2 Security Concept
The AVR SD devices are general purpose microcontrollers that offer fundamental security features to implement secure firmware upgrades and authenticate the application firmware. When used correctly, these security features protect against remote attacks and some PCB-level attacks in which an attacker attempts to modify the application code to change the product's functionality.
The cornerstone of the security features is the Program and Debug Interface Disable (PDID), a mechanism preventing access to the device's reprogrammable Flash memory over the programming interface (UPDI). After the PDID is activated and the device is locked, the programming interface (UPDI) is prevented from making any changes to the device. The programming interface (UPDI) can still read out the device information and CRC status.
The only way to program the device after activating the PDID is to use software stored in the Boot Code section of the Flash to update the software in the Application Code section. This application-specific software must be able to receive new data and program the Application Code section. Code stored in the Boot Code section cannot be altered using this mechanism, as the Boot Code section is only accessible using the programming interface (UPDI).
In addition, there is a separate storage space accessible only by code in the Boot Code section, which can hold any data intended to be accessible only from the Boot Code section. One example is a cryptographic key used to validate data sent to a bootloader to update the application software on the device.
This creates two layers of security: First, the device is prevented from being erased or reprogrammed over the programming interface (UPDI), which protects the code in the Boot Code section. Second, the code in the Boot Code section can use a cryptographic key (accessible only by code in this section of Flash) to verify that any new application code received for a device software update is authentic.