Introduction

During the production of an electronic product, it is desirable to protect the memory against reading after the firmware (binary) has been flashed to the microcontroller. This ensures that the firmware is not accessible to competitors and/or malicious hackers.

To protect the memory of Renesas RA family microcontrollers, specifically those with an Arm Cortex-M33 core, it is necessary to use Device Lifecycle Management (DLM). Both the debug capability and the serial programming interface depend on its configuration [1]. The Device Lifecycle states are shown below [2]:

Device Lifecycle States

The transitions from one state to another are described below:

Device Lifecycle State Transitions

Note that reverse transitions are possible, such as going from the DPL (Deployed) state, in which the memory is protected against reading, back to the SSD (Secure Software Development) state, in which the memory can be read, via a key authentication process [3] [4]. If you have not performed the key authentication process, it is still possible to recover write and read access (reversing the transition), but all MCU memory will be erased, thus protecting the program content.

Example

The following step-by-step guide shows how to flash an example firmware and protect the memory without key injection. To do this, we will use Renesas Flash Programmer to:

  • Flash the example firmware
  • Verify that it is possible to read the flashed firmware
  • Make the transition from SSD to NSECSD and then to DPL
  • Verify memory protection
  • Revert to the SSD state and verify that the memory has been erased

Flash the example firmware

Follow the steps in the article Getting Started with Renesas Flash Programmer to write the example firmware that flashes the LEDs on the EK-RA4M2 evaluation kit for RA4M2 MCUs.

Verify that it is possible to read the flashed firmware

Follow the steps in the article How to Read Microcontroller Memory with Renesas Flash Programmer to read the flashed firmware.

Make the transition from SSD to NSECSD and then to DPL

Go to Target Device » Read Device Information, and verify that the microcontroller is in the initial state SSD (or CM).

RFP Read Device Information SSD

RFP Device SSD

Go to Target Device » DLM Transition..., and choose NSECSD.

RFP DLM Transition

RFP DLM Transition to NSECSD

Use Read Device Information again to confirm that the device is now in the NSECSD state:

RFP Device NSECSD

Following the same process, go to Target Device » DLM Transition..., and now choose DPL. Then verify the new state with Read Device Information:

RFP Device DPL

Verify Memory Protection

Although it is still possible to read general device information with Read Device Information, it is no longer possible to read the flashed firmware. As before, go to Target Device » Read Memory... and try to read the first 8KB (0x2000) of the Code Flash. As expected, the read fails:

RFP Read Memory Fail

Error(E100000E): A protection error occurred in the device. (Command: 15, Response: D5)
Operation failed
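On a production line, the same read-back check can be scripted as a pass/fail gate for each unit. The following is an added example, not part of the original article or of Renesas tooling: it assumes the RFP log text and any read-back data have already been captured, and the function names and the dump parameter are hypothetical. A unit passes only when the log shows the protection error E100000E, so a cable or power failure is never mistaken for protection.

```python
import re

# Error-line layout and the code E100000E come from the RFP output quoted above.
ERROR_RE = re.compile(
    r"Error\((?P<code>E[0-9A-F]{7})\):\s*(?P<msg>.*?)"
    r"(?:\s*\(Command:\s*(?P<cmd>[0-9A-F]{2}),\s*Response:\s*(?P<resp>[0-9A-F]{2})\))?\s*$"
)
PROTECTION_ERROR = "E100000E"


def parse_errors(log_text):
    """Return one dict per RFP error line found in the log."""
    errors = []
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.groupdict())
    return errors


def classify_readback(log_text, dump=None):
    """Classify a Read Memory attempt made after the DPL transition.

    dump is whatever the read produced (bytes), or None if nothing was saved.
    """
    if dump:  # any returned byte means the flash is still readable
        return "READABLE"
    codes = {e["code"] for e in parse_errors(log_text)}
    if codes == {PROTECTION_ERROR}:
        return "PROTECTED"
    # No error, or a different one (cable, power, wrong device): proves nothing.
    return "INCONCLUSIVE"


def unit_passes(log_text, dump=None):
    """Fail closed: only an explicit protection error passes the unit."""
    return classify_readback(log_text, dump) == "PROTECTED"


# Sample 1 is the output shown on this page; samples 2 and 3 are constructed.
LOG_PROTECTED = (
    "Error(E100000E): A protection error occurred in the device. "
    "(Command: 15, Response: D5)\nOperation failed\n"
)
LOG_OTHER_FAILURE = "Error(EFFFFFFF): constructed placeholder, not a real RFP code\n"
LOG_EMPTY = ""

if __name__ == "__main__":
    for log, dump in ((LOG_PROTECTED, None), (LOG_OTHER_FAILURE, None), (LOG_EMPTY, b"\x00\x20")):
        print(classify_readback(log, dump))
```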

Revert to the SSD state and verify that the memory was erased

Since we did not set up the key authentication process, to return to the initial SSD state, it is necessary to go to Target Device » Initialize Device:

RFP Initialize Device

After this process, the LEDs stop flashing, indicating that the device memory has been erased. A final Read Device Information confirms that the device has returned to the SSD state and can be programmed again.

RFP Device SSD

References