
[STM32L1][bootloader] Memory protection

by 낭만테라스 2018. 7. 13.

Flash code protection


The STM32 microcontroller family is provided with the following code protection features:

1. Global Read-out Protection (RDP)

2. Write protection

3. Proprietary Code Read Out Protection (PCROP)



1. Global Read Out Protection (RDP)

The user area of the Flash memory module (data and program) can be protected against read operations. Three read protection levels are defined:



Level 0: no read protection

When the read protection level is set to Level 0 by writing 0xAA to the read protection option byte (RDP), all read/write operations (if no write protection is set) from/to the Flash memory module or the backup SRAM are possible in all boot configurations (debug, boot from RAM or system memory selected).


Level 1: memory read protection enabled

This is the default read protection level after option byte erase. Read protection Level 1 is activated by writing any value (except for 0xAA and 0xCC, used to set Level 0 and Level 2, respectively) to the RDP option byte.

When read protection Level 1 is set:

– No Flash memory module access (read, erase, program) is performed while the debug features are connected or boot from RAM or system memory is selected. A bus error (Cortex®-M3 hardfault or Busfault) is generated in case of a Flash memory read request. All operations are possible when Flash user boot is used.

– Programming the protection option byte to lower protection causes the Flash memory module and the backup registers (in RTC) to be mass-erased. That is, the user code contents are cleared before the read protection is removed.

Note: When Level 1 is active and Level 0 is requested, the following steps are executed:

– Mass Erase is generated (the RDP byte is erased (0x0), Level 1 is still active, and no more code can be executed).

– If the OBL Launch is set or a Power On Reset (POR) is generated, the new RDP byte (0xAA) is loaded and Level 0 is active.


Level 2: memory read protection enabled and all debug features disabled


When RDP protection is set to Level 1, debug tools can still be connected and can access all the volatile resources of the MCU (RAM and registers). These tools are used to check the part and/or system by loading some test code to the RAM.

Also, Level 1 protection allows a programmed part to be recovered by erasing the entire Flash content. This is done by re-programming the RDP option byte from Level 1 to Level 0 (see Figure 1).

On the other hand, Level 2 protection is irreversible (fuse). Once the RDP is set to Level 2, the RDP option byte and all the other option bytes are frozen and can no longer be modified.



Flash memory module protection according to RDP and its complement 



2. Write protection

The Write protection is applied per Flash area (sector) and protects the content of the specified sectors against code update or erase.

One option bit is used to activate the write protection for each Flash sector. When the Write protection is set for sector i (option bit nWRPi = 0), this sector cannot be erased or programmed.
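The RDP byte values and level-change rules from section 1, combined with the nWRPi rule above, as an added example that is not from the original post or from ST's documentation. All function and enum names are hypothetical; it assumes the nWRP bits for sectors 0 to 31 are packed into one 32-bit word and that SPRMOD is not set.

```c
#include <stdbool.h>
#include <stdint.h>

typedef enum { RDP_LEVEL0, RDP_LEVEL1, RDP_LEVEL2 } rdp_level_t;

/* Hypothetical outcome names for a requested RDP option byte change. */
typedef enum {
    RDP_NO_CHANGE,    /* requested byte maps to the current level */
    RDP_RAISED,       /* Level 0 -> Level 1, still reversible */
    RDP_RAISED_FINAL, /* Level 2 requested: irreversible */
    RDP_MASS_ERASE,   /* Level 1 -> Level 0: Flash and backup registers erased */
    RDP_FROZEN        /* already Level 2: option bytes cannot be modified */
} rdp_outcome_t;

/* 0xAA -> Level 0, 0xCC -> Level 2, anything else (erased 0x00 too) -> Level 1. */
rdp_level_t rdp_level_from_byte(uint8_t rdp)
{
    if (rdp == 0xAAu) return RDP_LEVEL0;
    if (rdp == 0xCCu) return RDP_LEVEL2;
    return RDP_LEVEL1;
}

/* What happens when `requested` is programmed while `current` is loaded. */
rdp_outcome_t rdp_request(uint8_t current, uint8_t requested)
{
    rdp_level_t from = rdp_level_from_byte(current);
    rdp_level_t to = rdp_level_from_byte(requested);

    if (from == RDP_LEVEL2) return RDP_FROZEN;
    if (to == from) return RDP_NO_CHANGE;
    if (to == RDP_LEVEL2) return RDP_RAISED_FINAL;
    if (to > from) return RDP_RAISED;
    return RDP_MASS_ERASE; /* only Level 1 -> Level 0 reaches this line */
}

/* Sector i is write protected when option bit nWRPi is 0 (assumed layout). */
bool sector_write_protected(uint32_t nwrp_bits, unsigned sector)
{
    return sector < 32u && ((nwrp_bits >> sector) & 1u) == 0u;
}

/* Release gate: read protection is on and every sector in boot_mask is locked. */
bool release_config_ok(uint8_t rdp, uint32_t nwrp_bits, uint32_t boot_mask)
{
    return rdp_level_from_byte(rdp) != RDP_LEVEL0 &&
           (nwrp_bits & boot_mask) == 0u;
}
```

A production script can feed the option byte values read back from the part into `release_config_ok` before a unit ships, with `boot_mask` marking the sectors that hold the bootloader.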


3. Proprietary Code Read Out Protection

The Proprietary Code Read Out Protection (PCROP) is an alternative protection, also applied per sector, that protects specific code (intellectual property) against attacks.


The PCROP sector is selected by using the same option bytes as the Write protection. As a result, these two options are mutually exclusive. However, the sectors protected against reading (PCROP) are also protected against writing/erasing. Therefore, the PCROP may be considered a superset of the sector write protection.

In order to activate the PCROP (change the function of the nWRP option bits), the SPRMOD option bit must be activated. This operation is irreversible.

Also, in PCROP mode, a sector that was set to be read-protected cannot be reset to the unprotected state. As a result, new sectors may be added to the read-protected area (when RDP is set to Level 0 or 1), but the protected ones cannot be unprotected, erased, or modified.


en.CD00240193(RM0038-ReferenceManual).pdf

* en.DM00075930(Proprietary Code Read Out Protection).pdf




