CodeGuard™ Security: Protecting Intellectual …ww1.microchip.com/downloads/en/DeviceDoc/70179B.pdfCASE STUDY: APPLICABILITY OF CODEGUARD SECURITY TO WASHING MACHINES A washing machine

CodeGuard™ Security: Protecting Intellectual Property in Collaborative System Designs

EXECUTIVE SUMMARYMicrochip’s CodeGuard™ Security enables multipleparties to more securely share resources (memory,interrupts and peripherals) on a single chip. IntellectualProperty (IP) Vendors, Original Design/EquipmentManufacturers (ODM/OEM) and Value-AddedResellers (VAR) now have an opportunity to reap thefollowing benefits using these advanced on-chipsecurity features:

• System cost reduction• Component reduction and associated benefits to

inventory management• Decreased risk of losing IP to unqualified partners• Increased security during program distribution

and Flash memory update

CodeGuard Security is a turnkey solution with basic,intermediate and advanced implementations onMicrochip’s compatible line of 16-bit Flash memory-based PIC24 Microcontrollers (MCU) and dsPIC®

Digital Signal Controllers (DSC).

INTRODUCTIONMicrochip’s CodeGuard Security represents uniqueadvancements in the realm of embedded firmwaresecurity. This white paper describes CodeGuardSecurity and discusses application scenarios that willfind these features beneficial. The description of thesalient features of CodeGuard Security is comple-mented by a discussion on available tools and softwareuseful to the design engineering community.

WHO BENEFITS FROM CodeGuard Security?Software Intellectual Property (IP) vendors, OEMs,Programming Centers and Contract Manufacturers ofembedded systems benefit from CodeGuard Security.If your organization uses a Code Protection featureavailable on MCUs, DSCs or DSPs, CodeGuardSecurity may be useful to you in collaborating with yourdesign partners to reduce your system cost and reducethe risk of IP loss.

WHO SHOULD READ THIS WHITE PAPER?This document provides guidance to design engineers,product development managers, as well as costing,component and procurement specialists. The followingguidelines may prove useful for faster readability. Werecommend:

• Product Development and Operations Managers read Section “Protecting Embedded Intellectual Property (IP)” and Section “Process Flow: From Software Development to Production”

• Costing, Component and Procurement Special-ists read Section “Protecting Embedded Intel-lectual Property (IP)”, Section “CodeGuard Security: Featured Products and Availability” and Section “Process Flow: From Software Development to Production”

• Design Engineers read the entire document

PROTECTING EMBEDDED INTELLECTUAL PROPERTY (IP) Protecting a company’s IP is one of the highestpriorities in a competitive marketplace. In embeddedapplications, OEMs, design houses and softwarevendors face some critical issues in trying to protecttheir IP while collaborating on system designs. Theseissues are listed below:

1. IP protection measures increase system cost forOEMs and VARs

2. Software vendors and design houses risk losingIP to unqualified partners

3. Insufficient on-chip support for secure programdistribution and Flash memory update

We examine each of these issues in detail and describehow CodeGuard Security provides a solution.

Author: Rishi VasukiMicrochip Technology Inc.

© 2006 Microchip Technology Inc. DS70179B-page 1

CodeGuard™ Security
ISSUE: PROTECTING IP INCREASES SYSTEM COSTIn today’s business environment, Original Design/Equipment Manufacturers (ODM/OEM), Software IPVendors and Value Added Resellers (VAR) increas-ingly engage in collaborative supplier-buyer relation-ships while developing new products. Each of theseparties may own Intellectual Property (IP) they wouldwant to protect. This IP is increasingly in the form offirmware or program resident in the Flash memory ofembedded processors such as Microcontrollers(MCU), Digital Signal Processors (DSP) or DigitalSignal Controllers (DSC). Having had their IP stolen inthe past, today’s IP vendors and OEMs often resort tousing on-chip memory or code protection features todisallow competitors from copying their firmware.
Given that each vendor or OEM in the supply chainwould like to protect their own IP, often the final productsold to the end customer may contain two to threeembedded microcontrollers, each protecting the

firmware of one of these parties. Essentially, eachvendor deems their own IP important enough that theyfind a home for it in a dedicated code-protected micro-controller. From a system cost perspective, this endproduct is inefficient. From a component procurement(purchasing) specialist’s perspective, managing inven-tories and lead times of three microprocessors is quitea challenge. From a system designer’s perspective,there is a large opportunity for system integration intoone microcontroller. This is exactly what theCodeGuard Security facilitates.

Figure 1 shows a block diagram describing a genericcollaborative embedded system design model. Deriva-tives of this model are in use today. Figure 1 highlightsthe cost inefficiencies introduced by the lack of anappropriate MCU or DSC solution.

