27.5.16 Boot Protect Hard Lock

Users can lock the boot section by issuing the Set Boot Protect Hard Lock command (SBPHL), and after command execution, INTFLAG.DONE and STATUSB.BPHL are set.

The command can be issued only if DSU STATUSB.PROT = 1. The SBPHL command is discarded if the device is not protected (DSU STATUSB.PROT = 0) and INTFLAG.PROGE rises. This means that it is the firmware has to issue the command. Once programmed, the fuse cannot be erased.

The boot section content and size cannot be modified with write or erase operations (WP, WQW, EP, and EB commands) when hard-locked, any attempt to write to an address inside the boot section will return an error and sets the INTFLAG.LOCKE bit. Also, any modify commands (write or erase) will be discarded and set both INTFLAG.PROGE and INTFLAG.LOCKE bits.

The controller also supports the option to protect a dual-boot section, if an over-the-air update is required. This is enabled by programming the DBPE fuse.

To enable the BPHL protection, follow these steps:

  1. Clear the page buffer (PBC command in CTRLB register).
  2. Load page buffer with the following 32-bit data, {27’b1, DBPE value to be programmed, BOOTPROT value to be programmed}, at an address with the following requirements:
    1. The expected values must be written to the page offset 0x30. BOOTPROT value from the User Row (UROW) is ignored.
    2. The address must be a writable location (R/W property). Any attempt to write a read-only location will trigger an error response, and page buffer will not be loaded with the new value.
  3. If INTFLAG.LOCKE = 0, execute SBPHL command in the CTRLB register. The BPHL fuse is programmed if INTFLAG.NVME = 0. Else, INTFLAG.PROGE is set and the BPHL is not programmed.
  4. Reset the device to refresh the STATUS.BOOTPROT and STATUS.DBPE bit fields.
When the SBPHL command is executed (before reset), the BOOTPROT value from the page buffer is programmed. BPHL fuse is then programmed and STATUS.BPHL = 1.
Note: BOOTPROT value from the User Row (UROW) is ignored, only the value programmed in the page buffer is.

After reset the STATUS.BOOTPROT and STATUS.DBPE bit fields reflect the value programmed during the SBPHL command execution. Once programmed, the BPHL fuse cannot be cleared, and the STATUS.BOOTPROT and STATUS.DBPE values cannot be changed if the Security bit is set.

It is recommended to check the programmed value in the STATUS register are the expected ones as they may not be recovered if the Set Chip Erase Hard Lock (SCEHL) command is executed.

  • STATUS.BPHL = 1
  • STATUS.BOOTPROT = expected BOOTPROT value programmed in the page buffer
  • STATUS.DBPE = expected DBPE value programmed in the page buffer

Execution of the SBPHL command is not allowed when the device is not protected (DSU STATUSB.PROT = 0). The command is discarded and INTFLAG.PROGE is set.

Execution of SBPDIS and CBPDIS commands is not allowed when the STATUS.BPHL bit and the DSU STATUSB.PROT bit are set. The commands are discarded and INTFLAG.PROGE is set.

Follow these procedure to configure and lock the boot sections:

  1. Program the boot section.
  2. Secure the part by issuing the Set Security bit command.
  3. Reset the device.
  4. Enable BPHL protection (see above).
  5. Optionally check whether the boot protection is effective (see above).
  6. Optionally issue the Set Chip Erase Hard Lock (SCEHL) command.
  7. Reset the device.

After each NVM command execution, the INTFLAG.PROGE must be checked.

The boot loader section size and content are now permanently locked.

Note:
  1. If the SCEHL command is not issued, the security fuse bit can still be erased by executing the chip erase command. It is therefore recommended to apply the SCEHL command after the SBPHL command.
  2. The SBPHL command execution is allowed even if the boot size is zero (BOOTPROT[3:0] = 0xF).
  3. When the security bit is cleared (DSU STATUSB.PROT = 0), the boot section can be updated if the SBPDIS command is executed.

The Smart EEPROM section is not allowed to overlap the boot sections. It is recommended to check SEESTAT.SMEECERR bit status after reset.

Note: In the case of dual ECC error, the fuse update mechanism is aborted. The firmware must check if the STATUS.BOOTPROT setting has the expected value, and the INTFLAG.ECCDE is not set. If one of these conditions is not met, the firmware must decide the most appropriate conditions to be applied. A device reset or placing the device in a lock-up state are the available options.

Dual-Boot Protection Enable

For applications where the bank swapping is a requirement, the device offers the option to implement a dual-boot protection mechanism, to avoid alternate boot section modifications with write or erase operations. This feature is available only when the boot protect hard lock mode is enabled.

The dual-boot protection is programmed when executing the SBPHL command. After reset, the fuse value is stored in the STATUS.DBPE bit.

If STATUS.DBPE = 0, swapping a bank is not possible. An alternate boot area is not relevant, hence the main array is contiguous. The execution of the BKSWRST command is discarded and INTFLAG.PROGE is set.

Table 27-10. Bank Swap Operation
STATUS.BPHL STATUS.DBPE Bank Swap Operation
0 0 Allowed
0 1 N/A
1 0 Not allowed
1 1 Allowed