2.9.3.4 Double Step Verification

In Double-Step mode, an additional check is done after image decryption. Instead of random data in the header padding field, an AES-CMAC tag with the customer key set is used to verify the plain text bootstrap image.

The following figure shows a tagged bootstrap image format.

Figure 2-29. Secure Mode Image Format (Tagged Version)

In this mode Auth. Data value is as follows:


Mode	RFU	Additional Data Size
`0x12` or `0x13`	`0x00`	`0x0000`

Mode is encrypted, tagged, double-step. There is no additional data for this mode.

When DSS mode is used, image format is shown in the figure below.

Figure 2-30. Secure Mode Image Format (DSS Version)

Auth. Data field is as follows:


Mode	RFU	Additional Data Size
`0x14,0x15`	`0x00`	`0xyyyy`

Mode is encrypted, signed with DSS, double-step. A security blob is added following the bootstrap image. Security data size specifies the size in bytes of this security chain used to certify the image.