1.7 Code Protect

Using Code Protect to enable CodeGuard(TM) Security to Protect Bootloader and Enable AIVT

Many PIC24/dsPIC devices support CodeGuard(TM) Security, which is focused on code protection and security. When enabled, one of its features is the ability to write-protect different sections of memory. This allows the bootloader program memory to become 'immutable', meaning it cannot be altered by the application, which is mandatory for a secure bootloader. The other CodeGuard(TM) Security feature the bootloader uses is the Alternate Interrupt Vector Table (AIVT), which lets the bootloader use one interrupt vector table and the application the other.

The first step in enabling Code Protect is setting the Code Protect checkbox in the MCC bootloader main configuration screen shown below.
Figure 1-12.  Code Protect Enable

Once Code Protect is enabled, the user will notice that the option to select interrupt remapping disappears. This is because with CodeGuard(TM) Security enabled, the bootloader and the application each have their own interrupt vector table, so there is no longer a need to redirect interrupts between the two modules. AIVT support may also be the only feature of CodeGuard(TM) Security that the user chooses to use.

MCC will configure all the configuration bits needed to enable and use the CodeGuard(TM) Security module. The one thing MCC does not set is the Write Protect bits for the boot segment and the configuration segment. These bits must be set to prevent the application (and the bootloader itself) from overwriting or changing the bootloader code or the configuration bits; once set, they can only be cleared by a full chip erase, and on some devices even the full chip erase can be blocked so that no change at all is possible after the bit is set. MCC leaves the write protect bits clear because setting them prevents the debugger from being used. To set them, open the bootloader project, change the two lines marked below in the file mcc_generated_files\system.c, and recompile the bootloader. Because system.c is a generated file, MCC will overwrite this edit the next time the bootloader project is regenerated, so re-apply and verify it before every production build. Note also that BWRP and CWRP only block writes: with BSS and GSS left at DISABLED, as generated, neither segment is read-protected (the comments in the generated file say so explicitly), so code protection in the sense of preventing read-out is a separate decision.

// FSEC 
#pragma config BWRP = OFF    // <<< CHANGE TO "ON" TO ENABLE WRITE PROTECT FOR THE BOOTLOADER. Boot Segment Write-Protect bit->Boot Segment may be written
#pragma config BSS = DISABLED    //Boot Segment Code-Protect Level bits->No Protection (other than BWRP)
#pragma config BSEN = ON    //Boot Segment Control bit->Boot Segment size determined by FBSLIM
#pragma config GWRP = OFF    //General Segment Write-Protect bit->General Segment may be written
#pragma config GSS = DISABLED    //General Segment Code-Protect Level bits->No Protection (other than GWRP)
#pragma config CWRP = OFF    // <<< CHANGE TO "ON" TO ENABLE WRITE PROTECT FOR THE CONFIGURATION BITS. Configuration Segment Write-Protect bit->Configuration Segment may be written

Interrupts  

When Code Protect is selected, the CodeGuard(TM) Security module is enabled, allowing the application to have its own interrupt vector table: the application uses the alternate interrupt vector table (AIVT). MCC adds the code that enables the AIVT to the bootloader file boot_process.c, in the function BOOT_StartApplication(), so the interrupt controller is switched to the AIVT before the application code is called. It is therefore imperative that the user adds code at this point to disable any peripherals the bootloader enabled that could still generate interrupts, and to clear any interrupt flags they left pending. If this is not done, an interrupt that fires after the switch is serviced by the handler in the application's vector table, before the application has initialized anything.

Bootloader Additional Linker Arguments.  

When using CodeGuard(TM) Security, the compiler and linker need to be told where to place the code and how the memory should be marked in the linker script. This is a very important step; if it is not done, the bootloader will not function. The bootloader project needs an additional set of options on the linker command line. Add the text " --add-flags-code=boot,--add-flags-const=boot,-D__USE_BFA" to the Additional Options field of the linker screen as shown below.

Application Additional Linker Arguments.  

Likewise, the application project also needs its linker options updated by adding the argument "-D__USE_BFA" to the Additional Options field of the linker screen as shown below.

Configuration Bit Changes  

Enabling the Code Protect feature changes a few of the device's configuration bits associated with the CodeGuard(TM) Security module. The configuration bits that are changed automatically are:
  • The Boot Segment Control bit (BSEN) is turned on to enable a boot segment.

  • The Alternate Interrupt Vector Table Disable bit (AIVTDIS) is configured so that the alternate interrupt vector table in the general segment is enabled. This allows the application to have an interrupt vector table separate from the bootloader's.

  • The Boot Segment Flash Page Address Limit (BSLIM) is set based on the bootloader's end address field in the user interface. BSLIM defines the hardware boundary between the boot segment and the general segment, and thus the memory range each segment occupies.

As mentioned above, the Boot Segment Write Protect bit (BWRP) and the Configuration Segment Write Protect bit (CWRP) are not set automatically, because setting them makes debugging the bootloader project difficult or, in some cases, impossible. These bits must be set manually by the user once development is complete and before going to production, to protect the bootloader. The application must then be regenerated in MCC to update its configuration bits to match those of the bootloader. In effect, there is only one set of configuration bits, and they are controlled by the bootloader at system startup; the application's settings must nevertheless match, or unexpected behavior will result. Whenever configuration bits change during project development, change them in the bootloader first and then import them into the application project again: open the MCC window for the application project and re-select the bootloader project associated with it. This reloads the values stored in the bootloader project into the application project and synchronizes the two sets of configuration bits.
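Because the BWRP/CWRP edit is made by hand in a generated file and is silently lost whenever MCC regenerates the bootloader project, a release build should check for it mechanically. The script below is an added example written for this page; it is not part of the guide or of MCC's generated code. It parses the #pragma config lines of a system.c (the FSEC block from the Code Protect section above is embedded as constructed sample input), reports which write-protect bits are still at their development values, notes that BSS/GSS = DISABLED means the segments are not read-protected, and can rewrite the two bits in place so that a diff against the generated file shows exactly the intended change. The function names and the set of bits checked are this example's own choices, taken from the text above.

```python
import re

# Constructed sample input: the FSEC block as MCC generates it in
# mcc_generated_files/system.c, with the write-protect bits still at their
# development values (BWRP = OFF, CWRP = OFF).
DEV_SYSTEM_C = """\
// FSEC
#pragma config BWRP = OFF    //Boot Segment Write-Protect bit->Boot Segment may be written
#pragma config BSS = DISABLED    //Boot Segment Code-Protect Level bits->No Protection (other than BWRP)
#pragma config BSEN = ON    //Boot Segment Control bit->Boot Segment size determined by FBSLIM
#pragma config GWRP = OFF    //General Segment Write-Protect bit->General Segment may be written
#pragma config GSS = DISABLED    //General Segment Code-Protect Level bits->No Protection (other than GWRP)
#pragma config CWRP = OFF    //Configuration Segment Write-Protect bit->Configuration Segment may be written
"""

# One XC16 configuration pragma: "#pragma config NAME = VALUE", optionally
# followed by a trailing comment that is ignored.
PRAGMA_RE = re.compile(r"^\s*#pragma\s+config\s+(\w+)\s*=\s*(\w+)", re.MULTILINE)

# Values the bootloader must carry before a production build is signed off.
# BWRP and CWRP are the two hand-edited bits; BSEN is set by MCC but is checked
# because the other two mean nothing without a boot segment.
PRODUCTION_REQUIRED = {
    "BSEN": "ON",   # a boot segment exists, sized by BSLIM
    "BWRP": "ON",   # the application cannot rewrite bootloader flash
    "CWRP": "ON",   # the application cannot rewrite the configuration words
}


def parse_config_pragmas(source):
    """Map every '#pragma config NAME = VALUE' in source to {NAME: VALUE}."""
    return dict(PRAGMA_RE.findall(source))


def production_findings(source):
    """Return {'blocking': [...], 'info': [...]} for a generated system.c.

    'blocking' lists required bits that are absent or not at their production
    value; 'info' records that write protection is not read protection.
    """
    cfg = parse_config_pragmas(source)
    blocking, info = [], []
    for bit, want in PRODUCTION_REQUIRED.items():
        have = cfg.get(bit)
        if have is None:
            blocking.append("%s: no #pragma config line found, cannot verify" % bit)
        elif have != want:
            blocking.append("%s = %s, production requires %s" % (bit, have, want))
    for bit in ("BSS", "GSS"):
        if cfg.get(bit) == "DISABLED":
            info.append("%s = DISABLED: segment is write-protected at best, not read-protected" % bit)
    return {"blocking": blocking, "info": info}


def set_for_production(source, bits=("BWRP", "CWRP")):
    """Return source with the given write-protect bits set to ON.

    Only the value token is rewritten; the trailing MCC comment and every
    other pragma are left untouched.
    """
    for bit in bits:
        source = re.sub(
            r"^(\s*#pragma\s+config\s+%s\s*=\s*)\w+" % bit,
            r"\g<1>ON", source, flags=re.MULTILINE)
    return source


if __name__ == "__main__":
    # Usage: python check_fsec.py [path/to/mcc_generated_files/system.c]
    # With no path the constructed sample above is checked (and fails, as it should).
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path).read() if path else DEV_SYSTEM_C
    result = production_findings(src)
    for line in result["blocking"]:
        print("BLOCK:", line)
    for line in result["info"]:
        print("info:", line)
    sys.exit(1 if result["blocking"] else 0)
```

Run it against the bootloader project's system.c as a release gate: a non-zero exit means the build still has development write-protect settings and must not be shipped. The read-protection notes are informational because the guide only covers write protection; whether to raise BSS/GSS is a separate decision.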