2.4.4 Factory Secure Boot
In this mode, the System Controller reads the Secure Boot Image Certificate (SBIC) from eNVM and validates it. On successful validation, the System Controller copies the factory secure boot code from its private, secure memory area into the DTIM of the E51 monitor core. The factory secure boot code then performs a signature check on the eNVM image using the SBIC stored in eNVM. If no errors are reported, reset is released to the MSS Core Complex. If errors are reported, the MSS Core Complex is held in reset and the BOOT_FAIL tamper flag is raised; the tamper flag asserts a signal to the FPGA fabric for user action. This mode is selected with the U_MSS_BOOTMODE=3 boot option.
The SBIC contains the address, size, hash, and Elliptic Curve Digital Signature Algorithm (ECDSA) signature of the protected binary blob, together with the reset vector for each hardware thread (hart) in the system. ECDSA is the elliptic-curve variant of the Digital Signature Algorithm (DSA). The SBIC layout is as follows:
| Offset | Size (bytes) | Value | Description |
|---|---|---|---|
| 0 | 4 | IMAGEADDR | Address of UBL in MSS memory map |
| 4 | 4 | IMAGELEN | Size of UBL in bytes |
| 8 | 4 | BOOTVEC0 | Boot vector in UBL for E51 |
| 12 | 4 | BOOTVEC1 | Boot vector in UBL for U540 |
| 16 | 4 | BOOTVEC2 | Boot vector in UBL for U541 |
| 20 | 4 | BOOTVEC3 | Boot vector in UBL for U542 |
| 24 | 4 | BOOTVEC4 | Boot vector in UBL for U543 |
| 28 | 1 | OPTIONS[7:0] | SBIC options |
| 29 | 3 | RESERVED | — |
| 32 | 8 | VERSION | SBIC/Image version |
| 40 | 16 | DSN | Optional DSN binding |
| 56 | 48 | H | UBL image SHA-384 hash |
| 104 | 104 | CODESIG | DER-encoded ECDSA signature |
| Total | 208 | | |
- DSN: If the DSN field is non-zero, it is compared against the device's own serial number. If the comparison fails, the BOOT_FAIL tamper flag is set and authentication is aborted. An all-zero DSN field leaves the SBIC unbound to any particular device.
- VERSION: If SBIC revocation is enabled by U_MSS_REVOCATION_ENABLE, the SBIC is rejected unless VERSION is greater than or equal to the revocation threshold.
- SBIC REVOCATION OPTION: If SBIC revocation is enabled by U_MSS_REVOCATION_ENABLE and OPTIONS[0] is '1', all SBIC versions less than VERSION are revoked once the SBIC has been fully authenticated. The revocation threshold stays at the new value until a future SBIC with OPTIONS[0] = '1' and a higher VERSION raises it again. The revocation threshold can only be raised by this mechanism and can only be reset by a bitstream.
When the revocation threshold is updated dynamically, it is stored using the same redundant storage scheme used for passcodes, so that a power failure during device boot does not cause a subsequent device boot to fail. If the update of the revocation threshold fails, the stored threshold is guaranteed to be either the new value or the previous one.
| Offset (bytes) | Size (bytes) | Name | Description |
|---|---|---|---|
| 0 | 4 | U_MSS_SBIC_ADDR | Address of SBIC in MSS address space |
| 4 | 4 | U_MSS_REVOCATION_ENABLE | Enable SBIC revocation if non-zero |
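The following is an added, runnable model of the SBIC layout and of the checks described above (DSN binding, revocation threshold, image hash, signature, and the power-fail-safe threshold update); it is example code written for this page, not the System Controller firmware. Several details are assumptions because the page does not state them: fields are packed little-endian, CODESIG is taken to cover the 104 SBIC bytes that precede it, the ECDSA engine is replaced by an HMAC-SHA384 stand-in so the example runs offline, and the two-slot store is only one possible instance of the redundant scheme the text mentions. The DSN, key, UBL address and image body are constructed demo inputs.

```python
# Offline model of the factory-secure-boot checks on an SBIC. Added example,
# not Microchip code. Assumptions the page does not state: little-endian fields,
# CODESIG covers the 104 bytes before it, HMAC-SHA384 stands in for ECDSA.
import hashlib
import hmac
import struct
from collections import namedtuple

SBIC_LEN, SIGNED_LEN = 208, 104
_SBIC_FMT = "<7I B3x Q 16s 48s 104s"   # field layout from the SBIC table
assert struct.calcsize(_SBIC_FMT) == SBIC_LEN
Sbic = namedtuple("Sbic", "image_addr image_len boot_vectors options version "
                          "dsn image_hash codesig")

def parse_sbic(blob: bytes) -> Sbic:
    if len(blob) != SBIC_LEN:
        raise ValueError("SBIC must be exactly 208 bytes")
    f = struct.unpack(_SBIC_FMT, blob)   # 7 words, OPTIONS, VERSION, DSN, H, CODESIG
    return Sbic(f[0], f[1], tuple(f[2:7]), f[7], f[8], f[9], f[10], f[11])

def build_sbic(image_addr, image, boot_vectors, options, version, dsn, sign):
    """Pack the signed SBIC fields, then append sign() over them, zero-padded."""
    body = struct.pack("<7I B3x Q 16s 48s", image_addr, len(image), *boot_vectors,
                       options, version, dsn, hashlib.sha384(image).digest())
    return body + sign(body).ljust(104, b"\0")

class RevocationThresholdStore:
    """Two-slot redundant store: slot = value + SHA-256 check word; reads take the
    highest valid slot; writes go to the slot not holding the current value, so
    a power cut mid-write leaves either the old or the new value readable."""
    SLOT = 8 + 32

    def __init__(self, initial=0):
        self.slots = [bytearray(self.SLOT), bytearray(self.SLOT)]
        self._write_slot(0, initial, None)

    def _decode(self, i):
        raw = bytes(self.slots[i])
        ok = hmac.compare_digest(hashlib.sha256(raw[:8]).digest(), raw[8:])
        return struct.unpack("<Q", raw[:8])[0] if ok else None

    def _write_slot(self, i, value, fail_after):
        v = struct.pack("<Q", value)
        for n, b in enumerate(v + hashlib.sha256(v).digest()):
            if fail_after is not None and n >= fail_after:
                raise RuntimeError("power lost during threshold update")
            self.slots[i][n] = b

    def read(self):
        valid = [v for v in (self._decode(0), self._decode(1)) if v is not None]
        return max(valid) if valid else 0

    def write(self, value, fail_after=None):
        cur = self.read()
        if value > cur:                       # the threshold only ever moves up
            self._write_slot(1 if self._decode(0) == cur else 0, value, fail_after)

def factory_secure_boot(sbic_blob, read_mem, device_dsn, revocation_enable, store, verify):
    """Return (released, reason). Order used here: DSN binding, revocation
    threshold, UBL hash, CODESIG, then the threshold advance if OPTIONS[0] is set."""
    try:
        sbic = parse_sbic(sbic_blob)
    except ValueError as e:
        return False, f"BOOT_FAIL: {e}"
    if any(sbic.dsn) and sbic.dsn != device_dsn:
        return False, "BOOT_FAIL: DSN binding mismatch"
    if revocation_enable and sbic.version < store.read():
        return False, "BOOT_FAIL: VERSION below revocation threshold"
    image = read_mem(sbic.image_addr, sbic.image_len)
    if hashlib.sha384(image).digest() != sbic.image_hash:
        return False, "BOOT_FAIL: UBL hash mismatch"
    if not verify(sbic_blob[:SIGNED_LEN], sbic.codesig):
        return False, "BOOT_FAIL: CODESIG verification failed"
    if revocation_enable and sbic.options & 1:
        store.write(sbic.version)             # revoke every VERSION below this one
    return True, ""

# Constructed demo inputs: an HMAC-SHA384 signer standing in for ECDSA (it is not
# ECDSA), a made-up DSN, and a 256-byte UBL of RISC-V NOPs at an assumed address.
_DEMO_KEY = b"demo-key-not-a-real-secret"
DEMO_DSN = bytes(range(16))
DEMO_UBL_ADDR = 0x2022_0000
DEMO_UBL = b"\x13\x00\x00\x00" * 64

def demo_sign(body):
    return hmac.new(_DEMO_KEY, body, "sha384").digest()

def demo_verify(body, codesig):
    return hmac.compare_digest(demo_sign(body).ljust(104, b"\0"), codesig)

def reader_for(image, base=DEMO_UBL_ADDR):
    """read_mem callback for a single image mapped at base."""
    return lambda addr, n: image[addr - base: addr - base + n]

def demo_sbic(version, options=0, dsn=DEMO_DSN):
    return build_sbic(DEMO_UBL_ADDR, DEMO_UBL, (DEMO_UBL_ADDR,) * 5, options,
                      version, dsn, demo_sign)

if __name__ == "__main__":
    store = RevocationThresholdStore()
    print(factory_secure_boot(demo_sbic(5, options=1), reader_for(DEMO_UBL),
                              DEMO_DSN, 1, store, demo_verify), store.read())
    print(factory_secure_boot(demo_sbic(4), reader_for(DEMO_UBL),
                              DEMO_DSN, 1, store, demo_verify))
```

The order in which the System Controller applies these checks is not given on the page; the model applies the cheap binding and version checks before hashing the image. The `RevocationThresholdStore` illustrates the guarantee stated above: a write interrupted after any number of bytes corrupts only the slot being written, and the next read still returns the previous threshold.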
The following figure shows the factory secure boot flow.
