3.20. Secure Boot

This section describes the secure boot process that the Secondary Bootloader (SBL) follows to initialize the SE05X and the MCU for secure binding and communication.

3.20.1. Secure Boot flow

  1. LPC55S ROM Bootloader verifies Secondary Bootloader (SBL) image (see AN12283) and hands over control to SBL

  2. SBL performs Secure Binding and opens session to SE05X

  3. SBL uses pre-provisioned key K_PUB_OEM in SE05X to verify secure application image

  4. After successful verification, SBL loads verified image

  5. (Optional) Secure Application can perform further initialization, non-secure image verification, hand over control to Non-Secure applications, or use SE050 with provided credentials (Secure Binding)

3.20.2. Secondary Bootloader

Secondary Bootloader (SBL) performs the following tasks to enable secure boot:

  • Secure Binding: Preparing SE05X for PlatformSCP
    • Establish a pairing between the host MCU and the SE

    • MCU is only able to use services offered by the paired SE

    • SE is only able to provide services to the paired MCU

    • Mutually authenticated, encrypted SCP03 channel

  • Preparing host MCU for PlatformSCP session
    • Securely storing PlatformSCP keys in PUF, protected by keyCodes

  • Verifying secure application
    • Check the signature of secure application to verify that it is signed by a trusted key

  • KeyCode handover to secure application
    • Handing over reference to ENC and MAC keyCodes prepared by SBL to secure application to open PlatformSCP session

3.20.3. Secure Binding

  1. First boot
    • SBL performs key rotation of the PlatformSCP key

    • PlatformSCP keys are stored in PUF

    • KeyCodes stored in flash to be used in subsequent boots

    • Flag set in flash to disable key rotation in subsequent boots

    • Verifies secure application

    [Figure: secure boot, first boot]
  2. Next boot
    • Checks for flag to disable key rotation

    • Uses keyCodes from flash to verify secure application

    [Figure: secure boot, next boot]
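
The first-boot and next-boot sequence above, as an added host-side C model (not NXP middleware code), showing the binding property from 3.20.2: after key rotation, a swapped SE or keyCodes copied to another MCU fail to open the session. Assumptions: the XOR "PUF", the key-equality "session", the `image_sig_ok` flag standing in for the K_PUB_OEM check, and all names and key bytes are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Host-side model only: all names are hypothetical, none is an NXP middleware API. */
enum { KEY_LEN = 16 };
typedef enum { SBL_OK, SBL_ERR_SESSION, SBL_ERR_IMAGE } sbl_status;
typedef struct { uint8_t scp_key[KEY_LEN]; } se_model;  /* PlatformSCP key held by the SE */
typedef struct {
    bool    rotation_done;        /* flag in flash: skip key rotation on later boots */
    uint8_t key_code[KEY_LEN];    /* stands in for the ENC/MAC keyCodes kept in flash */
    uint8_t puf_secret[KEY_LEN];  /* stands in for the device-unique PUF */
} mcu_model;

/* Toy keyCode wrapping (assumption): XOR with the device secret, so a keyCode
 * only yields the key on the MCU that created it. */
static void puf_xor(const mcu_model *m, const uint8_t *in, uint8_t *out) {
    for (int i = 0; i < KEY_LEN; i++) out[i] = in[i] ^ m->puf_secret[i];
}

/* SCP03 mutual authentication reduced to "both sides hold the same key". */
static bool open_session(const se_model *se, const uint8_t *key) {
    return memcmp(se->scp_key, key, KEY_LEN) == 0;
}

sbl_status sbl_boot(mcu_model *m, se_model *se, const uint8_t *default_key,
                    const uint8_t *new_key, bool image_sig_ok) {
    uint8_t key[KEY_LEN];
    if (!m->rotation_done) {                      /* first boot */
        if (!open_session(se, default_key)) return SBL_ERR_SESSION;
        memcpy(se->scp_key, new_key, KEY_LEN);    /* rotate the PlatformSCP key */
        puf_xor(m, new_key, m->key_code);         /* keyCode goes to flash */
        m->rotation_done = true;                  /* set after the keyCodes are written */
    }
    puf_xor(m, m->key_code, key);                 /* every boot: keyCode + PUF -> key */
    if (!open_session(se, key)) return SBL_ERR_SESSION;
    return image_sig_ok ? SBL_OK : SBL_ERR_IMAGE; /* models the SE05X signature check */
}

/* Constructed scenario: pair on first boot, then reboot, optionally against a
 * different SE or with the flash contents copied to a different MCU. */
sbl_status demo_reboot(bool swap_se, bool swap_mcu, bool sig_ok) {
    const uint8_t def[KEY_LEN] = {0xD0}, fresh[KEY_LEN] = {0x7A, 0x11};
    se_model se = {{0xD0}}, other_se = {{0xD0}};
    mcu_model mcu = {false, {0}, {0xA5, 0x3C}}, other = {true, {0}, {0x5A, 0xC3}};
    if (sbl_boot(&mcu, &se, def, fresh, true) != SBL_OK) return SBL_ERR_SESSION;
    memcpy(other.key_code, mcu.key_code, KEY_LEN);
    return sbl_boot(swap_mcu ? &other : &mcu, swap_se ? &other_se : &se, def, fresh, sig_ok);
}

int main(void) { return demo_reboot(false, false, true) == SBL_OK ? 0 : 1; }
```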

Also see Secure Boot Demo