SLAAE29A January   2023  – December 2025 MSPM0C1105 , MSPM0C1106 , MSPM0G1105 , MSPM0G1106 , MSPM0G1107 , MSPM0G1505 , MSPM0G1506 , MSPM0G1507 , MSPM0G1518 , MSPM0G1519 , MSPM0G3105 , MSPM0G3106 , MSPM0G3106-Q1 , MSPM0G3107 , MSPM0G3107-Q1 , MSPM0G3505 , MSPM0G3506 , MSPM0G3506-Q1 , MSPM0G3507 , MSPM0G3507-Q1 , MSPM0G3518 , MSPM0G3518-Q1 , MSPM0G3519 , MSPM0G3519-Q1 , MSPM0L1105 , MSPM0L1106 , MSPM0L1227 , MSPM0L1227-Q1 , MSPM0L1228 , MSPM0L1228-Q1 , MSPM0L1303 , MSPM0L1304 , MSPM0L1304-Q1 , MSPM0L1305 , MSPM0L1305-Q1 , MSPM0L1306 , MSPM0L1306-Q1 , MSPM0L1343 , MSPM0L1344 , MSPM0L1345 , MSPM0L1346 , MSPM0L2227 , MSPM0L2227-Q1 , MSPM0L2228 , MSPM0L2228-Q1

 

  1.   1
  2.   Abstract
  3.   Trademarks
  4. 1Introduction
    1. 1.1 Key Concepts
    2. 1.2 Goals of Cybersecurity
    3. 1.3 Platform Security Enablers
  5. 2Device Security Model
    1. 2.1 Device Identity
    2. 2.2 Initial Conditions at Boot
    3. 2.3 Boot Configuration Routine (BCR)
    4. 2.4 Bootstrap Loader (BSL)
    5. 2.5 Boot Flow
    6. 2.6 User-Specified Security Policies
      1. 2.6.1 Boot Configuration Routine (BCR) Policies
        1. 2.6.1.1 Serial Wire Debug Related Policies
          1. 2.6.1.1.1 SWD Security Level 0
          2. 2.6.1.1.2 SWD Security Level 1
          3. 2.6.1.1.3 SWD Security Level 2
        2. 2.6.1.2 Bootstrap Loader (BSL) Enable/Disable Policy
        3. 2.6.1.3 Flash Memory Protection and Integrity Related Policies
          1. 2.6.1.3.1 Locking the Application (MAIN) Flash Memory
          2. 2.6.1.3.2 Locking the Configuration (NONMAIN) Flash Memory
          3. 2.6.1.3.3 Verifying Integrity of Application (MAIN) Flash Memory
        4. 2.6.1.4 Bootstrap Loader (BSL) Security Policies
          1. 2.6.1.4.1 BSL Access Password
          2. 2.6.1.4.2 BSL Read-out Policy
          3. 2.6.1.4.3 BSL Security Alert Policy
      2. 2.6.2 Customer Secure Code (CSC) Security Policies
        1. 2.6.2.1 CSC Enforced Bankswap
        2. 2.6.2.2 CSC Enforced Firewalls
        3. 2.6.2.3 CSC Key Write to KEYSTORE
      3. 2.6.3 Configuration Data Error Resistance
        1. 2.6.3.1 CRC-Backed Configuration Data
        2. 2.6.3.2 16-bit Pattern Match for Critical Fields
  6. 3Secure Boot
    1. 3.1 Secure Processing Environment Isolation
    2. 3.2 Customer Secure Code (CSC)
      1. 3.2.1 Secure Boot Flow
      2. 3.2.2 Flash Memory Map
      3. 3.2.3 Features
        1. 3.2.3.1 CMAC Acceleration
        2. 3.2.3.2 Asymmetric Verification
        3. 3.2.3.3 KEYSTORE and Firewall
        4. 3.2.3.4 CSC Performance
      4. 3.2.4 Quick Start Guide
        1. 3.2.4.1 Environment Setup
        2. 3.2.4.2 Step by Step Guidance
        3. 3.2.4.3 CSC NONMAIN Configuration
        4. 3.2.4.4 Customize Changes on CSC Example
    3. 3.3 Boot Image Manager (BIM)
      1. 3.3.1 Secure Boot Flow
      2. 3.3.2 Flash Memory Map
      3. 3.3.3 Quick Start Guide
  7. 4Secure Storage
    1. 4.1 Flash Write Protection
    2. 4.2 Flash Read-Execute Protection
    3. 4.3 Flash IP Protection
    4. 4.4 Data Bank Protection
    5. 4.5 Secure Key Storage
    6. 4.6 SRAM Protection
    7. 4.7 Hardware Monotonic Counter
  8. 5Cryptographic Acceleration
    1. 5.1 Hardware AES Acceleration
      1. 5.1.1 AES
      2. 5.1.2 AESADV
    2. 5.2 Hardware True Random Number Generator (TRNG)
  9. 6FAQ
  10. 7Summary
  11. 8References
  12. 9Revision History

