Title of invention: PREVENTING CODE MODIFICATION AFTER BOOT
Abstract: The subject disclosure is directed towards protecting code in memory from being modified after boot, such as code used in a dedicated microprocessor or microcontroller. Hardware, such as in logic or in a memory protection unit, allows a range of memory to be made non-writeable after being loaded, e.g., via a secure boot load operation. Further, startup code that is used to configure the hardware/memory may be made non-executable after having run once, so that no further execution may occur in that space, e.g., as a result of an attack. A function in the runtime code may allow for a limited, attack-protected reconfiguration of sub-regions of memory regions during the runtime execution.
Publication number: US2015371046(A1) Publication date: 2015.12.24
Application number: US201414310463 Filing date: 2014.06.20
Applicant: Microsoft Corporation Inventors: Chen Ling Tony;Domke Felix Stefan
Classification: G06F21/57;G06F9/44 Main classification: G06F21/57
Agency: Agent:
Independent claim: 1. A method comprising: running secure boot code to load executable instructions into a memory space as loaded executable instructions; protecting selected executable instructions by preventing further modification of the memory space that contains the selected executable instructions, including changing hardware logic to a state that prevents writing to any of the memory space that contains the selected executable instructions; and executing at least some of the executable instructions.
Address: Redmond WA US