I. Upgrade the SE Firmware version on the target MCU

1. Verify access to device and check current SE firmware version.

Open

2. Open firmware hex file using Open Code File button.

Open

3. Select menu Setup → Device Reset.

4. In Target’s Reset Options window select "Hardware Reset (RST line) and start the application program” option and specify Application Program RUN time for at least 5 seconds. Then press OK button.

5. Run Auto Program by pressing AUTO PROG. (F8) button in main window. This will load SE firmware to device flash, reset device and run the firmware. Firmware will by updated automatically after a few seconds.

6. Verify Access to device to check if SE firmware was successfully updated. Check SE FW ver. text output shown below to verify.

II. Flash Bootloader Firmware and Application Firmware

This step will require setup using Simplicity Studio, described below:

Generate bootloader image and application image using Simplicity Studio

1. Create and build bootloader project (ex. Bluetooth Apploader OTA DFU).

2. Create application project.

3. Add to application project Bootloader Application Interface (to include app_properties.c with ApplicationProperties_t struct).

4. Configure version (in app properties component).

5. Build application project.

Generate keys using FlashPro/GangPro-ARM software

Command key and Sign key - ECDSA-P256-SHA256 key pairs.

Gecko bootloader (GBL) key - 128-bit AES.

1. To generate new keys select menu Setup → Secure Engine (SE).

2. Specify Path to Security Store.

3. Check Enable load in corresponding key section (Command key, Sign key, GBL Key) and click Generate button.

4. New keys will be generated and saved in Security Store folder.

5. After keys generation disable key loading (uncheck Enable Load) and press OK.

Sign bootloader and application images with private sign key using Simplicity Commander

1. Generate GBL key in text file.

Simplicity Commander:

2. Open generated file and copy your key into it.

3. Write the GBL Decryption Key to the Application Properties of the generated GBL image.

Simplicity Commander:

4. Sign bootloader and application images.

Simplicity Commander:

5. Check images.

Simplicity Commander:

Load images to device using FlashPro/GangPro-ARM software

1. Before loading images to device clear device memory. Select form menu Setup → Memory Options.

2. In Memory Erase section select All Memory and click OK.

3. Open code file with signed bootloader image (bootloader-apploader_MG21B010_signed.hex).

4. Next append code file with signed application image (bt_soc_blinky_MG21B010_signed.hex). Leave Memory protection unchecked and perform Auto program.

5. Bootloader and application image are loaded to flash.

III. Provision Key, Enable Secure Boot and Enable Debug Lock using FlashPro/GangPro-ARM

1. Select menu Setup → Secure Engine (SE).

2. In the bottom left corner click Read from device to check security state. The figure below presents the state of a new device (not previously provisioned).

3. Device status is also displayed in main window.

4. To load keys to device check corresponding “Enable Load“ check-boxes and select the key files.

5. To load boot-and-tamper configuration check corresponding “Enable Load“ button and select configuration file (*.json). To generate new configuration file click generate.

6. Open configuration file (*.json) from Security Store and set suitable values. In the following file Secure boot is enabled - only signed firmware will be executed.

7. At this stage leave debug port open and device erase enable in case of any errors (eg. firmware boot error)

8. Click OK to save configuration

9. Secure Engine configuration will be applied after checking “Enable” in Memory Protection section of main window and clicking “Lock Device”. This will program OTP (load keys and boot & tamper configuration). Note: this options are one time programmable - once programmed can not be changed!

10. Check device status after configuration. Secure boot should be enabled and boot status should have the value 0x00000020 (OK )

11. Go to Secure Engine (SE) dialog and click Read from device button to get device status with OTP configuration. Implemented public keys are displayed in key implementation state sections.

12. Extended device status is added to the report in main window.

13. At the end of programming cycle device can be locked. Go to Secure Engine (SE) dialog, disable Device Erase and lock debug port (Debug Lock and Secure Debug Lock enable). Specify also Debug Restrictions for a TrustZone aware application. This configuration is irreversible and allows debug port to be unlocked with Debug unlock token only.

14. After locking the debug port, this port can be unlocked by checking Unlock device by token in Secure Debug unlock section. In this section debug unlock token and access certificate generation parameters can also be specified.

15. As OTP was already programmed, disable keys and OTP configuration loading and click OK to save configuration.

16. In main window clicking Lock Device to load configuration to device and generate Debug Unlock Token.

17. This step ends production programming.

Note

If Unlock device by token is enabled, the application will try to unlock debug port using Debug Unlock Token after an unsuccessful attempt to connect to the device. The token should be located in the following path: SecurityStore\device_(SerialNumber)\challenge_(challenge)\ .

Providing private keys and enabling “Generate Token form private keys” will automatically generate token when connecting to the device and use this token to unlock debug port.

If both private keys (command and sign) are not available, token can be generated from access certificate by checking Generate Token form Access certificate. The access certificate should be located in the following path: SecurityStore\device_(SerialNumber)\

Useful links

Elprotronic ST Microelectronics programmer’s page

[1] Flash and Gang Programmers for SiLabs