The non-volatile memory controller (NVMC) is used for writing and erasing of the internal flash memory and the user information configuration register (UICR).
The NVMC is a split security peripheral. This means that when the NVMC is configured as non-secure, only a subset of the registers is available from the non-secure code. See SPU — System protection unit and Registers for more details.
When the NVMC is configured to be a secure peripheral, only secure code has access.
Before a write can be performed, the NVMC must be enabled for writing in CONFIG.WEN. Similarly, before an erase can be performed, the NVMC must be enabled for erasing in CONFIG.EEN, see CONFIG. The user must make sure that writing and erasing are not enabled at the same time. Failing to do so may result in unpredictable behavior.
When writing is enabled, in CONFIG register for secure region, or in CONFIGNS register for non-secure region, flash is written by writing a full 32-bit word to a word-aligned address in flash.
Secure code has access to both secure and non-secure regions, by using the appropriate configuration of CONFIG and CONFIGNS registers. Non-secure code, in contrast, has access to non-secure regions only. Thus, non-secure code only needs CONFIGNS.
The NVMC is only able to write '0' to erased bits in flash, that is bits set to '1'. It cannot write a bit back to '1'.
As illustrated in Memory, flash is divided into multiple pages. The same address in flash can only be written nWRITE number of times before a page erase must be performed.
Only full 32-bit words can be written to flash using the NVMC interface. To write less than 32 bits to flash, write the data as a word, and set all the bits that should remain unchanged in the word to '1'. Note that the restriction about the number of writes (see above) still applies in this case.
The time it takes to write a word to flash is specified by tWRITE. If CPU executes code from flash while the NVMC is writing to flash, the CPU will be stalled.
Only word-aligned writes are allowed. Byte or half-word-aligned writes will result in a bus fault.
When secure region erase is enabled (in CONFIG register), a flash page can be erased by writing 0xFFFFFFFF into the first 32-bit word in a flash page.
Page erase is only applicable to the code area in the flash and does not work with UICR.
After erasing a flash page, all bits in the page are set to '1'. The time it takes to erase a page is specified by tERASEPAGE. The CPU is stalled if the CPU executes code from the flash while the NVMC performs the erase operation.
See Partial erase of a page in flash for information on splitting the erase time in smaller chunks.
When non-secure region erase is enabled, a non-secure flash page can be erased by writing 0xFFFFFFFF into the first 32-bit word of the flash page.
Page erase is only applicable to the code area in the flash and does not work with UICR.
After erasing a flash page, all bits in the page are set to '1'. The time it takes to erase a page is specified by tERASEPAGE. The CPU is stalled if the CPU executes code from the flash while the NVMC performs the erase operation.
User information configuration registers (UICR) are written in the same way as flash. After UICR has been written, the new UICR configuration only takes effect after a reset.
UICR is only accessible by secure code. Any write from non-secure code will be faulted.
In order to lock the chip after uploading non-secure code, a simple sequence must be followed:
UICR can only be written nWRITE number of times before an erase must be performed using ERASEALL.
The time it takes to write a word to the UICR is specified by tWRITE. The CPU is stalled if the CPU executes code from the flash while the NVMC is writing to the UICR.
When erase is enabled, the whole flash and UICR can be erased in one operation by using the ERASEALL register. ERASEALL does not erase the factory information configuration registers (FICR).
This functionality can be blocked by some configuration of the UICR protection bits, see the table NVMC protection (1 - Enabled, 0 - Disabled, X - Don't care).
The time it takes to perform an ERASEALL command is specified by tERASEALL. The CPU is stalled if the CPU executes code from the flash while the NVMC performs the erase operation.
This chapter describes the different protection mechanisms for the non-volatile memory.
UICR integrity is assured through use of multiple levels of protection. UICR protection bits can be configured to allow or block certain operations.
The table below shows the different statuses of UICR protection bits, and which operations are allowed or blocked.
