Secure Design Using a Microcontroller (I) http://dev.emcelettronica.com/print/51825

Your Electronics Open Source (http://dev.emcelettronica.com)

Secure Design Using a Microcontroller (I)


By allankliu
Created 05/07/2008 - 03:14

BLOG Microcontrollers

System Reset and State Restore

The microcontroller is widely used in many devices, which operate in all kinds of environments. The microcontroller has to face challenges from EMI, unstable supply voltage, crystal failure and many other kinds of interference. If the interference is strong enough to disturb operation, the system design should be secure enough to deal with it; one good practice is to reset and carry on from the previous normal operating state. However, a simple reset is not enough at all. I will demonstrate the basic principle of system reset and state restore. Please keep in mind that the terminology used in this article may come from different microcontrollers.

A simple project does not put emphasis on state consistency and data integrity. For example, a consumer does not mind if his/her TV is switched off and on again, provided the TV can recall the last selected channel. But system reset and state restore are very critical for machines involved in complicated processes and insecure environments. A surgery robot or a missile cannot simply be reset: if these devices were only reset, running the whole process from the very beginning of the code would be a disaster. A Mars probe failed to operate because the proper state could not be restored soon after a remote download and reset.

Additionally, different reset sources may bring the system into extra working modes needed for ageing, manufacturing, maintenance and firmware upgrade. Usually these modes are stored in user EEPROM and selected in combination with the reset source register.

In summary, the system designer or architect has to:

1. Use the system interrupts and reset vectors carefully to cope with all foreseeable interference, and to support any extra working modes besides normal operation;


2. Make the software track the reset source and try to restore the state/context from before the reset, to help the whole system return to its normal state and carry on.

Herein the context refers to the critical registers, including SP (Stack Pointer), PC (Program Counter), working registers and application-critical memory space. It is a system design approach that involves both hardware and software design.

Software Design

Available reset sources differ from part to part. In general, the sources are: external, power-on, watchdog, low-voltage/brown-out and software. Other optional reset sources are illegal instruction opcode, access to an illegal memory address and UART break character detection. The first two are available in the 68HCxx family, and the last one in the P89LPC9xx. All of these make a device more secure if the designer leverages them properly.

To support this feature, a reset handler is placed before the system main loop. In this routine, the software reads the reset source register (RSTSRC), then restores the context or writes default values to the critical variables and registers according to the reset source, and then jumps to the main loop. The reset handler design obviously depends on the system requirements. Here are a few samples.

Following reset, the P89LPC9xx fetches instructions from either address 0000h or the Boot address. The Boot address is formed by using the Boot Vector as the high byte of the address with a low byte of 00h. The Boot address is used if a UART break reset occurs, or the non-volatile Boot Status bit (BOOTSTAT.0) = 1, or the device has been forced into ISP mode. Otherwise, instructions are fetched from address 0000h. It is clear that the UART break character detection reset is designed for ISP firmware upgrade. This bit is cleared by software or by a power-on reset, which means that on a hot reset (not a power-on reset) the reset handler can read some critical context variables and judge whether it is necessary to restore them to the previous state.

If the reset source is LVR (low-voltage reset) or BOR (brown-out reset), you can run the software from where it was interrupted if it is not a total power failure. The LVR/BOR is usually tied to a brown-out interrupt. In the interrupt service routine, you can save the context to EEPROM or secured RAM, and then switch the whole system into power-down mode. If the system can recover from power-down mode through an interrupt, it can restore the context and then continue after the RETI instruction. If the system got reset instead, the microcontroller will usually set both the POR and the LVR/BOR flags; you can simply ignore the LVR/BOR flag and treat it as a power-on reset, because switching off the system triggers brown-out detection anyway. The difference is that the brown-out flag is cleared if the voltage rises back to a normal level within a given period, whereas a power-off removes the supply from the whole system. Some microcontrollers can support low-voltage operation even within the BOR range; in that case brown-out reset should be disabled, otherwise continuous brown-out resets may prevent the device from operating. Attention: in NXP's P89LPCxxx there is a very complex combination of power-down mode, brown-out interrupt, brown-out reset, power-on reset and voltage operation modes, which means the designer should read the manual carefully.

The watchdog timer subsystem protects the system from incorrect code execution by causing a system reset when it underflows because the software failed to feed the timer before it reached its terminal count. In general, a watchdog timer reset means the designer should review the software design for invalid instructions and the hardware design for crystal failure and strong EMC/EMI issues. Sometimes the watchdog timer can be used as a general timer; the designer can use this feature to set up a countdown timer reset/interrupt for application-specific purposes.

The software reset is triggered by software and resets the whole chip as if a hardware reset had occurred. A software reset is equivalent to a hardware reset except for the flags it sets, which can be used to judge whether the reset is a hot reset or a cold reset. The software can use this flag to judge whether some critical external ICs and devices should be reset or not. The software reset can also be used in a software trap to capture an illegal instruction opcode or an illegal memory address access in the code.

Sometimes interrupt and reset sources can be confusing. Actually it is quite simple to consider a reset as a special interrupt that restores some registers, including PC, SP and the SFRs, to their default values, and has a special 'interrupt handler vector' at 0x0000. Of course, the designer must read the user manual carefully to configure the chip for either an interrupt or a reset accordingly.

Hardware Consideration

In order to give the system enough response time to store the context to a memory module, especially on a low-voltage brown-out reset, the circuit should offer enough power during this critical period. The simplest way is adding a big capacitor to the Vcc of the microcontroller, and connecting a protection diode between the power supply and Vcc to make sure the capacitor only supplies the microcontroller and the memory module. The sample circuit is shown in the attached diagram. The power from the capacitor is enough for a microcontroller to store the context.

If the reset source is a software reset, watchdog reset, illegal memory address access or illegal instruction reset, or an external reset (usually triggered by the user), it is better to load the context from permanent storage, validate the data and carry on. Additionally, it is better to keep a reset record to analyze the occurrence of every type of reset, find the root cause of the resets and remove it. For example, a watchdog reset means the oscillator part of the system requires improvement, or the software structure needs optimization; illegal memory address access and illegal opcode resets mean too many EMI issues in the PCB design or a fault in the software design. All of these analyses depend on the specific microcontroller, hardware and software design requirements. State restore is a protective solution; the system designer should implement it in the system while reducing the occurrence of resets.
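As an added example (not code from the original post), here is how the reset handler from the Software Design section, the brown-out context save and the context validation and reset record described above might fit together in C for a generic 8-bit part. The RSTSRC bit layout, the `context_t` record, the CRC and the EEPROM stand-in `nvm` are assumptions for illustration; real flag positions come from the chip's user manual.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical RSTSRC bit layout (an assumption; take real positions from the user manual). */
#define RST_POR 0x01u /* power-on reset                */
#define RST_BOR 0x02u /* brown-out / low-voltage reset */
#define RST_WDT 0x04u /* watchdog underflow            */
#define RST_SW  0x08u /* software reset                */
#define RST_EXT 0x10u /* external reset pin            */
#define CTX_MAGIC 0xC7A5u
typedef struct {        /* context record kept in EEPROM or protected RAM */
    uint16_t magic;     /* proves the record was written by this firmware */
    uint16_t state;     /* application state to resume from (0 = from scratch) */
    uint16_t resets[5]; /* per-source reset counters for root-cause review */
    uint16_t crc;       /* CRC-16/CCITT over the fields above */
} context_t;
static context_t nvm;   /* stand-in for the non-volatile store */

static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t c = 0xFFFFu;
    while (n--) {
        c ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            c = (c & 0x8000u) ? (uint16_t)((c << 1) ^ 0x1021u) : (uint16_t)(c << 1);
    }
    return c;
}

/* Brown-out ISR body: seal the live context into the store before power is gone. */
void ctx_save(context_t *c) {
    c->magic = CTX_MAGIC;
    c->crc = crc16((const uint8_t *)c, offsetof(context_t, crc));
    nvm = *c;
}

/* Fills *c and returns 1 only if the stored record is genuine and intact. */
int ctx_load(context_t *c) {
    size_t n = offsetof(context_t, crc);
    if (nvm.magic != CTX_MAGIC || nvm.crc != crc16((const uint8_t *)&nvm, n)) return 0;
    *c = nvm;
    return 1;
}
/* Reset handler run before the main loop: returns the state to continue from. */
uint16_t reset_handler(uint8_t rstsrc, context_t *live) {
    uint8_t src = (rstsrc & RST_POR) ? RST_POR : rstsrc; /* POR also raises BOR: cold start */
    int hot = (src != RST_POR) && ctx_load(live);        /* hot reset with a valid record */
    if (!hot) *live = (context_t){0};                    /* cold or corrupt record: defaults */
    for (int i = 0; i < 5; i++)                          /* log the cause for later analysis */
        if (src & (1u << i)) live->resets[i]++;
    ctx_save(live);
    return live->state;
}
```

A corrupt or never-written record fails the magic/CRC check and falls back to defaults, so a reset caused by the same interference that damaged the store cannot resume from garbage.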

It is good to use new parts in a new design. However, it is possible to use this circuit to emulate a reset source register for a legacy 80C51, which offers only limited means of judging the reset source. The basic implementation is to trigger the external reset pin from all other reset sources and store the reset source in a byte in the DATA area. Since a power-on reset clears the whole internal DATA area while an external reset does not, we can use this feature to tell a power-on reset from an external reset (and all other sources) and a software reset. We may cover this topic in detail in a later blog if any reader happens to be interested in it.


References

These pages of Frequently Asked Questions contain information on approaches to achieve functional safety. Much of the material relates to IEC 61508, Functional safety of electrical/electronic/programmable electronic safety-related systems. IEC 61508 is an international standard; it does not cover system reset in detail, but it is good to know and enforce safety design in all safety-critical electronics projects. [1]

NXP's P89LPC954 is a member of its 8051-based Low Pin Count microcontroller family. It is a highly configurable flash microcontroller. The user manual is here [3]. [2]


Source URL: http://dev.emcelettronica.com/secure-design-using-microcontroller-i

Links:
[1] http://www2.theiet.org/oncomms/pn/functionalsafety/61508faq_mainupdate.cfm
[2] http://www.standardics.nxp.com/support/documents/microcontrollers/all/?scope=P89LPC954&type=user
[3] http://www.standardics.nxp.com/support/documents/microcontrollers/pdf/user.manual.p89lpc952.p89lpc954.pdf
