm® CPUs
- An MPU that is implemented as part of the bus infrastructure: This type is found in bus masters such as test controller

However, Peripheral DMA (P-DMA/DW), Memory DMA (M-DMA/DMAC), and Cryptography (CRYPTO) components do not have an MPU. These masters inherit the access control attributes of the bus transfer that programmed channels or components.

An SMPU is shared by all bus masters. A single set of SMPU region structures provides the same protection information to all SMPUs in the systems.

A PPU is shared by all bus masters. The PPU provides access control to the peripherals within a peripheral group. PPUs are of two types:

- Fixed PPU: The address to protect is fixed and cannot be modified by software.
- Programmable PPU: The address to protect is programmable by software.

The MPU and SMPU have a higher priority over the PPU. In addition, a programmable PPU has a higher priority than a fixed PPU.

See the architecture reference manual or more details on protection units.



**Operation overview** 

## **3** Operation overview

## 3.1 Protection properties of bus transfer

Protection units identify the following properties of bus transfer:

• An address range to be accessed

The MPU, SMPU, and PPU protection structure definition follows the Arm® definition. Therefore, note the following when setting the region address and region size of the protection unit.

- The base address of the region address must be aligned to the region size. When the region size is 64 KB, the base address must be aligned on a multiple of 64 KB, for example, at 0x00010000 or 0x00020000. See the registers reference manual for details.
- Access attributes such as the following:
  - Read/Write: Distinguish a read access from a write access
  - Execute: Distinguish a code access from a data access
  - User/Privileged: Distinguish a user access from a privileged access
  - Secured/non-secured: Distinguish a secured code access from a non-secured code access. The non-secured attribute allows both non-secured and secured accesses.
  - Protection context: Distinguish accesses from different protection contexts

Not all bus masters provide all these access attributes. No bus master has a protected context; Arm® CPUs do not have a secured attribute.

Access attributes not provided by the bus master are provided by the PROT\_MPUx\_MS\_CTL and PROT\_SMPU\_MSx\_CTL registers. These registers may be set during the boot process or by the secure CPU. Figure 2 shows the structure of PROT\_MPUx\_MS\_CTL registers.



Figure 2 PROT\_MPUx\_MS\_CTL register

This register grants a protection context attribute to its master access.

- PROT\_MPUx\_MS\_CTL.PC: Sets the protection context attribute of its own access
- PROT\_MPUx\_MS\_CTL.PC\_SAVED: The boot process sets this field. This field is present only for the CM0+ master.

Figure 3 shows the structure of the PROT\_SMPU\_MSx\_CTL registers.





#### **Operation overview**

#### Figure 3 PROT\_SMPU\_MSx\_CTL register

This register grants the following attributes to its master access:

- PROT\_SMPU\_MSx\_CTL.P: Provides the User/Privileged attribute for masters that do not provide their own attributes.
- PROT\_SMPU\_MSx\_CTL.NS: Provides the secured/non-secured attribute for masters that do not provide their own attributes.
- PROT\_SMPU\_MSx\_CTL.PC\_MASK\_15\_TO\_1 and PC\_MASK\_0: Restricts the protection context that the bus master can set to MPUx\_MS\_CTL.PC.

Note:

When one of the bits CPUSS\_CM0\_PC\_CTL.VALID[3:1] is '1' (the associated protection context handler is valid), write transfers of the application software to the associated bits of PROT\_SMPU\_MSx\_CTL.PC\_MASK\_15\_TO\_1[19:17] always writes '0'. This ensures that when valid protection context handlers are used to enter protection contexts 1, 2, or 3, the application software cannot enter those protection contexts. Also, the application software should clear the relevant bits of PROT\_SMPU\_MSx\_CTL.PC\_MASK\_15\_TO\_1[19:17] when CPUSS\_CMx\_PC\_CTL.VALID[3:1] bits are set to 1. See registers reference manual for more details.

- The PC\_MASK\_0 field is always '0'. This means that bus masters cannot set the PC = 0 attribute.
- PROT\_SMPU\_MSx\_CTL.PRIO: Sets the bus arbitration priority.

However, not all bus masters have these register fields. Table 1 shows the relationship of registers for each master.

Table 1 Register field provided to the master

| rubte 1 Register i                                     | icia proviace | to the master    |               |                 | rable 2 Register field provided to the master |                    |  |  |  |  |
|--------------------------------------------------------|---------------|------------------|---------------|-----------------|-----------------------------------------------|--------------------|--|--|--|--|
| Register field                                         | CM0+ CPU      | CRYPTO component | P-DMA<br>(DW) | M-DMA<br>(DMAC) | СМ7 СРИ                                       | Test<br>controller |  |  |  |  |
| PROT_MPUx_MS_<br>CTL.PC                                | Yes           | -                | _             | -               | Yes                                           | Yes                |  |  |  |  |
| PROT_MPUx_MS_<br>CTL.PC_SAVED                          | Yes           | -                | _             | -               | _                                             | -                  |  |  |  |  |
| PROT_SMPU_MSx_<br>CTL.P                                | -             | -                | _             | -               | _                                             | Yes                |  |  |  |  |
| PROT_SMPU_MSx_<br>CTL.NS                               | Yes           | -                | _             | -               | Yes                                           | Yes                |  |  |  |  |
| PROT_SMPU_MSx_<br>CTL.PC_MASK_15_TO_1<br>and PC_MASK_0 | Yes           | -                | _             | -               | Yes                                           | Yes                |  |  |  |  |
| PROT_SMPU_MSx_<br>CTL.PRIO                             | Yes           | Yes              | Yes           | Yes             | Yes                                           | Yes                |  |  |  |  |

P-DMA (DW), M-DMA (DMAC), and CRYPTO components do not have MPU. Therefore, these peripheral functions do not have fields to set attributes.

Each master has an associated SMPU MS\_CTL register. However, in secure systems, this register can be typically controlled only by the secured master (CM0+) to prevent a master from changing its own privileged setting, security setting, arbitration priority, or enabled protection contexts.



**Operation overview** 

#### 3.2 Attribute inheritance

As mentioned earlier, P-DMA (DW), M-DMA (DMAC), and CRYPTO components inherit the access control attributes of the bus transfers that programmed the channels and components. The inherited access attribute is allowed/restricted by SMPU and PPU.

Figure 4 shows examples of the setting and behavior for inheriting the attributes.



Figure 4 Setting and behavior example for attribute inheritance

## 3.3 User/Privileged attribute switching

This section describes attribute switching of both CPUs supporting User/Privileged attributes. CPUs support two operating modes and two privilege levels as follows:

- Operation mode
  - Thread mode: This mode is used to execute the application software. This mode can run in Privileged level or User level.
  - Handler mode: This mode is used to handle exceptions. This mode only runs in Privileged level.
- Privileged levels
  - User level: The software has limited access.
  - Privileged level: The software can use all instructions and access all resources.

Privileged level is switched by the CPU-specific CONTROL register. Switching from Privileged level to User level is performed by the CONTROL register. However, the CONTROL register can be rewritten only with the privileged level. Therefore, switching from the User level to the Privileged level must always go through the Handler mode. The CPU enters the Handler mode when an exception or interrupt occurs. Figure 5 shows an example User/Privileged level switching by the supervisor call (SVC) instruction exception. The SVC instruction generates an exception and can enter the Handler mode.



#### **Operation overview**



Figure 5 Example User/Privileged level switching for both CPUs

- 1. CPUs are started in Thread/Privileged mode after reset release.
- 2. When an exception occurs in Thread/Privileged mode, the Handler/Privileged mode is entered; upon returning from handler processing, Thread/Privileged mode is entered again.
- 3. In the Thread/Privileged mode, transition to the Thread/User mode is allowed by the CONTROL register.
- 4. When an exception occurs in the Thread/User mode, the Handler/Privileged mode is entered; upon returning from handler processing, Thread/User mode is entered again.
- 5. When switching from the Thread/User mode to Thread/Privileged mode, use the SVC instruction to enter the Handler/Privileged mode. The SVC instruction can cause an SVC exception.
- 6. Set the Privileged level with the CONTROL register in the Handler/Privileged level. The CPU transitions to the Thread/Privileged mode after returning from handler processing.

