3.5.2 Secure Boot on PIC32CM LS60 Curiosity Pro Evaluation Kit
Description
This application demonstrates the Secure Boot feature on the PIC32CM LS60 microcontroller (MCU). The application has two projects:
- A Secure Bootloader
- An Application
Following are the steps to demonstrate the secure boot:
Step 1: Secure Boot Configuration | Provisioning | Secure Booting
- The PIC32CM LS60 MCU is configured to run in secure boot mode with ATECC608B-based boot protection verification method and SHA-based NVM boot configuration (BOOTOPT=5).
- Program the Secure Bootloader code using Microchip's Trust Platform Design Suite (TPDS).
- The successful running of the Secure Bootloader is indicated by turning the green LED0 ON.
- Receive the application image over UART from a PC by running a python script. The successful receiving of the application is indicated by toggling the red LED.
- Red LED1 starts toggling indicating secure and successful application booting.
Step 2: Impersonating Bootloader
- Generate a .hex file (say an impersonating bootloader) in MPLAB X IDE.
- Program the hex file using MPLAB X IDE (Ensure the bootloader is programmed at 0x00).
- Since the bootloader image in NVM is an impersonated one, it does not have the digest matching the ATECC608 B-based authentication and integrity checks. The application fails to Boot. Both LED's are OFF state.
Step 3: Restoring the Secure Bootloader and Validation
- Generate the Secure Bootloader .hex file in MPLAB X IDE.
- Use the Private/Public key used in Step 1 in TPDS and create the signed .hex file.
- Program the signed.hex file using the TPDS. The successful running of the Secure Bootloader is indicated by turning the green LED0 ON.
- Receive the application image over UART from a PC by running a python script. The successful receiving of the application is indicated by toggling the red LED.
- Since the Secure Bootloader is restored and the Secure Bootloader and application work as expected. Red LED1 starts toggling indicating secure and successful application booting.
Modules/Technology Used
-
Peripheral Modules
- Secure PORT Pins (All pins by default are secure)
- Secure I2C
- Secure RTC
- Secure EIC
- Secure USART
-
System Modules
- Bootloader (UART)
Hardware Used
Software/Tools Used
This project has been verified to work with the following versions of software tools:
Refer Project Manifest file for Secure Bootloader project present in harmony-manifest-success.yml under the project folder firmware/secure_bootloader/firmware_secure/src/config/pic32cm_ls60_cpro.
Refer Manifest file for the application project under Non Secure parts of the project present in harmony-manifest-success.yml under the folder firmware/test_app/src/config/default.
- Refer the Release Notes to know the MPLAB X IDE and MCC Plugin version.
- Trust Platform Design Suite V2.
- Any Serial Terminal application such as Tera Term terminal application.
- Python - v3 and above.
Because Microchip regularly updates tools, occasionally issue(s) could be discovered while using the newer versions of the tools. If the project does not seem to work and version incompatibility is suspected, it is recommended to double-check and use the same versions that the project was tested with. To download original version of MPLAB Harmony v3 packages, refer to document How to Use the MPLAB Harmony v3 Project Manifest Feature (DS90003305).
Hardware Setup
- The following diagram shows a
detailed picture of the setup.
- The PIC32CM LS60 Curiosity Pro Evaluation Kit allows the Embedded Debugger (EDBG) to be used for debugging.
- Connect the Type-A male to Micro-B USB cable to Micro-B DEBUG USB port (J300) to power and debug the PIC32CM LS60 Curiosity Pro Evaluation Kit.
- Connect the Type-A male to Micro-B USB cable to Target USB port (J200) to perform the provisioning using the TPDS tool on PIC32CM LS60 Curiosity Pro Evaluation Kit.
- Mount MikroElektronika USB UART Click
on microBus connector and connect the Type-A male to Mini-B USB cable to Mini-B
USB-UART Cick onboard to receive the application firmware from the host.
Prerequisites
- Install Trust Platform Design Suite V2 software.
- Generate Application's Unified
Binary. A Unified Binary is a single executable file generated by MPLAB X IDE using
the Secure and NonSecure hex files. This can be used to program both Secure and
Non-Secure regions together.Note: The pre-built application hex and unified binary is kept in the hex folder. Ignore the following steps if the application project have not been modified.
- Open and Build the
Application's NonSecure project in the MPLAB X IDE, i.e.,
reference_apps_pic32cm/apps/pic32cm_ls60_curiosity_pro/pic32cm_ls60_cpro_secure_boot/firmware/test_app/firmware/pic32cm_ls60_cpro.X
- This will also build the mandatory Secure project.
