www.ti.com

Application Brief
Understanding Security Features for C2000 Real-Time Control MCUs

SWPB019E – APRIL 2017 – REVISED AUGUST 2024
Copyright © 2024 Texas Instruments Incorporated

Device and Family Description

The TI C2000™ F28x family of microcontrollers is designed for real-time control applications in both industrial and automotive spaces. All F28x microcontrollers feature 32-bit C28x CPUs, with speeds from 40MHz to 200MHz, often paired with accelerator cores such as the Control Law Accelerator (CLA). With tightly coupled analog peripherals such as analog-to-digital converters (ADCs), comparators, and sophisticated digital actuation peripherals, such as high resolution PWM modules, there are many compelling reasons to use C2000 microcontrollers in embedded real-time control applications.

TI Embedded Security Portfolio

Table 1. Common Security Enablers

C2000™ MCU Series: F28P55x+, F28P65x+, F280015x+, F280013x+, F28003x+, F28002x+, F2838x+, F28004x+, F2837xD+, F2837xS+, F2807x+, F2806x, F2805x, F2803x, F2802x, F2833x, F2823x, F28M3x

| Security Enablers | Detailed Security Features |
| Device identification | Unique Identification (UID) Number: Ability for user to enable mechanisms for device identification in communications, seed for data integrity algorithms, initialization vector for authentication and encryption or decryption, or to protect against code cloning. |
| Software IP protection | Code Security Module (CSM): Ability for user to block unauthorized access or programming of firmware stored in on-chip memories. Devices marked with (+) feature a Dual Code Security Module (DCSM), with two independent security zones. |
| Debug security | Emulation Code Security Logic (ECSL) using CSM: Ability for user to enable full debug access to memory using a password. |

Table 2. Latest Security Enablers

| C2000™ MCU Series | Security Enablers | Detailed Security Features |
| F28P55x, F28P65x, F280015x, F280013x, F28003x, F2838x | Additional Debug Security | JTAGLOCK: Ability to block debugger access to the device; unlockable with password. |
| F28P55x, F28P65x, F280015x, F280013x, F28003x, F2838x | Secure Boot | Option to enable AES-128 Cipher-based Message Authentication Code (CMAC) to pre-authenticate the first 16KB of flash prior to transferring code execution. |
| F28P55x, F28P65x, F28003x, F2838x | Cryptographic Acceleration | Hardware Advanced Encryption Standard (AES 128-, 192-, 256 bit) engine to boost performance. |
| F28P55x | Flash write and erase protection | Option to permanently lock sections of Flash, making the contents immutable. This can be used to extend secure boot capabilities by implementing additional cryptographic functions in software for code and data authentication. |

Security Problem Targeted: Typical Threats, Security Measures

In the design of real-time control systems, a good portion of the research and development investment goes into embedded firmware development. As such, intellectual property housed in the firmware of a product can provide key competitive advantages for users, and can be vulnerable to theft. Performing a visual component tear-down of a system is relatively easy for the purpose of replicating the end product, but effective protection of the firmware running on the MCU prevents full duplication of the working system.

Another scenario that is increasingly common is co-development of the firmware. In these cases, certain portions of system firmware are developed outside the core engineering team, and perhaps by a third party vendor. In these situations, one party can opt to keep the firmware private, while still allowing the second party to develop and test a portion of the application
on the same system. Such scenarios are typically not covered by traditional runtime software protections, and require hardware protection mechanisms while the MCU is being accessed by a debugger.

This scenario is especially common in automotive applications, where there can be multiple companies involved in producing and debugging firmware in a highly connected system. These types of threats can be addressed by the security enablers available on C2000 devices.

Security Implementation

When a new device is shipped from TI, the device arrives in a completely unlocked state. After security protocols are enabled by the user, any locked memory zone is only accessible by code that also exists in the same zone. Dedicated unlocked memory is available so that data can be transferred between zones if needed. In addition to this fundamental building block, there are other options or layers that can be selectively enabled:

1. Selection of memory blocks to be protected:
   In many cases, not all the memory, either volatile or nonvolatile, needs to be locked. This case can be true for certain pieces of firmware shared across different sub-systems, or that contain non-proprietary IP.
2. Zone ownership (DCSM only):
   In addition to protecting various blocks of memory, there are two zones in each DCSM implementation. Once the memories are allocated for protection, the next step is deciding which of these zones has control over the selected memories. However, if there is no need for code protection between developers on the same device, a single-zone configuration can be used.
3. Execute-only protection (DCSM only):
   If a region is used only for execution, rather than internal data storage, the programmer can enable execute-only protection to block any read access (even from the same region or zone), for added security.
4. CPU protection (DCSM only):
   Debug access to the core processing unit (CPU) registers is also blocked if the DCSM detects code executing from any locked region.
5. Emulation Code Security Logic (ECSL):
   Even with the above measures, users can restrict an emulation connection if the MCU is executing from a locked region. This security feature can be temporarily disabled during a debug session using a password.
6. Unique Identification Number (UID):
   By using a UID number provided on each device, techniques can be implemented to further allow software to only run on known devices. For more information, see C2000™ Unique Device Number.
7. JTAGLOCK:
   The JTAG (emulator) interface can be disabled and protected with a user-chosen password. This helps make sure only authorized individuals can view and debug the application.
8. AES acceleration:
   The widely used AES symmetric cipher is known for speed and simplicity. Even given that, a software implementation of the AES algorithm in an embedded microcontroller is slow relative to the demands of a real-time control system. The hardware AES accelerator vastly improves processing time for cryptographic messages, while freeing up the CPU bandwidth in the process. Several different operational modes and key sizes are available.
9. Secure Boot:
   To maintain the integrity of firmware stored in the device, secure boot can be enabled to verify code stored in Flash memory before transferring execution to the stored code. Along with the firmware programming protections built into the security logic, this helps make sure the code that runs on the device is authentic. The algorithm used is an AES-128 CMAC algorithm. Tools are available to embed the required MAC value into the final code image. For more information, see Secure Boot on C2000 Device.
10. Flash Write and Erase Protection:
   In certain cases, users can opt to extend secure boot functionality by implementing other cryptographic authentication algorithms, including elliptic curve-based functions such as ECDSA. In devices with Flash write and erase protection, these functions can be placed in Flash regions at the entry point of code, and made immutable (that is, permanently unchangeable and unmodifiable). This feature enables stronger cryptographic capabilities, and can also be used to enable secure firmware update functions.
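
The AES-128 CMAC check named in item 9 (Secure Boot) and in Table 2, as an added example that is not TI boot ROM code or TI tooling: a standard-library Python model of RFC 4493 CMAC that authenticates the first 16KB of a flash image before it would be executed. The function names, the way the key is passed in, and supplying the stored MAC as an argument are assumptions; this page does not describe where the device keeps the key or the MAC.

```python
import hmac  # added illustration, not TI code; key and MAC handling are assumptions

def _xt(a):  # multiply by x in GF(2^8), the AES field
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

SBOX, p, q = [0x63] * 256, 1, 1   # derive the S-box instead of pasting 256 literals
for _ in range(255):
    p ^= _xt(p)                                        # p *= 3 (a generator)
    q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF   # q /= 3 ...
    q ^= 0x09 if q & 0x80 else 0                       # ... so q == 1/p
    r = q << 8 | q                                     # doubled byte: rotations become shifts
    SBOX[p] = (q ^ r >> 7 ^ r >> 6 ^ r >> 5 ^ r >> 4) & 0xFF ^ 0x63

def expand_key(key):  # AES-128 key schedule -> 11 round keys of 16 bytes
    w, rcon = [key[i:i + 4] for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t, rcon = _xor([SBOX[b] for b in t[1:] + t[:1]], [rcon, 0, 0, 0]), _xt(rcon)
        w.append(_xor(w[i - 4], t))
    return [b"".join(w[r:r + 4]) for r in range(0, 44, 4)]

def encrypt_block(rk, block):
    s = _xor(block, rk[0])
    for rnd in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]    # SubBytes + ShiftRows
        if rnd < 10:                                                # MixColumns
            s = [a[i] ^ a[0] ^ a[1] ^ a[2] ^ a[3] ^ _xt(a[i] ^ a[(i + 1) % 4])
                 for a in [s[c:c + 4] for c in range(0, 16, 4)] for i in range(4)]
        s = _xor(s, rk[rnd])
    return s

def _dbl(b):  # doubling in GF(2^128) for the CMAC subkeys
    n = int.from_bytes(b, "big") << 1
    return (n ^ 0x87 if n >> 128 else n).to_bytes(17, "big")[1:]
def aes_cmac(key, msg):  # RFC 4493
    rk = expand_key(key)
    k1 = _dbl(encrypt_block(rk, bytes(16)))
    cut = max(0, (len(msg) - 1) // 16 * 16)            # offset of the final block
    last, x = msg[cut:], bytes(16)
    last = (_xor(last, k1) if len(last) == 16 else
            _xor(last + b"\x80" + bytes(15 - len(last)), _dbl(k1)))
    for i in range(0, cut, 16):
        x = encrypt_block(rk, _xor(x, msg[i:i + 16]))
    return encrypt_block(rk, _xor(x, last))

def verify_boot_region(key, flash, stored_mac, size=16 * 1024):
    return len(flash) >= size and hmac.compare_digest(aes_cmac(key, flash[:size]), stored_mac)
```

A changed byte inside the first 16KB, or an image shorter than 16KB, makes `verify_boot_region` return False, and the tag comparison is constant-time. Bytes past the 16KB boundary are outside this check, which is where the additional authentication described in item 10 applies.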


Additional Resources
While security risks can take many forms across end
applications, firmware intellectual property protection
is a threat common to most systems. C2000
microcontrollers enable users to address these
concerns through flexible features for multiuser
development environments. For more information
on C2000 microcontrollers, see TI.com/C2000. For
specific information on the security features present
in each C2000 device, see the product data sheet and
technical reference manual available on the TI.COM™
product page.

Note
Security is hard. TI makes cybersecurity easier.
For more information about TI’s Embedded Security Designs, visit TI.com/security.

Trademarks
C2000™ and TI.COM™ are trademarks of Texas Instruments.
All trademarks are the property of their respective owners.
