4.1.1.3.3 First Mutable Code in Flash: Availability
The availability of valid first mutable code is important for the device's intended operation. A couple of questions need to be answered to address the availability of the first mutable code:
- How can an installed code image be protected from corruption/modification?
- How can a device recover from a situation where the existing code image is corrupted/modified?
The Flash Protection Regions feature can be used to help protect the existing installed code from corruption and modification. On Reset, every memory section should power up with writes disabled. This helps reduce the risk of accidental or malicious writes to a memory region. Write permission should only be enabled for a memory region when a change is needed. This will be discussed in more detail in Secure Firmware Update. When handing control over to a mutable code section, the region can be locked until Reset so that the code does not have the option to change the region’s permissions itself.
If corruption does occur, the system needs a mechanism to recover. This could be done through a variety of means, each warranting its own section. The sections that describe Factory Reset (Immutable Recovery Image) and Secure Firmware Update are two mechanisms by which recovery could be realized.
Key Considerations:
- Disable write and execution permissions for regions with mutable code on Reset to reduce the risk of image corruption. Unlock write permissions only when an update is imminent and disable them again when the update is complete
- Set the lock until Reset before running the first mutable code to prevent updates outside of the boot code
- Consider recovery mechanisms, like a Factory Reset, in case of corruption of mutable code/data
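The write-window and lock-until-Reset sequence described above, as an added example that is not from the original document or any particular device: a hypothetical model of a flash protection region controller (register layout, bit names and function names are assumptions) in which the boot code opens write access only for a pending update, closes it, makes the region execute-only and locks it before handing over, after which the mutable code's attempt to re-enable writes is refused until Reset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a Flash Protection Region controller, constructed for
 * illustration; the register layout is not taken from any real device. */
#define FPR_COUNT 4u
enum { FPR_WRITE_EN = 1u << 0, FPR_EXEC_EN = 1u << 1, FPR_LOCKED = 1u << 2 };
typedef struct { uint8_t perm[FPR_COUNT]; } fpr_ctrl_t;

/* Reset: every region powers up with writes and execution disabled, unlocked. */
void fpr_reset(fpr_ctrl_t *c) { memset(c->perm, 0, sizeof c->perm); }

/* Change a region's permissions; refused once the region is locked. */
bool fpr_set_perm(fpr_ctrl_t *c, size_t r, uint8_t perm) {
    if (r >= FPR_COUNT || (c->perm[r] & FPR_LOCKED)) return false;
    c->perm[r] = perm & (FPR_WRITE_EN | FPR_EXEC_EN);
    return true;
}
/* Lock until Reset: sticky, there is deliberately no call that clears it. */
void fpr_lock_until_reset(fpr_ctrl_t *c, size_t r) {
    if (r < FPR_COUNT) c->perm[r] |= FPR_LOCKED;
}
bool fpr_write_allowed(const fpr_ctrl_t *c, size_t r) {
    return r < FPR_COUNT && (c->perm[r] & FPR_WRITE_EN) != 0;
}

/* Boot-code sequence: open a write window only for a pending update, close
 * it, then make the region execute-only and lock it before handing over. */
bool boot_update_then_handoff(fpr_ctrl_t *c, size_t app, bool update_pending) {
    if (update_pending) {
        if (!fpr_set_perm(c, app, FPR_WRITE_EN)) return false;
        /* ... the new image would be programmed and verified here ... */
        if (!fpr_set_perm(c, app, 0)) return false;
    }
    if (!fpr_set_perm(c, app, FPR_EXEC_EN)) return false;
    fpr_lock_until_reset(c, app);
    return true;
}

/* Walk the sequence; returns 0 if every expectation holds, else the failing step. */
int fpr_scenario(void) {
    fpr_ctrl_t c;
    fpr_reset(&c);
    if (fpr_write_allowed(&c, 1)) return 1;             /* locked down at Reset */
    if (!boot_update_then_handoff(&c, 1, true)) return 2;
    if (fpr_write_allowed(&c, 1)) return 3;             /* write window closed */
    if (fpr_set_perm(&c, 1, FPR_WRITE_EN)) return 4;    /* app cannot re-open it */
    fpr_reset(&c);                                      /* only Reset clears the lock */
    if (!fpr_set_perm(&c, 1, FPR_WRITE_EN)) return 5;
    return 0;
}
```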