See the Arm® documentation sets for CM7 and CM0+ for more details.

You need to register the SVC handler in advance.



**Operation overview** 

## 3.4 Protection context attribute setting

Protection contexts (PCs) are used to isolate software execution for security and safety purposes. PCs are used as the PC attribute for all bus transfers that are initiated by the master. SMPUs and PPUs allow or restrict bus transfers based on the PC attribute.

The series supports eight PCs. Protection contexts 0 and 1 out of eight PCs are special; these are controlled by hardware. In addition, PC0 has unrestricted access.

Specific bus masters have associated PC fields (PROT\_MPUx\_MS\_CTL.PC and PROT\_SMPU\_MSx\_CTL.PC\_MASK\_15\_TO\_1 and PC\_MASK\_0).

A bus master protection context is changed by reprogramming the associated PROT\_MPUx\_MS\_CTL.PC field. The PROT\_SMPU\_MSx\_CTL.PC\_MASK field restricts the PCs that can be set for the associated bus master.

For example, if PROT\_SMPU\_MSx\_CTL.PC\_MASK[15:0] = "0x06" (PC1, 2 = "1"), the PCs to which the associated bus master can be set are "PC = 1" and "PC = 2". A bus master cannot be changed to a PC not allowed (PC = 0, 3, 4, 5, 6, 7).

Figure 6 shows an example of changing the flow of PCs.



Figure 6 Change flow of PCs and behavior

Note: PC values that can be set by each master are restricted by

PROT\_SMPU\_MSx\_CTL.PC\_MASK\_15\_TO\_1 and PC\_MASK\_0.

Note: If the access attributes such as PC or secure change when the CM7 cache memory is enabled, data

that is not allowed access such as the new PC or non-secured may be stored in the cache memory. In this case, you need to run the cache memory clean and invalidate before switching the attribute of the protection context and secured. See AN234254-Multi-core handling guide in XMC7000 for

cache memory handling.

This allows a single bus master to take on different protection roles by reprogramming only the protection context field without changing the settings of SMPUs and PPUs.



**Operation overview** 

### 3.5 Bus transfer evaluation

### 3.5.1 Evaluation process

The evaluation of bus transfer by protection units is divided into two independent processes:

- Matching process: For each protection structure, this process determines whether a transfer address is contained within the address range.
- Access evaluation process: For each protection structure, this process evaluates the bus transfer access attributes against the access control attributes.

The following pseudo code shows the evaluation process of bus transfer.

Note: If no protection structure provides a match, access is allowed.

Note: If multiple protection structures provide a match, the access control attributes for access evaluation are provided by the protection structure with the highest index.

A protection unit evaluates the protection structures in the decreasing order. In other words, higher-indexed structures take precedence over lower-indexed structures.

When transfer addresses do not match, the protection structure with the next highest index is evaluated. When transfer addresses match, bus transfer access attributes are evaluated by the access evaluation process. If transfer access attributes do not match with the access evaluation process, it is detected as an access violation. Therefore, the protection structure with the next highest index is not evaluated.



**Operation overview** 

#### PC\_MATCH operation 3.5.2

The SMPU has a PC\_MATCH field, which controls "matching" and "access evaluation" processes.

Case of PC\_MATCH = 0

The following pseudo code shows the evaluation process when PC\_MATCH = 0:

```
match = 0;
for (i = n-1; i >= 0; i--)
                                 // n: number of protection regions
   if (Match ("transfer address") {
      match = 1; break;
   }
if (match)
   AccessEvaluate ("access attributes", "protection context");
else
   "access allowed"
```

When PC\_MATCH = "0", the protection context is evaluated only in the access evaluation process.

Figure 7 shows the operation example when PC\_MATCH of Region 5 is '0' and PC\_MATCH of Region 4 is '0'. Table 2 shows the settings for each region.

Region Setting1 for PC\_MATCH operation Table 2

| Region   | PC_MATCH | Region address | <b>Protection context</b> | User       |
|----------|----------|----------------|---------------------------|------------|
| Region 4 | 0        | AA             | 4                         | Read/Write |
| Region 5 | 0        | AA             | 5                         | Read-only  |



PC\_MATCH operation example 1 Figure 7



#### **Operation overview**

In this case, the protection context is not evaluated by the matching process. Therefore, both PC = 4 access and PC = 5 access is "match" in the matching process. The protection context is evaluated by the access evaluation process. For PC = 5, access is allowed; for PC = 4, access is not allowed. As a result, PC = 4 access cannot access this address because PC = 4 access is prohibited by Region 5 with a higher priority than Region 4.

• Case of PC\_MATCH = 1

The following pseudo code shows the evaluation process when PC\_MATCH = 1:

When PC\_MATCH = "1", the protection context is evaluated not only by the access evaluation process, but also by the matching process.

Figure 8 shows the operation example when PC\_MATCH of Region5 is '1' and PC\_MATCH of Region4 is '0'. Table 3 shows the settings for each region.

Table 3 Region Setting2 for PC\_MATCH operation

| Region   | PC_MATCH | Region address | <b>Protection context</b> | User       |
|----------|----------|----------------|---------------------------|------------|
| Region 4 | 0        | AA             | 4                         | Read/Write |
| Region 5 | 1        | AA             | 5                         | Read only  |



Figure 8 PC\_MATCH operation example 2



#### **Operation overview**

In this case, the protection context is also evaluated by the matching process. PC = 5 access is "match" in the matching process and is evaluated by the access evaluation process. However, PC = 4 access is "Not matched", and is evaluated by the matching process with Region 4 of the next highest priority. It is evaluated by the access evaluation process after the matching process, and access is allowed.

It is possible to assign different attributes to the same address area depending on the protection context by using PC\_MATCH.

Note: PC\_MATCH is provided only for the SMPU. This functionality is not supported because a PPU

structure provides access attributes for all protection contexts.

Note: When the region address has only one attribute, use PC\_MATCH with "0".

## 3.6 Master identifier

Each bus master has a dedicated master identifier. This identifier is used for correspondence with the register suffix in protection units and identification of access violation master by protection units. Table 4 lists the master identifiers. See the related datasheet [1] for bus master identifier using products.

Table 4 Master identifiers

| Master identifier | Bus master         | Bus master         |
|-------------------|--------------------|--------------------|
|                   | XMC7100 series     | XMC7200 series     |
| 0                 | CM0+ CPU           | CM0+ CPU           |
| 1                 | CRYPTO component   | CRYPTO component   |
| 2                 | P-DMA (DW) 0       | P-DMA (DW) 0       |
| 3                 | P-DMA (DW) 1       | P-DMA (DW) 1       |
| 4                 | M-DMA (DMAC)       | M-DMA (DMAC)       |
| 5                 | SDHC               | SDHC               |
| 6                 | Ethernet 0         | -                  |
| 9                 | -                  | Ethernet 0         |
| 10                | _                  | Ethernet 1         |
| 13                | CM7_1 CPU          | CM7_1 CPU          |
| 14                | CM7_0 CPU          | CM7_0 CPU          |
| 15                | DAP Tap Controller | DAP Tap Controller |



**Operation overview** 

#### **Protection violation** 3.7

If the MPU that is implemented as part of the CPU detects access violations, the programmable-priority MemManage fault or HardFault handler is invoked. If an MPU fault occurs on an access that is not in the TCM, the AXI or AHB transactions for that access are not performed. See the Arm® documentation sets for CM7, and CM0+ for more MPU details.

If the MPU that is implemented as part of the bus infrastructure and SMPU detects a bus transfer that causes a violation of the protection status, the bus transfer results in a bus error.

