 Firmware Integrity. Integrity means ensure the firmware is not corrupted. Why a firmware could be corrupted? It could be because of a softer bug involving flash write at the wrong place. It could be caused by electrical shock leading to flash bit flip, or it could be even caused by a attacker wanting to change the behavior of the firmware. What that means to check the integrity of a firmware? A very common way is to use a checksum, but a more robust way is to use hash. The principle is to compute the hash of the firmware and add this hash to the firmware binary. On firmware execution, the same computation will be performed and the result will be compared to the one written on the flash. If the data is different, then we know that the firmware is corrupted. Checking firmware integrity with CRC. I think we all know that CRC stands for Cyclic Redundancy Check. Computation can be done either by software or by using hardware dedicated peripheral. CRC is usually used to secure data transmission. CRC is not secure in a way that this is easy to forge data to obtain a specific CRC value. On the other hand, CRC computation is faster. This is an integrity check flow example using SHA256. So after you get the binary of the firmware, do a computation of SHA256 digest on PC and get the digest value. Then this digest could be attached to the firmware and compose a full binary, including both firmware and the reference digest value. Then this full binary will be programmed to the board. After the firmware running, the first thing the firmware should do is also to compute the SHA256 digest of the full firmware binary and then do a comparison of the computed digest with the reference digest value. Further actions could be taken depending on the comparison result. Protection of the integrity check. We know that integrity check relies on the digest value, so this value should be protected. Basic protection could be WRP or adding a MAC of the data. If firmware content is also secret, RDP should also be activated for the purpose of confidentiality. But now the digest computation might have a side effect. The whole firmware is read as input to CRC or hash algorithm. RDP level 1 does not protect the RAM, so it could be possible to read the firmware just by connect to the device on the reset at successive timing and the read content of the RAM. Of course, assumption here is that the whole flash content needs to be read to RAM for digest computation. If that's not the case, then there is no such kind of risk. But if it is the case, then RDP level 2 or secure memory is mandatory. Now it's time to have a hands-on for firmware integrity. The goal of this hands-on is to show the different steps to develop the code and create the firmware binary, compute a hash, concatenate the firmware and the hash in a single binary, program the binary, run the device, and check the firmware digest checking works fine. And check also the impact of modification of one bit in the firmware, and then at the end add a protection such as RDP and WRP on G0. Thank you for watching.