- Open and Build the
Application's NonSecure project in the MPLAB X IDE, i.e.,
- Steps to generate the PIC32CM LS60
User Row Configurations (Fuse Configurations) for Application project.
- The pre-generated files will be
generated in scripts folder present in project directory.
application_user_configurations_out.txt configuration file will be used
by the btl_host.py script to update the fuse configurations while
programming the application.Note: The following steps shows how the application_user_configurations_out.txt file was generated based on the device and project configurations. Ignore the following steps if the project configurations have not been modified.
- If modified then the input file application_user_configurations_in.txt needs to be generated based on the new device and project configuration and then passed to btl_dev_cfg_gen.py script file to generate the output file application_user_configurations_out.txt.
- The application_user_configurations_in.txt file consists of only the User Row Fuse configurations for the Non-Secure application project i.e., pic32cm_ls60_cpro project and it is generated by looking at the applications device and project configurations.
- To know how this file is
generated, open the above pic32cm_ls60_cpro project in MCC and check
the Device and Project Configuration under System module. For
example, the Memory Configurations of the application can be seen as
below.
- For more information on application_user_configurations_in.txt generation check the Bootloader Device Input Configuration section in MPLAB Harmony Bootloader Library.
- Go to the scripts
folder and execute the following command show help menu for the script.
python btl_dev_cfg_gen.py --help
- The syntax for generating
the device configuration output file
is:
python btl_dev_cfg_gen.py -v -f <device_config_input_file.txt> -o <device_config_output_file.txt>
To know more about btl_dev_cfg_gen.py, refer to Device Configuration Generation Script Help section in MPLAB Harmony UART Bootloader Library.
- To generate the CRC for the
fuse settings, execute the following command:
python btl_dev_cfg_gen.py -v -f application_user_configurations_in.txt -o application_user_configurations_out.txt
- The application_user_configurations_out.txt configuration file will be used later by the btl_host.py to update the fuse configurations while programming the application using Secure Bootloader.
- The pre-generated files will be
generated in scripts folder present in project directory.
application_user_configurations_out.txt configuration file will be used
by the btl_host.py script to update the fuse configurations while
programming the application.
Running the Demo
- Perform Hardware Setup steps mentioned above, if not done already.
- Perform Prerequisites steps mentioned above, if not done already.
Step1: Secure Boot Configuration | Provisioning | Secure Booting
- PIC32CM LS60 MCU is configured to run
in secure boot mode with ATECC608B-based boot protection verification method and
SHA-based NVM boot configuration (BOOTOPT=5).
- Open and Build the Secure
Bootloader project in the MPLAB X IDE, i.e.,
reference_apps_pic32cm/apps/pic32cm_ls60_curiosity_pro/pic32cm_ls60_cpro_secure_boot/firmware/secure_bootloader/firmware_secure/pic32cm_ls60_cpro_secure.X
- Open and Build the Secure
Bootloader project in the MPLAB X IDE, i.e.,
- Program the Secure Bootloader code
using Mirochip's Trust Platform Design Suite (TPDS).
- Open the TPDS application and
select the TrustFlex usecase, i.e., Secure Boot-PIC32CMLS60.
- This usecase will sign an
application hex file to support secure boot in combination with the ATECC608
embedded into the PIC32CM LS60. The application that is to be signed must be
generated as per the current data sheet for secure boot.
- This usecase will sign an
application hex file to support secure boot in combination with the ATECC608
embedded into the PIC32CM LS60. The application that is to be signed must be
generated as per the current data sheet for secure boot.
- And click on Option 1 to Generate Private/Public key pair to perform the factory programming of default binary and wait for the response OK.
- Press the reset button on the PIC32CM LS60 Curiosity Pro Evaluation Kit to sync with TPDS.
- Again press Option 1 to
Generate Private/Public key. In this step, the public key required to verify the
SecureBoot is stored in Slot 15. This time a pop-up appears to Generate
Private/Public key, as shown below.
- After successful execution of
Option 1, a green tick mark appears in the Option 1 as shown below
and check the log window for message Executed Step1 Successfully.
- Select Option 2 to
Generate the IOPROT Key.
- The communication between the PIC32CM LS60 microcontroller and the ATECC608B is encrypted using an I/O Protection Key (IOPROTKEY). This unique key is initially provisioned in both the ATECC608B Slot 6 and the microcontroller BOCOR NVM Configuration Row (IOPROTKEY).
