21.6.19 SPM

Description

"SPM" is a command tool used in configure_tool. To configure security using Tcl, you must use the configure_tool Tcl command to pass the SPM configuration parameters.

Note: At least one "parameter:value" must be specified. You can repeat -params argument for multiple parameters.

configure_tool -name {SPM} -params {parameter:value}

Arguments

The following table list the "SPM" arguments for PolarFire.


Parameter	Type	Description
back_level_protection	boolean	The possible value for this argument are: true, 1 , false or 0. Specify true or 1 to set back level protection; Update Policy.
debug_passkey	hexadecimal	Specify value of DPK, value must be 64 hex characters; Debug Policy.
disable_authenticate_action	boolean	Disables Authenticate action. The possible value for this argument are: true, 1, false or 0.
disable_autoprog_iap_services	boolean	Disables Auto Programming and IAP Services. The possible value for this argument are: true, 1, false or 0.
disable_debug_jtag_boundary_scan	boolean	Disables debug JTAG Boundary Scan. The possible value for this argument are: true, 1, false or 0.
disable_debug_read_temp_volt	boolean	Disables reading temperature and voltage sensor (JTAG/SPI Slave). The possible value for this argument are: true, 1, false or 0.
disable_debug_ujtag	boolean	Disables debug; UJTAG. The possible value for this argument are: true, 1, false or 0.
disable_ext_zeroization	boolean	Disables external zeroization through JTAG/SPI Slave. The possible value for this argument are: true, 1, false or 0.
disable_external_digest_check	boolean	Disables external Fabric/sNVM digest requests through JTAG/SPI Slave. The possible value for this argument are: true, 1, false or 0.
disable_jtag	boolean	Disables JTAG. The possible value for this argument are: true, 1, false or 0.
disable_program_action	boolean	Disables Program action. The possible value for this argument are: true, 1, false or 0.
disable_puf_emulation	boolean	Disables external access to PUF emulation through JTAG/SPI Slave The possible value for this argument are: true, 1, false or 0.
disable_smartdebug_debug	boolean	Disables user debug access and active probes. The possible value for this argument are: true, 1, false or 0.
disable_smartdebug_live_probe	boolean	Disables SmartDebug Live Probe. The possible value for this argument are: true, 1, false or 0.
disable_smartdebug_snvm	boolean	Disables SmartDebug sNVM. The possible value for this argument are: true, 1, false or 0.
disable_spi_slave	boolean	Disables SPI Slave interface. The possible value for this argument are: true, 1, false or 0.
disable_user_encryption_key_1	boolean	Disables UEK1; Key Mode Policy. The possible value for this argument are: true, 1, false or 0.
disable_user_encryption_key_2	boolean	Disables UEK2; Key Mode Policy. The possible value for this argument are: true, 1, false or 0.
disable_verify_action	boolean	Disables Verify action. The possible value for this argument are: true, 1, false or 0.
fabric_update_protection	string	Fabric update protection. The possible values for this argument are the following: open - updates allowed using user defined encryption keys. disabled - disables Erase/Write operations.
security_factory_access	string	Microchip factory test mode access. The possible values for this argument are the following: open - factory test mode access allowed. disabled - disables factory test mode access.
security_key_mode	string	Key mode access. The possible values for this argument are the following: custom - custom security options. default - bit stream encryption with default key.
snvm_update_protection	string	sNVM update protection. The possible values for this argument are the following: open - updates allowed using user defined encryption keys. disable - disables Write operations.
user_encryption_key_1	hexadecimal	Specify value of UEK1, value must be 64 hex characters.
user_encryption_key_2	hexadecimal	Specify value of UEK2, value must be 64 hex characters.
user_passkey_1	hexadecimal	Specify value of Flashlock/UPK1, value must be 64 hex characters.
user_passkey_2	hexadecimal	Specify value of Flashlock/UPK2, value must be 64 hex characters.

The following table list the "SPM" arguments for SmartFusion 2 and IGLOO 2.


