by Steven McGrath


PEmicro has added production programming support for the Renesas RA family Device Lifecycle Management (DLM) and TrustZone boundary settings to the Cyclone FX programmer. Device Lifecycle Management and TrustZone boundary settings are used to secure access to the on-chip flash and RAM, both from external debug/bootloader access and from untrusted code running inside the device, on devices with DLM technology and TrustZone support (such as Cortex-M33 devices). Configuration and programming of these settings is made simple with PEmicro's stand-alone programmers.

Note: Renesas RA MCUs that do not support DLM technology are securely programmed via the Debug Identification Code mechanism, which is covered in a separate blog post. See PEmicro’s blog post “Securing Renesas RA/Synergy Devices via ID Code Protection”.

Renesas Device Lifecycle Management (DLM) Overview

Several lifecycle states of interest are Secure Software Development (SSD), Non-Secure Software Development (NSECSD) and Deployed (DPL). When the user is developing the secure portion of an application, which is not meant to be accessible in the future by non-secure code, the SSD device lifecycle state is used. The user can transition to the NSECSD state to protect the secure portion while developing the non-secure portions. After development is done, the most common lifecycle state will be Deployed (DPL), where the device will be out in the field and the application in its entirety (SSD and NSECSD regions) will be protected from external access. As long as device initialization is left active, the lifecycle can be reverted to SSD by first initializing (mass erasing) the device. In this way a device can be protected against reading but later fully erased and reprogrammed externally. It is possible to disable the initialization command to prevent erasing the device, and also to activate more restrictive lifecycle states which disable debug and bootloader access altogether. In these cases, reprogramming a device would need to be assisted by the application running in the device itself. Refer to Renesas' DLM documentation for more in-depth descriptions of these states.

Programming Renesas Flash Options with Cyclone FX

PEmicro’s Cyclone Image Creation Utility is used to create stand-alone programming images for programming Renesas RA devices during manufacturing via Cyclone programmers. Images, in addition to erasing and programming flash, have the ability to (A) initialize the device (mass erase), (B) set the Device Lifecycle, and (C) set the memory boundaries for TrustZone operation for RAM and flash. When a Renesas RA device with DLM/TrustZone support is selected in the utility, the “Renesas Flash Options” tab will become available. This tab has the options for setting the DLM state, initializing the device, disabling the initialization command, and setting the TrustZone boundaries.


Renesas Flash Options Tab in Cyclone Image Creation

As can be seen in the following diagram, PEmicro's Cyclone production programmer transitions through three stages during programming:

Stages of Programming Flow

If the "Initialize Device" setting is checked, the Cyclone FX programmer will first put the RA device into bootloader mode and attempt to mass erase the device via the Initialize command. This is useful if the target device has already had its TrustZone boundaries set or is in a secure state (Non-Secure Debug or Deployed state). After the mass erase, the device will once again become reprogrammable. If the device is a blank device, it is not necessary to initialize it.

After this, a programming image script runs to program the main flash array via the debug mode of the part. The flash can be programmed with multiple binaries, verified, and tests can be run at an extremely high data rate (75 Mbit/s). A simple script which erases, programs, and verifies a "Blinky" application that was developed in e2Studio looks like this:

Sample "Blinky" Programming Script

Finally, the bootloader is re-entered if the user specifies that the Device Lifecycle or TrustZone memory boundaries should be set.

The Device Lifecycle is used to protect the device from external debug/bootloader memory read access, as well as to restrict access to certain code running inside the device if TrustZone boundaries are set. The Device Lifecycle is commonly set to the Deployed (DPL) state during production, as it prevents external access to memory without mass erasing the device first.
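To make the lifecycle rules from the overview and the three-stage Cyclone flow above concrete, here is an added Python model (not PEmicro's or Renesas' code; a deliberate simplification that assumes full-array programming requires the SSD state and models only the three states the post names). It answers the question a production engineer should ask before building an image: after this run, can the part still be erased and reprogrammed from the outside?

```python
from dataclasses import dataclass, replace

# Lifecycle states named in the post; the more restrictive states are not modelled.
SSD, NSECSD, DPL = "SSD", "NSECSD", "DPL"
# Assumed: states may only move toward more restriction without an Initialize.
ALLOWED_TRANSITIONS = {SSD: {NSECSD, DPL}, NSECSD: {DPL}, DPL: set()}


@dataclass(frozen=True)
class Device:
    state: str = SSD
    init_enabled: bool = True      # False once the Initialize command has been disabled
    boundaries_set: bool = False   # TrustZone boundaries programmed
    programmed: bool = False


class ProgrammingError(Exception):
    pass


def initialize(dev: Device) -> Device:
    """Stage 1: mass erase via the bootloader's Initialize command; reverts to a blank SSD part."""
    if not dev.init_enabled:
        raise ProgrammingError("Initialize command is disabled; no external erase possible")
    return Device()


def program_flash(dev: Device) -> Device:
    """Stage 2: program the flash array over debug; assumed to need an open (SSD) part."""
    if dev.state != SSD:
        raise ProgrammingError(f"debug programming blocked in {dev.state}; initialize first")
    return replace(dev, programmed=True)


def set_options(dev: Device, target: str, set_boundaries=False, disable_init=False) -> Device:
    """Stage 3: re-enter the bootloader to apply DLM state, boundaries and the init lock."""
    if target != dev.state and target not in ALLOWED_TRANSITIONS[dev.state]:
        raise ProgrammingError(f"{dev.state} -> {target} is not allowed without Initialize")
    return replace(dev, state=target,
                   boundaries_set=dev.boundaries_set or set_boundaries,
                   init_enabled=dev.init_enabled and not disable_init)


def run_cyclone_image(dev, initialize_device, target, set_boundaries=False, disable_init=False):
    """One Cyclone FX run with the 'Initialize Device' checkbox and Flash Options of the image."""
    if initialize_device:
        dev = initialize(dev)
    return set_options(program_flash(dev), target, set_boundaries, disable_init)


def externally_recoverable(dev: Device) -> bool:
    """True if a later run with 'Initialize Device' checked can still erase and reprogram it."""
    return dev.init_enabled
```

Run a first image that deploys the part, then a second run without "Initialize Device" to see it fail, and a run with the init lock to see recoverability lost.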

Boundary settings are most commonly set when an application has both secure and non-secure portions. These boundaries specify which sections of code flash, data flash, and SRAM will be accessible to non-secure code running on the part. To make configuring the correct TrustZone memory boundaries simple, there is an "Import Boundaries from RDP File" button on the options page which can import the boundaries from an application developed in e2Studio (by selecting the application's RDP file). Here is an image of the boundaries after importing the .RDP file from the same Blinky example which is being programmed in the script above:

Imported Boundary Settings

Once the user is satisfied with their Image Script and DLM/TrustZone settings, the user would build a Stand-Alone Programming Image (SAP). A single click in the Image Creation Utility generates this stand-alone programming image, which is a single file containing all information necessary to program the device. The SAP image can be fully encrypted (an eSAP Image) so that it can only be used on Cyclone FX programmers which have been provisioned with the appropriate key(s).

Encrypted SAP Image

This image is what is deployed into manufacturing to be programmed via Cyclone FX programmers. Cyclone FX programmers come with an extensive set of automation software which allows loading images onto the Cyclone as well as automated control.

Confirming DLM State on the Cyclone FX

As part of Cyclone FX programming operations, the most recently programmed DLM/TrustZone state is recorded in the logs. This can be useful when first configuring and testing SAP images to program the desired binaries, DLM state, and boundaries. It lets the user confirm that the device's security settings were set as expected (though the Cyclone would yield an error anyway if they did not match the image settings). On the Cyclone touchscreen (or within the Remote Display tab of the Cyclone Control GUI), to see the values, the user would first select the “Menu” button followed by the “Status”, “Show Logs” and “Show Last DLM State Log” options. The screen should look similar to the figure below, showing the DLM/TrustZone boundary settings that were read directly from the Renesas RA MCU after programming.

DLM State Display Log

The Cyclone FX is an extremely easy to use, flexible and powerful high-speed production programmer, perfectly suited to programming Renesas RA devices with advanced features such as DLM and TrustZone.

In addition to production programming tools, PEmicro probes can be used with e2Studio during the development process (see "PEMicro Supports Debugging with Renesas' e² studio IDE").

© 2023 P&E Microcomputer Systems Inc.