FIGURE 1: INCREASED SYSTEM COST DUE TO IP PROTECTION IN COLLABORATIVE DESIGNS

Final product typically consists of multiple code-protected processors (located in one or more boards) – protecting individual Intellectual Properties adds to system cost, inventory, board space.

ODM/ OEM

OEM/ VAR Software IP

Vendor

Semiconductor Manufacturer 1

MCU, DSC, DSP MCU, DSC, DSP



MCU, DSC, DSP

DS70179B-page 2 © 2006 Microchip Technology Inc.

SOLUTION: SYSTEM COST REDUCTION USING CodeGuard Security
FIGURE 2: COST DECREASE DUE TO CodeGuard™ Security

Microchip’s CodeGuard Security offers a system costreduction by enabling multiple parties (softwarevendors, OEMs and their partners) to securely sharea single chip’s resources as shown in Figure 2. Thus,multiple processors may be integrated into a single16-bit MCU or DSC. Final products may then beoffered to customers at more attractive costs whiledecreasing component count and associated risks ofmanaging an inventory of multiple microcontrollers.An example implementation is described in “CaseStudy: Applicability of CodeGuard Security to Wash-ing Machines”. For definitions of the on-chip Boot,Secure and General Segments, see “CodeGuardSecurity: Definition and Features”.

On-chip Flash memory,

SRAM &

EEPROM

OEM/VAR

General Segment Store Peripheral drivers & ISR,

Large look-up tables, I/O interface code, own IP, etc.

ODM/OEM

Secure Segment Store special algorithm code, restricted third-party IP, small

look-up tables, secure ISR

PIC24H or dsPIC® DSC Single-Chip Solution

Software/ IP Vendor

Microchip

Boot Segment Store Secure Bootloader, Boot

ISR, Authentication/ Encryption/Decryption

Utilities, Keys, etc.

Lowest Privileges

Configurable Memory Segment Size options for each Code-Protected Segment

Highest Privileges

On-chip Flash memory


ISSUE: SOFTWARE VENDORS FACE INCREASED RISK OF LOSING IPIn today’s global business environment, softwarevendors increasingly license their IP to unfamiliarparties. Once the IP has been licensed, the buyingentity has free access to either source or object codeprovided by the software vendor. Using the simplestintegrated development environments available today,the buying entity can easily translate object code backto source program. While the buyer may never violatethe license agreement, there is always the risk of thebuyer building their domain expertise by gaining expe-rience using the vendor’s IP. In some cases there is arisk that buyers may use their newly gained experiencein other projects and need not license the vendor’s IPever again.
SOLUTION: USING CodeGuard Security TO DECREASE RISK OF IP LOSSCodeGuard Security provides a new method to enablesoftware vendors to decrease the risk associated withloss of IP. Traditionally, software vendors haveprovided their customers with object files, software pro-tocol stacks or software libraries. These files or librariesare not secure and the underlying source program canbe easily exposed using disassembly viewers within anIntegrated Development Environment (IDE). UsingCodeGuard Security (as shown in Figure 2), softwarevendors may now program a segment of Flashmemory, enable code protection for that segment aloneand provide the device to their customer, who cancustomize the application by adding firmware to adifferent segment of Flash memory. Software vendorswho do not normally provide programmed MCUs orDSCs to their customers can use Microchip or otherprogramming centers or Microchip’s Quick-TurnProgramming (QTP) process to program devices priorto providing to their customers. Alternately, vendorsmay use device programmers such as MPLAB® PM3and MPLAB® ICD 2 to program a segment of memorythemselves. Further, software vendors may also pro-vide their customers with any updates to their firmwarein the form of encrypted object files. The encryptedobject files may be programmed by on-chip bootload-ers capable of authentication and decryption. In thiscase, the advantage provided by CodeGuard Securityis that the encrypted hex file can be decrypted withinthe segment to be re-programmed.

Let us now turn to a simple case that highlights bothissues and demonstrates how CodeGuard Securitymay be used to protect IP.

CASE STUDY: APPLICABILITY OF CODEGUARD SECURITY TO WASHING MACHINESA washing machine unit comprises a drum unit thatincludes a Brushless DC motor, a motor controllerboard with a serial RS-232 interface; and a user-inter-face board with keypad, LCD, temperature sensorsand an RS-232 unit. The user-interface board commu-nicates desired wash load, rinse speed, etc. to themotor controller board via commands over the RS-232link. Depending on the commands received over theRS-232 link, the motor controller board changes motorspeed and torque.

