The FullCopy mode of the SecureBoot
command will copy either
the signature or verified digest to the target slot. The target slot is defined as part
of the access policies for SecureBoot and is not part of the command. This mode of the
SecureBoot
command must be run before the command can be run in
FullStore Digest or Signature mode. Optionally a MAC can be generated with a nonce from
the host using the IO protection secret to prevent tampering with the wire between the
host and the ATECC608A-TFLXTLS.
For the ATECC608A-TFLXTLS device, the digest will be copied to Slot 7 upon successful completion of this command.
Opcode |
Mode |
Param2 |
Data |
Description |
---|---|---|---|---|
0x80 | 0x07 | 0x00 00 |
|
|
0x87 | 0x00 00 |
|
|
Name | Mode | Size | Response |
---|---|---|---|
Success | 0x07 | 1 byte |
|
MAC | 0x87 | 32 bytes | If successful |
1 byte |
|
Nonce
command must be run to insure a valid value is stored in TempKey. The MAC is then
calculated in two steps.
Step 1: Generate SHA256 digest over the IO protection key and the nonce | ||
32 bytes | Content of the IO protection key | |
32 bytes | First 32 bytes of nonce stored in TempKey | |
Step 2: SHA256 digest of the following | ||
32 bytes | Digest generated in step 1 | |
32 bytes | Plaintext Message. Output of step 1 XORed with the input encrypted code digest (first 32 bytes of the input buffer) | |
64 bytes | Signature as passed from the input | |
4 bytes | Input parameters (Opcode, Mode, Param2) (0x80, 0x86, 0x00 00) |