Security Concept
The AVR® LA family of MCUs is a family of general-purpose microcontrollers that offers fundamental security features to enable secure firmware upgrades and to authenticate the application firmware. When these security features are used correctly, they protect against remote attacks and certain PCB-level attacks in which the application code is modified to change the product's functionality.
The cornerstone of the security features is the Program and Debug Interface Disable (PDID), a mechanism that prevents access to the device’s reprogrammable Flash memory over the Unified Program and Debug Interface (UPDI). After activating PDID, as described in the Memories chapter, UPDI is prevented from making any changes to the device. However, UPDI can still read the device information and CRC status.
The only way to program the device after activating PDID is by using software stored in the Boot Code section of Flash to update the software in the Application Code section. This application-specific software must be able to receive new data and program the Application Code section. It is impossible to alter the code stored in the Boot Code section using this mechanism, as it is accessible only through the UPDI.
In addition, there is a separate storage space accessible only by code in the Boot Code section, intended for data that must never be readable from the Application Code section. One example is a cryptographic key used to validate data sent to a bootloader that updates the application software on the device.
This creates a two-layer security system: The device is prevented from being erased or reprogrammed over UPDI, and the code in the Boot Code section is protected. Additionally, the code in the Boot Code section can use a cryptographic key (accessible only by code in this section of Flash) to verify that any new application code received for a device software update is authentic.
Using the Program and Debug Interface Disable (PDID) feature in software requires cryptographic expertise to ensure compliance with cybersecurity standards such as ISO/SAE DIS 21434.