If this application was redesigned for reducing systemcost, the MCU in the motor controller board could beintegrated with the MCU in the user interface board.However, this is not considered a practical approachbecause the motor controller board was provided bythe entity who manufactures the BLDC motor, whereasthe user-interface board is designed in-house by thewashing machine manufacturer. Further, the motormanufacturer actually received licensed firmware forthe main controller chip of the motor controller boardfrom another software IP vendor. In order to protect hisIP, the software IP vendor also insists on code-protect-ing the MCU on the motor controller board. The BLDCmotor manufacturer provides the motor controller MCUto not only the washing machine manufacturer but alsoto another OEM. In the end, two MCUs are used to fullyimplement the washing machine product. CodeGuardSecurity offers a cost-effective, yet secure solution tothis problem. Figure 3 illustrates the cost-ineffective-ness issue discussed earlier, as applicable to thewashing machine product development. Figure 4demonstrates how the use of CodeGuard Security cansignificantly lower system cost, as well as streamlinethe product development.


FIGURE 3: EXAMPLE: EXISTING WASHING MACHINE DESIGN FLOW
FIGURE 4: WASHING MACHINE REDESIGNED TO INCORPORATE CodeGuard™ Security

ODM/OEM BLDC Motor & Controller Board Manufacturer

OEM/Value Added Reseller Washing Machine Manufacturer

Software Vendor* Sensorless Field Oriented Control Firmware IP Vendor

End Customer Washing Machine Appliance Buyer


MCU/DSP/DSC

Software IP


MCU/DSP/DSC

Microchip Technology Inc. MCU/DSC Vendor offering QTP services

ODM/ OEM* BLDC Motor & Controller Board manufacturer

OEM/Value Added Reseller* Washing Machine Manufacturer

Software Vendor* Sensorless Field Oriented Control firmware IP Vendor

End Customer Washing Machine Appliance Buyer

MCU/DSC programmed with Software IP

Note 1: * Indicates parties who may use code protection features on MCUs, DSPs and DSCs to securetheir Intellectual Property (IP).

2: Using CodeGuard™ Security, each party’s program may reside in a separate segment of on-chipFlash memory, for instance – OEM bootloader program resides in Boot Segment, softwarevendor program resides in Secure Segment and VAR program resides in General Segment.

3: This figure shows one of many collaborative design models supported by CodeGuard Security.


Similar examples exist in other applications that involvemotors, power conversion, speech, audio, lighting etc.Some examples of the end-applications include auto-mobile air conditioners, HVAC, treadmills, dishwash-ers, power meters, hands-free phone kits,teleconference equipment, etc.
ISSUE: INSECURE PROGRAM DISTRIBUTION AND FLASH UPDATEIn an increasingly connected world, the need toachieve secure firmware updates or secure data com-munication is becoming critical. Field-upgradeableFlash microcontrollers are used in many applications inthe automotive, consumer and industrial segments.Firmware update of Flash memory in a microcontrolleris achieved in many different ways. Whatever themethod of update, it is relatively simple to capture boththe protocol used to interface with the microcontrollerduring a Flash update as well as the actual programbeing updated. For specific examples see “SecureProgram Distribution Basics”. A number of MCU andDSC platforms offered by different semiconductor man-ufacturers are now supported by secure bootloadersthat offer the capability to perform secure remote or on-site Flash memory updates. However, these solutionssuffer from a few drawbacks:

1. Flash memory updates can be slow and addinga layer of security by attempting to program anencrypted object/hex file makes the processeven slower.

2. MCU solutions that offer on-chip hardwareencryption are closely tied to specific encryptionalgorithms or standards and do not support avariety of encryption algorithms.

3. Most MCU solutions do not offer a separateblock of Flash memory to store privileged infor-mation such as keys associated with encryptionand decryption.

4. For the case where software vendors and OEMhave collaborated to produce on-chip firmware,no MCU or DSC solutions enable performing anindividual secure update of each party’sfirmware.

SECURE PROGRAM DISTRIBUTION BASICSIf you are not completely certain about whether yourapplication needs to secure firmware updates of Flashmemory, consider the two examples below:

1. A binary/hex file is transmitted to the embeddedtarget using a simple handshake protocol over aserial communication peripheral such as CAN,SPI or RS-232. Logic analyzers probing theserial communication or programming interfacepins can provide details on the handshakeprotocol commands in use as well as the binarypattern contained in the hex file. Thereafter, anunauthorized user can recreate the hex file,modify it using a disassembler, recreate the

protocol commands and update the Flash with adifferent hex file.

2. A binary/hex file is transmitted to the embeddedtarget using a combination of complex protocolsand hardware such as TCP/IP and a Modemover a phone line or TCP/IP over an Ethernetlink. During the firmware upgrade process, it isfairly simple for a ‘snooping device’ to ‘listen’ tothe activity on the communication line andtamper with the embedded application. In thescenario outlined here, the application could bemodified without ever having to manuallydisassemble the hex file or de-solder theembedded target. Steps are provided below:

A packet analyzer available off-the-shelf can beused to capture CAN messages or TCP/IP pack-ets sent to the embedded target.

If enough messages or the packets arecaptured, the protocol governing the program/Flash update is easily deciphered.

