4.1.1.3.2 First Mutable Code in Flash: Authenticity
Verifying the integrity of the mutable code only establishes that the code has not been corrupted or altered, in a detectable way, from the image the check was computed over. It does not establish that the code comes from an authentic source, such as the hardware manufacturer: an attacker who can write a modified image to Flash can just as easily write a matching checksum or hash alongside it.
Authenticity of the mutable code is typically established by signing the code with a digital signature. The signature is generated with a digital signature algorithm (DSA, used here generically for schemes such as RSA or ECDSA, not only the NIST DSA) using a private key held by the code's owner, and the resulting signature is provided with the code. The bootloader verifies the signature with the corresponding public key before allowing the code to run; that public key must live where the mutable code cannot replace it, otherwise an attacker could substitute their own key along with their own image.
As in the prior section on mutable code integrity, the bootloader has the same responsibilities: prevent execution of the code before it has been authenticated, authenticate the image, and prevent modification of the code after authentication is complete. The same Flash Protection Region capabilities used to restrict execution and modification for the integrity check should also be used for the authenticity check. The integrity check and the authenticity check typically occur at the same image verification stage of the boot process, though the exact steps depend on the bootloader implementation.
dsPIC33A devices with a Cryptographic Accelerator Module (CAM) have hardware acceleration for several digital signature algorithms, which significantly reduces the authentication time. Refer to the device data sheet to see which hardware cryptographic capabilities are available on a specific device.
Key Considerations:
- Disable write and execution permissions for regions with mutable code/data until the integrity/authenticity is verified
- If a region must not modify itself, set the region's lock-until-reset option before transferring control
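The full sequence, as an added worked example that is not Microchip's bootloader code and does not touch the dsPIC33A Flash Protection Region registers or the CAM: a host-side Go model in which a FlashRegion struct stands in for one protection region, the image header layout (magic, code length, SHA-256 digest, signature) is hypothetical, and Ed25519 stands in for whichever signature algorithm the device supports. It shows why the two checks are distinct: an attacker who patches the code and recomputes the digest passes the integrity check but fails the authenticity check, and the region stays non-executable.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical image layout (assumed for this example, not a Microchip format):
//   magic(4) | codeLen(4) | sha256(code)(32) | ed25519 signature(64) | code
// The signature covers magic || codeLen || digest, so a forger cannot simply
// recompute the digest after patching the code.
const (
	imageMagic = 0x4D434831
	hdrLen     = 4 + 4 + sha256.Size + ed25519.SignatureSize
)

// FlashRegion models one Flash Protection Region holding mutable code.
type FlashRegion struct {
	Data             []byte
	WriteEnabled     bool
	ExecuteEnabled   bool
	LockedUntilReset bool
}

var (
	ErrFormat       = errors.New("bad image header")
	ErrIntegrity    = errors.New("integrity check failed")
	ErrAuthenticity = errors.New("authenticity check failed")
)

// BuildImage is the signing side (runs on the manufacturer's build host).
func BuildImage(priv ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	hdr := make([]byte, 8, hdrLen)
	binary.LittleEndian.PutUint32(hdr[0:], imageMagic)
	binary.LittleEndian.PutUint32(hdr[4:], uint32(len(code)))
	hdr = append(hdr, digest[:]...) // hdr now holds the signed message
	hdr = append(hdr, ed25519.Sign(priv, hdr)...)
	return append(hdr, code...)
}

// TamperAndRehash simulates an attacker who flips a code byte and refreshes
// the digest so that a pure integrity check would still pass.
func TamperAndRehash(img []byte) []byte {
	out := append([]byte(nil), img...)
	out[hdrLen] ^= 0x01
	d := sha256.Sum256(out[hdrLen:])
	copy(out[8:], d[:])
	return out
}

// VerifyAndUnlock is the bootloader side. Execution is only enabled, and
// writes locked out until reset, after both checks pass.
func VerifyAndUnlock(pub ed25519.PublicKey, r *FlashRegion) error {
	// Step 1: nothing in the region may run or change while it is inspected.
	r.WriteEnabled, r.ExecuteEnabled = false, false

	img := r.Data
	if len(img) < hdrLen || binary.LittleEndian.Uint32(img[0:]) != imageMagic {
		return ErrFormat
	}
	if int(binary.LittleEndian.Uint32(img[4:])) != len(img)-hdrLen {
		return ErrFormat
	}
	digest := img[8 : 8+sha256.Size]
	sig := img[8+sha256.Size : hdrLen]
	code := img[hdrLen:]

	// Step 2: integrity, catches corruption (and naive tampering).
	actual := sha256.Sum256(code)
	if !bytes.Equal(actual[:], digest) {
		return ErrIntegrity
	}
	// Step 3: authenticity, the signed header binds the digest to the key holder.
	if !ed25519.Verify(pub, img[:8+sha256.Size], sig) {
		return ErrAuthenticity
	}
	// Step 4: lock the region (no writes until reset), then allow execution.
	r.LockedUntilReset = true
	r.ExecuteEnabled = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	code := []byte("constructed sample application code") // constructed input
	good := &FlashRegion{Data: BuildImage(priv, code)}
	fmt.Println("genuine:", VerifyAndUnlock(pub, good), "execute:", good.ExecuteEnabled)

	patched := &FlashRegion{Data: TamperAndRehash(good.Data)}
	fmt.Println("patched+rehashed:", VerifyAndUnlock(pub, patched), "execute:", patched.ExecuteEnabled)

	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := &FlashRegion{Data: BuildImage(attackerPriv, code)}
	fmt.Println("re-signed by attacker:", VerifyAndUnlock(pub, forged), "execute:", forged.ExecuteEnabled)
}
```

On a real device, step 1 and step 4 would be register writes to the Flash Protection Region hardware, and the public key used in step 3 would be baked into the immutable bootloader rather than passed in as a parameter.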
