4.1.1.3.1 First Mutable Code in Flash: Integrity

Before mutable code is allowed to run on a system, it must be verified that it has not been modified or tampered with. The system should attempt to prevent code from running before the integrity is checked, verify the code integrity and then prevent and/or detect any modifications while the code is running. The dsPIC33A hardware helps accomplish all three of these requirements.

On boot, the dsPIC33A hardware can use the Flash Protection Regions feature of the device to configure the mutable code regions to have execution permissions disabled. This reduces the possibility of code being able to execute that has not been checked first. Any code flow that jumps to regions before execution permissions are enabled results in an exception.

Many dsPIC33A device families include hardware cryptographic acceleration for rapid code integrity verification. For device families without cryptographic hash acceleration, software libraries are available for hashing the mutable code being verified. See dsPIC Security Solutions for additional information about the cryptographic libraries, both hardware drivers and software implementations. 

Once the mutable code has been verified and authenticated, the Flash Protection Regions feature sets the mutable code region to executable, write-protected and locked until the next Reset. This prevents the code from self-writing either accidentally or maliciously.

Key Considerations:

• Disable write and execution permissions for regions with mutable code until the integrity/authenticity is verified.
• If a region is not allowed to modify itself, set the lock until the reset option for the region before transferring control.