Peripheral configuration locking

Important

This is the Azure Sphere (Legacy) documentation. Azure Sphere (Legacy) is retiring on 27 September 2027, and users must migrate to Azure Sphere (Integrated) by this time. Use the Version selector located above the TOC to view the Azure Sphere (Integrated) documentation.

A peripheral configuration is a mapping of peripherals to cores. Azure Sphere chips now have the ability to lock a peripheral configuration in order to provide additional security. All future Azure Sphere chips will also have peripheral configuration locking.

During system startup, the Azure Sphere runtime reads the application manifest to ascertain which peripherals an application is allowed to use and assigns the peripherals to a core by configuring the hardware firewall. When the peripheral configuration is not locked, it might possible for an attacker to reconfigure the core assignments of the peripherals and access arbitrary peripherals. When the peripheral configuration is locked, however, an attacker cannot reassign peripherals even if the code is compromised.

When the peripheral configuration is locked

The Azure Sphere runtime locks the peripheral configuration during system startup, after all applications are initialized, if the following two conditions are true:

Peripheral configuration locking adds another layer of security for defense-in-depth, which is one of the seven properties required for highly secured devices. Once the peripheral configuration is locked, it cannot be revised until the device is rebooted.

Application updates and device reboot

An application update that requires a change in the peripheral configuration triggers a device reboot when the peripheral configuration is locked. Once the configuration is locked, the device must reboot before it can revise the peripheral configuration accordingly for the application update.

A change in the peripheral configuration occurs when an application update requires peripherals to be released or acquired. The following are examples of application updates that trigger a device reboot when the peripheral configuration is locked:

  • A new application that uses peripherals is installed as part of a cloud update or sideload. In this case, a new core and peripherals must be acquired.
  • An updated application requires a different set of peripherals from its previous version. In this case, some peripherals must be released, and other peripherals must be acquired.
  • An application that uses peripherals is deleted as part of a cloud update. In this case, all peripherals used by the application must be released.

The following are examples of application updates that do not trigger a device reboot because the peripheral configuration remains unchanged:

  • A new application that uses no peripherals is installed as part of a cloud update or sideload.
  • An application that uses no peripherals is deleted as part of a cloud update.
  • An updated application requires the exact set of peripherals used by its previous version.