Secure Boot

The SecureBoot command has been enabled for the ATECC608A-TFLXTLS. This allows the system to cryptographically validate its firmware via a boot loader before performing a full boot. This functionality can also be used to validate new firmware images before they're loaded.

The secure boot feature requires establishing a P-256 firmware signing key before it can be used. The private key will be held by the firmware developers for signing the firmware image. The public key needs to be written to the secure boot public key slot and the slot locked to make it permanent.

For the ATECC608A-TFLXTLS it is also possible to force the Primary Private key to require a valid secure boot before it is authorized for use. See section Secure Boot Option on how to enable this capability.

See Section SecureBoot Command for full details.

Implementing SecureBoot requires the following data slots.

Secure Boot Digest

The Secure Boot Digest is a 32-byte SHA-256 digest calculated over the firmware application code. Because any change to the application code changes the digest, it must be updated (and re-signed) every time the firmware is updated. For the ATECC608A-TFLXTLS, the digest is stored in Slot #7.

Secure Boot Public Key

The Secure Boot public key is the P-256 public key the SecureBoot command uses to verify the signature over the Secure Boot Digest. It is stored in Slot #15, which should be locked once the key has been written so that it cannot be replaced.
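The following Go program is an added example, not code from the datasheet or from CryptoAuthLib, that walks the flow described in this section end to end without hardware: the developer side hashes and signs the firmware image with a P-256 key, the public key is placed in a software model of Slot #15, and the SecureBoot check verifies the signature over the digest and records the digest in a model of Slot #7. The `Device` type and its `SecureBootVerify`/`SecureBootCheckStored` methods are assumptions that model the command's behaviour in software; on a real part these checks run inside the ATECC608A. The raw 64-byte R||S signature and X||Y public-key layouts are the forms CryptoAuthLib's verify and public-key write functions take. The sample image is constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Slot numbers from the text above for the ATECC608A-TFLXTLS.
const (
	SecureBootDigestSlot = 7  // Secure Boot Digest
	SecureBootPubKeySlot = 15 // Secure Boot public key
)

// FirmwareDigest is the 32-byte SHA-256 digest over the application image.
// It must be recomputed (and re-signed) every time the firmware changes.
func FirmwareDigest(image []byte) [32]byte { return sha256.Sum256(image) }

// SignFirmware is the developer-side step: hash the image and produce a
// P-256 ECDSA signature in the raw 64-byte R||S form the device expects.
func SignFirmware(priv *ecdsa.PrivateKey, image []byte) (digest [32]byte, sig [64]byte, err error) {
	digest = FirmwareDigest(image)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return digest, sig, err
	}
	r.FillBytes(sig[:32]) // FillBytes left-pads each integer to exactly 32 bytes
	s.FillBytes(sig[32:])
	return digest, sig, nil
}

// RawPublicKey returns the 64-byte X||Y form of the signing public key, the
// layout used when writing a public key into a slot with CryptoAuthLib.
func RawPublicKey(pub *ecdsa.PublicKey) (raw [64]byte) {
	pub.X.FillBytes(raw[:32])
	pub.Y.FillBytes(raw[32:])
	return raw
}

// Device is a software model (assumption) of the two slots SecureBoot uses.
type Device struct {
	Slot7  [32]byte // Secure Boot Digest
	Slot15 [64]byte // Secure Boot public key, X||Y, written once and locked
}

// SecureBootVerify models the signature path of the SecureBoot command: the
// digest presented by the boot loader is verified against the signature using
// the public key in Slot 15; on success the digest is recorded in Slot 7.
func (d *Device) SecureBootVerify(digest [32]byte, sig [64]byte) bool {
	pub := &ecdsa.PublicKey{
		Curve: elliptic.P256(),
		X:     new(big.Int).SetBytes(d.Slot15[:32]),
		Y:     new(big.Int).SetBytes(d.Slot15[32:]),
	}
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return false
	}
	d.Slot7 = digest
	return true
}

// SecureBootCheckStored models the digest-only path: a later boot presents
// the recomputed digest and it must match what was stored in Slot 7.
func (d *Device) SecureBootCheckStored(digest [32]byte) bool { return d.Slot7 == digest }

// RunExample provisions the key, signs a constructed image, accepts a genuine
// boot, confirms the stored digest, and rejects a tampered image.
func RunExample() (genuineOK, storedOK, tamperedOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // developer's signing key
	if err != nil {
		return
	}
	image := bytes.Repeat([]byte("application firmware v1 "), 64) // constructed sample image
	dev := &Device{Slot15: RawPublicKey(&priv.PublicKey)}         // Slot 15 written, then locked

	_, sig, err := SignFirmware(priv, image)
	if err != nil {
		return
	}
	// Boot loader side: recompute the digest over the image it is about to run.
	genuineOK = dev.SecureBootVerify(FirmwareDigest(image), sig)
	storedOK = dev.SecureBootCheckStored(FirmwareDigest(image))

	tampered := append([]byte(nil), image...)
	tampered[100] ^= 0x01 // one-bit change anywhere in the image changes the digest
	tamperedOK = dev.SecureBootVerify(FirmwareDigest(tampered), sig)
	return
}

func main() {
	g, s, t, err := RunExample()
	fmt.Println("genuine:", g, "stored digest matches:", s, "tampered:", t, "err:", err)
}
```

Note that the signature is verified over the digest, so a bootloader that hashes only part of the image, or hashes the image after a copy-on-boot from untrusted storage, leaves a gap the device cannot close; the digest presented to the device must cover exactly the code that is going to execute.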