12.3.1 Boot ROM Flow

Figure 12-1. Boot ROM Flow

When the device comes out of reset, Boot ROM firmware starts with system initialization. After the completion of system initialization, the bootstrap code checks for a valid firmware image and executes. If the device does not find any valid image, it jumps to Secure Safe mode. For validating the firmware image, the bootstrap code uses the security library depending on the firmware images authentication scheme specified for that firmware.

Firmware programming is handled by Device Firmware Update (DFU). DSU supports the Debug mode. Also, it implements a CoreSight Debug ROM that provides device identification, as well as identification of other debug components within the system. See Device Service Unit (DSU) from Related Links.

The following options are valid images for a secured and unsecured PIC32CX-BZ3 device:
  • An image with valid structure (defined in 12.3.2.1 Firmware Image Format ) and without using any authentication scheme
  • An image with a valid structure (defined in 12.3.2.1 Firmware Image Format ) with an authentication scheme supported by the device. For supporting the authentication scheme using the public key cryptography, EFUSE must have a valid SECURE_BOOT_KEY.
  • If the device is unsecured (and SECURE_BOOT_KEY), is invalid and the device's secured state is not set, the bootstrap code will look for valid images (valid sequence number, header and so on). Root of trust may not be possible in this scenario.
  • If the device is secured (with SECURE_BOOT_KEY! = 0), the valid image must always use the ECDSA p384 + SHA 384 or ECDSA p256 + SHA 256 for authentication and execute only trusted code.