16.8 Security Enforcement
- Restricts access to internal memories from external tools depending on the debugger access level.
- Restricts access to a portion of the DSU address space from non-secure AHB hosts depending on the debugger access level.
The DSU implements a security filter that monitors the AHB transactions generated by the ARM AHB-AP inside the DAP. If DAL=0x0, then AHB-AP read/write accesses outside the DSU external address range are discarded, causing an error response that sets the ARM AHB-AP sticky error bits (refer to the "ARM Debug Interface v5 Architecture Specification", which is available for download at www.arm.com).
- The first 0x100 bytes form the internal address range
- The next 0x1F00 bytes form the external address range
When the device is protected, the DAP can only issue MEM-AP accesses in the DSU address range limited to the 0x100- 0x2000 offset range.
The DSU operating registers are located in the 0x00-0xFF area and mirrored to 0x100-0x1FF to differentiate accesses coming from a debugger and the CPU. If the device is protected and an access is issued in the region 0x100-0x1FF, it is subject to security restrictions. For more information, refer to the table, Feature Availability Under Protection.
The DSU filters-out DAP transactions depending on the DAL setting and routes DAP transactions:
- In the PPB or IOBUS space to the CPU debug port
- Outside the PPB space and outside the IOBUS space to the DSU host port
DAP access to | SAM L11 | SAM L10 | ||||
---|---|---|---|---|---|---|
DAL=0 | DAL=1 | DAL=2 | DAL=0 | DAL=2 | ||
PPB or IOBUS | No | Yes (see Note 1) | Yes | No | Yes | |
DSU internal address space | No | No (see Note 2) | Yes | No | Yes | |
DSU external address space | Yes | Yes | Yes | Yes | Yes | |
Other secure areas | No | No | Yes | No | Yes | |
Other non-secure areas | No | Yes | Yes | No | Yes |
- Refer to ARMv8-M debug documentation for detailed information on PPB and IOBUS access restrictions.
- When DAL=1 DAP transfers are always non-secure. The DSU internal address space can only be accessed by secure hosts.
Some features not activated by APB transactions are not available when the device is protected:
Features | Availability when DAL equals to | ||
---|---|---|---|
0x0 | 0x1 (SAM L11 only) |
0x2 | |
CPU Reset Extension | Yes | Yes | Yes |
Clear CPU Reset extension | Yes | Yes | Yes |
Debugger Cold-Plugging | Yes | Yes | Yes |
Debugger Hot-Plugging | No | Yes | Yes |