
STZAN0111EN0100 1

Application Note STZAN0111EN0200

Revision 2.00

October 2019

Getting Started with C-Trust and the SAM L11

Introduction

This application note describes the use of the security development tool C-Trust, an extension of IAR Embedded Workbench, with the Microchip® SAM L10 and SAM L11 Xplained Pro evaluation kit. The Xplained Pro MCU series evaluation kits include an on-board embedded debugger, so external tools are not required to program or debug the microcontroller; however, the IAR Systems I-jet™ debugging probe will be used in this note. The Xplained Pro extension kit offers additional peripherals to extend the features of the board and ease the development of custom security designs.

Target Devices

This application note refers to the following Secure Elements:

• Microchip ATSAML11E16A-AU microcontrollers

Related Documents

• SAM L10/L11 Xplained Pro User Guide (available at Microchip website)
• Embedded Trust/C-Trust User Guide


1. Kit Overview

The Microchip SAM L11 Xplained Pro Evaluation kit is a hardware platform for the evaluation of the Microchip SAM L11 device. The Evaluation kit part number is as follows:

• SAM L11 Xplained Pro: DM320205

The kit offers a set of features that enables the user to get started with the microcontroller peripherals immediately and to obtain an understanding of how to integrate the device in their required design.

This application note is primarily concerned with the SAM L11 device and evaluation kit. Figure 1 shows the features of the SAM L10 Xplained Pro Evaluation Kit which has similar features to the SAM L11 kit.

Figure 1: SAM L10 Xplained Pro Evaluation kit features

Please refer to the Hardware User Guide (section 4) of the SAM L10/L11 Xplained Pro User Guide (see Related Documents) for details of the implementation of connectors and headers on the Xplained Kit.


2. Getting Started

Download and install the following:

• IAR Embedded Workbench for Arm provided by IAR Systems
• C-Trust extension to IAR Embedded Workbench provided by IAR Systems

Refer to the Installation and Licensing Quick Reference Guide available from the IAR Systems website to determine PC system requirements.

Launch C-Trust in IAR Embedded Workbench for Arm. The tool will open as shown in Figure 2.

Figure 2: IAR Embedded Workbench for Arm opening screen

Click on Example Projects -> Embedded Trust -> Getting Started -> SAML11 Open Project (see Figure 3).

Figure 3: Open Getting Started project

An explorer dialog will open asking for the destination folder for the project. Navigate to the folder to be used for the project and click “Select Folder”.


With the folder selected (and additional folder expansion), the IDE will look like that shown in Figure 4.

Figure 4: IAR Embedded Workbench with Getting Started project loaded

Click on the Project tab and select “Create New Project” in the dropdown menu. The dialog box shown in Figure 5 will be displayed. We wish to add security to the Getting Started project we have just loaded, so click on Secure Boot Manager in the “Create New Project” dialog box and click “OK”.

Figure 5: Select Secure Boot Manager in Create New Project dialog box

An explorer dialog will open requiring a filename for the Secure Boot Manager project. Enter the filename to be used into the open dialog box and click “Save”. In this example we have used SBM as the filename.

The IDE will now load the additional Secure Boot Manager project and look like that shown in Figure 6.


Figure 6: IDE with Secure Boot Manager project loaded and active

Please read the Readme.txt file that is displayed in the IDE. This file includes important configuration information for projects that are to have security added, i.e. integrated with a Secure Boot Manager. Please note the optimisation settings required for the SAM L11 due to size limitations of the internal Flash of the device.

2.1 Configuring the Secure Boot Manager

The Secure Boot Manager project must now be configured for the SAM L11. The configuration will be carried out via the Project -> Options… menu provided by the IDE. To access this menu, right-click on the SBM-Debug project and select “Options…” in the dropdown menu (see Figure 7).

Figure 7: Selecting Project -> Options menu


The menu for Options for node “SBM” will open. Select the “General Options” category and click on the “Target” tab. Select the Processor Variant device type as “Microchip ATSAML11E16A”. Select TrustZone with Mode as “Secure”.

Select the “C/C++ Compiler” category and click on the “Optimizations” tab. Select the High -> Size options.

Select the “Debugger” category and select the “CMSIS DAP” Driver.

Select the “Security” category and click the Enable check box. The C-Trust dialog box shown in Figure 8 should be the resultant display.

Figure 8: C-Trust dialog box

We will now create a Security Context for the Secure Boot Manager project. Please refer to the application note Using C-Trust to Configure the Security Context (STZAN0105EN0100) for details of the options available during the configuration of the Security Context.


2.2 Configuring the Security Context

In the Options for node “SBM” -> C-Trust dialog box (see Figure 8) click “New”. The dialog box for “Create New Security Context” will open (see Figure 9).

Figure 9: Basic Setup of Security Context dialog box

There is only one secure template option available to the C-Trust user. Click on the Production Control and IP protection only template. The dialog box for the Basic Setup will open (see Figure 10).

Populate the values, in free text, with the secure context name and context location. Note that the Security Configuration information for Production Control and IP protection only is not required for this template selection. Figure 10 is an example of a completed Basic Setup configuration. Once the correct information has been entered, click “Next”.

Figure 10: Security Settings of Security Context dialog box


The Security Settings configuration dialog box will now be displayed (see Figure 11). There is only one option that requires configuration: whether to enable the reading of the device ID.

Figure 11: Security Settings of Security Context dialog box

The device ID refers to the silicon unique ID that is available from secure microcontrollers. This is a unique number which semiconductor manufacturers burn into the silicon during manufacture. The number is guaranteed to be unique. This number is used by C-Trust to protect the secret provisioned data that is programmed into the device during the provisioning process. This unique number can be used as part of the hash for the provisioned data, ensuring that the data cannot be transferred to another microcontroller. It is recommended that the option Enable device read is selected to enable protection of the provisioned data. Once the option is set, click “Next”.

The Secure Boot Manager Settings dialog box will now be displayed (see Figure 12). For maximum security it is recommended to select Full encryption as the update mechanism. This ensures that your application is fully cryptographically encrypted and signed prior to sending to the target device for software update. The alternative option of Basic signature checking does not encrypt the application but simply hashes the image so that the Secure Boot Manager can check it for in-transit modification. The disadvantage of no encryption is offset by improved boot-up time (no decryption process needed).

Please refer to the application note Using C-Trust to Configure the Security Context (STZAN0105EN0100) for details of the future options available for the Security Context.


Figure 12: Secure Boot Manager Settings dialog box

Click “Create” to allow C-Trust to create the Security Context. A dialog box will open to confirm the use of the profile that has just been created; click “Yes”. The dialog box shown in Figure 13 is an example of the final Security Context created, showing the newly created security context profile (in this example My Security Context_profile-default).

Figure 13: Completed Security Context example

Click “OK” on the dialog box shown in Figure 13.

The IDE will now return to a screen similar to that shown in Figure 6 but with the addition of SBM source and Output folders. Please review the Secure Boot Manager source files. These files are open source and can be modified by the user. If the user is required to make major modifications to the Secure Boot Manager source code, it is recommended that the changes be reviewed by Secure Thingz to ensure security is not compromised.


2.3 Connecting the SAM L11 Xplained Pro Kit

Figure 14 shows the connections available on the SAM L11 Xplained Pro Evaluation Kit. Please connect the Xplained Pro Kit to the PC that is running the C-Trust software via the Debug USB connector shown in Figure 14.

Figure 14: Connections of Xplained Pro Kit

2.3.1 Embedded Debugger

The Xplained Pro contains the Microchip Embedded Debugger (EDBG) for on-board debugging. The EDBG is a complex USB device with three interfaces: a debugger, a virtual COM port, and a data gateway interface (DGI). Together with C-Trust, the EDBG debugger interface can program and debug the microcontroller. On the SAM L11 Xplained Pro, the SWD interface is connected between the EDBG and the microcontroller. The virtual COM port is connected to a UART on the microcontroller and provides a straightforward way to communicate with the target application through terminal software. It offers variable baud rate, parity, and stop bit settings. Note that the settings on the microcontroller must match the settings given in the terminal software.


2.4 Provisioning

Once the Xplained Pro Kit is connected to the PC that is running C-Trust, click on the Security tab and select “Provision” (see Figure 15).

Figure 15: Provisioning the SAM L11

C-Trust will now build the Secure Boot Manager project. Once built, the provisioning process will begin. During the process the device serial number will be read from the SAM L11 that is fitted to the Xplained Kit. The serial number will then be used as part of the hash for the provisioned data block, if enabled (see section 2.2). During provisioning the user will witness the reading of the silicon ID with the display of an activity dialog box that will open temporarily.
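The device-ID binding described in this step and under the Enable device read option in section 2.2 can be sketched as follows. This is an added example, not C-Trust or Secure Boot Manager code: the HMAC-SHA-256 construction, the block layout, the key and both device IDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA-256 output size

# Constructed sample values for the demonstration; not real keys or IDs.
PROVISIONING_KEY = bytes(range(32))
DEVICE_A_ID = bytes.fromhex("0123456789abcdef0123456789abcdef")
DEVICE_B_ID = bytes.fromhex("fedcba9876543210fedcba9876543210")


def _bound_message(device_id: bytes, data: bytes) -> bytes:
    # Length-prefix the ID so the ID/data boundary cannot be shifted.
    return len(device_id).to_bytes(2, "big") + device_id + data


def seal_provisioned_block(data: bytes, device_id: bytes, key: bytes) -> bytes:
    """Host side: append a tag computed over the device ID and the data."""
    tag = hmac.new(key, _bound_message(device_id, data), hashlib.sha256).digest()
    return data + tag


def open_provisioned_block(block: bytes, device_id: bytes,
                           key: bytes) -> Optional[bytes]:
    """Device side: recompute the tag using the ID read from this silicon."""
    if len(block) < TAG_LEN:
        return None
    data, tag = block[:-TAG_LEN], block[-TAG_LEN:]
    expected = hmac.new(key, _bound_message(device_id, data),
                        hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return data if hmac.compare_digest(tag, expected) else None


def clone_demo():
    """Seal for device A, then open on A, on B, and after tampering."""
    secret = b"constructed provisioned secret"
    block = seal_provisioned_block(secret, DEVICE_A_ID, PROVISIONING_KEY)
    tampered = bytes([block[0] ^ 0x01]) + block[1:]
    return (open_provisioned_block(block, DEVICE_A_ID, PROVISIONING_KEY),
            open_provisioned_block(block, DEVICE_B_ID, PROVISIONING_KEY),
            open_provisioned_block(tampered, DEVICE_A_ID, PROVISIONING_KEY))
```

The block opens only with the ID it was sealed for, so a copy of the provisioned data read out of one device does not verify on another.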

Once the provisioning process is complete, it is recommended that the user review both the Debug Log and Build console displays. In order to display all messages, please right-click within the console screens and select “All”.

Figure 16: Build messages

Figure 16 shows the build messages for the example Secure Boot Manager provisioning process. Please note the warning given, which highlights the fact that all the private keys used in the provisioning process are stored on the hard drive of the PC and unprotected. When the application is ready for fully secure production programming, the export function (Security -> Export For Production option – see Figure 15) will be used and secure keys will be generated by the production system security appliance prior to programming.


Now that the Secure Boot Manager has been provisioned into the SAM L11 Xplained Kit, we can create a mastered image for the GettingStarted application and install it into the kit.

2.5 Master the User Application

The focus must now be directed towards the GettingStarted application. Please click the GettingStarted tab at the bottom of the workspace window on the left of the IDE.

Right-click on the GettingStarted filename and select “Options…” in the dropdown menu (see Figure 17).

Figure 17: GettingStarted project Options

The Options for node “GettingStarted” dialog box will open (see Figure 18).

Select the “Security” category. This will open the C-Trust configuration dialog box.

We now must add the Security Context that we created in section 2.2 to the GettingStarted user application. To do this click “Add” (see Figure 18). An explorer window will open. Select the My Security Context_profile-default file and click “Open”.

As we are about to master a new software image it is important to enter a version number. Enter a version number in the format xx.xx.xx and then click “OK” (see Figure 18). (Note that 1.0 or 1 is also a valid input for the version number).

Figure 18: Adding the profile and version number


We are now ready to master the new software image. Click on the “Security” tab and select “Master” (see Figure 19). The GettingStarted application will be built and encrypted ready for delivery to the SAM L11 Xplained Kit.

Figure 19: Mastering the image

Figure 20 shows an example build log during the mastering process. Please note the name of the new encrypted mastered image that is ready for delivery to the device.

Figure 20: Mastering process build message example

2.6 Updating the software

With the software built and mastered we can now download to the SAML11 Xplained kit. To do this simply click on the “Download and Debug” button. The software image will be downloaded to the SAML11 into the software update memory slot. Once this has been flashed into memory the SAML11 will be reset. The Secure Boot Manager will then follow its immutable boot process: it checks the update slot for any new software, sees the new image, verifies its version number against the Security Context policy and, if all is well, decrypts the software and flashes it into user memory. The debugger will then halt at “main”. Figure 21 shows an example of the IDE after this process has completed.
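The boot-time decision described above, as an added sketch that is not the Secure Boot Manager's source. The image header layout, the use of HMAC-SHA-256 in place of the signature, the "strictly newer" version policy and the zero-padding of the short version forms from section 2.5 are assumptions; decryption is left out.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

Version = Tuple[int, int, int]
MAGIC = b"UPD1"                      # constructed marker, not a C-Trust value
HEADER = struct.Struct(">4s3BI")     # magic, version x.y.z, payload length
TAG_LEN = 32


def parse_version(text: str) -> Version:
    """Accept 'xx.xx.xx' and the short forms '1.0' and '1'."""
    parts = text.strip().split(".")
    ok = 1 <= len(parts) <= 3 and all(
        p.isascii() and p.isdigit() and len(p) <= 2 for p in parts)
    if not ok:
        raise ValueError(f"bad version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))  # assumed padding
    return (nums[0], nums[1], nums[2])


def master_image(payload: bytes, version: str, key: bytes) -> bytes:
    """Host side: header + payload, followed by a tag over both."""
    body = HEADER.pack(MAGIC, *parse_version(version), len(payload)) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def check_update_slot(slot: bytes, installed: Version,
                      key: bytes) -> Tuple[str, Optional[bytes]]:
    """Boot side: return (verdict, payload to install or None)."""
    if len(slot) < HEADER.size + TAG_LEN or slot[:4] != MAGIC:
        return ("no-update", None)           # e.g. an erased slot of 0xFF
    _, major, minor, patch, length = HEADER.unpack_from(slot)
    end = HEADER.size + length
    if end + TAG_LEN > len(slot):
        return ("rejected: truncated", None)
    body, tag = slot[:end], slot[end:end + TAG_LEN]
    # The length is used, bounds-checked, only to locate the tag; no other
    # header field (the version included) is trusted until the tag verifies.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ("rejected: bad tag", None)
    if (major, minor, patch) <= installed:   # assumed policy: strictly newer
        return ("rejected: rollback", None)
    return ("install", body[HEADER.size:])
```

Because the version sits inside the authenticated body, rewriting it to get past the rollback check invalidates the tag.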


Figure 21: Mastering image downloaded and booted

2.7 Running the GettingStarted application

In order to see the output of the application, open a terminal emulator and connect to the Xplained Evaluation Kit COM port, which will be named EDBG Virtual COM Port (COMxx). Terminal settings are: 115200 baud, 8-bit, no parity, no flow control. Once the terminal emulator program is up and running, click on the “Go” icon in the IDE to start the GettingStarted application. With the terminal emulator running, type “H” for help. The output should be as shown in Figure 22.

Figure 22: COM port output for GettingStarted application


To verify that the SAM L11 has been correctly provisioned, press “A”. This will display the status of the application (Getting Started) that has been successfully programmed into the device. Figure 23 shows the output for the example entered for this application note.

Figure 23: COM port output for Getting Started application (“A”)

For further information, press “U”. This will display more details about the Getting Started application (see Figure 24).

Figure 24: COM port output for application status (“U”)

Please note that not all the commands shown on the Help menu are supported due to the type of security context option selected (IP Protection only).

The GettingStarted User Guide gives more detail of the functions provided in the help menu.


Appendix A: SAM L11 Memory Map

The diagram shown in Figure A-1 shows the default memory map for the SAM L11 after provisioning of the device has taken place (see Section 2.4).

Figure A-1: SAM L11 Memory Map

Memory Map details

The SBM reserves the first 1MB of Flash for itself and the application firmware's executable image. Of this first 1MB block, SBM occupies the first 256KB, while the remainder contains the application.

The top 1MB of Flash, minus the last 256KB, is used for SBM's update slot, where encrypted firmware updates are stored.

SBM also requires 2KB of RAM, carved out from the top of the DTCM RAM region based at 0x20000000. The address of the reserved RAM is, therefore, 0x2001F800. Application code must not write to or otherwise corrupt the contents of this region.