11.4.4 Immutable Root of Trust (IRT)

Device security functions including secure boot, secure debug and device attestation require a root of trust. The root of trust executes at boot time and may consist of multiple stages forming a chain of trust. The chain of trust operates by having each stage authenticate the next stage before transferring control to it. The first stage in the chain of trust is inherently trusted and must have immutable firmware. This first, and possibly only, root of trust stage is referred to as the Immutable Root of Trust (IRT).

In Mission mode, IRT firmware is the first firmware to execute after a Reset. The root of trust, consisting of one or more stages whose firmware components are immutable or optionally updatable, may provide any number of security services including secure boot, secure debug, secure programming, over-the-air (OTA) firmware update and device attestation.
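The chain-of-trust hand-off described above, as an added model (not code from the specification): each stage authenticates its successor against an anchor embedded in its own image, so only the IRT's anchor has to be immutable, and a stage that fails authentication never receives control. SHA-256 digest comparison stands in here for the signature check against a ROM-anchored key that a production design would use; stage names and contents are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Stage:
    name: str
    code: bytes                     # the stage's firmware (constructed sample bytes)
    anchor: Optional[bytes] = None  # value used to authenticate the successor stage

    def image(self) -> bytes:
        # The anchor is part of the image, so authenticating a stage also
        # authenticates the policy that stage will apply to the next one.
        return self.code + (self.anchor or b"")


def sha256_digest(stage: Stage) -> bytes:
    return hashlib.sha256(stage.image()).digest()


def digest_verify(stage: Stage, anchor: bytes) -> bool:
    # Authentication step of the model. A signature check against a public key
    # held by the IRT would plug in here; the chain's control flow is unchanged.
    return hmac.compare_digest(sha256_digest(stage), anchor)


def build_chain(spec: list) -> list:
    """Build stages last-to-first so each can embed its successor's digest.
    spec[0] is the IRT: inherently trusted, never verified; its anchor is the ROM constant."""
    chain, successor = [], None
    for name, code in reversed(spec):
        successor = Stage(name, code, sha256_digest(successor) if successor else None)
        chain.append(successor)
    return chain[::-1]


def boot(chain: list, verify: Callable[[Stage, bytes], bool] = digest_verify):
    """Run the chain of trust. Returns (stages that executed, failure reason or None)."""
    current = chain[0]
    executed = [current.name]      # the IRT runs first, unconditionally
    for nxt in chain[1:]:
        if current.anchor is None or not verify(nxt, current.anchor):
            return executed, f"{nxt.name} failed authentication by {current.name}; boot halted"
        executed.append(nxt.name)  # control is transferred only after authentication
        current = nxt
    return executed, None


if __name__ == "__main__":
    demo = build_chain([("IRT", b"rom"), ("BL1", b"bl1"), ("BL2", b"bl2"), ("APP", b"app")])
    print(boot(demo))
```

Modifying a later stage is caught by its predecessor, while re-pointing a predecessor's anchor at the modified stage changes that predecessor's own image and is caught one link earlier, ultimately by the IRT.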