NOR Flash Memory Security Features
In addition to the Krypto® Security Technologies offered, the following security features are available in a broad range of NOR products in our portfolio:
One-Time Programming (OTP)
The One-Time Programming (OTP) feature allows designers to permanently lock blocks of a flash device so they can no longer be erased or written. This feature is widely used to protect initialization or boot code in a system so that it cannot be corrupted. Device OTP is typically implemented by having OTP bits in a device mapped to each individual block. When a bit is programmed to ‘0’, its associated block is permanently locked. Krypto® Password Access technology adds password authentication to this feature, which helps deter OTP bits from being inadvertently set.
Password Protect
In this protection mode, the user can protect the entire array or select blocks in the main array from inadvertent program and erase operations. This protection mode requires a 64-bit password to be entered and the device non-volatile protection bit (NVPB) lock bit to be set to ‘0’. The NVPB lock bit is set at ‘0’ after power-up and reset to maintain the device in password protection mode. Successful execution of the password unlock command by entering the correct password clears the NVPB lock bit, allowing the block NVPBs to be modified. If the password provided is not correct, the NVPB lock bit remains locked and the state of the NVPBs cannot be modified.
OTP Space
System-level security schemes can be implemented using the OTP (One-Time Programming) space. This is a special space whose bits can only be programmed from a ‘1’ to a ‘0’. OTP bits cannot be erased from ‘0’ back to ‘1’. This feature makes the OTP space particularly useful for implementing system security schemes and for permanently storing data or system parameters. The bits of the OTP space are divided into two segments. One of the segments is programmed at the factory with a unique unchangeable number. The other segment is left blank for customer designers to program as desired. Once the customer segment is programmed, it can be locked to prevent reprogramming. This lock cannot be reversed.
Non-Volatile Block Locking
This protection mode is held in non-volatile memory, so it remains set even after power cycling or a hardware reset. A Non-Volatile Protection Bit (NVPB) is assigned to each block. When an NVPB is set to ‘0’, the associated block is protected, preventing any program or erase operations in this block. The NVPBs cannot be cleared individually; they can only be cleared all at the same time by issuing a command to clear all non-volatile protection bits. The NVPBs can be protected all at one time by setting a volatile bit, the NVPB lock bit. Attempting to erase or program in a locked block will result in a failed operation, with the appropriate bits being set in the status register.
Volatile Block Locking
Volatile protection allows software to protect blocks against inadvertent changes. This protection can be disabled when modifications to the array are necessary. The main memory array blocks are mapped to bits in a volatile array and each bit can be individually modified. The bits in the volatile array are called Volatile Protection Bits (VPBs). VPBs can only protect blocks that are not locked with non-volatile array bits. The VPBs can be set or cleared as often as needed. When the parts are first shipped, or after a power-up or hardware reset, the VPBs can be at the set or cleared state, depending on the ordering option chosen.
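An added example, not vendor code and not a device command set: a small C model of how the OTP, NVPB, NVPB lock bit and VPB layers described above combine to decide whether a block can be programmed or erased. The struct, function names, block count and password value are constructed for illustration, and VPBs are assumed cleared at reset (one of the two ordering options mentioned above).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBLOCKS 8                 /* constructed block count */
struct nor_model {                /* hypothetical model, not a vendor API */
    bool otp_locked[NBLOCKS];     /* OTP bit programmed: permanent lock */
    bool nvpb[NBLOCKS];           /* true = NVPB protects the block */
    bool vpb[NBLOCKS];            /* true = VPB protects the block */
    bool nvpb_lock;               /* true = NVPBs cannot be modified */
    uint64_t password;            /* 64-bit password held by the device */
};
/* Power-up or hardware reset: lock bit reasserted, NVPBs kept, VPBs cleared. */
void nor_reset(struct nor_model *d) {
    d->nvpb_lock = true;
    memset(d->vpb, 0, sizeof d->vpb);
}
/* Password unlock: only the correct password releases the NVPB lock bit. */
bool nor_unlock(struct nor_model *d, uint64_t pw) {
    if (pw == d->password) d->nvpb_lock = false;
    return pw == d->password;
}
bool nor_set_nvpb(struct nor_model *d, unsigned b) {
    if (b >= NBLOCKS || d->nvpb_lock) return false;
    d->nvpb[b] = true;
    return true;
}
/* NVPBs are never cleared one at a time, only all together. */
bool nor_clear_all_nvpb(struct nor_model *d) {
    if (!d->nvpb_lock) memset(d->nvpb, 0, sizeof d->nvpb);
    return !d->nvpb_lock;
}
/* A program or erase succeeds only if no layer protects the block. */
bool nor_can_modify(const struct nor_model *d, unsigned b) {
    return b < NBLOCKS && !d->otp_locked[b] && !d->nvpb[b] && !d->vpb[b];
}
/* Walk-through: each bit of the result records one expected outcome. */
int nor_scenario(void) {
    struct nor_model d = { .password = 0x0123456789ABCDEFULL }; /* constructed */
    nor_reset(&d);
    int r = !nor_set_nvpb(&d, 2);                  /* bit 0: NVPBs frozen */
    r |= (!nor_unlock(&d, 0)) << 1;                /* bit 1: wrong password */
    r |= (nor_unlock(&d, d.password) && nor_set_nvpb(&d, 2)
          && !nor_can_modify(&d, 2)) << 2;         /* bit 2: block 2 locked */
    d.vpb[5] = true; nor_reset(&d);
    r |= (d.nvpb[2] && !nor_clear_all_nvpb(&d)) << 3; /* bit 3: NVPB survives */
    r |= nor_can_modify(&d, 5) << 4;               /* bit 4: VPB did not */
    return r;
}
int main(void) { printf("0x%02X\n", nor_scenario()); return 0; }
```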
Hardware Protection
Hardware protection of flash requires a certain voltage to be applied to a pin on a device. This voltage will not allow modification of a block of the device, or the entire device itself.
- Hardware Write Protection: Hardware write protection on VPP or VPEN provides complete hardware protection against program or erase on the entire array. When a valid voltage is present on VPP or VPEN, the blocks in the main array can be modified. By grounding VPP or VPEN, the blocks in the main array cannot be programmed or erased. Attempts to program or erase when VPP or VPEN is grounded will fail, resulting in the setting of the appropriate status register fail bit.
- VPP/WP (Write Protect) protection: This hardware method protects the highest or lowest block(s) against program and erase operations. With VPP/WP = VIL, the highest or lowest block(s) is protected. With VPP/WP = VIH, the memory reverts back to the previous