- After successful execution of
Option 2, a green tick mark appears in the Option 2 as shown below
and check the log window for message Executed Step2 Successfully.
- Copy the
pic32cm_ls60_cpro_Secure.X.production.hex file from
reference_apps_pic32cm/apps/pic32cm_ls60_curiosity_pro/pic32cm_ls60_cpro_secure_boot/hex/secure_bootloader/pic32cm_ls60_cpro_Secure.X.production.hex
to<user_path>/.trustplatform/pic32cmls60_secure_boot
to load hex file, calculate digest, and signature. - Select Option 3 to load
the Secure Bootloader hex file from the TPDS trustplatform folder i.e.,
<user_path>/.trustplatform/pic32cmls60_secure_boot
to calculate the digest and signature. In this step, the digest and signature will be generated for the loaded Secure Bootloader hex file. - After successful execution of
Option 3, a green tick mark appears in the Option 3 as shown below and
check the log window for message Executed Step3 Successfully.
- Select Option 4 to save the new application hex. i.e, the TPDS generates a new hex file with the name signed.hex which has the digest and the Elliptic Curve Digital Signature Algorithm (ECDSA) signature stored at the end of the BOOT region Secure Bootloader hex file.
- After successful execution of
Option 4, a green tick mark appears in the Option 4 as shown below
and check the log window for message Executed Step-4 Successfully.
- Select Option 5 to program the signed.hex on to PIC32CM LS60 Curiosity Pro Evaluation Kit. In this step, the Host MCU calculates the SHA-256 digest and sends the encrypted digest and signatures to be verified through ECDSA. Then Secure Boot execution will authenticate the application code.
- After successful execution of
Option 5, a green tick mark appears in the Option 5 as shown below
and check the log window for message Executed Step-5 Successfully.
- This completes the usecase execution. i.e., the provisioning flow of PIC32CM LS60 MCU.
- Reset or power cycle the device.
- Open the TPDS application and
select the TrustFlex usecase, i.e., Secure Boot-PIC32CMLS60.
- The successful running of the Secure
bootloader is indicated by turning the green LED (LED0) ON.
- A green LED (LED0) on the PIC32CM LS60 Curiosity Pro Evaluation Kit turns ON when the Secure Bootloader is running.
- Open MPLAB X IDE and check the Configuration Bits by going to Window->Target Memory Views->Configuration Bits in the MPLAB X IDE
- The Secure Bootloader fuse
configuration bits are stored in the secure_bootloader_with_tpds.c file
present in scripts folder of the project directory.
- Here, the user can see that the BOOTROM_BOOTOPT value is set to 0x5, which enables the secure boot.
- Also, check the BOOTKEY which is set by the user and IOPROTKEY which is stored by the TPDS.
- Receive the application image over
UART from a PC by running a python script. The successful receiving of the application
is indicated by toggling the red LED.
- Open the Virtual Debug COM port and set the baud rate to 115200.
- Connect the Type-A male to Mini-B USB cable to Mini-B USB-UART Cick onboard to receive the application firmware from the Host-PC.
- Go to the scripts folder
in the project directory , and open Command prompt to run the bootloader host
script btl_host.py and device fuse configuration bits generation script
btl_dev_cfg_gen.py.
- btl_host.py - Sends
the Application's Unified (Secure and NonSecure) binary from Host-PC to Target
device over
UART.
reference_apps_pic32cm/apps/pic32cm_ls60_curiosity_pro/pic32cm_ls60_cpro_secure_boot/scripts
and execute the following command. Change the COM port number based on its enumeration in the Host-PC. - btl_dev_cfg_gen.py - Generates the device fuse configuration bits.
- To show help menu for the
script enter
btl_host.py --help
in the command prompt.
- btl_host.py - Sends
the Application's Unified (Secure and NonSecure) binary from Host-PC to Target
device over
UART.
- The following command sends the
Application's Unified binary from Host-PC to the PIC32CM LS60 Curiosity Pro
Evaluation Kit and updates the User row fuse configurations bits. See the
following output on the command
prompt.
python btl_host.py -v -u even -i COM27 -d PIC32CM -a 0x1000 -f ../hex/test_app/pic32cm_ls60_cpro.X.production.unified.bin -c application_user_configurations_out.txt
Observe the LED1 (Red-LED) blinking while receiving the application. - After receiving the application's unified binary and update of device configuration bits, remove the Mini-USB from the USB-UART Click board and reset the device.
- Red LED1 starts toggling indicating
secure and successful application booting.
