This application note describes how the secure boot and secure flash features operate with the Cypress® CYW4390X family of embedded wireless system-on-a-chip (SoC) devices. Secure boot and secure flash features are not required during the early product development phase. As feature functionality involves programming one-time programmable (OTP) nonvolatile memory, it is important to exercise diligent precautions before starting the process.
Below is my test experience, shared here.
During boot-up, the second stage bootloader is decrypted and authenticated by the ROM bootloader. The ROM bootloader supports the following algorithms.
Encryption: AES128-CBC
Authentication: HMAC_SHA256 or RSA (2048-bit)
In this folder there is a NULL folder by default; boot_aes.key and boot_sha.key are filled with 0x00.
I copied it to a new folder, MY_KEY, and modified bytes 0x00~0x10 and 0x00~0x20 (using the UltraEdit hex view).
I programmed the SHA key and AES key into OTP according to AN214842 section 9.2.1, but with the MY_KEY content.
I programmed the Enable Secure Boot bit in OTP according to AN214842 section 9.1.1, but found that the normal build "scan" could still run.
I programmed the Enable HW Crypto / Enable AES128-CBC Encryption / Enable HMAC_SHA256 Authentication (Signature) bits in OTP according to AN214842 section 9.1.2. Then I got the expected result: only the build with SECURE_BOOT can run.
Make snip.scan-CYW943907AEVAL1F download SECURE_BOOT=1 KEYS=MY_KEY run
If a key is changed at build time, it can't run.
I tested ota_fr.
Make snip.ota_fr-CYW943907AEVAL1F SECURE_BOOT=1 SECURE_SFLASH=1 KEYS=MY_KEY download download_apps run
Flash partitions can be marked as secure at build time, during which the contents of the partitions are signed and encrypted before being programmed to the flash.
By default, Secure Flash ensures that the following flash partitions are secure:
❐ User application
❐ File System
❐ Device Configuration Table (DCT)
❐ OTA2 (Over the air upgrade version2) application
❐ OTA2 Failsafe application
❐ Factory Reset application
Encryption: AES128-CBC
Authentication: HMAC_SHA256
Secure flash supports AES128-CBC for encryption and HMAC_SHA256 for authentication. A 256-bit HMAC_SHA256 digest is stored at the end of each flash sector.
There is no need to set anything in OTP.
In case a hacker gets the image from the serial flash, it cannot run on another board without the correct key in OTP.
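The key-file preparation above (16-byte boot_aes.key, 32-byte boot_sha.key, NULL defaults filled with 0x00) and the per-sector HMAC_SHA256 digest of secure flash can be modelled in a few lines. The following is an added example, not Cypress or WICED SDK code: it checks that a key file has the right length and is not the all-zero default, generates a MY_KEY-style folder, and shows why an image sealed with one board's key fails verification with another board's key or after tampering. The sector size, the 0xFF padding and the key values are assumptions for illustration; the AES128-CBC encryption layer is left out so the script runs with the Python standard library only.

```python
"""Added example (not Cypress/WICED code): key-file checks and the per-sector
HMAC-SHA256 tag described in the post. Sector size, padding and key values
are constructed for illustration; AES128-CBC encryption is not modelled."""
import hashlib
import hmac
import os
import secrets

AES_KEY_LEN = 16      # boot_aes.key: AES128 key, bytes 0x00..0x0F
SHA_KEY_LEN = 32      # boot_sha.key: HMAC-SHA256 key, bytes 0x00..0x1F
SECTOR_SIZE = 4096    # assumed flash sector size for this example
TAG_LEN = 32          # 256-bit HMAC_SHA256 digest stored at the end of each sector


def check_key(data: bytes, expected_len: int) -> str:
    """Return 'ok', or the reason this key file must not be programmed into OTP."""
    if len(data) != expected_len:
        return f"wrong length {len(data)}, expected {expected_len}"
    if data == bytes(expected_len):
        return "all-zero (NULL default) key, replace it before programming OTP"
    return "ok"


def write_key_folder(path: str) -> None:
    """Create a MY_KEY-style folder holding freshly generated random keys."""
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "boot_aes.key"), "wb") as f:
        f.write(secrets.token_bytes(AES_KEY_LEN))
    with open(os.path.join(path, "boot_sha.key"), "wb") as f:
        f.write(secrets.token_bytes(SHA_KEY_LEN))


def seal_sector(payload: bytes, sha_key: bytes) -> bytes:
    """Pad the payload to SECTOR_SIZE - TAG_LEN and append the HMAC-SHA256 tag."""
    if len(payload) > SECTOR_SIZE - TAG_LEN:
        raise ValueError("payload does not fit in one sector")
    body = payload.ljust(SECTOR_SIZE - TAG_LEN, b"\xff")   # erased flash reads 0xFF
    tag = hmac.new(sha_key, body, hashlib.sha256).digest()
    return body + tag


def verify_sector(sector: bytes, sha_key: bytes) -> bool:
    """Recompute the tag with the key held in OTP and compare in constant time."""
    if len(sector) != SECTOR_SIZE:
        return False
    body, tag = sector[:-TAG_LEN], sector[-TAG_LEN:]
    expected = hmac.new(sha_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo() -> dict:
    """Walk through the post's scenario with constructed keys (not real OTP values)."""
    null_sha = bytes(SHA_KEY_LEN)                          # the NULL folder default
    board_a_key = bytes(range(1, SHA_KEY_LEN + 1))         # constructed MY_KEY content
    board_b_key = bytes(range(100, 100 + SHA_KEY_LEN))     # another board's OTP key
    image = b"snip.scan application bytes (constructed sample)"
    sector = seal_sector(image, board_a_key)
    # Flip one bit inside the image body to model a modified flash dump
    tampered = sector[:8] + bytes([sector[8] ^ 0x01]) + sector[9:]
    return {
        "null_key_rejected": check_key(null_sha, SHA_KEY_LEN) != "ok",
        "same_board": verify_sector(sector, board_a_key),
        "other_board": verify_sector(sector, board_b_key),
        "tampered": verify_sector(tampered, board_a_key),
    }


if __name__ == "__main__":
    print(demo())   # expected: same_board True, other_board False, tampered False
```

Running the script prints a dictionary showing that only the board whose OTP holds the sealing key accepts the sector; a copied image fails on a board with a different key, and any bit flip in the body invalidates the tag. The check_key helper is the step worth keeping in a real build flow: programming the all-zero NULL keys into OTP would make the encryption and signature meaningless, and OTP cannot be reprogrammed afterwards.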
It is important to prevent any external host from reading OTP-secured keys. Note: Once SECURE_BIT is set to 1, OTP and flash cannot be programmed, so this must be the last task performed after the secure boot and secure flash procedures are completed. When the secure bit (SECURE_BIT) is set to 1, JTAG, SDIO, USB and HSIC interfaces are disabled on the device. This prevents any external host from reading secure keys stored in OTP.
1. Set up the programming environment using WICED-SDK.
2. Set the SECURE_BIT address shown below. This is identical for both version B0 and version B1.
# .\wl43909_B0.exe --serial otpraw 387 1 1
3. Download the target application. This must be done before step 4, otherwise the JTAG port will be disabled and the application download will not be possible.
4. Power cycle the device.
!!! With HW Crypto, the second stage bootloader size is limited to 16 KB,
and the waf.ota2_bootloader app is bigger than 16 KB.
So when you use ota2_bootloader, you can't use HW_CRYPTO.