1.3 Secure Boot Mode

The Secure Boot mode extends the boot process of the ROM code to add security features and create a root of trust in the boot chain. Once the Secure Boot mode is enabled, the ROM code expects the user application in the external NVM to be ciphered and signed.

The user application is ciphered with the AES-256-CBC algorithm and signed with either AES-256-CMAC or RSA algorithm, using Secure SAM-BA Cipher to guarantee its integrity and authenticity.

The customer key is a shared secret between the customer and the microprocessor, and is written once in the OTP memory with the help of the SAM-BA tool.

The ROM code requires this customer key to decipher the user application. In the case of AES-256-CMAC, the customer key is also used to verify the signature.

Once the user application is authenticated and deciphered in the internal SRAM and before executing it, the ROM code forbids any further access to the customer key until the next Reset. This way the customer key cannot be extracted by any software running in the SoC.

To prepare the provisioning of the customer key during manufacturing, this key must be ciphered and signed with the secure SAM-BA cipher tool by the customer. Next, both the ciphered/signed user application and customer key are sent to the 3rd party manufacturer responsible for the production of the microprocessor-based design.

Then the programming of the customer boards is done by the third party manufacturer with the help of the SAM-BA tool. Only the ROM code is able to decrypt and authenticate the customer key received from the SAM-BA tool. Thus the third party manufacturer, or any other party having access to the ciphered customer key, cannot extract the plain customer key, upon which the security model relies.