The snooping device can now use the informa-tion to send its own messages to the embeddedtarget to tamper with the application. Once againoff-the-shelf solutions are available to transmitCAN or TCP/IP messages to the embeddedtarget.

The examples above highlight two security issues:

• Flash memory-based embedded applications are not tamper-resistant

• There is no way to distinguish whether the tamper-ing entity was an authorized or an unauthorized user.

Increasing security against tampering becomes signifi-cant to mission-critical systems, such as automotiveengine control units or heavy machinery powered byelectronically controlled motors. In these applications,mission failures may cause loss of life. The case foradding layers of security in automotive electronics isstrong because these systems are already built tosupport a host of diagnostic utilities and field upgrades.

SOLUTION: USING CodeGuard Security TO SECURE FLASH UPDATEThe four issues with securing program distributionidentified in Section “Issue: Insecure ProgramDistribution and Flash Update” are solved using16-bit MCUs and DSCs featuring CodeGuardSecurity. Figure 5 shows a potential secure programupdate model supported by coupling the CodeGuardSecurity with Microchip’s software encryption librar-ies. The key items to note are that the CodeGuardSecurity enables:

1. All decryption and programming firmware canreside within the protected segment

2. Segment Erase options enable faster erase ofthe on-chip Flash memory, thus speeding up thewrite/erase time


FIGURE 5: SECURE PROGRAM UPDATE OF ON-CHIP FLASH MEMORY USING CodeGuard™
Security

CodeGuard Security: DEFINITION AND FEATURESThe CodeGuard Security provides an advanced codeprotection scheme to help multiple parties securelyshare on-chip resources. The features are listed belowand discussed later in this section:

• Memory segmentation & access privileges to enable multiple parties to share on-chip resources

• Segment erase/programming options for support-ing secure bootloaders/kernels

• Secure interrupt handling• Secure development and debugging

On-chip communication interface such as ECAN, SPI or UART

Remote or On-site Field Upgrade/ Program Update Agent Protected

Application Program

Secure Segment in Flash may be used to store proprietary application

program as well as decryption program to

decrypt vendor code in an in-place manner

Secure Kernel Boot Segment stores Secure Bootloader, Authentication,

Encryption, Decryption utilities, Keys, etc.

On-Chip Flash Memory

Step 1: Secure Kernel authenticates firmware update agent Step 2: Agent provides encrypted hex file to Secure Kernel Step 3: Secure Kernel Decrypts hex file using key information and programs Flash memory OR Protected Application program decrypts its own hex file and programs the secure segment in Flash memory


MEMORY SEGMENTATION FEATURES
FIGURE 6: CodeGuard™ Security – ADVANCED FLASH/RAM/EEPROM MEMORY SEGMENTATION

As shown in Figure 6, the Program Flash memory,RAM and EEPROM in a device featuring CodeGuardSecurity may be optionally segmented into three pro-tected segments of Flash memory:

• Boot Segment

The Boot Segment in Flash memory has the highestaccess privileges of the three segments. The BootSegment can be configured to be one of many sizeoptions. It can be small, allowing a simple yet highlysecure bootloader, or large to hold a more sophisti-cated secure operating system. The Boot Segmentcan be optionally given the privilege to read from,write to (Flash update), call a routine in or jump toany other segment, code-protected or not. The BootSegment can also rewrite its own locations, thusallowing the ability to store and update cryptographickeys. On the other hand, if spurious writes are aconcern, all Flash writes to the Boot Segment can becompletely disabled.

Access to the Boot Segment from other segmentscan be limited severely. In the most restricted form(High Security), one can jump to or call a routine inthe first few instruction locations of the BootSegment. In a less restricted setup (StandardSecurity), subroutine calls and program jumps are

allowed from the Secure Segment and the GeneralSegment. Boot Segment can secure portions of on-chip RAM to which access from all other segmentsare restricted. Boot Segment can also secureportions of on-chip data Flash to which access fromall other segments are inhibited.

• Secure Segment

The Secure Segment is ideal for storing proprietaryalgorithm routines, such as special motor controlsoftware, acoustic noise suppression software, etc.The Secure Segment in Flash memory may beconfigured for one of many size options. Access tothe Secure Segment from the General and BootSegments can be restricted. Secure Segment cansecure portions of on-chip RAM to which access fromall other segments is restricted. Program in theSecure Segment of Flash memory can also secureportions of on-chip Data EEPROM to which accessfrom all other segments is restricted. The BootSegment can be given unrestricted access to theSecure Segment when the Secure Segment isconfigured for “Standard Security”, but the SecureSegment has identical privileges like the BootSegment when the segment is configured for “HighSecurity”.

General Segment Store Peripheral drivers & ISR, Large look-up tables, I/O interface code, own IP,

etc.

Secure Segment

Store special algorithm program, restricted third-party IP, small look-up

tables, secure ISR

Boot Segment Store Secure Bootloader, Boot ISR, Authentication/

Crypto Utilities, Keys, Special algorithms, etc.

