30.6.12 SAM L11 TrustZone Protection Considerations

On TrustZone protected devices, the Flash and Data Flash areas are partitioned into secure, non-secure, and non-secure callable sections to accommodate with TrustZone core capability.

Figure 30-4. NVM Memory Organization

The various memory regions and attributes are provides in the table below.

Table 30-3. Memory Regions and Attributes
Memory Region Base Address Size Attribute
Secure Flash (BOOT region) 0x00000000 BS*ROWSIZE - BNSC*0x20 Secure
Non-Secure Callable Flash (BOOT region) BS*ROWSIZE-BNSC*0x20 BNSC*0x20 Secure
Non-Secure Flash (BOOT region) BS*ROWSIZE (remaining BOOT region) Non-secure
Secure Flash (APPLICATION region) BOOTPROT*ROWSIZE AS*ROWSIZE - ANSC*0x20 Secure
Non-Secure Callable Flash (APPLICATION region) BOOTPROT*ROWSIZE-ANSC*0x20 ANSC*0x20 Secure
Non-Secure Flash (APPLICATION region) (BOOTPROT+AS)*ROWSIZE (remaining APPLICATION region) Non-secure
Secure Data Flash 0x00400000 DS*ROWSIZE Secure
Non-Secure Data Flash 0x00400000 + DS*ROWSIZE (remaining Data NVM area) Non-secure

Access to various sections is restricted as shown in the following table. All sections can be read and write without restriction when the access is secure. When the access is non-secure the secure sections are not accessible. When defined non-secure callable sections have the same attributes as the secure sections, therefore the NVMCTRL considers them as secure regions. The system may also have a secure callable boot and application regions. These regions have the same attributes as the secure sections, so there is no special treatment needed in NVMCTRL.

Any illegal access will result in a bus error. The boot and application non-secure callable regions are shown for reference but have no effect on the NVMCTRL. These regions are included in secure regions therefore the NVMCTRL considers them as secure regions.

Table 30-4. Memory Regions AHB Access Limitations
Memory Region Secure Access Non-Secure Access Limitations
Secure Flash (BOOT region) R+W - -
Non-Secure Callable Flash (BOOT region) R+W - -
Non-Secure Flash (BOOT region) R+W R+W
Secure Flash (APPLICATION region) R+W -
Non-Secure Callable Flash (APPLICATION region) R+W - -
Non-Secure Flash (APPLICATION region) R+W R+W
Secure Data Flash R+W -
Non-Secure Data Flash R+W R+W

NVM Software Calibration Row

NVM Temperature Log Row

R+W R
NVM User Row (UROW) R+W R
NVM Boot Configuration Row(BOCOR) R+W - No read if BCREN is cleared.

No write if BCWEN is cleared.

The Boot Configuration row (BOCOR) contains information that is read by the boot ROM and written to the IDAU and NVMCTRL registers. The BOCOR is read/writable if SCFGB.BCREN/BCWEN are set, respectively.

Important: SCFGB.BCREN/BCWEN are copied from BOCOR during the Boot ROM execution.
Table 30-5. Memory Regions Modify operations Limitations (WP, EP commands)
Memory Region Secure Access Non-Secure Access Limitations
Secure Flash (BOOT region) Y N No if SULCK.BS=0
Non-Secure Callable Flash (BOOT region) Y N No if SULCK.BS=0
Non-Secure Flash (BOOT region) Y Y No if NSULCK.BNS=0
Secure Flash (APPLICATION region) Y N No if SULCK.AS=0
Non-Secure Callable Flash (APPLICATION region) Y N No if SULCK.AS=0
Non-Secure Flash (APPLICATION region) Y Y No if NSULCK.ANS=0
Secure Data Flash Y N No if SULCK.DS=0
Non-Secure Data Flash Y Y No if NSULCK.DNS=0
NVM User Row (UROW) Y N No if BOCOR.URWEN=0
NVM Boot Configuration Row (BOCOR) Y N No if BOCOR.BCWEN=0

The NSULCK SULCK bitfields in the user row define the NSULCK and SULCK register default value after a reset.

Special care must be taken when sharing the NVMCTRL between the secure and non-secure domains. When the secure code modifies the NVM, it is recommended that it disables all write accesses to the APB non-secure alias and writes to AHB non-secure regions by writing a ‘0’ to NONSEC.WRITE. This avoids any interference with non-secure modify operations. In this case, even a secure application cannot write the page buffer at a non-secure location because the IDAU changes security attributions of Non-Secure transactions to Non-Secure regions to Non-Secure.

The NONSEC.WRITE reset value is '1', meaning that it is always possible to program a Non-Secure Flash or Data Flash region after a debugger probe cold-plugging. But if the debugger connects with the hot-plugging procedure then NONSEC.WRITE must be '1' to let the debugger program Non-Secure regions otherwise the transaction will cause a hardfault (seen as a DAP fault at DAP level).

For applications that do not require Non-Secure regions programming other than from a secure code, it is recommended to always disable Non-Secure writes by disabling NONSEC.WRITE. When disabled secure code needs to enable it to be able to modify Non-Secure regions following this procedure:
  1. Disable the interrupt.
  2. Write a ‘1” to NONSEC.WRITE to allow writes to the non-secure region.
  3. Write the page buffer.
  4. Write a ‘0’ to NONSEC.WRITE.
  5. Enable the interrupt.

If the NSCHK interrupt is enabled, a NONSEC.WRITE modification will generate an interrupt so that the non-secure world is aware of this change. Depending on NSCHK.WRITE and INTFLAG.NSCHK will rise upon a rising or falling NONSEC.WRITE transition. The interrupt can be configured as secure or non-secure in the NVIC. If secure then a software mechanism can be implemented to call a non-secure NVMCTRL IRQ handler from the secure world.

The NVMCTRL monitors the Page Buffer write accesses and accepts only writes to non-secure regions when the transaction is non-secure. Moreover it checks that any write to the page buffer is in the same page as the previous write when the Page Buffer is not empty. When this check fails, an error is returned to the bus host that initiated the transaction. This ensures that it is not possible to mix different page writes into the Page Buffer. Therefore, any Page Buffer write access must at some point be followed by a manual or automatic Write Page (WP) that automatically clears the page buffer or a Clear Page Buffer (PBC) command.

For security reasons, the ADDR register is not accessible from the non-secure alias. The only way to change it is to write a data to the Page Buffer. If the intention is to issue a command that doesn't write the NVM (for instance an Erase Row command (ER)) then the PBC command must be issued to avoid locking further write accesses (even secure writes). The status of the Page Buffer is reflected by the STATUS.LOAD bitfield.