In case of write transfers that violate PPU protection, the bus master will not see the bus error when buffering is enabled (CPUSS\_BUFF\_CTL.WRITE\_BUFF = 1). This is because AHB-Lite bridges in the bus infrastructure will buffer the write transfer and send the OK response to masters. In this case, the system must depend on the fault reported by the PPU. Write transfers that violate the PPU cause a bus error if buffering is disabled (CPUSS\_BUFF\_CTL.WRITE\_BUFF = 0). Read transfers that violate PPU protection always result in a bus error.

The bus transfers that violate protection units do not reach their target memory location or peripheral register.

A protection violation detected by the MPU that is implemented as part of the bus infrastructure, SMPU, and PPU is captured in the fault report structure. The fault report structure can generate an interrupt to indicate the occurrence of a fault. In addition, information on the violating bus transfer is communicated to the fault report structure.

The fault reporting structure captures the following information:

- Violating address
- Violating attribute
  - User Read/User Write/User Execute
  - Privileged Read/Privileged Write/Privileged Execute
  - Non-secured
  - Protection context identifier
- Violating master identifier
- Protection units that detected the violation or fault type<sup>1</sup>



#### **Protection unit structure**

## 4 Protection unit structure

#### 4.1 MPU structure

Figure 9 shows the MPU structure that is implemented as part of the bus infrastructure. See the Arm® documentation sets for CM7 and CM0+ for details of the MPU that is implemented as part of CM7 and CM0+.



Figure 9 MPU structure

The MPU protection structure sets the property to be allowed and restricted by master access. An MPU protection identifies the following properties:

- Address range
  - ADDR.ADDR24 [31:8]: Specifies the base address of the region
  - ATT.REGION\_SIZE [28:24]: Specifies the size of a region. The region size is in the range of [256 B, 4 GB].
  - ADDR.SUBREGION\_DISABLE [7:0]: Individual disable settings for eight subregions within the region
- Access attribute
  - ATT.UR: Control for User Read access
  - ATT.UW: Control for User Write access
  - ATT.UX: Control for User Execute access
  - ATT.PR: Control for Privileged Read access
  - ATT.PW: Control for Privileged Write access
  - ATT.PX: Control for Privileged Execute access
  - ATT.NS: Control for Secured access
- Region enable
  - ATT.ENABLED: Region enable

The MPU does not provide a protection context. The definition of this MPU type follows the Arm® MPU definition (in terms of memory region and access attribute definition) to ensure a consistent software interface.

A region can be partitioned into eight equally sized subregions; it is possible to specify individual enables for the subregions within a region with the ADDR.SUBREGION\_DISABLE field.

For example, when SUBREGION\_DISABLE is 0x82 (bit fields 1 and 7 are '1') in the divided subregion [0: 7], subregion1, 7 are disabled, subregions 0, 2, 3, 4, 5, and 6 are enabled. Table 5 shows the areas of the eight subregions and the Enable/Disable states if the start address is 0x10005400, and the region ranges from 0x10005400 to 0x100055ff (512 bytes).



#### **Protection unit structure**

Table 5 Each subregion area and state

| Subregion   | Area                     | State   |
|-------------|--------------------------|---------|
| Subregion 0 | 0x10005400 to 0x1000543f | Enable  |
| Subregion 1 | 0x10005440 to 0x1000547f | Disable |
| Subregion 2 | 0x10005480 to 0x100054bf | Enable  |
| Subregion 3 | 0x100054c0 to 0x100054ff | Enable  |
| Subregion 4 | 0x10005500 to 0x1000553f | Enable  |
| Subregion 5 | 0x10005540 to 0x1000557f | Enable  |
| Subregion 6 | 0x10005580 to 0x100055bf | Enable  |
| Subregion 7 | 0x100055c0 to 0x100055ff | Disable |

#### 4.2 SMPU structure

Figure 10 shows the SMPU structure.



Figure 10 SMPU structure

The SMPU protection structure sets the property to be allowed and restricted by master access. SMPU protection identifies the following properties:

- Address range
  - ADDR.ADDR24 [31:8]: Specifies the base address of a region
  - ATT.REGION\_SIZE [28:24]: Specifies the size of a region. The region size is in the range of [256 B, 4 GB].
  - ADDR.SUBREGION\_DISABLE [7:0]: Individual disables for eight subregions within the region
- Access attribute
  - ATT.UR: Control for User Read access
  - ATT.UW: Control for User Write access
  - ATT.UX: Control for User Execute access
  - ATT.PR: Control for Privileged Read access
  - ATT.PW: Control for Privileged Write access
  - ATT.PX: Control for Privileged Execute access
  - ATT.NS: Control for Secured access
  - ATT.PC\_MASK\_15\_TO\_1 and PC\_MASK\_0: Control for individual protection contexts
  - The PC\_MASK\_0 field is always '1'. In other words, PC=0 is always allowed.



#### **Protection unit structure**

- ATT.PC\_MATCH: Specifies whether the PC field participates in the "matching" process or the "access evaluation" process. See PC\_MATCH operation for more details.
- Region enable
  - ATT.ENABLED: Region enable

The SUBREGION function of SMPU is the same as that of the MPU.

#### 4.3 PPU structure

Figure 11 shows the PPU structure.



Figure 11 PPU structure

The PPU protection structure sets the property to be allowed and restricted by master access. The PPU can have independent attribute settings for all protection context attributes. PPU protection identifies the following properties:

- Address range
  - ADDR.ADDR30 [31:2]: Specifies the base address of a region
  - SIZE.REGION\_SIZE [28:24]: Specifies the size of a region. The region size is in the range of [4 B, 2 GB].

In the Fixed PPU structure, it has a fixed, constant address region.

- Access attribute
  - ATT.PCx\_UR: Control for PCx User Read access
  - ATT.PCx\_UW: Control for PCx User Write access
  - ATT.PCx\_PR: Control for PCx Privileged Read access
  - ATT.PCx\_PW: Control for PCx Privileged Write access
  - ATT.PCx\_NS: Control for PCx Secure access
- Region enable



#### **Protection unit structure**

- SIZE.VALID: Region enable

Note: In the series, the protection context is supported from 0 to 7. Therefore, only ATT0,1 are present.

## 4.4 Protection pair structure

Registers of protection units are the same registers as other peripherals. Furthermore, the registers of a protection structure can be included in the address range of another protection structure as with peripherals. Therefore, a protection structure can be protected by another protection structure.

The protection structure that protects a protection structure is called the master structure, and the protection structure to be protected by master is called the slave structure. The Slave structure protects peripherals.

The protection structure of a slave and master is referred to as a protection pair. SMPUs and PPUs have protection pairs. Figure 12 shows the protection pair structure.



Figure 12 Protection pair structure

The master structure that protects the slave protection structure has the following features:

- Address range
  - ADDR.ADDR: Read-only; it has a fixed, constant address region.
  - ATT.REGION\_SIZE: Read-only; it has a fixed, constant address region.
  - ADDR.SUBREGION\_DISABLE: Read-only; it has a fixed, constant address region.
- Access attribute
  - ATT.UR: Fixed to '1'; User Read accesses are always allowed
  - ATT.UW: Control for User Write access
  - ATT.UX: Fixed to '0'; User execute accesses are never allowed
  - ATT.PR: Fixed to '1'; Privileged Read accesses are always allowed
  - ATT.PW: Control for Privileged Write access
  - ATT.PX: Fixed to '0'; Privileged Execute accesses are never allowed



#### **Protection unit structure**

- ATT.NS: Control for Secured access

The above is an example of the SMPU master structure.

In the master structure, the protected region is fixed; read access is always allowed, and execution access is not allowed. SMPUs can be enabled or disabled, but PPUs cannot be disabled.



**Configuration example of protection units** 

## 5 Configuration example of protection units

An example of using the protection units is explained according to the following usage assumptions.

Note:

The addresses and peripheral channel numbers shown in this section are those of the XMC7200 series. See the technical reference manual [2] for the actual addresses and peripheral channel numbers.

## 5.1 Configuration example: MPU implemented as part of the CPU

This section explains how to protect the area used by the operating system (OS) from tasks accesses, and shows an example of the configuration of the MPU.

