7 Cryptographic Architecture
Explains the secure boot chain, cryptographic algorithms, and TrustZone architecture.
Secure Boot Chain
Algorithms Used
| Purpose | Algorithm |
|---|---|
| Image hashing | SHA-256 |
| FWMD signing | ECDSA with P-256 (secp256r1) |
| Key wrapping | PUF hardware key wrap (device-unique) |
| Key storage | VSS in configuration Flash |
TrustZone Architecture
The device application uses a TrustZone split:
- Secure world: Contains `vss_keystore` module (reads VSS Flash), PUF driver, key dump and verification logic. All crypto operations and key material access happen here.
- Non-secure world: LED/switch application. Calls secure-world veneers (`secure_vss_dump_keys`, `secure_vss_verify_puf_keys`). No key material ever crosses the TrustZone boundary.
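
The boundary rule above, modelled as an added example (not the project's code): a secure-world entry function that validates the non-secure caller's arguments and hands back only a status and metadata, never key bytes. All `example_`/`EX_` names, the report layout and the compare-two-copies check are assumptions made for illustration; on a host compiler the CMSE pointer check falls back to a NULL test.

```c
/* Added example: host-buildable model of a secure-world veneer.
 * Every example_/EX_ name is hypothetical, not the project's API. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3)
#include <arm_cmse.h>   /* secure-side build with -mcmse */
#define EX_NS_ENTRY __attribute__((cmse_nonsecure_entry))
#define EX_NS_WRITABLE(p, n) \
    (cmse_check_address_range((p), (n), CMSE_NONSECURE | CMSE_MPU_READWRITE) != NULL)
#else                   /* host build: no security attribution to query */
#define EX_NS_ENTRY
#define EX_NS_WRITABLE(p, n) ((p) != NULL)
#endif

enum { EX_OK = 0, EX_BAD_ARG = -1, EX_MISMATCH = -2 };
#define EX_SLOTS   2
#define EX_KEY_LEN 32

/* Secure-only state. Constructed sample bytes standing in for a key read
 * from VSS and a reference copy recovered via the PUF (assumed check). */
static const uint8_t ex_vss_key[EX_SLOTS][EX_KEY_LEN] = { { 0xA5, 0x5A, 0x11 }, { 0x3C, 0xC3, 0x22 } };
static const uint8_t ex_puf_key[EX_SLOTS][EX_KEY_LEN] = { { 0xA5, 0x5A, 0x11 }, { 0x3C, 0xC3, 0x23 } };

/* The only data the non-secure caller receives: metadata, no key bytes. */
typedef struct { uint32_t slot; uint32_t key_len; int32_t status; } example_key_report_t;

/* Constant-time compare so timing does not reveal the first differing byte. */
static int ex_ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

EX_NS_ENTRY int32_t example_secure_verify_slot(uint32_t slot, example_key_report_t *ns_out)
{
    example_key_report_t r;                       /* built on the secure stack */
    if (slot >= EX_SLOTS) return EX_BAD_ARG;      /* untrusted index */
    if (!EX_NS_WRITABLE(ns_out, sizeof *ns_out))  /* untrusted pointer */
        return EX_BAD_ARG;
    memset(&r, 0, sizeof r);                      /* no stale secure stack bytes */
    r.slot = slot;
    r.key_len = EX_KEY_LEN;
    r.status = ex_ct_equal(ex_vss_key[slot], ex_puf_key[slot], EX_KEY_LEN) ? EX_OK : EX_MISMATCH;
    memcpy(ns_out, &r, sizeof r);                 /* single copy out, after validation */
    return r.status;
}
```
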
