Getting Started with TrustFLEX for Secure Boot

This page shows you how to validate your firmware (Secure Boot) using TrustFLEX. You will use Jupyter Notebook to configure the TrustFLEX device, then use an example project (from the Trust Platform DesignSuite) to verify the firmware.

TrustFLEX is a pre-configured and partially pre-provisioned secure element, to ensure that a product with the consumables it uses, firmware it runs, accessories that support it, and the network nodes it connects to are not cloned, counterfeited, or tampered with. It is one of three ATECC608A sub-families (including Trust&GO and TrustCUSTOM) found on the CryptoAuth Trust Platform evaluation kit.

The CryptoAuth Trust Platform includes hardware prototyping tools along with a unique design suite to accelerate the prototyping of commonly implemented use cases (i.e., IoT authentication, firmware validation (Secure Boot), IP protection, custom public key infrastructure, etc.). The presence of three sub-families allows for a wide variety of flexibility for implementation, based on the complexity of the application.

cryptoauth_trust_platform1.png
CryptoAuth Trust Platform

 Materials

Hardware Tools

Tool About Purchase
board-50px.png
CryptoAuth Trust Platform
Evaluation Kit

The CryptoAuth Trust Platform evaluation kit includes an on-board Embedded Debugger (EDBG).

Software Tools

Tool About Installers
Installation
Instructions
Windows Linux Mac OSX
MPLAB® X
Integrated Development Environment
MPLAB® XC32
C/C++ Compiler
swtool-28px.png
Anaconda
Python Distribution
Trust Platform DesignSuite
GitHub Repository
Download

Note: The AWS Command Line Interface (CLI) and Jupyter Notebook are also required. These are conveniently included with the Anaconda download.

1. TrustFLEX Devices

TrustFLEX devices (part number ATECC608A-TFLXTLS) are a pre-configured and partially pre-provisioned Secure Element for Cloud Authentication.

1.1 Features:

  • Cloud Platform Support: Google Cloud, AWS IoT, AWS GreenGrass, and Microsoft Azure
  • Secure Boot Firmware validation
  • Secure Over The Air (OTA) upgrade
  • Custom Public Key Infrastructure (PKI)
  • IP/Firmware protection
  • Accessory and Disposable authentication

1.2 Device Customization Process:

There are five steps involved in customizing the TrustFLEX device:

  1. Selecting a Pre-defined Use Case(s) from the TrustFLEX use case library.
  2. Generate the development keys and certificates using the Jupyter Notebook resource generator.
  3. Prototyping the Use Case(s) in the Jupyter Notebook.
  4. Test the Use Case(s) on an embedded platform using MPLAB® projects provided in the suite.
  5. Generate the secret exchange for production.

2. TrustPlatform DesignSuite Repository

It is required to have a Git account to access this repository. If an account is not available, please create one. The account creation is not provided here, please refer to GitHub for instructions on how to create an account.
Once the account is created, the repository package can be accessed from this location: https://github.com/MicrochipTech/cryptoauth_trustplatform_designsuite. This link has the complete package for Use Case Tool, i.e., Jupyter notebook tutorials, C examples, and MPLAB X IDE projects.

designsuite1.png

Note: To simplify the use of Jupyter, it is required to clone or download this package into the documents folder. The package can be downloaded in two methods.

2.1 Direct Download method

  1. Go to the below link and click Clone or Download

Design Suite

  1. Click the Download ZIP to start downloading the packages in zip.
  2. Unzip the packages and place it in the Documents directory.
  3. There are two dependencies needed for the Use Case Tool:
    • cryptoauthlib: download the CryptoAuthLib (CAL) packages and unzip the package: Download.
    • micro-ecc: download the micro-ecc package and unzip the package. Download.
  4. Move both the unzipped cryptoauthlib & micro-ecc folders to the following folders respectively:

TrustPlatform-DesignSuite\TFLXTLS_examples\c\dependencies\cryptoauthlib
TrustPlatform-DesignSuite\TFLXTLS_examples\c\dependencies\micro-ecc

designsuite2.png

2.2 Git clone method

This method uses the git clone command which needs git installation and familiarity with the commands. Refer to the GitHub installation section in Annex for details on the installation.
Use following git clone command to download package:
git clone —recursive https://github.com/MicrochipTech/cryptoauth_trustplatform_designsuite.git
This command will take care of recursively pulling all dependencies automatically to the right location.

3. Getting Started with Jupyter Notebook:

Jupyter Notebook is an application packaged along with other packages in the Anaconda Distribution. Jupyter Notebook is an open-source web application that allows the user to create documents that contain code and narrative text that can be executed in place. It provides Graphical User Interface (GUI) elements, the ability to add images, and gives it the interactive look that is absent in normal code files.

The cells of the Notebook can be used to write code or text using markdown. The code cells contain executable code and the text cells contain the explanation of the code's functionality.

Go to START > Anaconda Navigator to open the home screen for Anaconda. Navigate to Jupyter Notebook application to click on Launch.

trustflex1.png

The Notebook dashboard will open with the browser, which is the homepage for the notebook as shown below. The dashboard displays the folder structure that will help to navigate to the exact folder the GitHub repository was cloned to.

trustflex2.png

4. TrustFLEX Resource Generator:

The Resource Generator Notebook supports the development of Cryptographic Keys, Custom Root, and Signer Keys to issue device certificates and prototype the TrustFLEX devices with development keys and certificates.