#### **5.1.1** Use case

This section provides configuration examples for the MPU. An MPU distinguishes between User/Privileged, Read/Write, and Execute accesses. Table 6 shows the access restriction for the MPU.

Table 6 Example access restriction for MPU implemented as part of the CPU

| Region                              | Attribute                  |
|-------------------------------------|----------------------------|
| Region 0 (Background address)       | Privileged: Read/Write     |
| Base address: 0x00000000            | User: Read/Write           |
| Size: 4 GB                          | Execution is permitted     |
| Region 1 (Code flash)               | Privileged: Read only      |
| Base address: 0x10000000            | User: Read only            |
| Size: 8 MB                          | Execution is permitted     |
| Region 2 (Work flash)               | Privileged: Read only      |
| Base address: 0x14000000            | User: No access            |
| Size: 256 KB                        | Execution is not permitted |
| Region 3 (SRAM)                     | Privileged: Read/Write     |
| Base address: 0x28000000            | User: Read/Write           |
| Size: 1 MB                          | Execution is permitted     |
| Region 4 (Peripheral registers)     | Privileged: Read/Write     |
| Base address: 0x40000000            | User: Read/Write           |
| Size: 64 MB                         | Execution is not permitted |
| Region 5 (System registers for ARM) | Privileged: Read/Write     |
| Base address: 0xE0000000            | User: Read/Write           |
| Size: 512 MB                        | Execution is not permitted |
| Other regions (Unused)              | -                          |

Region 0 is used as the background region. If no attributes are specified by another region, the background region will be applied.



#### **Configuration example of protection units**

Note that when the MPU Implemented as part of the CPU is enabled, access to unconfigured areas will cause access violations. To prevent unintended access violations, this type of MPU supports overlapping. Therefore, the highest region number has the highest priority, while the lowest region number (Region 0) has the lowest priority. Attributes of a region that overlaps Region 0 have a higher priority than attributes of Region 0. That is, Region 0 can be used as a background region (determination of the attributes of all areas).

See the Arm® documentation sets for CM7, and CM0+ for more MPU details.

Region 1 is read-only for both Privileged and User access. Execution is allowed, but data cannot be written. Region 2 is read-only for Privileged only. You cannot access it. Data cannot be written by both Privileged and User access, and execution is not allowed. Region 3 can be accessed from either Privileged or User, and execution is allowed. Region 4 and 5 can be accessed from either Privileged or User, and execution is not allowed.

## **5.1.2** Setting procedure

This type of MPU is set by CPU-specific registers. The MPU must be disabled when it is set, and it is necessary to set the MPU in the Privileged level. Figure 13 shows an example of how to set an MPU.



Figure 13 Procedure example for setting MPU implemented as part of the CPU



#### **Configuration example of protection units**

The MPU must be disabled when setting it. First, specify the region to be set with the MPU\_RNR register. After setting MPU\_RNR, set the base address, region size, and access attribute with the MPU\_RBAR and MPU\_RASR registers. Repeat this for each region. Also, MPU\_RBAR and MPU\_RASR registers of unused regions are set to '0'. Finally, the MPU is enabled.

It is also possible to specify the region number to set the MPU directly with the MPU\_RBAR register. MPU\_RASR also be used to set the subregion and memory attributes such as Normal memory, Strongly-ordered, and Device.

See the Arm® documentation sets for CM7, and CM0+ for more details.

## 5.2 Configuration of MPU implemented as part of bus infrastructure

This type of MPU is set by the MPU.ADDR and MPU.ATT registers and is used by a test controller. However, normally, this MPU is set with CMO+ as a secure CPU depending on security requirements.

This MPU is set in the boot process.

## 5.3 Configuration example of SMPU

The SMPU provides the memory protection function and is shared by all bus masters. All bus masters have the same restriction for each region.

The SMPU has a protection pair structure with master/slave. Therefore, the setting the Slave structure attribute is restricted by the master structure setting.

## 5.3.1 Usage assumptions

The SMPU distinguishes User/Privileged, Secure/Non-secure, and protection contexts.

Table 7 shows an example of access restriction for an SMPU.

Table 7 Example access restriction for SMPU

| Region                                                | Privileged                              | User                                        | Secure         | Allowed protection context | PC_MATCH             | Resources |
|-------------------------------------------------------|-----------------------------------------|---------------------------------------------|----------------|----------------------------|----------------------|-----------|
| Region 2<br>Base address:<br>0x28019000<br>Size: 4 KB | Read/Write<br>Execution is<br>permitted | Read/Write<br>Execution is not<br>permitted | Non-<br>secure | PC = 6                     | Access<br>evaluation | SRAM      |
| Region 3 Base address: 0x28018000 Size: 4 KB          | Read/Write<br>Execution is<br>permitted | Read/Write<br>Execution is not<br>permitted | Non-<br>secure | PC = 5                     | Access<br>evaluation | SRAM      |

Regions 2 and 3 have access restricted by the protection context.

Region 2 can access with protection context = 6, and Region 3 can access with protection context = 5.



**Configuration example of protection units** 

## **5.3.2** Setting procedure for SMPU

Figure 14 shows an example of the setting procedure.



Figure 14 Procedure example for setting SMPU

The access attribute for setting the slave structure (PROT\_SMPU\_STRUCTx\_ADDR0 and PROT\_SMPU\_STRUCTx\_ATT0) is allowed by the master structure (PROT\_SMPU\_STRUCTx\_ADDR1 and PROT\_SMPU\_STRUCTx\_ATT1).

It is necessary to read back the register for ensuring the completion of register write access when SMPU setting is completed.



**Configuration example of protection units** 

## 5.3.3 Configuration

Table 8 and Table 9 list the parameters and functions of the configuration part in PDL for SMPU configuration.

Table 8 Parameters

| Parameters                              | Description                                           | Value                                                                                                                                                  |
|-----------------------------------------|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| MASTER_ID_OF_THIS_CPU                   | Defines the master for which PROT_SMPU_MSx_CTL is set | CPUSS_MS_ID_CM0 (CM0+)                                                                                                                                 |
| TP_PRIVILEGED                           | Defines the PROT_SMPU_MSx_CTL.P value                 | 1ul (Privileged mode)                                                                                                                                  |
| TP_SECURE                               | Defines the PROT_SMPU_MSx_CTL.NS value                | 0ul (Non-Secure)                                                                                                                                       |
| TP_PROT_CONTEXT                         | Defines the PROT_SMPU_MSx_CTL.PC value                | 6ul                                                                                                                                                    |
| TP_PERMITTED_ADDR                       | Defines the base address of SMPU<br>Region 2          | 0x28019000UL                                                                                                                                           |
| TP_PERMITTED_CONTEXT                    | Defines the PC value that can access Region 2         | 6ul                                                                                                                                                    |
| TP_PROHIBITED_ADDR                      | Defines the base address of SMPU<br>Region 3          | 0x28018000UL                                                                                                                                           |
| TP_PROHIBITED_CONTEXT                   | Defines the PC value that can access Region 3         | 5ul                                                                                                                                                    |
| smpuStruct(2 or 3)Config.address        | Sets Region 2 or 3 base address                       | Region 2: TP_PERMITTED_ADD Region 3: TP_PROHIBITED_ADDR                                                                                                |
| smpuStruct(2 or 3)Config.regionSize     | Sets Region 2 or 3 size                               | CY_PROT_SIZE_4KB (4 KB)                                                                                                                                |
| smpuStruct(2 or 3)Config.subregions     | Sets Region 2 or 3 sub-region setting                 | 0x00ul (Unused)                                                                                                                                        |
| smpuStruct(2 or 3)Config.userPermission | Sets Region 2 or 3 access attribute for user          | CY_PROT_PERM_RW (Execution is not permitted)                                                                                                           |
| smpuStruct(2 or 3)Config.privPermission | Sets Region 2 or 3 access attribute for privileged    | CY_PROT_PERM_RWX (Full access)                                                                                                                         |
| smpuStruct(2 or 3)Config.secure         | Sets Region 2 or 3 access attribute for non-secure    | Oul (Non-secure)                                                                                                                                       |
| smpuStruct(2 or 3)Config.pcMatc         | Sets Region 2 or 3 PC_MATCH setting                   | Oul (Access evaluation)                                                                                                                                |
| smpuStruct(2 or 3)Config.pcMask         | Sets Region 2 or 3 PC_MASK setting                    | Region 2:<br>1ul <<<br>(TP_PERMITTED_CONTEXT - 1)<br>(Protection context = 6 is<br>permitted)<br>Region 3:<br>1ul <<<br>(TP_PROHIBITED_CONTEXT -<br>1) |