Parameter	Type	Description
back_level_bypass	boolean	The possible values for this argument are: true, 1 , false or 0. Specify true or 1 to bypass the back level protection; Update Policy.
back_level_protection	boolean	The possible values for this argument are: true, 1 , false or 0. Specify true or 1 to set back level protection; Update Policy.
back_level_update_version	integer	Specify back level version value between 0 and 65535; Update Policy.
debug_cortex_m3	boolean	The possible values for this argument are: true, 1 , false or 0. Specify true or 1 to disable Cortex M3 debug. This lock bit is protected by DPK; Debug Policy; SmartFusion 2 only.
debug_digest_request	boolean	The possible value for this argument are: true, 1 , false or 0. Specify true or 1 to disable design digest check request via JTAG and SPI. Use FlashLock/UPK1 to allow digest check; Debug Policy.
debug_disable_jtag	boolean	The possible values for this argument are: true, 1 , false or 0. Specify true or 1 to disable JTAG (1149.1) test instructions (HIGHZ, EXTEST, INTEST, CLAMP, SAMPLE, and PRELOAD). I/Os will be tri-stated when in JTAG programming mode. Use FlashLock/UPK1 to unlock; Debug Policy.
debug_passkey	hexadecimal	Specify value of DPK, value must be 64 hex characters; Debug Policy.
debug_ujtag_access	boolean	The possible values for this argument are: true, 1 , false or 0. Specify true or 1 to disable access to UJTAG. Use DPK to unlock; Debug Policy.
disable_user_encryption_key_1	boolean	The possible value for this argument are: true, 1 , false or 0. Specify true or 1 to disable UEK1; Key Mode Policy.
disable_user_encryption_key_2	boolean	The possible value for this argument are: true, 1 , false or 0. Specify true or 1 to disable UEK2; Key Mode Policy.
disable_user_encryption_key_3	boolean	Disables UEK3; Key Mode Policy. The possible values for this argument are: true, 1, false or 0. Note: UEK3 is only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices. All other devices will set this to false by default.
factory_access	string	Sets Microchip factory test mode access level. The possible values for this argument are the following: Open - All Microchip factory test mode access without FlashLock/UPK1. FlashLock(default) - Microchip factory test mode is disabled. FlashLock/UPK1 is required to unlock. Permanent - Permanently disable Microchip factory test mode access
iap_isp_services	boolean	The possible value for this argument are: true, 1, false or 0. Specify true or 1 to disable access to IAP/ISP services; Update Policy.
security_key_mode	string	Key mode access. The possible values for this argument are the following: Custom - Custom security settings. Allows user encryption keys, security policy settings, and Microchip factory test mode access level. Default - Bitstream encryption with default key. No security lock bits are set.
smartdebug_access	string	Debug Policy. The possible values for this argument are the following: Full - SmartDebug has full access to debug features. None - Disable read/write access to SmartDebug architecture. DPK is required for read/write access.
update_auto_prog_lock	boolean	Disables Auto Programming; Update Policy. The possible value for this argument are: true, 1, false or 0.
update_envm_protection	string	Update Policy. The possible values for this argument are the following: Passkey - eNVM updates are disabled. Use FlashLock/UPK1 to unlock Write/Verify/Read operations. Open - Updates to eNVM are allowed using UEK1 or UEK2; FlashLock/UPK1 is NOT required for updates.
update_fabric_protection	string	Update Policy. The possible values for this argument are the following: Passkey - Fabric updates are disabled. Use FlashLock/UPK1 to unlock Erase/Write/Verify/ operations. Open - Updates to Fabric are allowed using UEK1 or UEK2; FlashLock/UPK1 is NOT required for updates.
update_jtag_lock	boolean	Disables access to JTAG programming. Use FLashLock/UPK1 to unlock; Update Policy. The possible value for this argument are: true, 1, false or 0.
update_spi_slave_lock	boolean	Disables access to SPI Slave. Use FLashLock/UPK1 to unlock; Update Policy. The possible value for this argument are: true, 1, false or 0.
use_debug_policy	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to used Debug Policy.
use_key_mode_policy	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to used Key Mode Policy.
use_update_policy	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to used Update Policy.
use_user_key_set_1	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to enable User Key Set 1.
use_user_key_set_2	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to enable User Key Set 2.
use_user_key_set_3	boolean	The possible values for this argument are: true, 1, false or 0. Specify true or 1 to enable User Key Set 3. Note: User Key Set 3 is only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices.
user_encryption_key_1	hexadecimal	Specify value of UEK1, value must be 64 hex characters.
user_encryption_key_2	hexadecimal	Specify value of UEK2, value must be 64 hex characters.
user_encryption_key_3	hexadecimal	Specify value of UEK3, value must be 64 hex characters. Note: UEK3 is only available for M2S060, M2GL060, M2S090, M2GL090, M2S150, and M2GL150 devices. All other devices will set this to false by default.
user_passkey_1	hexadecimal	Specify value of Flashlock/UPK1, value must be 64 hex characters.
user_passkey_2	hexadecimal	Specify value of UPK2, value must be 64 hex characters.
user_security_policy_protection	string	The possible values for this argument are the following: FlashLock - User keys and Security policies will be protected from erase/write by FlashLock/UPK1. Permanent - Permanently protect UEK1, UEK2, Security Policies, and Microchip factory test mode access level. Note: Once programmed, these settings cannot be changed.