3.2 Customer Secure Code (CSC)

Customer Secure Code (CSC) is a secure boot solution for MSPM0 devices with hardware isolation mechanism (INITDONE). Figure 3-1illustrates the CSC boot and startup sequence. At BOOTRST, TI ROM boot-code execution commences. After successful boot, boot code issues BOOTDONE. At this point, SYSCTL issues a SYSRST to the device to trigger execution from MAIN flash memory. A MAIN flash program always starts from physical address 0x0004 vector (Reset Handler) after boot code is finished. Depending on the CSCEXISTS configuration in NONMAIN flash BCR, there are two execution flow after BOOTDONE:

  • CSCEXISTS set: a CSC boot sequence is enabled and MAIN flash program starts with INITDONE in clear state. Users need to place the CSC firmware(MSPM0 SDK CSC example) into MAIN flash 0x0000 address in this case. The CSC firmware need to be static write protected by NONMAIN BCR configuration.
  • CSCEXISTS clear: CSC boot sequence is not allowed and MAIN flash program starts with INITDONE in set state. Any security related policy is not configurable and users need to place the application firmware into MAIN flash 0x0000 address in this case.
Note:

A MAIN flash program always starts from physical address 0x0004 after BOOTDONE. As bank swap policy is reset during BOOTRST, so the MAIN flash program always starts without bank swap after BOOTDONE. Bank swap only takes effects after INITDONE when both CSCEXISTS and FLASHBANKSWAPPOLICY enabled in NONMAIN configuration.

For the CSC existing case, CSC is responsible for determining execution bank, memory region protections, secure key initialization into the KEYSTORE, take application program integrity and authenticity verification etc. The device is working in a privileged state with permission configuring those security policies. The INITDONE is issued (by writing to SYSCTL.SECCFG.INITDONE, see device specific technical reference manual for the register definition) at the end of CSC, then SYSCTL issues a second SYSRST and all the security policies listed below take effect during INITDONE and cab not be modified until next BOOTRST:

  • Firewall protection policy
  • Bank swap policy
  • Keystore protection

After INITDONE, the device becomes in unprivileged state, and starts execution from address 0x0004 of MAIN flash again, and the CSC executes a second time. This time, the CSC finds that INITDONE has already been issued previously (this is determined by reading the SYSCTL.SECCFG.SECSTATUS.INITDONE bit) and directly jumps to the main application. See Figure 3-2 for the CSC execution flow in privileged state (pre-INITDONE) and unprivileged state (post-INITDONE).

For more details on boot and startup sequence, see SECURITY chapter of MSPM0 G-Series 80-MHz Microcontrollers Technical Reference Manual (Rev. C).


CSC Boot and Startup Sequence

Figure 3-1 CSC Boot and Startup Sequence

CSC Execution Overview

Figure 3-2 CSC Execution Overview