## **Configuration example of protection units**

| Parameters             | Description                                                  | Value                                 |
|------------------------|--------------------------------------------------------------|---------------------------------------|
|                        |                                                              | (Protection context = 5 is permitted) |
| PROT_SMPU_SMPU_STRUCT2 | Defines the base address SMPU structure registers (region 2) | 0x40232080ul                          |
| PROT_SMPU_SMPU_STRUCT3 | Defines the base address SMPU structure registers (region 3) | 0x402320C0ul                          |



### **Configuration example of protection units**

Table 9 Functions

| Functions                                                      | Description                                                                                                                                                                                                                                   | Value                                                                                                                                  |
|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------|
| Cy_Prot_ConfigBusMaster(busMaster, privileged, secure, pcMask) | Configures the PROT_SMPU_MS0_CTL register busMaster; indicate setting register number privileged: P field setting value secure: NS field setting value pcMask: Specifies a protection context value that can be set by the associated master. | busMaster; MASTER_ID_OF_THIS_CPU privileged: TP_PRIVILEGED secure: TP_SECURE pcMask: 1 << (TP_PROT_CONTEXT-1) (Protection context = 6) |
| Cy_Prot_DisableSmpuSlaveStruct(*base)                          | SMPU region disable *base: Base address of the SMPU structure                                                                                                                                                                                 | *base: PROT_SMPU_SMPU_STRUCT2 or PROT_SMPU_SMPU_STRUCT3                                                                                |
| Cy_Prot_EnableSmpuSlaveStruct(*base)                           | SMPU region enable *base: Base address of the SMPU structure                                                                                                                                                                                  | *base: PROT_SMPU_SMPU_STRUCT2 or PROT_SMPU_SMPU_STRUCT3                                                                                |
| <pre>Cy_Prot_ConfigSmpuSlaveStruct(*base, config)</pre>        | Configures the SMPU structure *base: Base address of the SMPU structure Config: Configuration data                                                                                                                                            | *base: PROT_SMPU_SMPU_STRUCT2 or PROT_SMPU_SMPU_STRUCT3 Config: smpuStruct(2 or 3)Config                                               |

Code Listing 1 shows an example of SMPU configuration.



#### **Configuration example of protection units**

```
/* privileged */
#define TP PRIVIREGED
                              (1)
#define TP SECURE
                              (0)
                                              /* non secure */
                                              /* enable context 6 */
                              (6)
#define TP PROT CONTEXT
/* This area is going to be prohibited accessing from a master who has
TP PROHIBITED CONTEXT as context */
#define TP PROHIBITED ADDR
                            (0x28018000UL)
#define TP PROHIBITED CONTEXT (5)
/* This area is going to be permitted accessing from a master who has
TP PERMITTED CONTEXT as context */
#define TP PERMITTED ADDR
                            (0x28019000UL)
#define TP PERMITTED CONTEXT (TP PROT_CONTEXT)
const cy stc smpu cfg t smpuStruct2Config =
                  = (uint32 t*)(TP PERMITTED ADDR),
    .address
                                                              // 4KB:
    .regionSize
                  = CY PROT SIZE 4KB,
0x1000 Byte
                = 0 \times 00,
   .subregions
   .userPermission = CY_PROT_PERM_RWX,
   .privPermission = CY PROT PERM RWX,
   .secure
                  = 0,
                                                              // Non secure
    .pcMatch
                   = 0,
    .pcMask
                  = 1 << (TP_PERMITTED_CONTEXT - 1), // enable
context "TP PERMITTED CONTEXT"
};
const cy stc smpu cfg t smpuStruct3Config =
                  = (uint32 t*) (TP PROHIBITED ADDR),
    .address
                  = CY PROT SIZE 4KB,
                                                               // 4KB:
    .regionSize
0x1000 Byte
   .subregions
                = 0x00,
    .userPermission = CY PROT PERM RWX,
    .privPermission = CY_PROT_PERM_RWX,
                                                               // Non
    .secure
                  = 0,
secure
```



#### **Configuration example of protection units**

```
= 0,
    .pcMatch
                    = 1 << (TP_PROHIBITED_CONTEXT - 1),
                                                               // enable
    .pcMask
context "TP PERMITTED CONTEXT"
};
int main(void)
    /* Variable to capture return value of functions */
      cy rslt t result = CY RSLT SUCCESS;
      cy en prot status t status;
    /* Initialize the device and board peripherals */
   result = cybsp init();
    /* Board init failed. Stop program execution */
    if (result != CY RSLT SUCCESS)
        CY ASSERT (0);
    /* Enable global interrupts */
    enable irq();
    /* Initialize retarget-io to use the debug UART port */
    result = cy retarget io init(CYBSP DEBUG UART TX, CYBSP DEBUG UART RX,
                                 CY RETARGET IO BAUDRATE);
    /* retarget-io init failed. Stop program execution */
    if (result != CY RSLT SUCCESS)
    {
        CY ASSERT(0);
    }
    /* Print message */
    /* \x1b[2J\x1b[;H - ANSI ESC sequence for clear screen */
    printf("\x1b[2J\x1b[;H");
```



#### **Configuration example of protection units**

```
printf("----
\r\n");
   printf("XMC7000 MCU: Protection Unit - Shared Memory Protection
(SMPU) \r\n");
   printf("-----
\r\n\n");
#if (CY CPU CORTEX MOP)
   printf("[CMOP] Prot Application Main...\r\n");
#else
   /* Disables, cleans and invalidates data cache to avoid write allocate.
* /
   SCB DisableDCache();
   printf("[CM7] Prot Application Main...\r\n");
#endif /* (CY CPU CORTEX MOP) */
   /*********
   /* 1. Setting for MSx CTL */
   /**********
   /* 1.1 Setting for MSx CTL (for this CPU) to allow the PC value to
become "TP PROT CONTEXT" */
   printf("-----
\r\n");
   printf("Setting for MSx CTL (for this CPU) to allow the PC value to
become TP PROT CONTEXT \r\n");
   status = Cy Prot ConfigBusMaster (MASTER ID OF THIS CPU, TP PRIVIREGED,
TP SECURE, 1 << (TP PROT CONTEXT-1));
   CY ASSERT(status == CY PROT SUCCESS);
   /********/
   /* 2. Setting for MPU PC */
   /*********
   /* 2.1 Setting for MPU so that this CPU's PC value becomes
"TP PROT CONTEXT" */
   printf("Setting for MPU so that this CPU's PC value becomes
TP PROT CONTEXT \r\n");
   status = Cy_Prot SetActivePC(MASTER ID OF THIS CPU, TP_PROT_CONTEXT);
   CY ASSERT (status == CY PROT SUCCESS);
```