Configurable Copy/Write-protected Memory Segments with Size options

Optional Segment

Optional Segment

Lowest Privileges

Highest Privileges


• General Segment
This segment is ideal for storing the user applicationprogram such as peripheral drivers, Interrupt ServiceRoutines, large look-up tables, etc. The GeneralSegment starts immediately following the SecureSegment. Its size is essentially the on-chip Flashmemory less the Boot and Secure Segments. If thereare no Boot or Secure Segments then the GeneralSegment starts where interrupt vectors end and maybe as large as 256KB.

SEGMENT ERASE, PROGRAMMING AND WRITE PROTECTIONThe General Segment in Program Flash memory maybe individually erased. Erasing the Secure Segment inFlash also causes the Secure Segment in DataEEPROM as well as the General Segment in Flash andData EEPROM to be erased. Erasing the BootSegment in Flash also causes all three segments inFlash and Data EEPROM to be erased. Segments inData EEPROM may be individually erased. Erasing asegment also causes associated Configuration regis-ters for that segment to be erased. During applicationrun-time, the segment erase/programming featuresfacilitate services such as a Secure Bootloader/Kernelthat are housed in the Boot Segment. During applica-tion development, this feature enables a designengineer to develop program on one segment of thedevice while another protected segment of the deviceis already populated with another party’s program.Designers also have the option to write-protect eachsegment of Flash memory to disable any spurious Run-Time Self Programming (RTSP) operations thatoriginate from firmware within the segment.

INTERRUPT HANDLINGIn scenarios where two parties share memoryresources on a single chip, it is conceivable that pro-gram in one protected segment (belonging to one of thetwo parties) may use peripheral interrupts as a mecha-nism to interrupt program execution in another pro-tected segment. Even in scenarios where all theprogram in Flash belongs to the same party, a hackingentity may repeatedly cause external interrupt eventsto view RAM locations. In all such cases, the hackingentity may be interested in examining temporary regis-ters and RAM locations to establish and even modifythe nature of operations being performed by firmwarein another protected segment.

CodeGuard™ Security provides special interruptsupport to annul such issues. If an interrupt occurswhile program executes in one protected segment, theprocessor vectors to a special interrupt vector withinthat protected segment. This provides the program anopportunity to save or clear its scratch registers. Oncethe registers are saved or cleared, the program canexamine the pending interrupt request flag and executea safe branch instruction to the interrupt service routine

of the pending interrupt source. By design, theCodeGuard Security provides special interrupt supportto protect against data-dumping routines (often termed“Trojan horses”). Further, all 16-bit Microchip MCUsand DSCs support two interrupt vector tables – primaryand alternate interrupt vector tables. This featureenables multiple parties to write interrupt serviceroutines for the same peripheral but located in differentsegments. The ISR to be used can be switched at runtime by the application program.

CodeGuard Security: FEATURED PRODUCTS AND AVAILABILITYCodeGuard Security offers on-chip memory segmenta-tion capabilities in three distinct forms. Devicessupporting CodeGuard Security offer one or more ofthese three forms of memory segmentation. The threeforms are described below:

• Basic Form

In the Basic Form, all on-chip Flash memory isconsidered one segment (i.e., no segmentation). Inthis form all of Flash memory is referred to as theGeneral Segment. The application program in theGeneral Segment may be read and write-protected.The Basic Form of segmentation is available on all16-bit MCU and DSC devices.

• Intermediate Form

In the Intermediate Form, on-chip Flash memory maybe divided into two segments – Boot Segment andGeneral Segment. Programs in each segment maybe individually read and write-protected. The Inter-mediate Form of segmentation is available typicallyon devices with less Flash memory (48KB or lesser).The Intermediate Form inherently supports the BasicForm through the use of Configuration registers. TheIntermediate Form is ideal for low-memory applica-tions in need of secure firmware update features.

• Advanced Form

In the Advanced Form, on-chip Flash memory, DataEEPROM and Data SRAM may each be optionallydivided into three segments – Boot Segment, SecureSegment and General Segment. Each segment maybe individually read and write-protected. Further,each segment in Flash may optionally secure a por-tion of Data EEPROM for its own use. Each segmentmay also secure or release a portion of SRAM whilethe application is running. If a segment in Flashmemory secures a portion of RAM or EEPROM,other segments do not have access to this RAM orEEPROM. The Advanced Form of segmentation isavailable typically on devices with Flash memorygreater than 48 KB. The Advanced Form inherentlysupports the Basic and Intermediate Forms by theuse of Configuration registers.


CodeGuard Security is available now on all 16-bit prod-ucts from Microchip. The table below identifies 16-bitMicrochip MCUs and DSCs that implement Intermedi-ate and Advanced Forms of CodeGuard Security. Italso identifies the largest size that individual memory
segments may be configured for. All 16-bit MCUs andDSCs implement the Basic Form of CodeGuardSecurity, which configures only a single segment inFlash memory.

