15.4.7.6 Tamper Detection

Tamper detection is done through wake-up pins (WKUP) with a specific configuration. Up to 5 WKUP inputs can be enabled to act as tamper detection. Some wake-up/tamper pins are referenced in the VDDBU domain (output of the power switch) and some others in the VDD3V3 domain.

Refer to the table “Pinout and Multiplexing”.

A tamper detection can perform a partial or full immediate clear of the General-Purpose Backup, an immediate clear of the keys of the AES and the AESB crypto engine as well as the scrambling keys of the Quad SPI (QSPI). In addition, a tamper detection can lock the SHA.

Each tamper input has a dedicated Low Power Debouncer (LPDBC). For wake-up pins to be enabled as tamper to perform the actions defined above, follow the steps:

  1. Configure the corresponding LPDBCENx bit in SUPC_WUMR to 1.
  2. Configure the corresponding LPDBCx bit field in SUPC_WUMR to a value other than 0.

For the different possible actions on tamper events, configure the corresponding peripheral.

Some power reduction can be performed in the tamper circuitry. For example, if the tamper sensor is biased through a resistor and constantly driven by the power supply when the tamper is active, this leads to power consumption as long as the tamper detection switch is in its active state. To reduce the energy when the switch is in active state, the tamper sensor circuitry can be intermittently powered, and thus a specific waveform must be applied to the sensor circuitry.

The waveform is generated using RTCOUT0 in all modes including Backup mode. Refer to the section “Real-Time Clock (RTC)” for waveform generation.

Figure 15-4 and Figure 15-5 below show examples of optimized power consumption circuitry where two tamper switches are used. RTCOUT0 powers the external pullup used by the tamper sensor circuitry.

The SUPC provides two modes for driving the pull-up/down resistor with RTCOUT0. The waveform provided by the RTCOUT0 pin differs slightly depending on the mode configured in SUPC_BMR.MRTCOUT.

When SUPC_BMR.MRTCOUT=1, the RTCOUT0 pin is stuck at 1 while there is no tamper detected on any inputs, thus no dynamic power consumption due to RTCOUT0 swicthing. As soon as a tamper detection occur (SUPC_SR.LPDBCSx differs from 0), RTCOUT0 starts powering the tamper detection circuitry in an intermittent way to reduce the energy when the switch is in active state.

Figure 15-6 shows the waveforms provided by RTCOUT0 according to the configuration of SUPC_BMR.MRTCOUT.

The WKUP inputs enabled for tamper detection can be configured to perform a system wake-up upon tamper detection. This is enabled by writing SUPC_WUMR.LPDBCENx=1 and SUPC_WUIR.WKUPENx=1.

The WKUP inputs enabled for tamper detection can also be used when VDDCORE is powered.

Low-power tamper detection requires the RTC to be configured to generate a duty cycle programmable pulse (i.e., OUT0 = 0x7 in RTC_MR) in order to create the sampling points of both debouncers. For the debouncer circuitry, the sampling point is the falling edge of the RTCOUT0 waveform (carried on internal wire of the system).

Figure 15-4. Low-power Debouncer (Push-to-Make Switch, Pull-up Resistors)
Figure 15-5. Low-power Debouncer (Push-to-Break Switch, Pull-down Resistors)
Figure 15-6. Low-power Debouncer Waveforms

The figure below shows the energy consumed by the tamper detection circuitry when configured in different operating modes. When the system is in Backup mode, the energy required by the tamper circuitry depends on the ratio tamper period versus inactive period.

Figure 15-7. Energy Required by Tamper Detection Circuitry

The debouncing period duration is configurable. The period is set for all debouncers; the duration cannot be adjusted for each debouncer. The number of successive identical samples to wake up the system can be configured from 2 up to 8 in SUPC_WUMR.LPDBC. The period of time between two samples can be configured by programming RTC_MR.TPERIOD. Power parameters can be adjusted by modifying the period of time in RTC_MR.THIGH.

The wake-up polarity of the inputs can be independently configured by writing SUPC_WUIR.WKUPTx.

In order to determine which wake-up/tamper pin triggers the system wake-up, a status flag is associated for each low-power debouncer. These flags can be read in SUPC_SR (no clear on read) or in SUPC_ISR (cleared on read).

A tamper detection can perform a partial or full immediate clear of the General-purpose Backup registers by writing RTC_TAMPER.TAMPCLR=1 (refer to the section “Real-Time Controller (RTC)”).

A tamper detection can perform an immediate clear of the keys of the AES crypto engine. Refer to the section “Advanced Encryption Standard (AES)” to enable the immediate clear.

A tamper detection can perform an immediate clear of the keys of the AES Bridge (AESB) and the scrambling keys of the Quad SPI (QSPI). Refer to the sections “AES Bridge (AESB)” and “Quad SPI (QSPI)” to enable the immediate clear.

Note that it is not mandatory to use the RTCOUT0 pin when using the WKUPx pins as tampering inputs in any mode. Using the RTCOUT0 pin provides a “sampling mode” to further reduce the power consumption of the tamper detection circuitry. If RTCOUT0 is not used to bias external pull-ups or pull-down, the RTC.OUT0 field must be configured to create an internal sampling point for the debouncer logic. The period of time between two samples can be configured by programming RTC_MR.TPERIOD.

The following figure illustrates the use of WKUPx without the RTCOUT0 pin. Note that VDD in the figure below can be VBAT or VDD3V3 depending on the wake-up/tamper pins used.

Figure 15-8. Using WKUP Pins Without RTCOUT0 Pins