12.1 Features

The PIC32CM LS00/LS60-specific security features can be divided into two main categories.

The first category relates to the Arm TrustZone for ARMv8-M technology features:

  • Flexible hardware isolation of memories and peripherals:
    • Up to five regions for the Flash
    • Up to two regions for the Data Flash
    • Up to two regions for the SRAM
    • Individual security attribution (secure or non-secure) for each peripheral using the Peripheral Access Controller (PAC)
    • Mix-Secure peripherals which support both secure and non-secure security attributions
  • Three debug access levels allowing:
    • The highest debug level with no restrictions in terms of memory and peripheral accesses
    • A restricted debug level with access to non-secure memory regions only
    • The lowest debug level where no access is authorized except with a debugger using a Boot ROM-specific mode
  • Different chip erase support according to security settings
  • Security configurations are fully stored in NVM Configuration rows and safely auto-loaded at start-up during Boot ROM execution using CRC checks
  • Security configurations lock capability
    Important: Debug access level transitions and Chip Erase command support are described in the Boot ROM chapter.

The second category relates to the PIC32CM LS00/LS60-specific security features, which are not related to Arm TrustZone for ARMv8-M technology support:

  • Built-in cryptographic accelerator accessible through cryptographic libraries stored in ROM
    • Supporting AES-128/192/256 encryption/decryption, SHA-256 authentication, GCM encryption and authentication
  • SHA- or HMAC-based Secure Boot
  • ATECC608B CryptoAuthentication™ Device (PIC32CM LS60 only)
    • One Permanent Primary P-256 Elliptic Curve Cryptography (ECC) Private Key
    • One Internal Sign Private Key for Key Attestation
    • Three Secondary P-256 ECC Private Keys
    • Signer Public Key from Signer Certificate
    • Public Key Validation Support
    • One Customizable Symmetric Secret Key Slot
    • I/O Protection Key Slot to Protect Communication
    • Secure Boot Enabled with Customizable Secure Boot Public Key
    • ECDH/KDF Key Slot Capable of Being Used with AES Keys and Commands
    • X.509 Compressed Certificate Storage
    • Customizable Certificate Storage Slots
  • Device Identity Composition Engine (DICE) security standard support with Unique Device Secret (UDS)
  • Secure Pin Multiplexing, which isolates secured communication with external devices on dedicated SERCOM I/O pins from the Non-secure application (PIC32CM LS00 only)
  • Data Flash Scrambling

The PIC32CM LS00/LS60 has other security features that are not described in this chapter because they are common to both the PIC32CM LE00 and the PIC32CM LS00/LS60, such as:

  • Up to eight tamper input pins and eight tamper output pins for static and dynamic intrusion detection
  • One True Random Number Generator (TRNG)
  • Data Flash and TrustRAM rapid tamper, silent access features
  • A unique 128-bit serial number