#### **Configuration example of protection units**

```
/*********
   /* 3. Setting for SMPU_STRUCT 2 */
   /**********
   printf("Setting for SMPU STRUCT 2, memory address: 0x%lx \r\n",
TP PERMITTED ADDR);
   /* 3.1 Disable SMPU STRUCT 2 */
   status = Cy Prot DisableSmpuSlaveStruct(PROT SMPU SMPU STRUCT2);
   CY ASSERT (status == CY PROT SUCCESS);
   /* 3.2 Setting SMPU STRUCT 2 for PERMITTED area */
   status = Cy Prot ConfigSmpuSlaveStruct(PROT SMPU SMPU STRUCT2,
&smpuStruct2Config);
   CY ASSERT(status == CY PROT SUCCESS);
   /* 3.3 Enable SMPU STRUCT 2 */
   status = Cy Prot EnableSmpuSlaveStruct(PROT SMPU SMPU STRUCT2);
   CY ASSERT (status == CY PROT SUCCESS);
   /**********
   /* 4. Setting for SMPU STRUCT 3 */
   /**********
   printf("Setting for SMPU STRUCT 3, memory address: 0x%lx \r\n",
TP PROHIBITED ADDR);
   /* 4.1 Disable SMPU STRUCT 3 */
   status = Cy Prot DisableSmpuSlaveStruct(PROT SMPU SMPU STRUCT3);
   CY ASSERT (status == CY PROT SUCCESS);
   /* 4.2 Setting SMPU STRUCT 3 for PROHIBITED area */
   status = Cy Prot ConfigSmpuSlaveStruct(PROT SMPU SMPU STRUCT3,
&smpuStruct3Config);
   CY ASSERT(status == CY PROT SUCCESS);
   /* 4.3 Enable SMPU STRUCT 3 */
   status = Cy Prot EnableSmpuSlaveStruct(PROT SMPU SMPU STRUCT3);
   CY ASSERT(status == CY PROT SUCCESS);
   /**********/
```



#### **Configuration example of protection units**

```
Memory access test1
   /**********
   /* 5.1 This area can be accessed by this master */
   printf("\r\n");
   printf("-----
\r\n");
   printf ("This area 0x%lx can be accessed by this master \n',",
TP PERMITTED ADDR);
   printf("Writing 0xA5A5A5A5 to Permitted address 0x%lx \r\n",
TP PERMITTED ADDR);
   *(uint32 t*)(TP PERMITTED ADDR) = 0xA5A5A5A5; /* write dummy data */
   //*(volatile uint32 t*)(TP PERMITTED ADDR); /* dummy read */
   printf("Reading 0x%lx from address 0x%lx \r\n", *(volatile
uint32 t*)(TP PERMITTED ADDR), TP PERMITTED ADDR);
   /**********
          Memory access test2
   /**********
   /* 6.1 This area can NOT be accessed by this master */
   /* These accessing are expected to cause HardFault */
   printf("-----
\r\n");
   printf ("This area 0x%lx can NOT be accessed by this master \r\n",
TP PROHIBITED ADDR);
   printf("Writing 0xA5A5A5A5 to Prohibited address 0x%lx \r\n",
TP PROHIBITED ADDR);
   printf ("write dummy data <- will be get HardFault here \r\n");
   *(uint32 t*)(TP PROHIBITED ADDR) = 0xA5A5A5A5; /* write dummy data <-
will be get HardFault here. */
   //*(volatile uint32 t*)(TP PROHIBITED ADDR);
                                             /* dummy read */
   printf("Reading 0x%lx from address 0x%lx \r\n", *(volatile
uint32 t*)(TP PROHIBITED ADDR), TP PROHIBITED ADDR);
   for (;;)
   {
      Cy_SysLib Delay(1000);
   }
}
```



#### **Configuration example of protection units**

#### Code Listing 1 Example of SMPU configuration

#### Code Listing 2 Cy\_Prot\_ConfigBusMaster() function

```
cy en prot status t Cy Prot ConfigBusMaster (en prot master t busMaster,
bool privileged, bool secure, uint32 t pcMask)
{
   cy en prot status t status = CY PROT SUCCESS;
   uint32 t regVal;
   volatile uint32 t *addrMsCtl; /* addrMsCtl is pointer to a register
that is volatile by
                                   * nature as can be changed outside of
firmware control.
                                   */
   CY_ASSERT_L1(CY_PROT_IS_BUS_MASTER_VALID(busMaster));
    CY ASSERT L2(CY PROT IS PC MASK VALID(pcMask));
    /* Get the address of Master x protection context control register
(MSx CTL) */
    addrMsCtl = (uint32_t *)(CY_PROT_BASE + (uint32_t)((uint32_t)busMaster
<< CY PROT MSX CTL SHIFT));
    /* Get bitfields for MSx CTL */
    regVal = VAL2FLD(PROT SMPU MS0 CTL NS, !secure) /* Security setting
            | VAL2FLD(PROT_SMPU_MS0_CTL_P, privileged) /* Privileged
setting */
            | VAL2FLD(PROT SMPU MS0 CTL PC MASK 15 TO 1, pcMask); /*
Protection context mask */
```



#### **Configuration example of protection units**

#### Code Listing 2 Cy\_Prot\_ConfigBusMaster() function

```
/* Set the value of MSx CTL */
    *addrMsCtl = regVal;
    /* Check if the MSx CTL register is successfully updated with the new
register value.
     * The register will not be updated for the invalid master-protection
context.
    * /
   status = (*addrMsCtl != regVal) ? CY PROT FAILURE : CY PROT SUCCESS;
   return status;
```

Note:

(\*) This process This process specifies the value of the protection context that can be set by the corresponding master. In secure system, it is run by secure muster. See "Protection Properties of Bus Transfer" for more details.

#### Code Listing 3 Cy\_Prot\_DisableSmpuSlaveStruct() function

```
cy en prot status t
Cy Prot DisableSmpuSlaveStruct(PROT SMPU SMPU STRUCT Type* base)
   cy en prot status t status;
    CY ASSERT L1 (NULL != base);
    PROT SMPU SMPU STRUCT ATTO(base) &=
~_VAL2FLD(PROT_SMPU_SMPU_STRUCT_ATTO_ENABLED, CY_PROT_STRUCT_ENABLE);
    status = ( FLD2VAL(PROT SMPU SMPU STRUCT ATTO ENABLED,
PROT SMPU SMPU STRUCT ATTO(base)) == CY PROT STRUCT ENABLE) ?
                CY PROT FAILURE : CY PROT SUCCESS;
    return status;
```



#### **Configuration example of protection units**

#### Code Listing 4 Cy\_Prot\_ConfigSmpuSlaveStruct() function

```
cy en prot status t
Cy Prot ConfigSmpuSlaveStruct(PROT SMPU SMPU STRUCT Type* base, const
cy stc smpu cfg t* config)
    cy en prot status t status = CY PROT SUCCESS;
    uint32 t addrReg;
    uint32 t attReg;
    CY ASSERT L1 (NULL != base);
    CY ASSERT L2(CY PROT IS PC MASK VALID(config->pcMask));
    CY ASSERT L3(CY PROT IS SMPU SL PERM VALID(config->userPermission));
    CY ASSERT L3(CY PROT IS SMPU SL PERM VALID(config->privPermission));
    CY ASSERT L3(CY PROT IS REGION SIZE VALID(config->regionSize));
    if(((uint32 t)config->pcMask & CY PROT SMPU PC LIMIT MASK) != OUL)
        /* PC mask out of range - not supported in device */
        status = CY PROT BAD PARAM;
    else
        addrReg= VAL2FLD(PROT SMPU SMPU STRUCT ADDR0 SUBREGION DISABLE,
config->subregions)
                    | VAL2FLD(PROT SMPU SMPU STRUCT ADDR0 ADDR24,
(uint32 t)((uint32 t)config->address >> CY PROT ADDR SHIFT));
        attReg= ((uint32 t)config->userPermission &
CY PROT ATT PERMISSION MASK)
                    (uint32 t)(((uint32 t)config->privPermission &
CY PROT ATT PERMISSION MASK) << CY PROT ATT PRIV PERMISSION SHIFT)
                    | VAL2FLD(PROT SMPU SMPU STRUCT ATTO NS, !(config-
>secure))
                    VAL2FLD(PROT SMPU SMPU STRUCT ATTO PC MASK 15 TO 1,
config->pcMask)
                    VAL2FLD(PROT SMPU SMPU STRUCT ATTO REGION SIZE,
config->regionSize)
                    | VAL2FLD(PROT SMPU SMPU STRUCT ATTO PC MATCH,
config->pcMatch);
        PROT SMPU SMPU STRUCT ATTO(base) = attReg;
        PROT SMPU SMPU STRUCT ADDR0(base) = addrReg;
```



#### **Configuration example of protection units**

#### Code Listing 4 Cy\_Prot\_ConfigSmpuSlaveStruct() function

#### Code Listing 5 Cy\_Prot\_EnableSmpuSlaveStruct() function



**Configuration example of protection units** 

## 5.4 Configuration example of PPU

The PPU provides the peripheral protection function and is shared by all bus masters.