UICR protection bit status | NVMC protection | |||
---|---|---|---|---|
SECUREAPPROTECT | APPROTECT | ERASEPROTECT | CTRL-AP ERASEALL | NVMC ERASEALL |
0 | 0 | 0 | Available | Available |
1 | X | 0 | Available | Blocked |
X | 1 | 0 | Available | Blocked |
X | X | 1 | Blocked | Blocked |
Non-secure code can program non-secure flash regions. In order to perform these operations, the NVMC has the following non-secure registers: CONFIGNS, READY and READYNEXT.
Register CONFIGNS works as the CONFIG register but it is used only for non-secure transactions. Both page erase and writing to flash require a write transaction (see Erasing a secure page in flash or Erasing a non-secure page in flash). The SPU — System protection unit prevents non-secure code from writing to a secure page since the transaction will never reach the NVMC controller.NVMC power failure protection is possible using a power-fail comparator which monitors the power supply. If the power-fail comparator is enabled, and the power supply voltage is below VPOF threshold, the comparator prevents the NVMC from performing erase or write operations in non-volatile memory (NVM).
If a power failure warning is present at the start of an NVM write or erase operation, the NVMC blocks the operation and a bus error is signaled.
If the power failure warning occurs during an ongoing NVM write operation, the NVMC will try to finish the operation. However, if the power failure warning persists, consecutive NVM write operations are blocked by the NVMC, and a bus error is signaled.
If a power failure warning occurs during an NVM erase operation, the operation is aborted and a bus error is signaled.
An instruction cache (I-Cache) can be enabled for the ICODE bus in the NVMC.
See Memory map for the location of flash.
A cache hit is an instruction fetch from the cache, and it has a 0 wait-state delay. The number of wait-states for a cache miss, where the instruction is not available in the cache and needs to be fetched from flash, depends on the processor frequency, see CPU parameter W_FLASHCACHE.
Enabling the cache can increase the CPU performance and reduce power consumption, by reducing the number of wait cycles and the number of flash accesses. This depends on the cache hit rate. Cache draws current when enabled. If the reduction in average current due to reduced flash accesses is larger than the cache power requirement, the average current to execute the program code is reduced.
When disabled, the cache does not draw current and its content is not retained.
It is possible to enable cache profiling to analyze the performance of the cache for your program using the register ICACHECNF. When profiling is enabled, registers IHIT and IMISS are incremented for every instruction cache hit or miss respectively.
Instance | Base address | TrustZone | Split access | Description | ||
---|---|---|---|---|---|---|
Map | Att | DMA | ||||
NVMC : S |
0x50039000 |
HF | NS | NA | Yes |
Non-volatile memory controller |
Register | Offset | TZ | Description |
---|---|---|---|
READY | 0x400 | NS |
Ready flag |
READYNEXT | 0x408 | NS |
Ready flag |
CONFIG | 0x504 | S |
Configuration register |
ERASEALL | 0x50C | S |
Register for erasing all non-volatile user memory |
ERASEPAGEPARTIALCFG | 0x51C | S |
Register for partial erase configuration |
ICACHECNF | 0x540 | S |
I-code cache configuration register |
IHIT | 0x548 | S |
I-code cache hit counter |
IMISS | 0x54C | S |
I-code cache miss counter |
CONFIGNS | 0x584 | NS | |
WRITEUICRNS | 0x588 | NS |
Non-secure APPROTECT enable register |
Address offset: 0x400
Ready flag
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | |||||||||||||||||||||||||||||||||||
Reset 0x00000001 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
R |
READY |
NVMC is ready or busy |
|||||||||||||||||||||||||||||||||
Busy |
0 |
NVMC is busy (on-going write or erase operation) |
||||||||||||||||||||||||||||||||||
Ready |
1 |
NVMC is ready |
Address offset: 0x408
Ready flag
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | |||||||||||||||||||||||||||||||||||
Reset 0x00000001 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
R |
READYNEXT |
NVMC can accept a new write operation |
|||||||||||||||||||||||||||||||||
Busy |
0 |
NVMC cannot accept any write operation |
||||||||||||||||||||||||||||||||||
Ready |
1 |
NVMC is ready |
Address offset: 0x504
Configuration register
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | A | A | |||||||||||||||||||||||||||||||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
