Microchip launches SAM L10/L11 MCUs arm Cortex-M23 and On-Chip-Security for IoT applications

The SAML11 is well suited for safety-critical medical applications.

Microchip's new L10/L11 microcontroller family is set to conquer the IoT with unprecedented security and energy efficiency as well as its well-known leading touch technology. This could actually succeed in numerous applications.

The new MCU "family" with two members L10 and L11 differs from other MCU families, whose individual derivatives often only differ more or less in memory size and/or peripherals, in that there is a considerable difference between L10 and L11: While the arm Cortex-M23 CPU of the L11 supports arms TrustZone technology, this is missing in the L10, which makes a significant difference in the security features promoted by Microchip.

To avoid too many redundancies in this article, we refer to our contribution from ARM's TechCon developer conference, where it was unveiled at the end of 2016, for a detailed technical description of the CPU. Regarding the architecture ARMv8-M and its TrustZone technology we refer to another technical article from TechCon 2015.

FaetureCortex-M23optionsImplementation SAML10Implementation SAML11
Memory Protection Unit (MPU)No, 4, 8, 12 or 16 regionsOne MPU, 4 regionsTwo MPUs, 4 regions each (one for non secure memory, one for secure memory protected by TrustZone)
Security Attribute Einheit (SAU)No, 4 or 8 regionsNoNo
Implementation Defined Attribution Unit (DAU)No or implementedNoImplemented (TrustZone available)
SysTick-TimerNo, 1 or 2OneTwo (one for non secure region, one for secure region protected by TrustZone)
Vector Table Offset RegisterNo, 1 or 2OneTwo (one for non secure region, one for secure region protected by TrustZone)
Register ResetYes or NoNoNo
HW MultiplierFast (1 clock cycle) or slow (32 clock cycles)FastFast
HW DividerFast (17 clock cycles) or slow (34 clock cycles)FastFast
Number of external interrupts0-2404345
Instruction Fetch16-bit or 32-bit32-bit32-bit
I/O-Port access time 1 clock cycleYes or NoYesYes
Clock GatingYes or NoYesYes
EndianessLittle Endian or Big EndianLittle-EndianLittle-Endian
Support of Halt DebugYes or NoNoNo
Wake Up Interrupt-Controller (WIC)No or implementedNoNo
Number of Breakpoints0,1, 2, 3 or 444
Number of Watchpoints0, 1, 2, 3 or 422
Cross Trigger Interface (CTI)Yes or NoNoNo
Micro Trace Buffer (MTB)Yes or NoNoNo
Embedded Trace Macrocell (ETM)Yes or NoNoNo
JTAG SW debug protocolSelects between JTAG or Serial-Wire interfaces for the DAPSerial-WireSerial-Wire
Multi-Drop for Serial WireYes or NoNoNo


Table 1: Configuration of the arm Cortex-M23 for the microcontrollers SAM L10 and SAM L11. source: Microchip.

The implementation of the Cortex-M23 in the new Microchips MCUs is shown in Table 1. The decisive difference is the so-called "Defined Attribution Unit (DAU)", which decides whether the TrustZone technology is activated or not. Except for the missing wake-up controller (WIC, is not relevant due to Microchip's PicoPower technology, more about this later) and the missing Security Attribute Unit (SAU) Microchip has almost implemented the maximum configuration –  except for debugging options like ETM for real-time on-chip tracing or MTB for recording trace information in a RAM buffer -, whereby due to the separation into a secure and an unsecure area, the L11 has to keep various properties like MPU or SysTick timer twice.

Positive is the fact that an instruction fetch of 32 bit has been implemented. With the M23, two 16-bit values can be loaded together from the flash memory every two clock cycles via the 32-bit bus, which is of course particularly advantageous for sequential code, since the power-consuming flash memory has to be accessed less frequently. Furthermore, the "access option to I/O" has been implemented, where I/Os can be accessed in one instead of two clock cycles, because an additional port is installed parallel to the AHB-5 bus. GPIOs and registers can then be accessed twice as fast (a LOAD/STORE instruction normally costs 2 clock cycles), but the access port is not suitable for memory access.

Especially important for real-time applications is the also by Microchip implemented possibility to move the interrupt vector table from flash memory to RAM. Since, for example, the erasure of a flash block can take several ms and the controller is "blind" to interrupts during this time because the interrupt vectors are located in the flash memory blocked for this period, it is unusable for various real-time applications. With the M23, as implemented in the L10/L11, the vector table can be moved to RAM so that interrupts can also be processed during a flash write or erase process.

SAM L11 - everything for security

Figure 1 shows the block diagram of the SAM L11, all yellow marked blocks, which are important for extended on-chip security, are missing on the L10. There is 16, 32 or 64 KB flash memory, which is connected to the AHB switching matrix via a single-stage cache, and 4, 8 or 16 KB SRAM available on the chip in addition to the 32 MHz clocked CPU. In the case of the L11, there is also 8 KB boot ROM for a secure boot loader, which is important for firmware upgrades, 2 KB data flash for non-volatile data storage and 256 bytes of TrustRAM as secure memory for customer keys.

Not further from Microchip detailed chip-level anti-tamper measures and a hardware accelerator for encryption complete the security package. To prevent an attacker from illegally retrieving or altering information, the chips are designed so that the information is not accessible via external means and can only be retrieved from the embedded software that contains the appropriate security measures.
If you look at the list of possible attacks - physical attacks of various forms (microprobes, drills, files, solvents, etc.), freezing the device, applying unspecified voltages or overvoltages, applying unusual clock signals, induction of software errors by radiation (e.g. microwaves or ionizing radiation), measuring the exact time and energy requirements of certain processes - it is of course generally difficult to achieve 100% safety.
Tamper-proof chips can be designed to reset their sensitive data (especially cryptographic keys) to zero if they detect the intrusion of their security encapsulation or environmental parameters that do not comply with specifications. A chip can even be classified as "cold zeroisation", i.e. the ability to zero itself, even if its power supply is disturbed. Whether this is the case with the SAM L11, we do not know, but we assume it.

We also do not know which hardware encryption has been implemented on SAM L11, but assume that it is the engine implemented in the PIC, which provides 128/192/256 AES encryption (also in GCM mode), hash-based encryption (SHA-1, SHA-256, MD-5, HMAC) and a random number generator. The encryption engine is not implemented on the L10.

Microchip's patented PicoPower technology with SleepWalking has also been implemented. Specifically, methods such as SRAM back-biasing to reduce leakage currents in sleep mode or sleep modes that not only switch off the clock signal (clock gating) to stop the switching losses, but also remove the current from the subdomains to completely eliminate leakage currents.
Sleep Walking is a technology that allows peripherals to request a clock signal when needed to wake up from sleep mode and perform tasks without switching on CPU, flash memory and other peripherals. In addition, Microchip's proprietary event system allows peripherals to work together to solve complex tasks with a minimum number of gates and as little energy as possible. The capacitive touch-sensing periphery can also be operated in all operating modes and supports waking up on contact.

The 12-bit A/D converter has a sampling rate of 1 MSPS, the 10-bit D/A converter has 350 KSPS.