Series 2 and Series 3 Device Security Features#
Protecting IoT devices against security threats is central to a quality product. Silicon Labs offers several security options to help developers build secure devices, secure application software, and secure paths of communication to manage those devices. Silicon Labs’ security offerings were significantly enhanced by the introduction of the Series 2 and Series 3 products that included a Secure Engine. The Secure Engine is a tamper-resistant component used to securely store sensitive data and keys and to execute cryptographic functions and secure services.
On Series 1 devices, the security features are implemented by the TRNG (if available) and CRYPTO peripherals.
On Series 2 and Series 3 devices, the security features are implemented by the Secure Engine and CRYPTOACC (if available). The Secure Engine may be hardware-based, or virtual (software-based). Throughout this document, the following abbreviations are used:
Series 2 devices: EFR32xx2xx devices
Series 3 devices: SiG3xxx devices
HSE: Hardware Secure Engine
VSE: Virtual Secure Engine
SE: Secure Engine (either HSE or VSE)
Additional security features are provided by Secure Vault. Three levels of Secure Vault feature support are available, depending on the part and SE implementation, as reflected in the following table:
Level (1) | SE Support |
|---|---|
Secure Vault High (SVH) and Series 3 Secure Vault | HSE only (HSE-SVH) |
Secure Vault Mid (SVM) | HSE (HSE-SVM), VSE (VSE-SVM) |
Secure Vault Base (SVB) | N/A |
Notes:
The features of different Secure Vault levels can be found in Security.
Refer to IoT Endpoint Security Fundamentals for details on supporting devices.
Secure Vault Mid consists of two core security functions:
Secure Boot: Process where the initial boot phase is executed from an immutable memory (such as ROM) and where code is authenticated before being authorized for execution.
Secure Debug access control: The ability to lock access to the debug ports for operational security, and to securely unlock them when access is required by an authorized entity.
Secure Vault High and Series 3 Secure Vault devices offer additional security options:
Secure Key Storage: Protects cryptographic keys by “wrapping” or encrypting the keys using a root key known only to the HSE-SVH.
Anti-Tamper protection: A configurable module to protect the device against tamper attacks.
Device authentication: Functionality that uses a secure device identity certificate along with digital signatures to verify the source or target of device communications.
Note: Series 3 Secure Vault devices do not include a device certificate for the host MCU.
A Secure Engine Manager and other tools allow users to configure and control their devices both in-house during testing and manufacturing, and after the device is in the field.
User Assistance#
In support of these products, Silicon Labs offers whitepapers, webinars, and documentation. The following table summarizes the key security documents:
| Document | Summary | Applicability |
|---|---|---|
How to lock and unlock Series 2 and Series 3 debug access, including background information about the SE |
Secure Vault Mid, High, and Series 3 devices |
|
Series 2 and Series 3 Secure Boot with RTSL (this application note) |
Describes the secure boot process on Series 2 and Series 3 devices using SE |
Secure Vault Mid, High, and Series 3 devices |
How to program, provision, and configure the anti-tamper module |
Secure Vault High, and Series 3 devices |
|
Authenticating Silicon Labs Devices using Device Certificates |
How to authenticate a device using secure device certificates and signatures, at any time during the life of the product |
Secure Vault High, and Series 3 devices |
How to securely "wrap" keys so they can be stored in non-volatile storage. |
Secure Vault High, and Series 3 devices |
|
How to program, provision, and configure security information using SE during device production |
Secure Vault Mid, High, and Series 3 devices |
|
AN1504: Series 3 Security Overview |
High level overview of the security features included in Series 3 devices |
Series 3 |
AN1509: Series 3 AXiP |
How to encrypt and authenticate memory contents |
Series 3 |
Key Reference#
Public/Private keypairs along with other keys are used throughout Silicon Labs security implementations. Because terminology can sometimes be confusing, the following table lists the key names, their applicability, and the documentation where they are used.
Key Name | Customer Programmed | Purpose |
|---|---|---|
Public Sign key (Sign Key Public) | Yes | Secure Boot binary authentication and/or OTA upgrade payload authentication |
Public Command key (Command Key Public) | Yes | Secure Debug Unlock or Disable Tamper command authentication |
OTA Decryption key (GBL Decryption key) aka AES-128 Key | Yes | Decrypting GBL payloads used for firmware upgrades |
Attestation key aka Private Device Key | No | Device authentication for secure identity |
AXiP Key | No | Used on Series 3 devices for encryption/ decryption and authentication of firmware placed in flash |
EXiP Key | No | Used on Series 3 devices for encryption/ decryption of firmware placed in flash |
SE Firmware#
Silicon Labs strongly recommends installing the latest SE firmware on Series 2 and Series 3 devices to support the required security features. Refer to Production Programming of Series 2 and Series 3 Devices for the procedure to upgrade the SE firmware and IoT Endpoint Security Fundamentals for the latest SE Firmware shipped with Series 2 and Series 3 devices and modules.