WEN |
Program memory access mode. It is strongly recommended to only activate erase and write modes when they are actively used. Enabling write or erase will invalidate the cache and keep it invalidated. |
|||||||||||||||||||||||||||||||||
Ren |
0 |
Read only access |
||||||||||||||||||||||||||||||||||
Wen |
1 |
Write enabled |
||||||||||||||||||||||||||||||||||
Een |
2 |
Erase enabled |
||||||||||||||||||||||||||||||||||
PEen |
4 |
Partial erase enabled |
Address offset: 0x50C
Register for erasing all non-volatile user memory
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | |||||||||||||||||||||||||||||||||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
W |
ERASEALL |
Erase all non-volatile memory including UICR registers. Note that erasing must be enabled by setting CONFIG.WEN = Een before the non-volatile memory can be erased. |
|||||||||||||||||||||||||||||||||
NoOperation |
0 |
No operation |
||||||||||||||||||||||||||||||||||
Erase |
1 |
Start chip erase |
Address offset: 0x51C
Register for partial erase configuration
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | A | A | A | A | A | A | |||||||||||||||||||||||||||||
Reset 0x0000000A | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 | 1 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
DURATION |
Duration of the partial erase in milliseconds The user must ensure that the total erase time is long enough for a complete erase of the flash page |
Address offset: 0x540
I-code cache configuration register
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | B | A | ||||||||||||||||||||||||||||||||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
CACHEEN |
Cache enable |
|||||||||||||||||||||||||||||||||
Disabled |
0 |
Disable cache. Invalidates all cache entries. |
||||||||||||||||||||||||||||||||||
Enabled |
1 |
Enable cache |
||||||||||||||||||||||||||||||||||
B |
RW |
CACHEPROFEN |
Cache profiling enable |
|||||||||||||||||||||||||||||||||
Disabled |
0 |
Disable cache profiling |
||||||||||||||||||||||||||||||||||
Enabled |
1 |
Enable cache profiling |
Address offset: 0x548
I-code cache hit counter
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | ||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
HITS |
Number of cache hits Write zero to clear |
Address offset: 0x54C
I-code cache miss counter
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | A | ||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
MISSES |
Number of cache misses Write zero to clear |
Address offset: 0x584
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | A | A | ||||||||||||||||||||||||||||||||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
RW |
WEN |
Program memory access mode. It is strongly recommended to only activate erase and write modes when they are actively used. Enabling write or erase will invalidate the cache and keep it invalidated. |
|||||||||||||||||||||||||||||||||
Ren |
0 |
Read only access |
||||||||||||||||||||||||||||||||||
Wen |
1 |
Write enabled |
||||||||||||||||||||||||||||||||||
Een |
2 |
Erase enabled |
Address offset: 0x588
Non-secure APPROTECT enable register
Bit number | 31 | 30 | 29 | 28 | 27 | 26 | 25 | 24 | 23 | 22 | 21 | 20 | 19 | 18 | 17 | 16 | 15 | 14 | 13 | 12 | 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 | ||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ID | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | B | A | |||||||
Reset 0x00000000 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | ||||
ID | R/W | TZ | Field | Value ID | Value | Description | ||||||||||||||||||||||||||||||
A |
W |
SET |
Allow non-secure code to set APPROTECT |
|||||||||||||||||||||||||||||||||
Set |
1 |
Set value |
||||||||||||||||||||||||||||||||||
B |
W |
KEY |
Key to write in order to validate the write operation |
|||||||||||||||||||||||||||||||||
Keyvalid |
0xAFBE5A7 |
Key value |
Symbol | Description | Min. | Typ. | Max. | Units |
---|---|---|---|---|---|
nWRITE |
Number of times a 32-bit word can be written before erase |
2 | |||
nENDURANCE |
Erase cycles per page |
10,000 | |||
tWRITE |
Time to write one 32-bit word |
43 | µs | ||
tERASEPAGE |
Time to erase one page |
87 | ms | ||
tERASEALL |
Time to erase all flash |
173 | ms | ||
tERASEPAGEPARTIAL,setup |
Setup time for one partial erase |
1.08 | ms |
Symbol | Description | Min. | Typ. | Max. | Units |
---|---|---|---|---|---|
SizeICODE |
I-Code cache size |
2048 | Bytes |