Generally, the peripheral register address is fixed. Therefore, there are two types of PPUs: Fixed PPU with fixed protected address range, and Programmable PPU with programmable protected address range. Typically, the protection base address and size of the programmable PPU are set by CMO+ with the Protection Context 0 in the boot process.

This section explains how to configure a fixed PPU. A fixed PPU is the same as a programmable PPU except that the protected address area is fixed.

A PPU has also protection pair structure with master/slave settings. Therefore, the setting attribute of slave structure is restricted by the master structure setting.

## 5.4.1 Usage assumptions

The PPU distinguishes User/Privileged, Secure/Non-Secure, and Protection Context. Fixed PPU configuration is described according to the following use cases.

- Used fixed PPU 228 (GPIO\_ENH Port #0)
- Protection context = 5: Privileged and User are not allowed to access to GPIO Port#0.
- Protection context = 6: Privileged and User are allowed to access to GPIO Port#0.

Table 10 shows an example of access restriction for this fixed PPU.

Table 10 Example access restriction for PPU

| Setting PPU | <b>Protection context</b> | Privileged | User       | Secure     |
|-------------|---------------------------|------------|------------|------------|
| PPU_FX228   | PC = 5                    | No Access  | No Access  | Non-Secure |
|             | PC = 6                    | Read/Write | Read/Write |            |

PPU\_FX0 is allowed only CM0+-privileged access. In addition, accesses need the secured attribute. The application software of CM7 is not allowed access this area.

PPU\_FX1 is allowed only CM7 access. It is an area dedicated to the application software.

PPU\_FX2 is an area where only CM0+ can access. CM7 is allowed read-only access with privileged access.

PPU\_FX3 is an area where both CM0+ and CM7 can access with privileged access.

Note: See the datasheet [1] for actual addresses and peripheral channel numbers of target product.



**Configuration example of protection units** 

## 5.4.2 Setting procedure for PPU

Figure 15 shows an example of the setting procedure.



Figure 15 Setting procedure for example of the PPU

The access attribute for the slave structure (PROT\_PPU\_FXx\_SL\_ATT0) setting is allowed by the master structure (PROT\_PPU\_FXx\_MS\_ATT0).

It is necessary to read back the register for ensuring the completion of register write access when SMPU setting is completed.

## **5.4.3** Configuration

Table 11 and Table 12 list the parameters and functions of the configuration part in PDL for fixed PPU configuration.

Table 11 Parameters

| Parameters                   | Description                                                    | Value                                                        |
|------------------------------|----------------------------------------------------------------|--------------------------------------------------------------|
| MASTER_ID_OF_THIS_CPU        | Defines the master for which PROT_SMPU_MSx_CTL is set.         | CPUSS_MS_ID_CM0 (CM0+)                                       |
| PERI_MS_PPU_FX_GPIO_PRT0_PRT | Defines the configure fixed PPU register address of target     | (volatile<br>stc_PERI_MS_PPU_FX_t*)<br>&PERI_MS->PPU_FX[228] |
|                              |                                                                | (Shows the base address of Fixed PPU 228)                    |
| TP_PRIVILEGED                | Defines the PROT_SMPU_MSx_CTL.P value                          | 1ul (Privileged mode)                                        |
| TP_SECURE                    | Defines the PROT_SMPU_MSx_CTL.NS value                         | Oul (Non-Secure)                                             |
| TP_PERMITTED_PC              | Defines the protection context for permitted access            | CY_PROT_PC6 (6ul)                                            |
| TP_PROHIBITED_PC             | Defines the protection context for not permitted access        | CY_PROT_PC5 (5ul)                                            |
| TP_PERMITTED_PC_MASK         | Defines the PROT_SMPU_MSx_CTL.PC_MASK value for the bus master | 1ul << (TP_PERMITTED_PC-<br>1ul)                             |



### **Configuration example of protection units**

| Parameters                             | Description                                                              | Value                             |
|----------------------------------------|--------------------------------------------------------------------------|-----------------------------------|
| TP_PROHIBITED_PC_MASK                  | Defines the PROT_SMPU_MSx_CTL.PC_MASK value for bus master               | 1ul <<<br>(TP_PROHIBITED_PC-1ul)  |
| ppuFixedAttr_AllEnable.userPermission  | Sets the user access attribute for the target PC of Fixed PPU            | CY_PROT_PERM_RWX (Full access)    |
| ppuFixedAttr_AllEnable.privPermission  | Sets the privileged access attribute for target PC of Fixed PPU          | CY_PROT_PERM_RWX (Full access)    |
| ppuFixedAttr_AllEnable.secure          | Sets the non-secured access attribute for the target PC of the fixed PPU | TP_SECURE (Non-Secure)            |
| ppuFixedAttr_AllDisable.userPermission | Sets the User access attribute for the target PC of the fixed PPU        | CY_PROT_PERM_DISABLED (No Access) |
| ppuFixedAttr_AllDisable.privPermission | Sets the Privileged access attribute for the target PC of the fixed PPU  | CY_PROT_PERM_DISABLED (No Access) |
| ppuFixedAttr_AllDisable.secure         | Sets the non-secured access attribute for the target PC of the fixed PPU | TP_SECURE (Non-Secure)            |

#### Table 12 Functions

| Functions                                                           | Description                                                                                                                          | Value                                                                                                                                       |
|---------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
| <pre>Cy_Prot_ConfigPpuFixedSlave Struct(*base, setPC, config)</pre> | Configures the Fixed PPU register *base; Base address of the fixed PPU structure setPC: Indicate setting PC config: Access attribute | *base: PERI_MS_PPU_FX_GPIO_PRT0_PR T setPC: TP_PERMITTED_PC or TP_PROHIBITED_PC config: &ppuFixedAttr_AllEnable or &ppuFixedAttr_AllDisable |

Code Listing 6 shows an example of the fixed PPU configuration.



#### **Configuration example of protection units**

```
#define MASTER ID TO BE CHECKED CPUSS MS ID CM7 0
#endif /* (CY CPU CORTEX MOP) */
#define TP PRIVIREGED
                                             /* privileged */
                       (1)
#define TP SECURE
                             (0)
                                              /* non secure */
#define TP PERMITTED PC
                           (CY PROT PC6) /* context 6 */
                                             /* context 5 */
#define TP PROHIBITED PC (CY PROT PC5)
#define TP PERMITTED PC MASK (CY PROT PCMASK6) //(1 << (TP PERMITTED PC-
#define TP PROHIBITED PC MASK (CY PROT PCMASK5) //(1 << (TP PROHIBITED PC-
1u))
int main(void)
   /* Variable to capture return value of functions */
      cy rslt t result = CY RSLT SUCCESS;
      cy en prot status t status;
   /* Initialize the device and board peripherals */
   result = cybsp init();
   /* Board init failed. Stop program execution */
   if (result != CY RSLT SUCCESS)
    {
       CY ASSERT(0);
   /* Enable global interrupts */
    enable irq();
   /* Initialize retarget-io to use the debug UART port */
   result = cy_retarget io init(CYBSP DEBUG UART TX, CYBSP DEBUG UART RX,
                                CY RETARGET IO BAUDRATE);
   /* retarget-io init failed. Stop program execution */
   if (result != CY RSLT SUCCESS)
    {
```