DEVELOPMENT AND DEBUGGING CONSIDERATIONS

DEBUGGINGIn the past, numerous hackers have used “processortest modes” or “debug modes” as a back-door tobreak code protection features. Devices featuringCodeGuard Security have been designed so thatprogram or data in protected segments of Flash,Data EEPROM or RAM are not exposed bydisassembly viewers, debug windows, watchwindows or test modes.

As previously suggested in this paper, an OEM mayprocure from a vendor a device with a program residentin the Boot or Secure Segment, with the objective ofdeveloping the remainder of the application program inthe General Segment. In such cases, in order to aiddebugging during the application development phase,the OEM may choose not to enable code protection inthe General Segment until the program has beentested and finalized. Thus, CodeGuard Securitysupports normal debugging of program in unprotectedmemory segments while rendering invisible theprogram in the protected memory segments.

Device Family


Implementation Type

Maximum Memory Segment Size (Bytes)

Boot Segment Secure Segment General Segment

All PIC24F devices Basic — — All on-chip Flash memory

PIC24H devices with 64KB on-chip Flash memory

Advanced 24K 48K 64K

PIC24H devices with 128KB on-chip Flash memory


PIC24H devices with 256KB Flash memory


dsPIC30F5011/5013 Advanced 12K 48K 66KdsPIC30F6010/dsPIC30F6015 Advanced 12K 48K 144KdsPIC30F6011A/12A Advanced 12K 48K 132KdsPIC30F6013A/14A Advanced 12K 48K 144KdsPIC30F1010 Intermediate 1.5K — 6KdsPIC30F2020/2023 Intermediate 6K — 12KAll other dsPIC30F devices Basic — — All on-chip Flash

memorydsPIC33F devices with 64KB on-chip Flash memory


dsPIC33F devices with 128KB on-chip Flash memory


dsPIC33F devices with 256KB on-chip Flash memory



DEVELOPMENT TOOLS AND INTEGRATED DEVELOPMENT ENVIRONMENTMicrochip’s MPLAB® IDE (v7.41 or later), MPLAB®
C30 Compiler Tool suite (v2.03 or later) and MPLABICD 2 Debugger support application development ondevices featuring CodeGuard Security. MPLAB IDEv7.41 and MPLAB C30 v2.03 are the first releases ofthe development tools that aid development using theCodeGuard Security. These versions of the develop-ment tools support programming of new Configurationregisters that protect Boot, Secure and GeneralSegments in Flash memory, Data EEPROM and RAM.Software designers should also note that device-spe-cific linker scripts may need to be further customized toachieve the best results in using CodeGuard Securitywith these initial versions of the development tools.Future versions of these tools will continue to enhancesupport for CodeGuard Security.

SECURE FIRMWARE DISTRIBUTION AND FLASH UPDATE SOFTWAREIn order to develop secure kernels secure bootloaders,software design engineers can use Microchip’s suite ofSymmetric Key (Part Number: SW300050-EVAL) andAsymmetric Key (Part Number: SW300055-EVAL)Embedded Encryption libraries. While the SymmetricKey library supports functions such as Triple DES and128-bit AES, the Asymmetric Key library supports 1024or 2048-bit RSA, DSA and Diffie-Hellman. Both librar-ies feature hash routines such as SHA-1, MD5, and aDeterministic Random Bit Generator. In addition,Microchip also provides Bootloader software freely onthe web at http://www.microchip.com.

PROCESS FLOW: FROM SOFTWARE DEVELOPMENT TO PRODUCTIONSince multiple parties may securely share resources ona single chip using CodeGuard Security, some newchallenges may arise. These challenges have beenidentified below and an approach to development hasbeen recommended:

• Which party should program their firmware into the target device first?

The party which is responsible for programming thesegment with the highest privileges (Boot or SecureSegment) should program their firmware into theprivileged segment of the device first. In typicalcases, this may be the software IP vendor or designhouse.

• How does one party hand-off the code-protected device to another party?

When one party programs a higher privilegedsegment of Flash memory, it can provide the device tothe party developing the program for the next highestprivileged segment. The device would need to beaccompanied by an interface specification that helpsthe receiving party understand how to call or interfaceto the code-protected routines. The receiving partyalso needs the linker script used by the originatingparty.

• How is programming achieved on the production line when multiple parties own IP that needs to be programmed into the same chip?

