Skip to end of banner
Go to start of banner

Silicon Labs Secure Engine walk-through

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

I. Upgrade the SE Firmware version on the target MCU

  1. Verify access to device and check current SE firmware version.

image-20240126-100639.png
  1. Open firmware hex file using Open Code File button.

image-20240126-100947.png
  1. Select menu Setup → Device Reset.

  2. In Target’s Reset Options window select "Hardware Reset (RST line) and start the application program” option and specify Application Program RUN time for at least 5 seconds. Then press OK button.

image-20240112-082025.png
  1. Run Auto Program by pressing AUTO PROG. (F8) button in main window. This will load SE firmware to device flash, reset device and run the firmware. Firmware will by updated automatically after a few seconds.

  2. Verify Access to device to check if SE firmware was successfully updated. Check SE FW ver. text output shown below to verify.

image-20240126-101603.png

II. Flash Bootloader Firmware and Application Firmware

This step will require setup using Simplicity Studio, described below:

Generate bootloader image and application image using Simplicity Studio

  1. Create and build bootloader project (ex. Bluetooth Apploader OTA DFU).

  2. Create application project.

  3. Add to application project Bootloader Application Interface (to include app_properties.c with ApplicationProperties_t struct).

image-20240201-155610.png
  1. Configure version (in app properties component).

image-20240201-160003.pngimage-20240201-160032.png
  1. Build application project.

Generate keys using FlashPro/GangPro-ARM software

Command key and Sign key - ECDSA-P256-SHA256 key pairs.

Gecko bootloader (GBL) key - 128-bit AES.

  1. To generate new keys select menu Setup → Secure Engine (SE).

  2. Specify Path to Security Store.

  3. Check Enable load in corresponding key section (Command key, Sign key, GBL Key) and click Generate button.

image-20240117-094656.png
  1. New keys will be generated and saved in Security Store folder.

  2. After keys generation disable key loading (uncheck Enable Load) and press OK.

Sign bootloader and application images with private sign key using Simplicity Commander

  1. Generate GBL key in text file.

Simplicity Commander:

commander util genkey --type aes-ccm --outfile gbl_key.txt
  1. Open generated file and copy your key into it.

image-20240122-074927.png
  1. Write the GBL Decryption Key to the Application Properties of the generated GBL image.

Simplicity Commander:

commander convert bootloader-apploader_BG24B220.hex --aeskey gbl_key.txt --outfile bootloader-apploader_BG24B220_aes.hex
  1. Sign bootloader and application images.

Simplicity Commander:

commander convert bootloader-apploader_BG24B220_aes.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bootloader-apploader_BG24B220_signed.hex
commander convert bt_soc_blinky_BG24B220.hex --secureboot --keyfile sign_key.pem --verify sign_pubkey.pem --outfile bt_soc_blinky_BG24B220_signed.hex
  1. Check images.

Simplicity Commander:

commander util appinfo bootloader-apploader_BG24B220_signed.hex
commander util appinfo bt_soc_blinky_BG24B220_signed.hex

Load images to device using FlashPro/GangPro-ARM software

  1. Before loading images to device clear device memory. Select form menu Setup → Memory Options.

  2. In Memory Erase section select All Memory and click OK.

image-20240117-105556.png
  1. Open code file with signed bootloader image (bootloader-apploader_BG24B220_signed.hex).

image-20240206-161842.png
  1. Next append code file with signed application image (bt_soc_blinky_BG24B220_signed.hex). Leave Memory protection unchecked and perform Auto program.

image-20240206-162357.png
  1. Bootloader and application image are loaded to flash.

image-20240206-165012.png

III. Provision Key, Enable Secure Boot and Enable Debug Lock using FlashPro/GangPro-ARM

  1. Select menu Setup → Secure Engine (SE).

  2. In the bottom left corner click Read from device to check security state. The figure below presents the state of a new device (not previously provisioned).

image-20240117-112120.png
  1. Device status is also displayed in main window.

image-20240126-102104.png
  1. To load keys to device check corresponding “Enable Load“ check-boxes and select the key files.

image-20240117-113355.png
  1. To load boot-and-tamper configuration check corresponding “Enable Load“ button and select configuration file (*.json). To generate new configuration file click generate.

image-20240117-132013.png
  1. Open configuration file (*.json) from Security Store and set suitable values. In the following file Secure boot is enabled - only signed firmware will be executed.

image-20240117-131609.png
  1. At this stage leave debug port open and device erase enable in case of any errors (eq. firmware boot error)

image-20240122-083627.png
  1. Click OK to save configuration

  2. Secure Engine configuration will be applied after checking “Enable” in Memory Protection section of main window and clicking “Lock Device”. This will program OTP (load keys and boot & tamper configuration).

image-20240126-102240.png
  1. Check device status after configuration. Secure boot should be enabled and boot status should have the value 0x00000020 (OK )

image-20240126-102324.png
  1. Go to Secure Engine (SE) dialog and click Read from device button to get device status with OTP configuration. Implemented public keys are displayed in key implementation state sections.

image-20240123-133723.png
  1. Extended device status is added to the report in main window.

image-20240126-102426.png
  1. At the end of programming cycle device can be locked. Go to Secure Engine (SE) dialog, disable Device Erase and lock debug port (Debug Lock and Secure Debug Lock enable). This configuration is irreversible and allows debug port to be unlocked with Debug unlock token only.

image-20240123-174117.png
  1. Loading debug unlock tokens and token generation can be enabled in “Debug unlock token“ section.

image-20240123-174244.png
  1. As OTP was already programmed, disable keys and OTP configuration loading and click OK to save configuration.

  2. In main window clicking Lock Device to load configuration to device and generate Debug Unlock Token.

  3. This step ends production programming.

Note

If token loading is enabled, the application will try to unlock debug port using Debug Unlock Token after an unsuccessful attempt to connect to the device. The token should be located in the following path: SecurityStore\device_(SerialNumber)\challenge_(challenge)\ .

Providing private keys and enabling “Generate missing Tokens” will automatically generate token when connecting to the device and use this token to unlock debug port.

image-20240126-103141.pngimage-20240126-103619.png

  • No labels