Silicon Labs Secure Engine walk-through (Series 2 devices: EFR32xG21/22/23/24/25/27/28)
- 1 I. Upgrade the SE Firmware version on the target MCU
- 2 II. Flash Bootloader Firmware and Application Firmware
- 2.1 Generate bootloader image and application image using Simplicity Studio
- 2.2 Generate keys using FlashPro/GangPro-ARM software
- 2.3 Sign bootloader and application images with private sign key using Simplicity Commander
- 2.4 Load images to device using FlashPro/GangPro-ARM software
- 2.5 Load images to device using FlashPro/GangPro-ARM software - option with external flash connected via SPI
- 3 III. Provision Key, Enable Secure Boot and Enable Debug Lock using FlashPro/GangPro-ARM
- 3.1 Note
- 4 Useful links
I. Upgrade the SE Firmware version on the target MCU
Verify access to device and check current SE firmware version.
Open firmware hex file using Open Code File button.
Select menu Setup → Device Reset.
In Target’s Reset Options window select "Hardware Reset (RST line) and start the application program” option and specify Application Program RUN time for at least 5 seconds. Then press OK button.
Run Auto Program by pressing AUTO PROG. (F8) button in main window. This will load SE firmware to device flash, reset device and run the firmware. Firmware will by updated automatically after a few seconds.
Verify Access to device to check if SE firmware was successfully updated. Check SE FW ver. text output shown below to verify.
II. Flash Bootloader Firmware and Application Firmware
This step will require setup using Simplicity Studio, described below:
Generate bootloader image and application image using Simplicity Studio
Create and build bootloader project (ex. Bluetooth Apploader OTA DFU).
Create application project.
Add to application project Bootloader Application Interface (to include app_properties.c with ApplicationProperties_t struct).
Configure version (in app properties component).
Build application project.
Generate keys using FlashPro/GangPro-ARM software
Command key and Sign key - ECDSA-P256-SHA256 key pairs.
Gecko bootloader (GBL) key - 128-bit AES.
To generate new keys select menu Setup → Secure Engine (SE).
Specify Path to Security Store.
Check Enable load in corresponding key section (Command key, Sign key, GBL Key) and click Generate button.
New keys will be generated and saved in Security Store folder.
After keys generation disable key loading (uncheck Enable Load) and press OK.
Sign bootloader and application images with private sign key using Simplicity Commander
Generate GBL key in text file.
Simplicity Commander:
commander util genkey --type aes-ccm --outfile gbl_key.txt
Open generated file and copy your key into it.
Write the GBL Decryption Key to the Application Properties of the generated GBL image.
Simplicity Commander:
commander convert bootloader-apploader_MG21B010.hex --aeskey gbl_key.txt --outfile bootloader-apploader_BG24B220_aes.hex
Sign bootloader and application images.
Simplicity Commander:
commander convert bootloader-apploader_MG21B010_aes.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bootloader-apploader_MG21B010_signed.hex
commander convert bt_soc_blinky_MG21B010.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bt_soc_blinky_MG21B010_signed.hex
Check images.
Simplicity Commander:
Load images to device using FlashPro/GangPro-ARM software
Before loading images to device clear device memory. Select form menu Setup → Memory Options.
In Memory Erase section select All Memory and click OK.
Open code file with signed bootloader image (bootloader-apploader_MG21B010_signed.hex).
Next append code file with signed application image (bt_soc_blinky_MG21B010_signed.hex). Leave Memory protection unchecked and perform Auto program.
Bootloader and application image are loaded to flash.
Load images to device using FlashPro/GangPro-ARM software - option with external flash connected via SPI
It is recommended to program an external flash before the main flash in case of any bootloader issues.
In main window click Add/Edit external flash (EF) button to configure connected EF.
Configure the type of connected EF, the communication interface, and the address space. Then click OK.
Select form menu Setup → Memory Options. In Memory Options window select Address Range: External Flash only and click OK.
Open code file for external flash. Leave Memory protection unchecked and perform Auto program.
External flash should be programmed.
Now load bootloader and application images to internal flash. Select form menu Setup → Memory Options. In Memory Options window select Address Range: Flash memory only and click OK.
Open code file with signed bootloader image and append code file with signed application image.
Next Perform Auto program. Bootloader and application images should be loaded into internal flash.
III. Provision Key, Enable Secure Boot and Enable Debug Lock using FlashPro/GangPro-ARM
Select menu Setup → Secure Engine (SE).
In the bottom left corner click Read from device to check security state. The figure below presents the state of a new device (not previously provisioned).
Device status is also displayed in main window.
To load keys to device check corresponding “Enable Load“ check-boxes and select the key files.
To load boot-and-tamper configuration check corresponding “Enable Load“ button and select configuration file (*.json). To generate new configuration file click generate.
Open configuration file (*.json) from Security Store and set suitable values. In the following file Secure boot is enabled - only signed firmware will be executed.
At this stage leave debug port open and device erase enable in case of any errors (eg. firmware boot error)
Click OK to save configuration
Secure Engine configuration will be applied after checking “Enable” in Memory Protection section of main window and clicking “Lock Device”. This will program OTP (load keys and boot & tamper configuration). Note: this options are one time programmable - once programmed can not be changed!
Check device status after configuration. Secure boot should be enabled and boot status should have the value 0x00000020 (OK )
Go to Secure Engine (SE) dialog and click Read from device button to get device status with OTP configuration. Implemented public keys are displayed in key implementation state sections.
Extended device status is added to the report in main window.
At the end of programming cycle device can be locked. Go to Secure Engine (SE) dialog, disable Device Erase and lock debug port (Debug Lock and Secure Debug Lock enable). Specify also Debug Restrictions for a TrustZone aware application. This configuration is irreversible and allows debug port to be unlocked with Debug unlock token only.
After locking the debug port, this port can be unlocked by checking Unlock device by token in Secure Debug unlock section. In this section debug unlock token and access certificate generation parameters can also be specified.
As OTP was already programmed, disable keys and OTP configuration loading and click OK to save configuration.
In main window clicking Lock Device to load configuration to device and generate Debug Unlock Token.
This step ends production programming.
Note
If Unlock device by token is enabled, the application will try to unlock debug port using Debug Unlock Token after an unsuccessful attempt to connect to the device. The token should be located in the following path: SecurityStore\device_(SerialNumber)\challenge_(challenge)\ .
Providing private keys and enabling “Generate Token form private keys” will automatically generate token when connecting to the device and use this token to unlock debug port.
If both private keys (command and sign) are not available, token can be generated from access certificate by checking Generate Token form Access certificate. The access certificate should be located in the following path: SecurityStore\device_(SerialNumber)\
Useful links
Elprotronic ST Microelectronics programmer’s page