Our customer requires adding an external read-protection mechanism for the code flash area.
I only see flash write protection in the TRM manual.
How should read protection be implemented?
Implementing read protection for the code storage area can be achieved by combining hardware-level mechanisms with encryption technology. Taking the STM32 series as an example, it can be done by setting the Read Protection (RDP) level in the option bytes. For instance:
RDP Level 1: Disables the debug interface (JTAG/SWD), prevents access to Flash when booting from SRAM or system memory, and only allows the chip’s own program to read.
RDP Level 2: Further fuses the debug interface, completely prohibits any external access, and is irreversible.
At the same time, fuse bits (such as the SPIEN bit in AVR) can be used to disable the programming interface, preventing Flash from being read via ISP. If higher security is required, a hardware encryption module (such as an HSM) can be integrated, and the Flash content can be encrypted using AES/SM4 algorithms, with the key stored in an external secure chip.
For external read-protection requirements, the following approaches can be used:
Combine the above methods according to the specific MCU model and security requirements, and consult the security chapters in the vendor’s TRM (e.g., STM32 Option Bytes configuration procedure).
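Added example, not part of the answer above: a small C model of the STM32 RDP rules the answer describes (option-byte value to level, which level changes are allowed, which wipe Flash, which are final), the kind of check a production-test or provisioning tool can run on an option-byte dump before shipping a board. It assumes the F4/L4-style encoding (0xAA = Level 0, 0xCC = Level 2, any other value = Level 1); older families such as F1 encode the RDP byte differently.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed F4/L4-style RDP option-byte encoding. */
#define RDP_BYTE_LEVEL0 0xAAu   /* no read protection */
#define RDP_BYTE_LEVEL2 0xCCu   /* permanent, debug fused */

typedef enum { RDP_LEVEL0 = 0, RDP_LEVEL1 = 1, RDP_LEVEL2 = 2 } rdp_level_t;

typedef struct {
    bool allowed;      /* the programmer can perform this change at all   */
    bool mass_erase;   /* code Flash is wiped as a side effect             */
    bool irreversible; /* the device can never leave the new level         */
} rdp_transition_t;

/* Decode the RDP byte read from the option bytes into a protection level. */
rdp_level_t rdp_level_from_byte(uint8_t rdp_byte)
{
    if (rdp_byte == RDP_BYTE_LEVEL0) return RDP_LEVEL0;
    if (rdp_byte == RDP_BYTE_LEVEL2) return RDP_LEVEL2;
    return RDP_LEVEL1;               /* any other value means Level 1 */
}

/* Consequences of moving from one RDP level to another. */
rdp_transition_t rdp_transition(rdp_level_t from, rdp_level_t to)
{
    rdp_transition_t t = { false, false, false };
    if (from == RDP_LEVEL2) return t;        /* Level 2 is final */
    t.allowed = true;
    if (from == RDP_LEVEL1 && to == RDP_LEVEL0) t.mass_erase = true;  /* regression wipes Flash */
    if (to == RDP_LEVEL2) t.irreversible = true;
    return t;
}

/* Production gate: external JTAG/SWD or bootloader reads of code Flash are
 * blocked only at Level 1 or Level 2. */
bool rdp_blocks_external_read(uint8_t rdp_byte)
{
    return rdp_level_from_byte(rdp_byte) != RDP_LEVEL0;
}

int main(void)
{
    uint8_t dumped_rdp = 0x55; /* constructed sample option-byte value */
    rdp_transition_t t = rdp_transition(rdp_level_from_byte(dumped_rdp), RDP_LEVEL2);
    printf("RDP level %d, external read blocked: %s, move to L2 irreversible: %s\n",
           (int)rdp_level_from_byte(dumped_rdp),
           rdp_blocks_external_read(dumped_rdp) ? "yes" : "no",
           t.irreversible ? "yes" : "no");
    return 0;
}
```

Level 1 still lets the chip's own firmware read Flash, so it protects against the external programmer path only; a firmware that can be made to read out its own memory is a separate review item.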