6.2 Generating Root CA Certificate Hash

For RSA Signature mode, the 256-bit hash of the root CA certificate must be provisioned on the device. The ROM code uses this provisioned hash to check the integrity of the public certificate appended to the end of the bootstrap image. If the certificate’s 256-bit hash matches the provisioned hash, the ROM code confirms the certificate’s authenticity and uses its public key to verify the boot image’s signature. If not, the ROM code rejects the boot image.

The secure_sam-ba_cipher tools suite helps generate a 256-bit hash for a self-signed root CA in DER (Distinguished Encoding Rules) binary format. The resulting digest is also signed and ciphered with secret ROM code symmetric keys.
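The following is an added example, not code from the original document or from the secure_sam-ba_cipher tools. It is a host-side pre-check that a root CA file is exact DER before it is hashed, followed by a model of the match/reject comparison described above. It assumes the 256-bit hash is SHA-256 computed over the whole DER certificate. The function names and the sample bytes are constructed for illustration, and the result is the plain digest, not the signed and ciphered output of the tool.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_total_len(buf: bytes) -> int:
    """Return header+content length declared by the outer DER SEQUENCE."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def to_der(data: bytes) -> bytes:
    """Accept PEM or DER, return exact DER bytes or raise ValueError."""
    m = PEM_RE.search(data)
    if m:                                 # strip armor, decode base64 body
        data = base64.b64decode(b"".join(m.group(1).split()))
    if der_total_len(data) != len(data):  # stray bytes would change the hash
        raise ValueError("length mismatch: trailing or missing bytes")
    return data

def root_ca_digest(cert: bytes) -> bytes:
    """256-bit digest of the DER certificate (SHA-256 is an assumption)."""
    return hashlib.sha256(to_der(cert)).digest()

def matches_provisioned(cert: bytes, provisioned: bytes) -> bool:
    """Model of the accept/reject decision, compared in constant time."""
    return hmac.compare_digest(root_ca_digest(cert), provisioned)

# Constructed stand-in: a well-formed outer SEQUENCE, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    good = root_ca_digest(SAMPLE_DER)
    print("digest:", good.hex())
    print("PEM input, same digest:", root_ca_digest(SAMPLE_PEM) == good)
    print("tampered cert accepted:", matches_provisioned(
        SAMPLE_DER[:-1] + b"\x01", good))
```

Hashing the PEM text directly, or a DER file with trailing bytes, yields a digest that will never match what is computed over the DER certificate, which is why the input is normalized and length-checked first.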