TrustFLEX devices come with pre-programmed certificates in slots 10, 11, and 12. Slots zero-four have pre-generated private keys, other than these mentioned slots all the other slots have no data in them.

The Resource Generator Notebook will create development keys and certificates for all slots that can be further customized. Keys and certificate chains are stored in the PC filesystem and not generated in a secure environment.

Note: This tool is used only for development purposes and not for mass production

4.1 Setting up the Hardware:

  • Plug in the CryptoAuth Trust Platform to the PC using the USB cable.
  • The Design Suite is set up such that it communicates with the TrustFLEX device only.

4.2 Using the Trust Platform Suite for TrustFLEX:

  • Open the Jupyter Notebook and navigate to the Resource Generation Notebook and click to open it.
  • Double click on Crypto Resource Generator.ipynb to proceed ahead.

Folder Structure

trustflex3.png

Crypto Resource Generator

trustflex4.png
  • Execute each cell using Cell > Run Cell and observe the output of each successfully executed code cell.
  • If the Notebook has already been executed before then, Kernel > Restart and Clean Output helps to start the refresh, and the output of the script is shown.
trustflex5.png
  • Once all the cells are executed, you are prompted to choose between the MCHP certificate or a custom created certificate.

This enables to select the certificate chain for the examples. If MCHP certificates are selected, then the resources would be generated to handle default MCHP certificates. If custom certificates are selected, then it would be prompted for information like Organization Name to include in the custom certificates being generated.

  • Choose the required certificate by entering a number into the box
    • MCHP Certificate: "1"
    • Custom Certificate: "2"
    • For this example, enter the number 2 (custom certificate) in the certificate type box.
trustflex5a.png
  • A prompt will open asking you to enter the Organization Name. Choose any name (or a random set of characters) but make sure the name does not exceed 24 characters.
  • Once the Organization name has been entered, the output will be as follows:
trustflex6.png
trustflex7.png
trustflex8.png
  • The Notebook will also generate a manifest file to be uploaded into the public cloud of your choice (Google GCP, AWS IoT, and soon to be supported, Microsoft Azure).

5. Use Case Prototyping:

The Trust Platform Suite supports multiple use cases like Firmware Validation (Secure Boot), IP protection, and Custom Public Key Infrastructure, etc. Here in this document, we will see further details about Secure Boot prototyping.

5.1 Firmware validation (Secure Boot) Prototyping:

Secure Boot feature assists the microcontroller in identifying fraudulent code installed. When this feature is implemented, the microcontroller will send the digest to the TrustFlex device. The TrustFlex device validates this information and responds to the host with a success or fail.

Here are the steps that will be required to complete this use case successfully:

  • Generate the resources using the Resource generation notebook as mentioned in section four.
  • Run Secure Boot code (through a Jupyter Notebook)
  • Run Secure Boot code (through an MPLAB ‘C’ project)

Note: The software installations and the links are already mentioned in the CryptoAuth Trust Platform User Guide.

5.1.1 Executing the Secure Boot Use Case using Jupyter Notebook:

  • From the launched Jupyter Notebook navigate TFLXTLS_Use_Cases > notebooks > secureboot
trustflex11.png
  • Execute all the steps until 2.3.3, and once it is successfully executed, the SBoot Update button will appear. Click on the button and it will turn green or red based on the result.
trustflex12.png
  • Continue running the example till the end of the notebook, you will see an SBoot Verify button. Click on the button, if it turns green it is successful.
trustflex13.png
  • Once all the steps are successfully executed, proceed to the next step (open the example project in the MPLAB X IDE).

5.1.2 Program the CryptoAuth Trust Platform with the Secure Boot example project.

Make sure you have installed both the MPLAB X IDE and XC32 C compiler.

  • Launch MPLAB and open the example project by selecting File > Open Project.
  • Browse to the folder you downloaded the Trust Platform Design Suite to. You will find the Secure Boot example project in this folder:TFLXTLS_Use_Cases\c\firmware\
  • Select the TFLXTLS_example_SAMD21.X file, then click the Open Project button.
trustflex14.png
  • Double-click on the secureboot_verify.c file to open it and see the code responsible for verifying the firmware.
trustflex15.png
  • Program the CryptoAuth Trust Platform with the Secure Boot example project by right-clicking the project name in the projects window and selecting Make and Program Device.
trustflex16.png
  • The output window shows the progress of the make and program process. You will know the process is complete when you see the "Programming Complete" message.
trustflex17.png
  • Once the programming is complete, then the firmware will execute the Secure Boot operation. On successful completion of the operation, the Trust Platform status LED will start blinking.
    • Secure Boot Successful = LED blinks once every second
    • Secure Boot Unsuccessful = LED blinks five times every second
© 2019 Microchip Technology, Inc.
Notice: ARM and Cortex are the registered trademarks of ARM Limited in the EU and other countries.
Information contained on this site regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights.