# Customer Training Workshop Traveo™ II Protection Units







#### **Target Products**

#### Target product list for this training material

| Family Category                             | Series     | Code Flash Memory Size |
|---------------------------------------------|------------|------------------------|
| Traveo™ II Automotive Body Controller Entry | CYT2B6     | Up to 576KB            |
| Traveo II Automotive Body Controller Entry  | CYT2B7     | Up to 1088KB           |
| Traveo II Automotive Body Controller Entry  | CYT2B9     | Up to 2112KB           |
| Traveo II Automotive Body Controller Entry  | CYT2BL     | Up to 4160KB           |
| Traveo II Automotive Body Controller High   | CYT3BB/4BB | Up to 4160KB           |
| Traveo II Automotive Body Controller High   | CYT4BF     | Up to 8384KB           |
| Traveo II Automotive Cluster                | CYT3DL     | Up to 4160KB           |
| Traveo II Automotive Cluster                | CYT4DN     | Up to 6336KB           |



### Introduction to Traveo II Body Controller Entry





**Hint Bar** 

### Introduction to Traveo II Body Controller High

Protection units (MPU/SMPU/PPU) are in CPUSS and peripheral interconnect





### Introduction to Traveo II Cluster





| Overview                                                                     | Hint Bar                                     |  |  |  |  |  |
|------------------------------------------------------------------------------|----------------------------------------------|--|--|--|--|--|
| <ul> <li>Allows/restricts bus transfers on the bus infrastructure</li> </ul> | Review TRM chapter 6 and<br>Register TRM for |  |  |  |  |  |
| <ul> <li>Includes four protection units (MPU/SMPU/PPU/SWPU)</li> </ul>       | additional details                           |  |  |  |  |  |
| Features                                                                     | Training section                             |  |  |  |  |  |
| <ul> <li>Supports various access attributes</li> </ul>                       | references:<br>CPUSS                         |  |  |  |  |  |
| <ul> <li>Address range (Start Address and Region Size)</li> </ul>            |                                              |  |  |  |  |  |
| - Read/Write                                                                 |                                              |  |  |  |  |  |
| <ul> <li>Execute (Code or Data)</li> </ul>                                   |                                              |  |  |  |  |  |
| <ul> <li>Privileged/Unprivileged</li> </ul>                                  |                                              |  |  |  |  |  |
| – Secure/Non-secure                                                          |                                              |  |  |  |  |  |
| <ul> <li>Protection context (PC)</li> </ul>                                  |                                              |  |  |  |  |  |
| <ul> <li>Protects protection structures</li> </ul>                           |                                              |  |  |  |  |  |
| <ul> <li>Captures protection violations in fault report structure</li> </ul> |                                              |  |  |  |  |  |
|                                                                              |                                              |  |  |  |  |  |

>

>

#### Copyright © Infineon Technologies AG 2020. All rights reserved.

#### Protection Context (PC) is an access attribute of the protection units >

- The PC prevents erroneous writing from the access with an unintended > PC to memory and peripheral
- The PC helps to apply different protection attributes without changing the SMPU, PPU, and SWPU settings
  - Traveo II supports eight PCs \_

Protection Context

- Used as the PC attribute for bus transfers
- Access to memory and peripheral is allowed or restricted by SMPU, PPU and -SWPU
- Changed by reprogramming the PC field in MSx\_CTL
- PC0 and PC1 are hardware-controlled and not available to the user; PC2 to PC7 are available



#### Hint Bar

**Review TRM chapter 6 and** 

the Register TRM for

additional details

### **Protection Context Programming and Restrictions**



#### > PC Programming

- Main CPU<sup>1</sup>, secondary CPU<sup>2</sup>, and test controller bus master have a PC field<sup>3</sup>
- A PC attribute is changed by reprogramming the PC field
- The PC is used as the access attribute for all bus transfers by the master
- The SMPUs, PPUs, and SWPUs allow/restrict bus transfers based on the PC attribute
- > PC Programming Restrictions
  - Changes to the PC can be restricted by the PC\_MASK<sup>4</sup> field
  - Controlled by secure CPU (CM0+)





<sup>1</sup> The main CPU refers to CM4 or CM7 CPU in the MCU. <sup>2</sup> The secondary CPU refers to CM0+ CPU in the MCU. <sup>3</sup> The PC field is located in the MPU\_MSx\_CTL register. <sup>4</sup> PC\_MASK field is located in the SMPU\_MSx\_CTL register. PC\_MASK\_0 is always '0' and cannot set any master. <sup>5</sup> PCs 4 and 6 are configurable; other PCs are nonconfigurable. **Hint Bar** 

Review TRM section 6.3 and the Register TRM for additional details



#### **Protection Context**

#### Software separation between ASIL<sup>1</sup> and QM<sup>2</sup>



<sup>1</sup> ASIL: Automotive Safety Integrity Level. This software function has safety requirements. <sup>2</sup> QM: Quality Management. This software function does not have safety requirements.

#### **Protection Context**



- > Software separation between ASIL and QM
- Assign PC[4] to ASIL software



#### **Protection Context**



- > Software separation between ASIL and QM
- > Assign PC[4] to ASIL software
- > Restrict memory access between PCs with SMPU





#### **Protection Context**

#### > Software separation between ASIL and QM



#### **Protection Context**



- > Software separation between ASIL and QM
- > Assign PC[5] to QM software



#### **Protection Context**



- > Software separation between ASIL and QM
- > Assign PC[5] to QM software
- Restrict memory access between PCs with SMPU





### Block Diagram of Protection Unit





### Memory Protection Unit Block Diagram

m4cpuss MPU **Hint Bar** M-DMA P-DMA1 CM4 CPU CM0+ CPL Test Crypto P-DMA0 Controller Provides memory protection Arm provides additional Associated with a single master supporting material on fast infra slow infra their webpage at: Each CPU can independently give http://infocenter.arm.com SMPU SMPU SMPU SMPU SMPU SMPU SMPU different roles **Review TRM chapter 6** P-DMA, M-DMA, and Crypto inherit and Register TRM for Peripheral Block additional details the attribute of programmed transfer Master Master Master Master Interface Interface Interface Interface Up to sixteen regions **Training section** PPU PPU PPU PPU references: Two types of MPU: CPUSS Peripheral Peripheral Arm Cortex-M4/7 Group 0 Group 15 CYT2 series CM4: 8 regions and Cortex-M0+ CPU Bus infrastructure<sup>1</sup> for the test controller<sup>2</sup> CYT3/4 series CM7: 16 regions Access restriction: Address range, Read/Write, Execute, and Privileged/Unprivileged The region is equally divided into eight subregions <sup>1</sup> The definition of MPU aspect of bus infrastructure follows the Arm MPU definition. <sup>2</sup> The test controller is connected to the external debugger.



- > Use Case 1
  - Software (func1) of both CPUs accesses to memory with privileged write





- > Use Case 1
  - Software (func1) of Main CPU\_0 is allowed access to Region 0 and Region 1
  - Software (func1) of Main CPU\_1 or secondary CPU is allowed access to Region 0 and Region 2





- > Use Case 2
  - Software (func2) of both CPUs accesses to memory with unprivileged read





- > Use Case 2
  - Software (func2) of Main CPU\_0 is allowed access to Region 1
  - Software (func2) of Main CPU\_1 or secondary CPU is allowed access to all regions





Hint Bar

### P-DMA/M-DMA/Crypto Access Attribute

 Inherit the access control attributes of the programmed bus transfer for these bus transfer attributes





### Shared Memory Protection Unit Block Diagram

> SMPU

- Provides memory protection
- Shared by all bus masters
- Includes 16 regions
- Access restriction to:
  - Address range
  - Read/Write
  - Execute
  - Privileged/Unprivileged
  - Secure/Non-secure
  - Protection Context
- The region is equally divided into eight subregions
- Protection pair: slave and master protection structures





- > Use Case 1
  - Main CPU\_0 software accesses to memory with privileged write, non-secure, and PC[5]



#### 002-22193 \*D 2020-12-03

Copyright © Infineon Technologies AG 2020. All rights reserved.

- > Use Case 1
  - Main CPU\_0 software is allowed access to Region 1 and Region 3







- > Use Case 2
  - Main CPU\_1 software accesses to memory with unprivileged write, non-secure, and PC[6]



#### 002-22193 \*D 2020-12-03

Copyright © Infineon Technologies AG 2020. All rights reserved.

#### d.

#### > Use Case 2

SMPU Protection

Main CPU\_1 software is allowed access to Region 3





#### 002-22193 \*D 2020-12-03

Copyright © Infineon Technologies AG 2020. All rights reserved.

- > Use Case 3
  - Secondary CPU software accesses to memory with privileged write, Secure, and PC[4]





### SMPU Protection

Use Case 3



Hint Bar



### Peripheral Protection Unit Block Diagram



### **PPU** Protection



- Execute system settings such as clock and initial setting of peripheral in startup software at > power-up
  - Startup software: Privileged, PC[4] access to peripheral PPU Peripheral Main CPU PC Field for main CPU Region 0 Attribute: PC[4] PC[4] Privileged Read/Write System Control Unprivileged (Clock, Read/Write Interrupt, etc.) Startup Software PC[6] Privileged Privileged No Access Unprivileged No PC[4] Access + Region 0 Configure Transfer Normal Operation Attribute: Attribute is Peripheral Software Privileged. PC[4] Settings After Write, PC[4] Privileged PC[4] Setting Privileged Read/Write Peripheral PC[6] Unprivileged Control/ Read/Write Data Register PC[6] Privileged Read/Write
- >

Unprivileged Read/Write

### **PPU** Protection





Copyright © Infineon Technologies AG 2020. All rights reserved.





