4.3 Mutable Code/Data Recovery

Where an image has been corrupted, some applications may provide a means of recovering from a prior known-good image. The corruption could result from tampering, memory corruption or a failed firmware update. Recovery typically relies on a copy of the application firmware and configuration data stored apart from the main executable image; this copy can then be written over the corrupted executable image and configuration data. It may be a limited version of the firmware whose only purpose is to let the system initiate an application update and return to a Functional State. Initiation of this process should only be available to authorized personnel. NIST SP 800-193 Sections 4.4.1 and 4.4.2 provide more detailed guidelines on recovery of mutable code and recovery of critical data.

Recovery plans should also take key rotation and key revocation into account where either mechanism is used. A recovery image may have been signed with a key that is later removed from the system by the key rotation or key revocation mechanism, in which case the stored recovery image can no longer be verified when it is needed.
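The following is an added example, not part of this document or of NIST SP 800-193, that models the recovery flow described above and the key-lifecycle caveat: a device holds a main image and a separately stored recovery image, recovery may only be initiated by an authorized party, and the recovery image is written over the main image only if its signing key is still trusted. Everything here is constructed for illustration; HMAC-SHA256 stands in for the image signature so that the example runs with the Python standard library alone, and the names `KeyStore`, `ImageRecord` and `attempt_recovery` are hypothetical rather than any real device API.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed model of a device with a main image and a stored recovery image.
# HMAC-SHA256 stands in for the image signature so the example needs only the
# standard library; a real device would use an asymmetric signature scheme.


@dataclass
class ImageRecord:
    name: str
    data: bytes
    key_id: str   # which device key authenticates this image
    tag: bytes    # HMAC-SHA256 over data (stand-in for a signature)


@dataclass
class KeyStore:
    """Device key store supporting key rotation and key revocation."""
    trusted: dict = field(default_factory=dict)   # key_id -> secret
    revoked: set = field(default_factory=set)

    def add(self, key_id: str, secret: bytes) -> None:
        self.trusted[key_id] = secret

    def rotate(self, old_id: str, new_id: str, new_secret: bytes) -> None:
        # Rotation drops the old key entirely; any image that was
        # authenticated with it can no longer be verified afterwards.
        self.trusted.pop(old_id, None)
        self.trusted[new_id] = new_secret

    def revoke(self, key_id: str) -> None:
        self.trusted.pop(key_id, None)
        self.revoked.add(key_id)

    def verify(self, img: ImageRecord) -> tuple:
        """Return (ok, reason) for the image's authentication tag."""
        if img.key_id in self.revoked:
            return False, "signing key revoked"
        secret = self.trusted.get(img.key_id)
        if secret is None:
            return False, "signing key unknown"
        expected = hmac.new(secret, img.data, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, img.tag):
            return False, "authentication tag mismatch"
        return True, "ok"


def sign_image(name: str, data: bytes, key_id: str, secret: bytes) -> ImageRecord:
    tag = hmac.new(secret, data, hashlib.sha256).digest()
    return ImageRecord(name, data, key_id, tag)


def image_corrupted(img: ImageRecord, expected_digest: bytes) -> bool:
    """Integrity check of the main image against its known-good digest."""
    return hashlib.sha256(img.data).digest() != expected_digest


def attempt_recovery(main: ImageRecord, main_digest: bytes,
                     recovery: ImageRecord, keys: KeyStore,
                     authorized: bool) -> tuple:
    """Return (outcome, resulting main image).

    Recovery runs only when the main image fails its integrity check, only
    when initiated by an authorized party, and only after the recovery
    image's signing key is confirmed to still be trusted.
    """
    if not image_corrupted(main, main_digest):
        return "main image intact", main
    if not authorized:
        return "recovery refused: not authorized", main
    ok, reason = keys.verify(recovery)
    if not ok:
        return "recovery refused: " + reason, main
    restored = ImageRecord(main.name, recovery.data, recovery.key_id, recovery.tag)
    return "recovered", restored


def demo() -> list:
    """Walk through the scenarios with constructed data (not a real device)."""
    good = b"application firmware v1"
    good_digest = hashlib.sha256(good).digest()
    keys = KeyStore()
    keys.add("k1", b"secret-key-1")
    main = sign_image("main", good, "k1", keys.trusted["k1"])
    recovery = sign_image("recovery", good, "k1", keys.trusted["k1"])
    # Main image with a few flipped bytes, as left by a failed update.
    corrupted = ImageRecord("main", good + b"\xff\xff", "k1", main.tag)

    log = []
    log.append(attempt_recovery(main, good_digest, recovery, keys, True)[0])
    log.append(attempt_recovery(corrupted, good_digest, recovery, keys, False)[0])
    log.append(attempt_recovery(corrupted, good_digest, recovery, keys, True)[0])
    keys.revoke("k1")                      # k1 revoked: stored recovery image is now unusable
    log.append(attempt_recovery(corrupted, good_digest, recovery, keys, True)[0])
    keys = KeyStore()
    keys.add("k1", b"secret-key-1")
    keys.rotate("k1", "k2", b"secret-key-2")   # rotation without re-signing the recovery image
    log.append(attempt_recovery(corrupted, good_digest, recovery, keys, True)[0])
    resigned = sign_image("recovery", good, "k2", keys.trusted["k2"])  # remedy: re-sign with k2
    log.append(attempt_recovery(corrupted, good_digest, resigned, keys, True)[0])
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The last three steps of `demo()` show the caveat in the text concretely: once the key that authenticated the stored recovery image is revoked or rotated out, the recovery path is refused, and the device remains unrecoverable until a recovery image authenticated under a currently trusted key is provisioned.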