5.2.3.2 SecureBoot - FullStore (Digest)
In the FullStore Digest mode of the SecureBoot command, the
verified digest will be stored in a slot. This mode improves the IO transfer and overall
computation times associated with the command. To use this mode, the FullCopy validation
Command mode needs to be initially executed and the device will receive both the digest
and the signature and store the digest in the slot specified in the SecureBoot access
policies. Optionally a MAC can be generated with a nonce from the host using the IO
protection secret to prevent tampering with the wire between the host and the ATECC608A-TFLXTLS.
|
Opcode |
Mode |
Param2 |
Data | Description |
|---|---|---|---|---|
| 0x80 | 0x06 | 0x00 00 |
|
|
| 0x86 | 0x00 00 |
|
|
| Name | Mode | Size | Response |
|---|---|---|---|
| Success | 0x06 | 1 byte |
0x00 - Successful |
| MAC | 0x86 | 32 bytes | If successful |
| 1 byte |
0x01 - Computation completed but mismatch in result. |
SecureBoot Stored Digest MAC Calculation
Prior to generating the MAC in this mode, the Nonce
command must be run to insure a valid value is stored in TempKey. The MAC is then
calculated in two steps.
| Step 1: Generate SHA256 digest over the IO protection key and the nonce | ||
| 32 bytes | Content of the IO protection key | |
| 32 bytes | First 32 bytes of nonce stored in TempKey | |
| Step 2: SHA256 digest of the output of step 1 and the additional information shown below: | ||
| 32 bytes | Digest generated in step 1 | |
| 32 bytes | Plaintext Message. Output of step 1 XORed with the input encrypted code digest (first 32 bytes of the input buffer) | |
| 4 bytes | Input parameters (Opcode, Mode, Param2) (0x80, 0x86, 0x00 00) | |