Security Enforcement

Security enforcement aims at protecting intellectual property, which includes: The DAL setting can be locked or reverted using Boot ROM commands depending on the Boot ROM user configuration. When DAL is equal to 0x0, read/write accesses using the AHB-AP are limited to the DSU external address range and DSU commands are restricted. When issuing a Boot ROM Chip-Erase, sensitive information is erased from volatile memory and Flash. Refer to Boot ROM more information about the Boot ROM features.

The DSU implements a security filter that monitors the AHB transactions generated by the ARM AHB-AP inside the DAP. If DAL=0x0, then AHB-AP read/write accesses outside the DSU external address range are discarded, causing an error response that sets the ARM AHB-AP sticky error bits (refer to the "ARM Debug Interface v5 Architecture Specification", which is available for download at

For security reasons, DSU features have limitations when used from a debug adapter. To differentiate external accesses from internal ones, the first 0x100 bytes of the DSU register map have been replicated at offset 0x100:

When the device is protected, the DAP can only issue MEM-AP accesses in the DSU address range limited to the 0x100- 0x2000 offset range.

The DSU operating registers are located in the 0x00-0xFF area and mirrored to 0x100-0x1FF to differentiate accesses coming from a debugger and the CPU. If the device is protected and an access is issued in the region 0x100-0x1FF, it is subject to security restrictions. For more information, refer to the table, Feature Availability Under Protection.

Figure 1. APB Memory Mapping

The DSU filters-out DAP transactions depending on the DAL setting and routes DAP transactions:

Table 1. DAP access rights depending on DAL:
DAP access to SAM L11 SAM L10
PPB or IOBUS No Yes (see Note 1) Yes No Yes
DSU internal address space No No (see Note 2) Yes No Yes
DSU external address space Yes Yes Yes Yes Yes
Other secure areas No No Yes No Yes
Other non-secure areas No Yes Yes No Yes
  1. 1.Refer to ARMv8-M debug documentation for detailed information on PPB and IOBUS access restrictions.
  2. 2.When DAL=1 DAP transfers are always non-secure. The DSU internal address space can only be accessed by secure hosts.

Some features not activated by APB transactions are not available when the device is protected:

Table 2. Feature Availability Under Protection
Features Availability when DAL equals to
0x0 0x1

(SAM L11 only)

CPU Reset Extension Yes Yes Yes
Clear CPU Reset extension Yes Yes Yes
Debugger Cold-Plugging Yes Yes Yes
Debugger Hot-Plugging No Yes Yes