Home
Login / Signup
 di 

Secure Design Using a Microcontroller (I)

microcontroller lpc arm

System Reset and State Restore

The microcontroller is widely used in many devices, which works in environment. The microcontroller has to face the challenges from EMI, voltage stability, crystal failure and much other interference. If the interferences are strong enough to disturb the operation, the system design should be secure enough to deal with these matters, one good practice is to reset and go on with previous normal operation state . However, a simple reset is not enough at all. I will demonstrate the basic principle for the system reset and state restore. Please keep in mind that the terminologies used in this article may come from different microcontrollers.



A simple project does not put emphasis on state consistency and data integrity. For example, the consumer does matter if his/her TV is being switched off and switched on again, provided the TV can recall last selected chanel. But system reset and state restore are very critical for machines involved in complicated processes and insecure environments. Surgery robot or a missile can not be simply reset. If these devices were only reset, running the whole process from the very beginning of the code, would be a disaster. A Mars probe failed to operate because the proper state could not be restored soon after a remote download and reset.


Additionally, different reset sources may bring the system to extra working modes due to ageing, manufacturing, maintenance, and firmware upgrade. Usually these modes are stored in user EEPROM with combinations of reset source register.


After all, the system designer or architect, has to

  1. Use the system interrupts and reset vectors carefully to prevent all foreseeable interferences, or for any extra working modes besides to normal working;
  2. Make the software track the reset source and try to restore the state/context prior to the reset, to help the whole system going back to normal state and carry on.



Herein the context is referred to the critical registers, including SP (Stack Pointes), PC (Program Counters), working registers and application critical memory space. It is a system design approach, which involves both hardware and software design.


Software Design


Available reset sources are different. In general, the sources are : external, power on, watchdog, low-voltage brownout, software. Other optional reset sources are illegal instruction op code, acces to an illegal memory address and UART break character detection. The first two sources are available in 68HCxx, and last one is in P89LPC9XX. All of these allow more secured devices if the designer can leverage it properly.


To support this feature, a reset handler is placed prior to the system main loop. In this routine, the software should read the RSTSRC, restore context or write default value to the critical variables and registers according to the reset source. And then it jumps to the main loop. The reset handler design is obviously related to the system requirements. Here are a few samples.


Following reset, the P89LPC9xx will fetch instructions from either address 0000h or the Boot address. The Boot address is formed by using the Boot Vector as the high byte of the address and the low byte of the address = 00h. The Boot address will be used if a UART break reset occurs or the non-volatile Boot Status bit (BOOTSTAT.0) = 1, or the device has been forced into ISP mode. Otherwise, instructions will be fetched from address 0000H. It is clear that UART break character detection reset is designed for ISP firmware upgrade. This bit is cleared by software or power-on reset, which means in a hot reset (not a power-on reset), the reset handler can read some critical context variables and judge if it is necessary to load them to previous state.


If the reset source is LVR, low voltage reset, or BOR, brown-out reset, you can run the software from where it was interrupted if it is not a total power failure. The LVR/BOR usually is bonded to brown-out interrupt. In the interrupt service routine, you can save the context to EEPROM or a secured RAM, and then switch the whole system into power down mode. If the system can recover from power down mode by interrupt, it can restore the context and then jump out after RETI instruction. If the system got reset, the microcontroller usually will switch on both POR and LVR/BOR flags, you can simply ignore the LVR/BOR and consider it as power on reset. Because switching off the system will trigger the brown-out detection anyway, but the difference is that the brown-out flag will be cleared if the voltage raise to a normal level in a given period, but the power off will switch off the power supply for whole system. Some microcontrollers can support low voltage operation even in the BOR range, in that case, brownout should be disabled, otherwise continuous brownout reset may prevent the device from operating. Attention: In NXP's P89LPCxxx, there is a very complex combination in power down mode, brown-out interrupt, brown-out reset, power on reset and voltage operation modes, which means the designer should read and understand carefully.


The watchdog timer subsystem protects the system from incorrect code execution by causing a system reset when it underflows as a result of a failure of software to feed the timer prior to the timer reaching its terminal count. In general watchdog timer reset means the designer should review its software design for invalid instruction and hardware design for crystal failure and strong EMC/EMI issues. Sometimes the watchdog timer can be used as a general timer, the designer can use this feature to setup a countdown timer reset/interrupt for the application specific purposes.


