After reviewing the security features i have one question if someone can answer and has experience with.
As i understand the application is secure especially when you disable debug interface. So no one can steal app or access credentials to your cloud. They can only wipe the firmware and app, and upload their own.
Is there a way to protect from reprogramming the board? so that it cannot be used for something else
You want to completely disable updates? What is the concern?
Not just updates, the whole board if it gets stolen or accessed in the field.
The current G30 devices i have installed are crap, anyone who has an USB cable and TinyCLR Config can take my app, or reprogram the device to do something else.
With sitcore i know they now cannot take the app, they can only reflash the firmware and reprogram to do something else. Id like to fix this part as well.
why not connect
st link utility and make it fuse bit protection (but you will not be able to restore/program on it more)
Correction. They are amazing devices but they are not secure like SITCore is.
You can do that but I believe we have that builtin feature but hidden because it is very risky.
Encase the board in epoxy such that removing the covering destroys the chip.
And scratch off the labels on the chips… I think that is an ugly way of protecting IP. I am sure we can come up with a more elegant solution. At least I hope we can 
A feature in the bootloader where you would need the same key as needed for IFU to upload to upload a program through visual studio would solve this, I think.
Especially if you make sure not to expose STs SWD pins on your board so no fella with a ST-link and STM32Cube can reprogram over the bootloader.
This feature would be able to be toggled in TinyCLR config, so if you program your device you can turn it on and send it to the field. You can then use IFU with they key or connect the cable and “unlock” the bootloader so you can reprogram it through VS.
TL;DR: make it possible to only program the MCU when you have the key, even if you are plugged in over USB
as far I understood @Darko maybe I am wrong.
he want to make mcu readonly workable without using it more.
Except for what is on work/use and to protect his work on this way (for those small/cheap boards and it make sense)
I’m taking the other point of view on this one. Given that boards are property, preventing someone from repurposing their property if they have purchased it from you is generally a no-no.
So let’s put into perspective, a stolen phone can get unlocked and reused buy the thief. How much more security should an embedded device, such as SitCore, have? Expect reasonable losses.
It doesn’t work like that. If you enable the “all lock out feature” no hacker and not you will be able to ever update, access, or erase the device. Which is why we have hidden this feature.
I understand. That’s why what I am sketching isnt a “all lock out feature”. It’s a “all lock out feature unless you have the hex key to unlock me”.
This would work without the STs fuses, it would be implemented in GHIs TinyCLR bootloader.
What about TPM chips, how does that work?
Who says its their property? Its something like its yours but your not allowed to use it in any other way.
Similar to ISP router, its yours but if you cancel subscription its not yours anymore. Or if you buy a 5 axis CNC, its yours but your still not allowed to make guns with it.
I’m considering the wide world of possibilities. If the contract states that the device belongs to the service provider then fine. But if a person buys a 5axis cnc router and moves it to a place where there is no restriction on being able to manufacture guns, then there is nothing the cnc maker can do about that.
What if you manufacture say a medical device where the software is approved by likes of the FDA. You make such a good hornsnogglescope that every hospital buys 1000 of them and your competitors sales collapse. So many $s at stake.
Now if somebody could reprogram a handful of your new wonder machines to appear like they are operating but such that they malfunctioned and caused harm you would be in a world of hurt and your competitors would be back in favour.
Not a likely scenario but one to be considered.
I think the ability to be able to secure a system from unauthorised reprogramming has merit. Granted you are only reducing the possibility of unauthorised reprogramming not eliminating.
I would imagine this feature would have appeal to manufacturers of medical or defence equipment.
describe the threat you’re trying to protect against please, and what benefit it really brings. Because what you describe is not addressing a threat that SITCore doesn’t address already, in my view. You have essentially “lost” the device (the person no longer considers it’s original purpose required, that’s why they were going to reprogram it), or a bad guy has already stolen the device and wanted to reprogram it, or worse a competitor has stolen it and dived deep into what they can get out of it (which SITCore protected you from). So why now make another “protection” that means your brick can’t be used? If you price the product correctly then you are not “losing money” if you lose the device; all you do is create more waste in the world. IMHO if you’re that worried, it’s the losing physical access to the device that caused this issue.
simple to avoid. Anti-tamper switch inside the enclosure, that’s recorded. And anti-tamper evidentiary stickers or similar inside the unit. Manufacturers of computers and other electronics do this today in their thousands, and use this to protect their IP as well as against rogue operations trying to appear like them.
If someone is that desperate to take over a product they could always remove the processor and replace it with their own. Even grinding off part numbers wouldn’t stop a dedicated person. It might take a while but based on pin usage (which pins are used for power, clock crystal, etc.), it wouldn’t take someone too long to find which processor is being used.