- > SWPU is used to access restrictions to flash (write<sup>1</sup>) and eFuse (read/write)
  - SWPU prevents malicious or unintended access of flash or eFuse.
  - SWPU has three Protection Units:
    - FWPU: Flash Write Protection Unit. (Up to 16 regions)
    - ERPU: eFuse Read Protection Unit. (Up to 4 regions)
    - EWPU: eFuse Write Protection Unit. (Up to 4 regions)
  - SWPU has two configuration parts:
    - Boot protection: It cannot be updated.
    - Application protection: It is additional access restrictions specific to the application.
  - SWPU is read during boot process from SFlash, and stores them in RAM
  - Access restriction to:
    - Address range
    - Read/Write
    - Privileged/Unprivileged
    - Secure/Non-secure
    - Protection Context
  - Protection pair: slave and master protection structures



Hint Bar

Review TRM section 6.5 for setting example

#### SWPU Structure (Application Protection)

#### SWPU is stored in SFlash

| SWPU | Field Name      | Size    | Description                                          |
|------|-----------------|---------|------------------------------------------------------|
|      | Object Size     | 4 bytes | Number of configured elements                        |
| FWPU | N_FWPU          | 4 bytes | Number of FWPU objects. Up to 16 regions             |
|      | FWPU0_SL_ADDR   | 4 bytes | Configures the FWPU0 base address                    |
|      | FWPU0_SL_SIZE   | 4 bytes | Configures the FWPU0 region size and FWPU0 enable    |
|      | FWPU0_SL_ATT    | 4 bytes | Configures the FWPU0 slave attribute                 |
|      | FWPU0_MS_ATT    | 4 bytes | Configures the FWPU0 master attribute                |
|      | :               | 4 bytes |                                                      |
| ERPU | N_ERPU          | 4 bytes | Number of ERPU objects. ERPU has up to four regions. |
|      | ERPU0_SL_OFFSET | 4 bytes | Configures the ERPU0 base address offset             |
|      | ERPU0_SL_SIZE   | 4 bytes | Configures the ERPU0 region size and ERPU0 enable    |
|      | ERPU0_SL_ATT    | 4 bytes | Configures the ERPU0 slave attribute                 |
|      | ERPU0_MS_ATT    | 4 bytes | Configures the ERPU0 master attribute                |
|      | :               |         |                                                      |
| EWPU | N_EWPU          | 4 bytes | Number of EWPU objects. EWPU has up to four regions. |
|      | EWPU0_SL_OFFSET | 4 bytes | Configures the EWPU0 base address offset             |
|      | EWPU0_SL_SIZE   | 4 bytes | Configures the EWPU0 region size and ERPU0 enable    |
|      | EWPU0_SL_ATT    | 4 bytes | Configures the EWPU0 slave attribute                 |
|      | WPU0_MS_ATT     | 4 bytes | Configures the EWPU0 master attribute                |
|      |                 |         |                                                      |

:

#### **Protection Pair**



- > SMPU, PPU, and SWPU have a protection pair for protection of protection structures
  - Master structure: Protection of slave structure
  - Slave structure: Protection of resources
  - Change slave setting attributes by master setting attributes





- Access is evaluated by each protection unit in the following order:
  - MPU (High) > SMPU > PPU (Low)
- The slave address regions in programmable PPU may overlap with other slave address regions. In this case, access is evaluated by the PPU in the following order:
  - PPU master structure (High) > Programmable slave structures > Fixed slave structure (Low)
- The bus transfer will not reach its target
- > Violation information is reported to the fault reporting structure
  - Violation address
  - Bus transfer attribute
  - Accessed bus master



## **Hint Bar** Training section references: Fault Structure Advantage: Prevents erroneous writing by not allowing transfer Possible analysis of violation transfer



# Part of your life. Part of tomorrow.



| Revision | ECN     | Submission<br>Date | Description of Change                                                                                                                                                                                                                                          |
|----------|---------|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **       | 6138645 | 04/17/2018         | Initial release                                                                                                                                                                                                                                                |
| *A       | 6346788 | 12/10/2018         | Added slide 2.<br>Updated slides 3, 4, and 5.<br>Revised description on slides 10 and 11 from Privileged to Unprivileged<br>In all slides, changed CM4 and CM0+ to main CPU and secondary CPU, and<br>added notes 4 and 5 on slide 8<br>Changed slides 22 – 27 |
| *В       | 6633371 | 7/22/2019          | Added slide 5.<br>Updated slide 2, 18.                                                                                                                                                                                                                         |
| *C       | 6825576 | 03/06/2020         | Changed document title<br>from PROTECTION UNITS (M4CPUSS_VER2/M7CPUSS)<br>to TRAVEO(TM) II PROTECTION UNITS (M4CPUSS_VER2/M7CPUSS)                                                                                                                             |
| *D       | 7060711 | 01/06/2021         | Updated Slide 2, 3, 7, 8, 16, 29, 34<br>Added slide 32, 33                                                                                                                                                                                                     |