Customers have many options to overcome thischallenge. Software IP vendors may use a program-ming center to program devices with their proprietaryalgorithm into the Secure Segment (or sometimesBoot Segment). Many programming centers alsoprovide secure bootloaders or kernels that can assistin programming encrypted firmware. Once the IPvendor’s firmware is programmed, the programmingcenter can transfer the devices to the OEM’s produc-tion line or manufacturing center. The OEMs thenneeds to only program their own firmware into theGeneral Segment (or sometimes Secure Segment)of the device. Once again the OEM may also use theservices of a programming center. Microchipprovides two kinds of programming services via themicrochipDirect Programming Center and the QTPprocess. For more information on these services,visit our web site at http://www.microchip.com.

SUMMARYCodeGuard Security available on Microchip TechnologyInc.’s 16-bit PIC24 Microcontrollers and dsPIC DigitalSignal Controllers adds a unique dimension to thecapabilities of the Flash memory based product portfolio.The CodeGuard Security leads a new wave of embed-ded applications that have come to expect increasedsecurity. Coupled with Microchip’s software encryptionlibraries designers can use CodeGuard Security to addvaluable features to safeguard their Intellectual Property.For further information on development tools andcollateral documentation, please visit our web site at http://www.microchip.com/CodeGuard.


www.microchip.com

www.microchip.com

www.microchip.com

www.microchip.com

www.microchip.com/CodeGuard

NOTES:

Note the following details of the code protection feature on Microchip devices:• Microchip products meet the specification contained in their particular Microchip Data Sheet.

• Microchip believes that its family of products is one of the most secure families of its kind on the market today, when used in the intended manner and under normal conditions.

• There are dishonest and possibly illegal methods used to breach the code protection feature. All of these methods, to our knowledge, require using the Microchip products in a manner outside the operating specifications contained in Microchip’s Data Sheets. Most likely, the person doing so is engaged in theft of intellectual property.

• Microchip is willing to work with the customer who is concerned about the integrity of their code.

• Neither Microchip nor any other semiconductor manufacturer can guarantee the security of their code. Code protection does not mean that we are guaranteeing the product as “unbreakable.”

Code protection is constantly evolving. We at Microchip are committed to continuously improving the code protection features of ourproducts. Attempts to break Microchip’s code protection feature may be a violation of the Digital Millennium Copyright Act. If such actsallow unauthorized access to your software or other copyrighted work, you may have a right to sue for relief under that Act.

Information contained in this publication regarding deviceapplications and the like is provided only for your convenienceand may be superseded by updates. It is your responsibility toensure that your application meets with your specifications.MICROCHIP MAKES NO REPRESENTATIONS ORWARRANTIES OF ANY KIND WHETHER EXPRESS ORIMPLIED, WRITTEN OR ORAL, STATUTORY OROTHERWISE, RELATED TO THE INFORMATION,INCLUDING BUT NOT LIMITED TO ITS CONDITION,QUALITY, PERFORMANCE, MERCHANTABILITY ORFITNESS FOR PURPOSE. Microchip disclaims all liabilityarising from this information and its use. Use of Microchipdevices in life support and/or safety applications is entirely atthe buyer’s risk, and the buyer agrees to defend, indemnify andhold harmless Microchip from any and all damages, claims,suits, or expenses resulting from such use. No licenses areconveyed, implicitly or otherwise, under any Microchipintellectual property rights.

© 2006 Microchip Technology Inc.

Trademarks

The Microchip name and logo, the Microchip logo, Accuron, dsPIC, KEELOQ, microID, MPLAB, PIC, PICmicro, PICSTART, PRO MATE, PowerSmart, rfPIC, and SmartShunt are registered trademarks of Microchip Technology Incorporated in the U.S.A. and other countries.

AmpLab, FilterLab, Migratable Memory, MXDEV, MXLAB, SEEVAL, SmartSensor and The Embedded Control Solutions Company are registered trademarks of Microchip Technology Incorporated in the U.S.A.

Analog-for-the-Digital Age, Application Maestro, CodeGuard, dsPICDEM, dsPICDEM.net, dsPICworks, ECAN, ECONOMONITOR, FanSense, FlexROM, fuzzyLAB, In-Circuit Serial Programming, ICSP, ICEPIC, Linear Active Thermistor, Mindi, MiWi, MPASM, MPLIB, MPLINK, PICkit, PICDEM, PICDEM.net, PICLAB, PICtail, PowerCal, PowerInfo, PowerMate, PowerTool, REAL ICE, rfLAB, rfPICDEM, Select Mode, Smart Serial, SmartTel, Total Endurance, UNI/O, WiperLock and ZENA are trademarks of Microchip Technology Incorporated in the U.S.A. and other countries.

SQTP is a service mark of Microchip Technology Incorporated in the U.S.A.

All other trademarks mentioned herein are property of their respective companies.

© 2006, Microchip Technology Incorporated, Printed in the U.S.A., All Rights Reserved.

Printed on recycled paper.

