This blog post was updated May 18, 2023 to include Renesas DLM Key Injection and User Key support. Other updates include running an application after DLM programming and updated flowchart and images.
PEmicro has added production programming support for the Renesas RA family Device Lifecycle Management (DLM) and TrustZone boundary settings to the Cyclone FX programmer. Device Lifecycle Management and TrustZone boundary settings are used to secure access to the on-chip Flash and RAM both from external debug/bootloader access as well as untrusted code running internal to the device on devices with DLM Technology and TrustZone support (such as Cortex-M33 devices). Configuration and programming of these settings are made simple with PEmicro's stand alone programmers.
Note: Renesas RA MCUs that do not support DLM Technology are securely programmed via the Debug Identification Code mechanism, which is covered in a separate blog post. See PEmicro’s blog post “Securing Renesas RA/Synergy Devices via ID Code Protection”.
Renesas Device Lifecycle Management (DLM) Overview
Several lifecycle states of interest are Secure Software Development (SSD), Non-Secure Software Development (NSECSD) and Deployed (DPL). When the user is developing the secure portion of an application that is not meant to be accessible in the future by non-secure code, the SSD device lifecycle state is used. The user can transition to the NSECSD state to protect the secure portion while developing in the unsecure portions. After development is done, the most common lifecycle state will be Deployed (DPL), where the device will be out in the field and the application in its entirety (SSD and NSECSD regions) will be protected from external access. As long as device initialization is left active, the lifecycle can be reverted to SSD by first initializing (mass erasing) the device. In this way a device can be protected against reading but later fully erased and reprogrammed externally. It is possible to disable the initialization command to prevent erasing the device and also to activate more restrictive lifecycle states that disable debug and bootloader access altogether. In these cases, reprogramming a device would need to be assisted by the application running on the device itself. Refer to Renesas' DLM documentation for more in-depth descriptions of these states.
Programming Renesas Flash Options with Cyclone FX
PEmicro’s Cyclone Image Creation Utility is used to create stand alone programming (SAP) Images for programming Renesas RA devices with Cyclone programmers during manufacturing. In addition to erasing and programming flash, SAP Images have the ability to (A) Initialize the device (mass erase) as well as disable initialization, (B) set the Device Lifecycle, (C) inject a DLM Key, (D) inject a User Key and (E) set the memory boundaries for TrustZone operation for RAM and Flash. When a Renesas RA device with DLM/TrustZone support is selected in the utility, the “Renesas Flash Options” tab will become available. This tab has the options to perform any of the actions (A-E) as described above.
Renesas Flash Options Tab in Cyclone Image Creation
The figure shown above represents a normal setup for a user that is ready to program their application and set the DLM state to the Deployed mode for production. Take note that both SECDBG and NONSECDBG keys are also programmed during the process in case the user needs to regress to other modes for debugging. Of course, the part can be returned to SSD mode by initializing the device as described later on. As mentioned above, there is a possibility to disable initialization, which would not allow a mass erase for future use. In order to regress back to previous DLM states, the corresponding key codes are required. It is recommended to always keep the option to initialize the device, so that it can still be erased and reprogrammed if necessary.
As can be seen in the following diagram, PEmicro's Cyclone production programmer transitions through four stages during programming:
Stages of Programming Flow
If the "Initialize Device" setting is checked, the Cyclone FX programmer will first put the RA device into bootloader mode and attempt to mass erase the device via the Initialize command. This is useful if the target device has already had its TrustZone boundaries set or is in a secure state (Non-Secure Debug or Deployed state). After the mass erase, the device will once again become reprogrammable. If the device is a blank one, it is not necessary to initialize it.
After this, a programming image script will run to program the main flash array via the debug mode of the part. The flash can be programmed with multiple binaries, verified, and tests can be run at an extremely high data rate (75 Mbit/s). A simple script that erases, programs, and verifies a "Blinky" application that was developed in e2Studio looks like this:
Sample "Blinky" Programming Script
Finally, the bootloader is re-entered if the user specifies that the Device Lifecycle or TrustZone memory boundaries should be set.
The Device Lifecycle is used to protect the device from external debug/bootloader memory read access as well as to restrict access to certain code running inside the device if TrustZone boundaries are set. The Device Lifecycle is commonly set to the Deployed (DPL) state during production as it prevents external access to memory without mass erasing the device first.
Injecting SECDBG/NONSECDBG keys during programming provides a mechanism for the user to securely revert the device to a less secure DLM state in the future. For example, when the target device DLM state is set to the Deployed (DPL) state during programming, debug access to the device is disabled. Without special key access, the only way to re-enable debug access to the device would be to Initialize (Erase) it, if that function was left active. However, if an encrypted NONSECDBG key was specified (injected) as part of the programming settings, the Authentication Code in the user's NONSECDBG key can be entered into the Renesas RFP utility and the DLM state reverted to NONSECDBG, allowing debug in that state without erasing it. Similarly, the SECDBG key Authentication Code can be used to securely revert the DLM state to SECDBG without erasing it. If Initialization has been disabled in the settings, these keys are the only way to revert the DLM state to a point where the device would become accessible again via debug.
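The lifecycle rules from the DLM overview above and the Cyclone programming flow with its key-gated regression, as an added Python model that is not PEmicro's or Renesas' code. The states (SSD, NSECSD, DPL), the forward-only transitions, the Initialize command returning the device to SSD unless disabled, and the NONSECDBG/SECDBG keys authorizing regression are taken from the post; the ProductionImage and Device classes, the cyclone_program and audit_image helpers, the "all / non-secure region only / none" access summary, and every key value are constructed for illustration. On real hardware these rules are enforced by the MCU's lifecycle logic and bootloader, not by host-side code; the point of the model is to make the recovery paths (or their absence) explicit before a production image is built.

```python
"""Toy model of the Renesas RA DLM transitions described in the post (constructed example)."""
from dataclasses import dataclass, field
import hmac

# Lifecycle states named in the post; ORDER gives the "more secure" direction.
SSD, NSECSD, DPL = "SSD", "NSECSD", "DPL"
ORDER = {SSD: 0, NSECSD: 1, DPL: 2}

# Injected key that authorizes regressing *to* each less secure state (per the post).
REGRESSION_KEY = {NSECSD: "NONSECDBG", SSD: "SECDBG"}


@dataclass
class ProductionImage:
    """Subset of SAP image settings from the post: (A) initialize/disable, (B) state, (C) DLM keys."""
    initialize: bool = True                   # (A) mass erase before programming
    disable_init: bool = False                # (A) disable the Initialize command afterwards
    lifecycle: str = DPL                      # (B) DLM state to leave the device in
    keys: dict = field(default_factory=dict)  # (C) DLM key name -> authentication code (constructed)


@dataclass
class Device:
    """Toy RA device: current DLM state, injected keys, and whether Initialize still works."""
    state: str = SSD
    init_enabled: bool = True
    programmed: bool = False
    keys: dict = field(default_factory=dict)

    def initialize(self) -> None:
        """Initialize command: mass erase, which returns the device to SSD unless disabled."""
        if not self.init_enabled:
            raise PermissionError("Initialize command has been disabled on this device")
        self.programmed = False
        self.state = SSD

    def advance(self, target: str) -> None:
        """Move to an equal or more secure state; no key is needed in this direction."""
        if ORDER[target] < ORDER[self.state]:
            raise PermissionError(f"{self.state} -> {target} is a regression; use regress()")
        self.state = target

    def regress(self, target: str, auth_code: str) -> None:
        """Revert to a less secure state using the injected key's authentication code."""
        if ORDER[target] >= ORDER[self.state]:
            raise ValueError(f"{self.state} -> {target} is not a regression")
        key_name = REGRESSION_KEY[target]
        stored = self.keys.get(key_name)
        # Constant-time compare; a key that was never injected means no regression path at all.
        if stored is None or not hmac.compare_digest(stored, auth_code):
            raise PermissionError(f"{key_name} authentication failed; state stays {self.state}")
        self.state = target

    def external_access(self) -> str:
        """What external debug/bootloader access can read in the current state (summary)."""
        return {SSD: "all", NSECSD: "non-secure region only", DPL: "none"}[self.state]


def audit_image(image: ProductionImage) -> list:
    """Flag image settings that leave no external way back to a debuggable or erasable device."""
    warnings = []
    if image.lifecycle != SSD and image.disable_init and not image.keys:
        warnings.append("initialization disabled and no DLM key injected: "
                        "device cannot be reverted or erased externally")
    if image.disable_init:
        warnings.append("Initialize disabled: future reprogramming needs on-device support")
    return warnings


def cyclone_program(dev: Device, image: ProductionImage) -> Device:
    """Emulate the programming flow: optional initialize, program flash, inject keys, set DLM state."""
    if image.initialize:
        dev.initialize()
    # Toy simplification: flash is only programmed via debug from SSD in this model.
    if dev.state != SSD:
        raise PermissionError(f"device is in {dev.state}; initialize it before programming")
    dev.programmed = True
    dev.keys.update(image.keys)
    dev.advance(image.lifecycle)
    if image.disable_init:
        dev.init_enabled = False
    return dev


if __name__ == "__main__":
    image = ProductionImage(keys={"NONSECDBG": "nsd-constructed", "SECDBG": "sd-constructed"})
    for w in audit_image(image):
        print("warning:", w)
    dev = cyclone_program(Device(), image)
    print(dev.state, "external access:", dev.external_access())
    dev.regress(NSECSD, "nsd-constructed")
    print(dev.state, "external access:", dev.external_access())
```

Running the script walks a blank device through the same sequence the post describes: erase, program, inject both keys, move to DPL, then use the NONSECDBG authentication code to regress to NSECSD without an erase. Changing the image to disable_init=True with an empty keys dictionary makes audit_image report the configuration the post warns against.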
Boundary settings are set when an application has both secure and non-secure portions. These boundaries specify what sections of code flash, data flash, and SRAM will be accessible to non-secure code running on the part. To make it simple to configure programming the correct TrustZone memory boundaries, there is an "Import Boundaries from RDP File" button on the options page that can import the boundaries from an application developed in e2Studio (by selecting the application's RDP file). Here is an image of the boundaries after importing the .RDP file from the same Blinky example that is being programmed in the script above:
Import Boundary Settings
One of the last parts of the programming process is the option to run the programmed user application seamlessly after programming. There is a checkbox "Start running device after programming" that will enable a reset after the programming process is complete.
User Key Settings provide options for the user to program "User Keys" during programming (for authenticity, confidentiality, and integrity checking operations). Renesas MCUs provide numerous security engines which can work with these keys.
User Key Example With Image Creation
PEmicro allows users to set multiple user keys to be programmed at different addresses in the "User Key Settings" section of the "Renesas Flash Options" tab. User Keys can be added and removed; however, two user keys cannot be added at the same address.
Confirming DLM State on the Cyclone FX
As part of Cyclone FX programming operations, the most recently programmed DLM/TrustZone state is recorded in the logs. This can be useful when first configuring and testing SAP images to program desired binaries, DLM state, and boundaries. It lets the user confirm that the device's security settings were set as expected (though the Cyclone would yield an error regardless if they didn't match the image settings). To see the values on the Cyclone touchscreen (or within the Remote Display tab of Cyclone Control GUI) the user would first select the “Menu” button, followed by the “Status”, “Show Logs” and “Show Last DLM State Log” options. The screen should look similar to the figure below, showing the DLM/TrustZone boundary settings that were read directly from the Renesas RA MCU after programming.
DLM State Display Log
The Cyclone FX is an extremely easy-to-use, flexible, and powerful high speed production programmer perfectly suited to programming Renesas RA devices with advanced features such as DLM and TrustZone.
In addition to production programming tools, PEmicro probes can be used with e2Studio during the development process (see "PEMicro Supports Debugging with Renesas' e² studio IDE").
Once the user is satisfied with their Image Script and DLM/TrustZone settings, the user would build a Stand Alone Programming Image (SAP). A single click in the Image Creation Utility generates this stand alone programming image, which is a single file containing all the information necessary to program the device. The SAP image can be fully encrypted (an eSAP Image) so that it can only be used on Cyclone FX programmers that have been provisioned with the appropriate key(s).
Encrypted SAP Image
This Programming Image is what is deployed into manufacturing to be programmed via Cyclone FX programmers. Cyclone FX programmers come with an extensive set of automation software which allows the loading of images to the Cyclone as well as automated control.
In addition to stand-alone Programming Images, the user can also create cloud-connected Programming Jobs. A Programming Job is similar to a Programming Image with the exception that it, through the Cyclone, maintains a connection to the customer's Virtual Factory in the PEcloud during execution. Whenever programming occurs, permission is first requested from the user's Virtual Factory. This allows the user to disable programming of the Job at any time, anywhere in the world, restrict the job by programming count or to specific Cyclones, and also see a full log of all programming iterations completed across all Cyclone Programmers. The Programming Jobs can also be automatically delivered to Cyclones anywhere in the world.
Users should feel free to contact PEmicro with any questions regarding Renesas DLM features with PEmicro products.