CryptoAuthLib
Microchip CryptoAuthentication Library
The SecureBoot command is a feature new to the ATECC608A compared with earlier CryptoAuthentication devices from Microchip. It helps the MCU detect fraudulent code installed on it: the MCU sends a firmware digest and its signature to the ATECC608A, which validates them (an ECDSA verify against the public key provisioned in the device) and responds to the host with a yes or no answer.
The ATECC608A provides options to reduce the firmware verification time by storing the signature or digest after a good full verification (FullStore mode of the SecureBoot command).
The ATECC608A also provides wire protection features for the SecureBoot command. They can be used to encrypt the digest sent from the host to the ATECC608A and to add a MAC to the verify result returned to the host, so that an attacker on the bus cannot force the result to a success state. These features rely on a shared secret between the host and the ATECC608A, called the IO protection key.
The secure boot feature can be easily integrated into an existing project. The project should include the following files from the secure_boot folder:
The project should also implement the following platform-specific APIs:
The project can set the secure boot configuration with the following defines:
The secure boot process is performed by initializing CryptoAuthLib and calling the secure_boot_process() function.
For more information about secure boot, please see the example implementation project and documentation at: https://github.com/MicrochipTech/cryptoauth_usecase_secureboot