4.1.1.4 Mutable Data in Flash
Security Objective: Access Control
Some applications need memory regions that the application itself can update during normal code execution, outside the context of a firmware update, such as calibration or emulated EEPROM data. Any flash region that can be updated should be considered a potential attack vector for loading malicious code.
Because these sections can’t be write-locked by the bootloader the way the main mutable code can, a separate Flash protection region needs to be used for the data. This region should have execution disabled and be locked until Reset to help prevent code from being loaded into it and then run.
As shown in Figure 4-7, Region 2 is defined for data that need to be updated while the mutable code is running. Writes are enabled, execution is disabled and the region is locked until Reset to prevent region reconfiguration.
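The policy described above can be checked against a region table at build time or early in boot. The following is an added example, not code from the original document: the region struct, field names, addresses, and error codes are hypothetical and do not reflect any device's registers. It goes slightly beyond the text by also flagging a writable region that overlaps an executable one, which is treated as unsafe by assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of one flash protection region. Field names and
   addresses are constructed; they are not any device's register layout. */
typedef struct {
    uint32_t start, end;        /* inclusive address range */
    bool write_enabled;
    bool exec_enabled;
    bool locked_until_reset;    /* configuration frozen until Reset */
} flash_region_t;

enum { REGION_OK = 0, ERR_WRITE_AND_EXEC = 1, ERR_NOT_LOCKED = 2, ERR_OVERLAP = 4 };

/* Constructed sample: Region 1 = mutable code, Region 2 = mutable data. */
const flash_region_t good_table[] = {
    { 0x00010000u, 0x0003FFFFu, false, true,  true },
    { 0x00040000u, 0x00040FFFu, true,  false, true },
};
/* Constructed sample: data region left executable, unlocked, and
   overlapping the tail of the code region. */
const flash_region_t bad_table[] = {
    { 0x00010000u, 0x0003FFFFu, false, true, true  },
    { 0x0003F000u, 0x00040FFFu, true,  true, false },
};

/* Returns a bitmask of policy violations found in the region table. */
unsigned audit_regions(const flash_region_t *r, size_t n)
{
    unsigned err = REGION_OK;
    for (size_t i = 0; i < n; i++) {
        if (r[i].write_enabled && r[i].exec_enabled)
            err |= ERR_WRITE_AND_EXEC;   /* updatable data must not execute */
        if (r[i].write_enabled && !r[i].locked_until_reset)
            err |= ERR_NOT_LOCKED;       /* region could be reconfigured */
        for (size_t j = i + 1; j < n; j++) {
            bool overlap = r[i].start <= r[j].end && r[j].start <= r[i].end;
            bool mixed = (r[i].write_enabled && r[j].exec_enabled) ||
                         (r[j].write_enabled && r[i].exec_enabled);
            if (overlap && mixed)        /* assumption: treat as unsafe */
                err |= ERR_OVERLAP;
        }
    }
    return err;
}

int main(void) { return (int)audit_regions(good_table, 2); }
```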
