SAM L11 Secure Boot

SAM L11 Secure Boot Overview

The SAM L11 Boot ROM is always executed at product startup. This software is ROM coded into the device and cannot be bypassed by the user. Depending on the Boot Configuration Row (BOCOR) fuse setting, the Boot ROM knows if a Secure Boot (BS) region is defined in the system. The Secure Boot region is defined by the parameter BS in the BOCOR fuse bits.

The Boot ROM can perform an integrity check (SHA-256) or authenticate (SHA-256 + BOOTKEY) the firmware stored in the Secure Boot region prior to executing it. This verification mechanism is a key element to consider for ensuring the system root of trust during deployment and execution of the Secure firmware. The following figure illustrates the Secure Boot process with BS (including BNSC) verification:


To validate the Secure Bootloader code stored in the Device Flash BS+BNSC memory section, the ROM code computes the hash of the Flash BS+BNSC regions using the Crypto Accelerator (CRYA) and compares it to a reference hash (256 bits/32 bytes) stored in the device BS memory section. This reference hash must be stored in the last 256 bits of the Secure Flash (BOOT Region) as shown in the following figure:


If the computed hash matches the reference hash, the Boot ROM starts the Secure Bootloader execution. Any mismatch puts the device in an endless reset loop, preventing Flash code execution. Only a ChipErase_ALL command allows recovery from this device state. The ChipErase_ALL command erases the full memory content and resets the fuses to their factory settings.

The following fuses are used in the Secure Boot process configuration:

  • BOOTPROT, BS, and BNSC: define the configuration of the boot section in product Flash. The size of the Secure, Non-Secure and Non-Secure-Callable boot sections can be customized according to the application need. These fuses are used for security memory allocation in the product's Implementation Defined Attribution Unit (IDAU) and for the integrity and authentication mechanisms when configured in the BOOTOPT fuse. Any change of the fuse setting requires a reset to be taken into account by the device, as only the Boot ROM can change the IDAU setting.
  • BOOTOPT: defines the type of verification to be performed as Secure or Non-Secure.
    • 0: no verification method
    • 1: integrity check (SHA-256)
    • 2 or 3: authentication check (SHA-256 with BOOTKEY)
  • BOOTKEY: 256-bit BOOTKEY used by the authentication mechanism.
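
A host-side pre-programming check for the BOOTOPT = 1 integrity case described above, useful because a mismatch leaves the device in a reset loop until ChipErase_ALL. This is an added example, not Microchip code: it assumes plain SHA-256 over every byte of the BS+BNSC region that precedes the 32-byte reference slot and 0xFF fill for unused Flash, and the function names, `region_size` and sample bytes are hypothetical. Confirm the exact hashed range against the product data sheet.

```python
import hashlib
import hmac

HASH_LEN = 32  # 256-bit reference hash in the last 32 bytes of the region


def build_boot_region(firmware: bytes, region_size: int) -> bytes:
    """Pad the bootloader and append the reference hash (BOOTOPT = 1 layout)."""
    room = region_size - HASH_LEN
    if room <= 0 or len(firmware) > room:
        raise ValueError("firmware overlaps the reference hash slot")
    # Assumption: unused Flash in the region reads as erased (0xFF).
    body = firmware + b"\xff" * (room - len(firmware))
    return body + hashlib.sha256(body).digest()


def rom_would_boot(region: bytes, bootopt: int) -> bool:
    """Model the Boot ROM decision for a BS+BNSC region dump."""
    if bootopt == 0:          # no verification
        return True
    if bootopt == 1:          # integrity check (SHA-256)
        if len(region) <= HASH_LEN:
            return False
        body, reference = region[:-HASH_LEN], region[-HASH_LEN:]
        # Assumption: the hash covers every byte before the reference slot.
        return hmac.compare_digest(hashlib.sha256(body).digest(), reference)
    if bootopt in (2, 3):
        # How BOOTKEY enters the hash is not described on this page.
        raise NotImplementedError("BOOTKEY authentication is not modelled")
    raise ValueError("BOOTOPT must be 0..3")


if __name__ == "__main__":
    image = build_boot_region(b"\x00\x80\x00\x20" * 16, 0x400)  # constructed sample
    print("boots:", rom_would_boot(image, 1))
    patched = bytes([image[0] ^ 1]) + image[1:]
    print("boots after 1-bit change:", rom_would_boot(patched, 1))
```

Run `rom_would_boot` on the exact bytes that will be written to the BS+BNSC region before setting BOOTOPT to a non-zero value.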

Using the Secure Boot Authentication feature has an impact on the product startup time. Refer to the product data sheet for additional information.

The figure below highlights the fuses used for configuring the BS process:

© 2019 Microchip Technology, Inc.