Return Type	Description
Integer	Returns 0 on success and 1 on failure.

Error Codes


Error Code	Description
None	Required parameter 'params' is missing.
None	Key size is incorrect.

Supported Families


Supported Families
PolarFire®
PolarFire SoC
SmartFusion® 2
IGLOO® 2

Example

The following example configures SPM for PolarFire:

configure_tool \
         -name {SPM} \
         -params {back_level_protection:false} \
         -params {disable_smartdebug_live_probe:false} \
         -params {disable_smartdebug_snvm:false} \
         -params {disable_user_encryption_key_1:false} \
         -params {disable_user_encryption_key_2:false}

The following example configures SPM for SmartFusion 2:

configure_tool \
         -name {SPM} \
         -params {back_level_bypass:false} \
         -params {back_level_protection:false} \
         -params {back_level_update_version: 32} \
         -params {debug_cortex_m3:false} \
         -params {debug_digest_request:false} \
         -params {debug_disable_jtag:false} \
         -params {debug_passkey:8A1081239567235A7453336CFBBC45668754SADDCAFA7010FA209F7396F3EA17} \
         -params {debug_ujtag_access:false} \
         -params {disable_user_encryption_key_1:false} \
         -params {disable_user_encryption_key_2:false} \
         -params {disable_user_encryption_key_3:false} \
         -params {factory_access:flashlock} \
         -params {iap_isp_services:true} \
         -params {security_key_mode:custom} \
         -params {smartdebug_access:full} \
         -params {update_auto_prog_lock:true} \
         -params {update_envm_protection:passkey} \
         -params {update_fabric_protection:passkey} \
         -params {update_jtag_lock:false} \
         -params {update_spi_slave_lock:false} \
         -params {use_debug_policy:false} \
         -params {use_key_mode_policy:false} \
         -params {use_update_policy:false} \
         -params {use_user_key_set_1:true} \
         -params {use_user_key_set_2:false} \
         -params {use_user_key_set_3:false} \
         -params {user_encryption_key_1:9E108123949848EC7453336DFBBC0CAE60C8541C2AFA7010FA209F7396F3EA17} \
         -params {user_encryption_key_2:4D5656BA56541156C54E54563D2114BC45C854B456563010FA265F7396F3EA17} \
         -params {user_encryption_key_3:CA5665B39498DAEC745355BDFB89535BA4A45DFC2AFA7010FA209F7396F3EA17} \
         -params {user_passkey_1:252BED2AB1C4C5BAE13C4791CEDF7A069D940A6935629A0A9CE5B24E21C13D39} \
         -params {user_passkey_2:B59EAD2356B66DAAE1654981BEA57A045653231CA5547A0A99AD254E234BCA39} \
         -params {user_security_policy_protection:flashlock}