14.3.3 Public Key Signature for Authentication (AUTH_TYPE = 1)

The signature of the 128-bit aligned user application is appended to the application itself and stored in the internal Flash. The size of this signature depends on the signature algorithm (RSA or ECDSA) and its parameters.

A chain of X.509 version 3 certificates in DER format is stored in the internal Flash, immediately after the user application signature. The 1st certificate of this chain (lowest address in internal Flash) is called the root certificate. The root certificate is self-signed. A SHA-512 digest of the whole root certificate is stored in PUBLIC_KEY_DIGEST inside page 1 of the User Block Signature 0 in SEFC0.

The ROM code computes the SHA-512 digest of the root certificate stored in internal Flash, then compares the computed digest with the digest stored in PUBLIC_KEY_DIGEST in page 1 of USB0.

If the two digests do not match, the ROM code rejects the root certificate and fails to authenticate the user application. If the two digests match, the ROM code continues its authentication process.

Once the root certificate passes the SHA-512 digest test, the ROM code iterates over each following X.509 certificate in the chain and verifies its signature with the public key of the previous X.509 certificate in the chain. If the ROM code fails to verify the signature of any certificate in the chain, it fails to authenticate the certificate chain and therefore fails to authenticate the user application.

When the whole certificate chain is authenticated, the public key of the last X.509 certificate in the chain (highest address in internal Flash) is used to verify the signature of the user application. If this final signature verification passes, the user application is authenticated and executed. Otherwise, the ROM code fails to authenticate the user application.

In this security model, the root of trust is established by the root certificate and its SHA-512 digest stored in page 1 of USB0.

The 8th and 9th vectors in the exception table of ARM Cortex-M4 are used to store

  1. the 32-bit size in bytes of the 128-bit aligned user application plus the size of its signature
  2. the 31-bit size in bytes of the chain of X.509 certificates

X.509 certificates are appended in the chain without padding or any alignment consideration.

Bit 31 in the 9th vector tells whether the ROM code can skip the signature verification of the self-signed root certificate:

0: The signature of the self-signed root certificate is verified before the SHA-512 digest verification.

1: The ROM code skips the verification of the signature of the self-signed root certificate; only the SHA-512 digest verification is done to authenticate the root certificate.

Restriction: The ROM code has a known limitation when parsing X.509 certificates. It is therefore not fully compliant with https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.2: serial numbers, which MUST be positive integers, are limited to 18 bytes instead of the 20 bytes allowed by the RFC. Certificates whose serial number encodes to more than 18 bytes fail to parse and the user application is not authenticated.
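The whole procedure above, from image layout to the ROM decision, as an added host-side model written for this page. It is not Microchip's ROM code or tooling. It uses the `cryptography` package to build a three-certificate chain (self-signed root, signing CA, firmware signer), lays the image out as the text describes (128-bit aligned application, then its signature, then the DER certificates back to back with no padding), derives the SHA-512 value that would be programmed into PUBLIC_KEY_DIGEST, and then re-parses the image in the order the ROM code follows. Assumptions not taken from the text: P-256 ECDSA with SHA-256 for every signature, the application signature stored as a fixed 64-byte raw r||s (so that vector 8 can be filled in before signing), "8th and 9th vectors" read as byte offsets 0x1C and 0x20 (counting the initial-SP slot as the first entry, which puts both in the reserved Cortex-M slots), and a constructed 80-byte "application".

```python
"""Host-side model of the AUTH_TYPE = 1 check (added example, not ROM code)."""
import hashlib
import os
import struct
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.asymmetric.utils import (
    decode_dss_signature, encode_dss_signature)
from cryptography.x509.oid import NameOID

ALIGN = 16                          # 128-bit alignment of the user application
SIG_LEN = 64                        # assumption: P-256 ECDSA stored as raw r||s
VEC8_OFF, VEC9_OFF = 7 * 4, 8 * 4   # assumption: 8th/9th entries, SP slot counted as 1st
MAX_SERIAL_BYTES = 18               # ROM limitation from the Restriction note


def make_chain():
    """Root (self-signed) -> signing CA -> firmware signer. Returns (DER list, leaf key)."""
    now = datetime.now(timezone.utc)
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(3)]
    names = ["Root CA", "Signing CA", "Firmware Signer"]
    ders = []
    for i, (key, cn) in enumerate(zip(keys, names)):
        issuer = max(i - 1, 0)                      # index 0 signs itself
        cert = (x509.CertificateBuilder()
                .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
                .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, names[issuer])]))
                .public_key(key.public_key())
                # 17 random bytes, forced odd: positive and never more than 18 DER bytes
                .serial_number(int.from_bytes(os.urandom(17), "big") | 1)
                .not_valid_before(now).not_valid_after(now + timedelta(days=365))
                .sign(keys[issuer], hashes.SHA256()))
        ders.append(cert.public_bytes(serialization.Encoding.DER))
    return ders, keys[-1]


def serial_fits_rom(cert):
    """True if the serial is positive and its DER INTEGER body is <= 18 bytes."""
    n = cert.serial_number
    return n > 0 and (n.bit_length() // 8) + 1 <= MAX_SERIAL_BYTES


def der_split(blob):
    """Split back-to-back DER SEQUENCEs: the chain carries no padding or alignment."""
    out = []
    while blob:
        if blob[0] != 0x30:
            raise ValueError("expected SEQUENCE")
        if blob[1] < 0x80:
            hdr, length = 2, blob[1]
        else:
            n = blob[1] & 0x7F
            hdr, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
        out.append(blob[:hdr + length])
        blob = blob[hdr + length:]
    return out


def build_image(app, leaf_key, ders, skip_root_sig):
    """Lay out app | signature | chain, patching vectors 8 and 9 before signing."""
    app = bytearray(app + b"\0" * (-len(app) % ALIGN))
    chain = b"".join(ders)
    struct.pack_into("<I", app, VEC8_OFF, len(app) + SIG_LEN)
    struct.pack_into("<I", app, VEC9_OFF, len(chain) | (int(skip_root_sig) << 31))
    r, s = decode_dss_signature(leaf_key.sign(bytes(app), ec.ECDSA(hashes.SHA256())))
    return bytes(app) + r.to_bytes(32, "big") + s.to_bytes(32, "big") + chain


def _verify_cert(signer, cert):
    signer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                               ec.ECDSA(cert.signature_hash_algorithm))


def rom_authenticate(image, public_key_digest):
    """Replay the ROM decision procedure; returns (ok, stage that decided it)."""
    vec8, vec9 = struct.unpack_from("<II", image, VEC8_OFF)
    skip_root_sig, chain_len = vec9 >> 31, vec9 & 0x7FFFFFFF
    app, sig = image[:vec8 - SIG_LEN], image[vec8 - SIG_LEN:vec8]
    try:
        ders = der_split(image[vec8:vec8 + chain_len])
        certs = [x509.load_der_x509_certificate(d) for d in ders]
        if not skip_root_sig:                        # bit 31 = 0: self-signature first
            _verify_cert(certs[0], certs[0])
        if hashlib.sha512(ders[0]).digest() != public_key_digest:
            return False, "root digest != PUBLIC_KEY_DIGEST"
        for issuer, cert in zip(certs, certs[1:]):   # each cert by the previous key
            _verify_cert(issuer, cert)
        r, s = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
        certs[-1].public_key().verify(encode_dss_signature(r, s), app,
                                      ec.ECDSA(hashes.SHA256()))
    except (InvalidSignature, ValueError) as e:
        return False, f"rejected: {type(e).__name__}"
    return True, "authenticated"


APP = bytes(64) + b"\xfe\xe7" * 8   # constructed: blank 16-entry vector table + tiny loop


def run_demo():
    ders, leaf_key = make_chain()
    digest = hashlib.sha512(ders[0]).digest()        # value to program into USB0 page 1
    other_ders, other_key = make_chain()             # a chain the device does not trust
    good = build_image(APP, leaf_key, ders, skip_root_sig=True)
    tampered = good[:70] + bytes([good[70] ^ 1]) + good[71:]   # flip one code byte
    return {
        "good": rom_authenticate(good, digest),
        "root_sig_checked": rom_authenticate(build_image(APP, leaf_key, ders, False), digest),
        "tampered_app": rom_authenticate(tampered, digest),
        "wrong_root": rom_authenticate(build_image(APP, other_key, other_ders, True), digest),
        "serials_ok": all(serial_fits_rom(x509.load_der_x509_certificate(d)) for d in ders),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Two points worth keeping in mind when using this as a template. First, the text describes only signature and digest checks, so the model above deliberately does not check validity periods, issuer/subject linkage or key usage; a chain the ROM accepts can still be one that a general-purpose X.509 validator would reject, and the reverse. Second, the serial-number limit bites real tooling: `x509.random_serial_number()` in the `cryptography` package draws up to 159 random bits, which can encode to a 20-byte DER INTEGER, so generate serials that fit in 18 bytes (as `make_chain` does) and run `serial_fits_rom` over every certificate before programming PUBLIC_KEY_DIGEST.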