12.3.2.2 Firmware Image Validation – Secured Mode

The following are the main blocks in the process of image validation:

  1. READ_CFG – Read device configuration (Device id, secure boot key, anti-rollback counter, life cycle counter). Secure elements and device id information can be accessed from eFuse memory.
    1. Device id – Device identifier for each device.
    2. Secure boot key – Bootstrap code evaluates only images that use the secure boot key.
    3. Anti-rollback counter – This counter is used to keep track of the firmware version. The values are written by firmware in the eFuse region.
    4. Life cycle counter – This counter is used by firmware to track the changes in the life cycle of the device.

  2. LOOKUP_METADATA – Search for valid firmware image metadata with the lowest sequence number.
  3. AUTHENTICATE_IMAGE – Authenticate the image based on the security configuration of the device (eFuse) and as indicated by its metadata. The firmware image header dictates the authentication scheme. Secure boot is done on successful authentication of the firmware.
  4. RUN_APPLICATION – If the valid image is in embedded flash and is available in its destination address space, jump to the DST_ADDR as indicated by its metadata. If the device does not find any valid image, it jumps to Secure safe mode.
  5. SECURE_SAFE_MODE – Secure Safe mode is a while (1) loop in the firmware in which the device waits for a valid application image to execute. An event such as a Power-on Reset, or a programming tool, returns the device to the image Lookup state so that a new image can be validated.

Figure 12-2. Secure Boot Firmware Validation
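The five steps above, modelled as an added example (this is not the device's bootstrap code or the vendor's implementation): the eFuse configuration, the image metadata layout, the sentinel address for Secure Safe mode and the key-tag comparison standing in for the header-selected authentication scheme are all constructed, and the example assumes that a candidate which fails authentication or is older than the anti-rollback counter is skipped in favour of the next-lowest sequence number.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef struct {                 /* constructed model of the eFuse config (READ_CFG) */
    uint8_t  secure_boot_key[16];
    uint32_t anti_rollback;      /* lowest firmware version still accepted */
} efuse_cfg_t;
typedef struct {                 /* constructed model of one image's metadata */
    uint32_t seq_num;            /* LOOKUP_METADATA tries the lowest first */
    uint32_t version;            /* checked against anti_rollback */
    uint32_t dst_addr;           /* RUN_APPLICATION jumps here */
    uint8_t  key_tag[16];        /* placeholder for the header's authentication data */
} image_meta_t;
#define ADDR_SECURE_SAFE_MODE 0u /* constructed sentinel: enter SECURE_SAFE_MODE */

/* Placeholder AUTHENTICATE_IMAGE: constant-time compare of the header's key tag with
 * the eFuse key. A real device runs the scheme the header names; this only models the verdict. */
static int authenticate_image(const efuse_cfg_t *cfg, const image_meta_t *m) {
    uint8_t diff = 0;
    for (size_t i = 0; i < sizeof cfg->secure_boot_key; i++)
        diff |= (uint8_t)(cfg->secure_boot_key[i] ^ m->key_tag[i]);
    return diff == 0;
}

/* Try images in ascending seq_num (assumed unique); return the DST_ADDR of the first
 * that authenticates and is not below the anti-rollback counter, else the safe-mode sentinel. */
uint32_t select_boot_image(const efuse_cfg_t *cfg, const image_meta_t *imgs, size_t n) {
    for (uint64_t next = 0;;) {                      /* smallest seq_num not yet tried */
        const image_meta_t *best = NULL;
        for (size_t i = 0; i < n; i++)
            if (imgs[i].seq_num >= next && (!best || imgs[i].seq_num < best->seq_num))
                best = &imgs[i];
        if (!best) return ADDR_SECURE_SAFE_MODE;      /* candidates exhausted */
        next = (uint64_t)best->seq_num + 1;
        if (!authenticate_image(cfg, best)) continue; /* wrong key: skip */
        if (best->version < cfg->anti_rollback) continue; /* rolled back: skip */
        return best->dst_addr;
    }
}

/* Constructed scenario: seq 1 has the wrong key, seq 2 is below the rollback
 * counter, seq 3 is valid, so the boot target is seq 3's DST_ADDR 0x9D001000. */
uint32_t demo_select(void) {
    efuse_cfg_t cfg = { .anti_rollback = 5 };
    image_meta_t imgs[3] = { { 3, 7, 0x9D001000u, {0} }, { 1, 9, 0x9D002000u, {0} },
                             { 2, 4, 0x9D003000u, {0} } };
    memset(cfg.secure_boot_key, 0xA5, 16);
    memset(imgs[0].key_tag, 0xA5, 16);               /* correct key, current version */
    memset(imgs[2].key_tag, 0xA5, 16);               /* correct key, old version */
    return select_boot_image(&cfg, imgs, 3);         /* imgs[1] keeps the wrong (zero) key */
}
```

With no metadata table at all the selector returns the safe-mode sentinel straight away, which is the path the bootstrap takes before any image has been programmed.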