Public keys are associated with the ECC private keys: every ECC private key has its own unique public key. A couple of slots have been set aside to store public keys for validation purposes. These are often used as secure storage for root-of-trust public keys. The slots for these keys can be operated in two different modes:
- Permanent Public Key - In this mode the required public key is written to the slot labeled Parent Public Key and the slot is locked to make it permanent. The Validated Public Key slot is not used in this mode.
- Securely Updatable Public Key - Here, a parent public key is written to the Parent Public Key slot and the slot is locked. The public key to be validated is then written to the Validated Public Key slot. Finally, the private key counterpart to the parent public key (held off chip) is used to validate that public key, which enables its use and prevents unauthorized changes. See the Validated Public Key section below for more details on this process.
Parent Public Key
The parent public key is a primary system key generated from an ECC private key that is stored off chip.
Validated Public Key
A key in the Validated Public Key slot must be validated before it can be used, and must be invalidated before it can be updated. Validation and invalidation are done using the Verify command in Validate/Invalidate mode.
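The Securely Updatable Public Key workflow above, as an added Python model that is not the device vendor's code or library: a parent key is written and locked, a child key is written to the Validated Public Key slot, and the Verify command in Validate/Invalidate mode checks an ECDSA P-256 signature made with the off-chip parent private key before the child key becomes usable or may be replaced. Assumed for this model: the signed message layout (mode || 64-byte key), the 64-byte X||Y slot format, the names `PublicKeySlots`, `authorize`, `raw_pubkey` and `new_keypair`, and the `cryptography` package.

```python
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

ECDSA_SHA256 = ec.ECDSA(hashes.SHA256())
VALIDATE, INVALIDATE = b"validate", b"invalidate"  # Verify modes; assumed encoding

def new_keypair():  # P-256 key pair, used here for both the parent and the child key
    return ec.generate_private_key(ec.SECP256R1())

def raw_pubkey(pub):  # 64-byte X||Y, the form a device public-key slot holds
    n = pub.public_numbers()
    return n.x.to_bytes(32, "big") + n.y.to_bytes(32, "big")

def authorize(parent_priv, mode, child_raw):
    # Off-chip step: the parent private key signs (mode || child key). This message
    # layout is an assumption of the model, not the device's actual Verify input.
    return parent_priv.sign(mode + child_raw, ECDSA_SHA256)

@dataclass
class PublicKeySlots:
    parent: bytes = b""         # Parent Public Key slot, permanent once locked
    parent_locked: bool = False
    validated: bytes = b""      # Validated Public Key slot
    is_validated: bool = False  # set by Verify(Validate), cleared by Verify(Invalidate)

    def write_parent(self, key):
        if self.parent_locked:
            return False
        self.parent = key
        return True

    def write_validated(self, key):  # a validated key must be invalidated before update
        if self.is_validated:
            return False
        self.validated = key
        return True

    def verify(self, mode, sig):
        # Verify command in Validate/Invalidate mode; the parent key must be locked.
        if not self.parent_locked:
            return False
        x, y = (int.from_bytes(self.parent[i:i + 32], "big") for i in (0, 32))
        try:
            pub = ec.EllipticCurvePublicNumbers(x, y, ec.SECP256R1()).public_key()
            pub.verify(sig, mode + self.validated, ECDSA_SHA256)
        except (InvalidSignature, ValueError):  # bad signature or garbage parent slot
            return False
        self.is_validated = mode == VALIDATE
        return True

    def usable_key(self):  # only a validated key may be used
        return self.validated if self.is_validated else None
```

A signature made for one mode does not verify for the other, so a captured Validate authorization cannot be replayed to invalidate (or vice versa).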