- The LED1 (Red-LED) toggles and
prints a message in the Virtual COM as shown below, indicating the application is
loaded from Secure bootloader.
- Press and Hold the Switch SW0 key
to trigger the Secure Bootloader to program the application once again or with the
new application.
- Notice that the green LED0 turns
ON when the Secure Bootloader is triggered.
- Open MPLAB X IDE and to check the Device Fuse Configuration Bits after programming the application. Go to Window->Target Memory Views->Configuration Bits in the MPLAB X IDE. The configuration bits are saved in the secure_bootloader_with_tpds_and_application.c file present in scripts folder of the project directory.
- In this file, notice only User Row configurations (i.e., USER WORD) are updated based on the application's configuration, whereas the Boot Configuration Row (i.e., BOCOR WORD) are not modified.
- Check the diff of the secure_bootloader_with_tpds.c and secure_bootloader_with_tpds_and_application.c present in the scripts folder to see which user configuration bitfields are updated by the Bootloader script based on the application's project configuration.
- The LED1 (Red-LED) toggles and
prints a message in the Virtual COM as shown below, indicating the application is
loaded from Secure bootloader.
Step2: Impersonating Bootloader
- Open and Build the Secure Bootloader
project in the MPLAB X IDE, i.e.,
reference_apps_pic32cm/apps/pic32cm_ls60_curiosity_pro/pic32cm_ls60_cpro_secure_boot/firmware/secure_bootloader/firmware_secure/pic32cm_ls60_cpro_secure.X
- Program the hex file using MPLAB X IDE.
- Since the Secure Bootloader image does not have the signature appended at the end of the Bootloader image when flashing using the MPLAB X IDE, the ATECC608 B-based authentication and integrity checks fails.
- The Secure Bootloader application fails to Boot. LEDs will go to the OFF state.
Step3: Restoring the Secure Bootloader and Validation
- Perform Hardware Setup steps mentioned above to restore the Secure Bootloader.
- Generate the Secure Bootloader .hex file in MPLAB X IDE as mentioned in the Step 1.1.
- Use the Private/Public key used in Step 1.2 in TPDS and create the signed .hex file.
- Follow the Step 1.3 to program the signed.hex file using the TPDS. Then press the Reset button and observe that the green LED0 is turned ON. This indicates the successful running of the Secure Bootloader.
- Follow the Step 1.4 to receive the application image over UART from a PC by running a python script. The successful receiving of the application is indicated by toggling the red LED.
- Since the Secure Bootloader is restored and the Secure Bootloader and application work as expected. Red LED1 starts toggling indicating secure and successful application booting.
- Modifying the security configurations by (re)-programming the different NVM Configuration rows (using the NVMCTRL peripheral) is possible but the changes done on these NVM Configuration rows will always be applied only after a new reset sequence happens (through a new Boot ROM execution).
- The Security Configuration Lock bit
i.e., SECCFGLOCK is set to 1 by default. This means, after exiting the
Boot ROM:
- The security configurations are locked so that no code (even secure) can change them before next reset sequence.
- The only way to update the security configurations is to (re)-program the NVM Configuration rows then reset the device.
- For more information, check the PIC32CM LS00/LS60 Specific Security Features section of PIC32CM LE00/LS00/LS60 Family Data Sheet (DS60001615).
Comments
- Getting Started with the PIC32CM LE00/LS60/LS60 Curiosity Pro Board (DS00004511).
- Trust Platform Design Suite v2.
- PIC32CM LS00/LS60 Security Reference Guide (DS00003992).
- Dual Developer Application Development Use Case with
TrustZone on SAM L11 Using MPLAB Harmony v3 (DS90003306).Note: Though this technical brief is on SAM L11 MCUs, the TrustZone concepts it describes also applies to PIC32CM MC LS60 MCUs.
- This application demo builds and
works out of box by following the instructions above in Running the Demo
section. If the user needs to enhance/customize this application demo, should use the
MPLAB Harmony v3 Software framework. Refer links below to setup and build the
applications using MPLAB Harmony.
- How to Setup MPLAB Harmony v3 Software Development Framework (DS90003232).
- How to Build an Application by Adding a New PLIB, Driver, or Middleware to an Existing MPLAB Harmony v3 Project (DS90003253).
- Video - How to Set up the Tools Required to Get Started with MPLAB® Harmony v3 and MCC
- Create a new MPLAB Harmony v3 project using MCC
- Update and Configure an Existing MHC-based MPLAB Harmony v3 Project to MCC-based Project