3 Supported Secure Boot Modes
The Secure Boot mode authenticates and deciphers a boot file stored in external non-volatile memory (NVM) before executing it. The boot file can be either bootstrap code or any bare-metal user application. Because only authorized code is ever executed, the mode protects the customer's intellectual property and anchors the Root of Trust in the hardware.
When Secure Boot mode is enabled, the chip boots only from a boot file that has been both authenticated and ciphered.
Only one mechanism is available to decipher the boot file: AES-CBC decryption with the customer's secret CBC key stored in the OTP memory.
| Confidentiality | Secret Key | Initialization Vector | Unit |
|---|---|---|---|
| AES-CBC | 256 | 128 | Bit |
Two mechanisms are available to authenticate the boot file:
- AES-CBC-CMAC mode: authentication is performed with the customer's secret CMAC key stored in the OTP memory and the AES-CMAC algorithm. The CMAC key is a symmetric secret held in OTP alongside the CBC key.
- RSA mode: authentication is performed with the customer's public key, taken from the last certificate of the X.509 certificate chain stored after the bootstrap, by checking the RSA signature over the SHA-256 digest of the boot file.
| Authenticity | Secret Key | Initialization Vector | Private Key | Public Key | SHA Digest | Unit |
|---|---|---|---|---|---|---|
| AES-CBC-CMAC | 256 | 128 | – | – | – | Bit |
| RSA-1024 | – | – | 1024 | 1024 | 256 | Bit |
| RSA-2048 | – | – | 2048 | 2048 | 256 | Bit |
| RSA-4096 | – | – | 4096 | 4096 | 256 | Bit |
