Peripheral configuration locking
A peripheral configuration is a mapping of peripherals to cores. Azure Sphere chips now have the ability to lock a peripheral configuration in order to provide additional security. All future Azure Sphere chips will also have peripheral configuration locking.
During system startup, the Azure Sphere runtime reads the application manifest to ascertain which peripherals an application is allowed to use and assigns the peripherals to a core by configuring the hardware firewall. When the peripheral configuration is not locked, it might possible for an attacker to reconfigure the core assignments of the peripherals and access arbitrary peripherals. When the peripheral configuration is locked, however, an attacker cannot reassign peripherals even if the code is compromised.
The Azure Sphere runtime locks the peripheral configuration during system startup, after all applications are initialized, if the following two conditions are true:
- The device manufacturing state is set to DeviceComplete.
- The appDevelopment device capability is not present on the device.
Peripheral configuration locking adds another layer of security for defense-in-depth, which is one of the seven properties required for highly secured devices. Once the peripheral configuration is locked, it cannot be revised until the device is rebooted.
An application update that requires a change in the peripheral configuration triggers a device reboot when the peripheral configuration is locked. Once the configuration is locked, the device must reboot before it can revise the peripheral configuration accordingly for the application update.
A change in the peripheral configuration occurs when an application update requires peripherals to be released or acquired. The following are examples of application updates that trigger a device reboot when the peripheral configuration is locked:
- A new application that uses peripherals is installed as part of a cloud update or sideload. In this case, a new core and peripherals must be acquired.
- An updated application requires a different set of peripherals from its previous version. In this case, some peripherals must be released, and other peripherals must be acquired.
- An application that uses peripherals is deleted as part of a cloud update. In this case, all peripherals used by the application must be released.
The following are examples of application updates that do not trigger a device reboot because the peripheral configuration remains unchanged:
- A new application that uses no peripherals is installed as part of a cloud update or sideload.
- An application that uses no peripherals is deleted as part of a cloud update.
- An updated application requires the exact set of peripherals used by its previous version.