DS70179B-page 13

Microchip received ISO/TS-16949:2002 certification for its worldwide headquarters, design and wafer fabrication facilities in Chandler and Tempe, Arizona, Gresham, Oregon and Mountain View, California. The Company’s quality system processes and procedures are for its PICmicro® 8-bit MCUs, KEELOQ® code hopping devices, Serial EEPROMs, microperipherals, nonvolatile memory and analog products. In addition, Microchip’s quality system for the design and manufacture of development systems is ISO 9001:2000 certified.


AMERICASCorporate Office2355 West Chandler Blvd.Chandler, AZ 85224-6199Tel: 480-792-7200 Fax: 480-792-7277Technical Support: http://support.microchip.comWeb Address: www.microchip.comAtlantaAlpharetta, GA Tel: 770-640-0034 Fax: 770-640-0307BostonWestborough, MA Tel: 774-760-0087 Fax: 774-760-0088ChicagoItasca, IL Tel: 630-285-0071 Fax: 630-285-0075DallasAddison, TX Tel: 972-818-7423 Fax: 972-818-2924DetroitFarmington Hills, MI Tel: 248-538-2250Fax: 248-538-2260KokomoKokomo, IN Tel: 765-864-8360Fax: 765-864-8387Los AngelesMission Viejo, CA Tel: 949-462-9523 Fax: 949-462-9608Santa ClaraSanta Clara, CA Tel: 408-961-6444Fax: 408-961-6445TorontoMississauga, Ontario, CanadaTel: 905-673-0699 Fax: 905-673-6509

ASIA/PACIFICAsia Pacific OfficeSuites 3707-14, 37th FloorTower 6, The GatewayHabour City, KowloonHong KongTel: 852-2401-1200Fax: 852-2401-3431Australia - SydneyTel: 61-2-9868-6733Fax: 61-2-9868-6755China - BeijingTel: 86-10-8528-2100 Fax: 86-10-8528-2104China - ChengduTel: 86-28-8676-6200 Fax: 86-28-8676-6599China - FuzhouTel: 86-591-8750-3506 Fax: 86-591-8750-3521China - Hong Kong SARTel: 852-2401-1200 Fax: 852-2401-3431China - QingdaoTel: 86-532-8502-7355Fax: 86-532-8502-7205China - ShanghaiTel: 86-21-5407-5533 Fax: 86-21-5407-5066China - ShenyangTel: 86-24-2334-2829Fax: 86-24-2334-2393China - ShenzhenTel: 86-755-8203-2660 Fax: 86-755-8203-1760China - ShundeTel: 86-757-2839-5507 Fax: 86-757-2839-5571China - WuhanTel: 86-27-5980-5300Fax: 86-27-5980-5118China - XianTel: 86-29-8833-7250Fax: 86-29-8833-7256

ASIA/PACIFICIndia - BangaloreTel: 91-80-4182-8400 Fax: 91-80-4182-8422India - New DelhiTel: 91-11-4160-8631Fax: 91-11-4160-8632India - PuneTel: 91-20-2566-1512Fax: 91-20-2566-1513Japan - YokohamaTel: 81-45-471- 6166 Fax: 81-45-471-6122Korea - GumiTel: 82-54-473-4301Fax: 82-54-473-4302Korea - SeoulTel: 82-2-554-7200Fax: 82-2-558-5932 or 82-2-558-5934Malaysia - PenangTel: 60-4-646-8870Fax: 60-4-646-5086Philippines - ManilaTel: 63-2-634-9065Fax: 63-2-634-9069SingaporeTel: 65-6334-8870Fax: 65-6334-8850Taiwan - Hsin ChuTel: 886-3-572-9526Fax: 886-3-572-6459Taiwan - KaohsiungTel: 886-7-536-4818Fax: 886-7-536-4803Taiwan - TaipeiTel: 886-2-2500-6610 Fax: 886-2-2508-0102Thailand - BangkokTel: 66-2-694-1351Fax: 66-2-694-1350

EUROPEAustria - WelsTel: 43-7242-2244-3910Fax: 43-7242-2244-393Denmark - CopenhagenTel: 45-4450-2828 Fax: 45-4485-2829France - ParisTel: 33-1-69-53-63-20 Fax: 33-1-69-30-90-79Germany - MunichTel: 49-89-627-144-0 Fax: 49-89-627-144-44Italy - Milan Tel: 39-0331-742611 Fax: 39-0331-466781Netherlands - DrunenTel: 31-416-690399 Fax: 31-416-690340Spain - MadridTel: 34-91-708-08-90Fax: 34-91-708-08-91UK - WokinghamTel: 44-118-921-5869Fax: 44-118-921-5820

WORLDWIDE SALES AND SERVICE

07/21/06

Documents

CodeGuard™ Security: Protecting Intellectual …ww1.microchip.com/downloads/en/DeviceDoc/70179B.pdfCASE STUDY: APPLICABILITY OF CODEGUARD SECURITY TO WASHING MACHINES A washing machine