#### **Configuration example of protection units**

```
CY ASSERT (0);
   }
   /* Print message */
   /* \x1b[2J\x1b[;H - ANSI ESC sequence for clear screen */
   printf("x1b[2J\\x1b[;H");
   printf("-----
\r\n");
   printf("XMC7000 MCU: Protection Unit - Peripheral Protection
(PPU) \r\n");
   printf("-----
\r\n\n");
#if (CY CPU CORTEX MOP)
   printf("[CMOP] Prot Application Main...\r\n");
#else
   /* Disables, cleans and invalidates data cache to avoid write allocate.
   SCB DisableDCache();
   printf("[CM7] Prot Application Main...\r\n");
#endif /* (CY CPU CORTEX MOP) */
   /***************/
   /* 1. Setting for GPIO 0 Register attribute */
   /***************
   printf("Configure PC5 denied to access GPIO PO \r\n");
   /\star 1 1. Set permissions so that master whose PC is 5 can not access
   status = Cy Prot ConfigPpuFixedSlaveAtt(PERI MS PPU FX GPIO PRT0 PRT,
TP PROHIBITED PC MASK, CY PROT PERM DISABLED, CY PROT PERM DISABLED,
TP SECURE);
   CY ASSERT(status == CY PROT SUCCESS);
   printf("Configure PC6 allowed to access GPIO PO \r\n");
   /* 1 2. Set permissions so that master whose PC is 6 can access GPIO 0
* /
   status = Cy Prot ConfigPpuFixedSlaveAtt(PERI MS PPU FX GPIO PRT0 PRT,
TP PERMITTED PC MASK, CY PROT PERM RW, CY PROT PERM RW, TP SECURE);
   CY ASSERT(status == CY PROT SUCCESS);
```



#### **Configuration example of protection units**

```
/*********************************
   /* 2. Setting for MPUx (MPU for this Master) */
   /***************
   printf("Setting for MSx CTL to allow the PC value to become PC6 or PC5
\r\n");
   /* 2 1. Setting for MSx CTL to allow the PC value to become
"TP PERMITTED PC" or "TP PROHIBITED PC" */
   status = Cy Prot ConfigBusMaster(MASTER ID TO BE CHECKED,
TP PRIVIREGED, TP SECURE, TP PERMITTED PC MASK|TP PROHIBITED PC MASK);
   CY ASSERT(status == CY PROT SUCCESS);
   /***********
   /* 3. Access with PC permitted */
   /***********
   printf("Setting Permitted PC %d to bus master %d \r\n",
TP PERMITTED PC, MASTER ID TO BE CHECKED);
   /* 3 1. Setting for MPU so that this CPU's PC value becomes
"TP PERMITTED PC" */
   status = Cy Prot SetActivePC (MASTER ID TO BE CHECKED, TP PERMITTED PC);
   CY ASSERT(status == CY PROT SUCCESS);
   /* 3 2. Read from GPIO 0 register */
   printf ("Reading GPIO PO OUT register 0x%lx \r\n", GPIO PRTO->OUT);
   /**********/
   /* 4. Access with PC prohibited */
   /*********/
   printf("Setting Prohibited PC %d to bus master %d \r\n",
TP PROHIBITED PC, MASTER ID TO BE CHECKED);
   /st 4 1. Setting for MPU so that this CPU's PC value becomes
"TP PROHIBITED PC" */
   status = Cy Prot SetActivePC (MASTER ID TO BE CHECKED,
TP PROHIBITED PC);
   CY ASSERT(status == CY PROT SUCCESS);
   /* 4 2. Read from GPIO 0 register (this will cause hardfault) */
   printf ("Read from GPIO 0 register (this will cause hardfault) \r\n");
   printf ("Reading GPIO PO OUT register 0x%lx \r\n", GPIO PRTO->OUT);
```



#### **Configuration example of protection units**

### Code Listing 6 **Example of fixed PPU configuration**

```
for (;;)
{
        Cy_SysLib_Delay(1000);
}
```

### Code Listing 7 Cy\_Prot\_ConfigPpuFixedSlaveStruct() function



Glossary

# 6 Glossary

| Terms        | Description                                                                                                                                     |  |
|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------|--|
| MPU          | Memory Protection Unit                                                                                                                          |  |
| SMPU         | Shared Memory Protection Unit                                                                                                                   |  |
| PPU          | Peripheral Protection Unit                                                                                                                      |  |
| PCs          | Protection Contexts. See the "Protection Context" section in the Direct Memory Access chapter of the architecture reference manual for details. |  |
| DMB          | Data memory barrier. It is instruction in the Thumb instruction set.                                                                            |  |
| DSB          | Data Synchronization Barrier. It is instruction in the Thumb instruction set.                                                                   |  |
| ISB          | Instruction Synchronization Barrier. It is instruction in the Thumb instruction set.                                                            |  |
| P-DMA (DW)   | Peripheral DMA. See the Direct Memory Access chapter of the architecture reference manual for details.                                          |  |
| M-DMA (DMAC) | Memory DMA. See the Direct Memory Access chapter of the architecture reference manual for details.                                              |  |
| CRYPTO       | Cryptography Component. See the Cryptography Block chapter of the architecture reference manual for details.                                    |  |



#### References

#### References

The following are the XMC7000 datasheets, technical reference manuals, and application notes. Contact Technical Support to obtain XMC7000 family reference documents and PDL.

#### [1] Device datasheet

- XMC7100 series 32-bit Arm® Cortex®-M7 microcontroller datasheet
- XMC7200 series 32-bit Arm® Cortex®-M7 microcontroller datasheet

#### [2] Reference manuals

- XMC7000 MCU family architecture reference manual
- XMC7100 register reference manual
- XMC7200 register reference manual

#### [3] Application notes

- AN234802 Secure system configuration in XMC7000 family
- AN234334 Getting started with XMC7000 MCU on ModusToolbox™
- AN234254 Multi-core handling guide in XMC7000
- AN234196 Using the CRYPTO module in XMC7000 family



## **Revision history**

# **Revision history**

| Document revision | Date       | Description of changes                                          |
|-------------------|------------|-----------------------------------------------------------------|
| **                | 2022-01-25 | Initial release                                                 |
| *A                | 2022-04-28 | Updated code snippets to follow the PDL (3.0) version           |
|                   |            | Changed m4cpuss to m7cpuss in Figure 1                          |
|                   |            | Updated XMC7100 and added XMC7200 bus master ID in Table 4      |
|                   |            | Updated SRAM address from 0x08000000 to 0x28000000              |
| *B 2024-03-:      | 2024-03-19 | Updated references documents                                    |
|                   |            | Added description in 3.1 Protection properties of bus transfer. |
|                   |            | Added Note in 3.5.2 PC_MATCH operation.                         |
|                   |            | Updated example code                                            |

#### **Trademarks**

All referenced product or service names and trademarks are the property of their respective owners.

Edition 2024-03-19 Published by

Infineon Technologies AG 81726 Munich, Germany

© 2024 Infineon Technologies AG. All Rights Reserved.

Do you have a question about this document?

Email: erratum@infineon.com

Document reference 002-34279 Rev.\*B

#### Important notice

The information contained in this application note is given as a hint for the implementation of the product only and shall in no event be regarded as a description or warranty of a certain functionality, condition or quality of the product. Before implementation of the product, the recipient of this application note must verify any function and other technical information given herein in the real application. Infineon Technologies hereby disclaims any and all warranties and liabilities of any kind (including without limitation warranties of non-infringement of intellectual property rights of any third party) with respect to any and all information given in this application note.

The data contained in this document is exclusively intended for technically trained staff. It is the responsibility of customer's technical departments to evaluate the suitability of the product for the intended application and the completeness of the product information given in this document with respect to such application.

#### Narnings

Due to technical requirements products may contain dangerous substances. For information on the types in question please contact your nearest Infineon Technologies office.

Except as otherwise explicitly approved by Infineon Technologies in a written document signed by authorized representatives of Infineon Technologies, Infineon Technologies' products may not be used in any applications where a failure of the product or any consequences of the use thereof can reasonably be expected to result in personal injury.