4.1.1.1.1 Boot/Root of Trust Code: Immutability

The integrity of the boot/root of trust code is critical. Any modification or tampering with this code could compromise the security of the system. The root of trust in devices might be hardware-based, firmware-based or a combination. While NIST 800-193 section 3.3 discusses the possibility of an updatable root of trust, immutability is often used to ensure the trustworthiness of the root of trust. The dsPIC33A hardware supports multiple IRT sections with different permissions. This can allow an immutable root of trust as a foundation for the boot but also allow part of the root of trust to be updatable (mutable). This section covers the case where there is a single immutable IRT section or the first immutable stage in a multiple IRT scheme.

The dsPIC33A Flash Protection Regions feature supports having an immutable root of trust by using the Immutable Root of Trust (IRT) region type. When fully enabled and with its configuration locked, an IRT section with write permissions disabled cannot be updated by internal or external programming sources. This includes programmers or debuggers.