The software reset is set by software, resets the whole chip as if a hardware reset occurs. As software reset equals to a hardware reset influencing only different flags, which can be used to judge whether the reset is a hot reset or a cold reset. The software can use this flag to judge if some critical external ICs and devices should be reset or not. The software reset can also be used in software trap to capture the illegal instruction op code or illegal memory address access in the code.


Sometimes interrupt and reset sources could be confusing. Actually it is quite simple to consider reset as a special interrupt, which will restore some registers including PC, SP and SFR with default values, and with a special 'interrupt handler vector' on 0x0000. Of course, the designer must read the user manual carefully to configure the chip either to an interrupt or a reset accordingly.


Hardware Consideration

reset of 8051In order to let the system to have enough response time to store the context to a memory module, especially in low voltage brownout reset, the circuit should offer enough power during this critical period. The simplest way is adding a big capacitor to the Vcc of the microcontroller, and connecting a protection diode between power supply and Vcc to make sure the capacitor only offer power for the microcontroller and memory module. The sample circuit is shown as attached diagram. The power from the capacitor is enough for a microcontroller to store the context.


If the reset sources are software reset, watchdog reset, memory address access and instruction reset, or external reset (usually reset by users), it is better to load the context from a permanent storage module, valid the data and work on. Additionally, it is better to track the reset record to analyze the occurrence of every type of reset to find the root cause of the reset and remove it. For example, watchdog reset means the oscillator part of system requires improvement or software structure optimization; illegal memory address access and illegal opcode reset mean too much EMI issues in PCB design or a fault error in software design. All of these analyses are based upon specific microcontroller, hardware and software design requirement. The state restore is a protective solution, the system designer should implement it into system while reducing the reset occurrence.


It is good to use new parts in new design. However it is possible to use this circuit to emulate a reset register for a legacy 80C51, which offers limited reset source judgment. The basic implementation is triggering external reset pins by all other reset sources and storing the reset sources in a byte in a DATA area. Since power on reset will clear all internal DATA area, while external reset does not, we can use this feature to tell power on reset from external reset (and all other sources) and a software reset. We may cover this topic in detail in a later blog if any reader happens to be interested in it.

References




These pages of Frequently Asked Questions contain information on approaches to achieve functional safety. Much of the material relates to IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 is an international standard, it will not cover in detail for system reset, but it is good to know and enforce the safety design in all the safety critical electronics device projects.

 

 



NXP's P89LPC954 is a member of its 8051 based Low Pin Count microcontroller. It is a highly configurable flash microcontroller. The user manual is here.

 

 

 

 


Secure Design Using a Microcontroller (II)

Secure Design Using a Microcontroller (III)

Microcontroller

Hello,

I had some trouble handling the MCs. Later i started using Cypress products, which eased my tensions. I could not only learn how to do it, but am also slowly trying to master it. We can even get documents, softwares, Kits...

Give it a try n solve many of ur problems. Find it at http://www.cypress.com/

Totally committed to cypress?

Are U totally committed to cypress ? Or are U open to other sources......

You are right! CYPRESS

You are right!

CYPRESS PERFORMS

Cypress is a good product anyway

The blog is entitled as secure microcontroller design. I tried to emphasis on the methods to make sure more secured and more safe design. I have a Cypress kit. It is really an easy entry level tool which reduces the learning curve for a new microcontroller. I don't want to switch between too many different microcontrollers. But Cypress' kit gains my attention anyway.

The advantages of Cypress are its development environment. It is a fully visualized IDE. The developer can drag component and reduce the coding effort. And its crossbar design also very flexible. It is a very secured design. It is very hard to break and steal the code. However the safety critical application still relies on the system design, rather than the microcontroller architecture.

Cypress is a good product

Cypress is a good product but the visualized IDEs are the problem. I use PSOC express and I think that working with an ide is very easy but this may compromise security. This is not happening in assembler. The assembler is the only language that allows the full control of the machine.

I agree. Each language

I agree. Each language different from assembler can create problems with security of code. We must never forget that between Programmers and Microcontrollers there's a third part, which often we don't know in depth.

Who's online

There are currently 0 users and 16 guests online.

Recent comments