15.1.2.21 secure

This attribute directs the compiler to allocate a function in the secure segment of program Flash.

For example, to declare a protected function:

void __attribute__((secure)) func();

An optional argument can be used to specify a protected access entry point within the secure segment. The argument may be a literal integer in the range 0 to 31 (except 16), or the word unused. Integer arguments correspond to 32 instruction slots in the segment access area, which occupies the lowest address range of each secure segment. The value 16 is excluded because access entry 16 is reserved for the secure segment interrupt vector. The value unused is used to specify a function for all of the unused slots in the access area.

Access entry points facilitate the creation of application segments from different vendors that are combined at run time. They can be specified for external functions as well as locally defined functions. For example:

/* an external function that we wish to call */
extern void __attribute__((boot(3))) boot_service3();
/* local function callable from other segments */
void __attribute__((secure(4))) secure_service4()
{
  boot_service3();
}
Note: In order to allocate functions with the boot or secure attribute, memory for the boot and/or secure segment must be reserved. This can be accomplished by setting configuration words in source code, or by specifying linker command options. For more information, see Chapter 8.8, “Options that Specify CodeGuard Security Features,” in the linker manual (DS51317).
If attributes boot or secure are used, and memory is not reserved, then a link error will result.

To specify a secure interrupt handler, use the secure attribute in combination with the interrupt attribute:

void __attribute__((secure,interrupt)) secure_interrupts();

When an access entry point is specified for an external secure function, that function need not be included in the project for a successful link. All references to that function will be resolved to a fixed location in Flash, depending on the security model selected at link time.

When an access entry point is specified for a locally defined function, the linker will insert a branch instruction into the secure segment access area. The exception is for access entry 16, which is represented as a vector (i.e, an instruction address) rather than an instruction. The actual function definition will be located beyond the access area; therefore the access area will contain a jump table through which control can be transferred from another security segment to functions with defined entry points.

Automatic variables are owned by the enclosing function and do not need the secure attribute. They may be assigned initial values, as shown:

void __attribute__((secure)) chuck_cookies()
{
 int hurl;
 int them = 55;
 char *where = "far";
 splat(where);
 /* ... */
}

Note that the initial value of where is based on a string literal which is allocated in the PSV constant section .secure_const. The compiler will set PSVPAG to the correct value upon entrance to the function. If necessary, the compiler will also restore PSVPAG after the call to splat().

The secure attribute may be combined with the auto_psv or no_auto_psv attribute. For details, see the section auto_psv, no_auto_psv.