Skip to Content

dsPIC33A Security Module Peripheral

Last modified by Microchip on 2025/09/19 13:42

Overview

The security module protects the operation of the device and intellectual property from unauthorized access, use, and modification.

Features

  • Secure boot
  • Immutable Root of Trust (IRT)
  • Code Access Protect (Read/Write/Execute/CRC)
  • In-Circuit Serial Programming™ (ICSP™) program/erase disable (Entire Flash OTP by ICSP Write Inhibit)
  • Firmware IP protection
  • Flash write protection
  • Flash OTP
  • Flash code partitioning
High-Level Block Diagram

High-Level Block Diagram

Back to Top

Peripheral Architecture

Types of Protection Regions

The security module allows dividing the Flash memory into up to eight protection regions. Each region can be set to a wide number of protection options, restricting different types of access.

  • Each region can be configured to the following types:
    • Firmware configurable region
    • One-Time Programmable (OTP) region
    • Immutable Root of Trust (IRT) region
  • The type of region is selected in configuration bits only
  • Start and end addresses of the regions are aligned by 4 KB

Firmware Configurable Region

The firmware type is selected in configuration bits only and cannot be changed. All other options (start and end addresses and enabling of the region, access restrictions) are selected in both configuration Special Function Registers (SFRs) and bits. After all region configurations are finished in the SFRs, these SFRs can be locked. After that, the region options cannot be modified.

One-Time Programmable (OTP) Region

When this firmware type is selected in the configuration bits, the erase access is disabled automatically. Flash memory is protected by an ECC checksum. Any OTP region word must not be programmed more than once because it may corrupt the ECC checksum. The ECC trap or interrupt may be generated for the read access of the location with a corrupted checksum.

Immutable Root of Trust (IRT) Region

IRT is set up in the configuration memory only. IRT is a region where any access (read, write, execute or CRC) can be restricted by firmware located in IRT-assigned memory. 

Access is disabled when the DONE bit is set in the Immutable Root of Trust (IRT) control (IRTCTRL) SFR AND when an instruction is executed outside the IRT region memory.

IRT can have some access restrictions defined in the configuration bits when it is not locked.

Code Protection for UCA Flash

The User Configuration A (UCA) Flash space is used for storage device configuration bits, which include code-protect and background debugger enable bits. UCA Configuration Words are loaded at Reset. Data read and CRC access to UCA space are permitted in all modes. Execution from UCA space is not permitted. Write permissions are restricted in Mission mode and Debug mode by the UCA Write-Protect WPUCA (UCPROT[2]) bit and/or by the UCA Write-Protect Configuration WPUCA[1:0] (FCP[3:2]) bits.

Subject to other access restrictions, a UCA space may be erased and then programmed in ICSP Programming mode even if the write-protect in configuration bits WFUCA[1:0] (FCP[3:2]) is enabled. The write access to UCA spaces is not allowed if code-protect and/or Entire Flash OTP by ICSP Write Inhibit is enabled. Row programming is not allowed for UCA space. Programming of the write-protect configuration bits, WPUCA[1:0] (FCP[3:2]), prevents UCA updates in Mission mode and Debug mode. In this case, UCA can only be updated in an ICSP Programming mode. The WPUCA (UCPROT[2]) bit may also be programmed by application firmware to enable write protection after the next Reset. UCA is always erased on a chip erase, even when write-protected. A chip erase disables UCA write protection and code protection.

Code Protection for UCB Flash

The User Configuration B (UCB) Flash space stores security and boot configuration bits, including the Flash protection region descriptor configurations. UCB data read and CRC access are permitted in all modes. Execution from UCB space is not permitted. Write permission is restricted in all modes by the UCB Write Protect WPUCB bit (UCPROT[1]). The UCB write protection is enabled after Reset if the FWPUCB Configuration Word is programmed with a value of 0x5B9B12E4. Also, the UCB area can be erase-protected by the EPUCB bit (UCPROT[0]).

The UCB erase protection is enabled after Reset if the FEPUCB Configuration Word is programmed with a value of 0x84C1F396. Write protection disables both programming and erase. Erase protection only disables erase. The UCB write and erase-protect Configuration Words (FWPUCB and FEPUCB) are 32-bit OTP Flash locations that can only be programmed to their specified values (0x5B9B12E4 and 0x84C1F396). Row programming is not allowed for UCB. UCB is erased on a chip erase unless it is either erase-protected when EPUCB (UCPROT[0]) = ‘1’ or write-protected when WPUCB (UCPROT[1]) = ‘1’. If the UCB erase protection Configuration Word is programmed, all programmed UCB Configuration Words are protected from modification. This allows multiple parties to program firmware and data into user program Flash and permanently protect it from modification using IRT or OTP regions.

An aspect of this capability is UCB overwrite protection. UCB overwrite protection ensures Flash Configuration Words in UCB are only programmed once after each UCB page erase. Once any valid Configuration bit in a UCB 128-bit Flash word is programmed to ‘0’, further programming is not allowed for that Flash word without a page erase. UCB overwrite protection is only provided for a word that has been programmed after the next Reset because the overwrite protection is based on the configuration values loaded at Reset.

Once all protection region descriptors and other UCB Configuration Words are programmed, UCB can be permanently write-protected by programming the UCB write-protect FWPUCB Configuration Word. Typically, the UCB write-protect configuration bit should be programmed before a device is deployed in a system design. The UCB Write-Protect bit must be programmed to enable the Entire Flash OTP by ICSP Write Inhibit feature and/or the secure debug. During development or the system production process, the EPUCB (UCPROT[0]) and WPUCB (UCPROT[1]) bits can be set by firmware to provide UCB protection without programming the UCB write or erase-protect Configuration Words.

Back to Top