Overview#

More steps are involved in the production programming process of Series 2 and Series 3 devices compared to Series 1 devices. The steps vary if the device is to have Secure Boot enabled or disabled. For more information about Secure Boot, see Series 2 and Series 3 Secure Boot with RTSL. Enabling Secure Debug is a recommended step in the process. For more information about Secure Debug, see Series 2 and Series 3 Secure Debug.

A general overview of the production programming steps is described in the following sections.

Silicon Labs provides Custom Part Manufacturing Service (CPMS) to customize the users' security features and settings.

Production Programming for Secure Boot-Disabled Device#

The following figure illustrates the production programming flow for Secure Boot-disabled devices. It is possible to upgrade Series 2 and Series 3 devices deployed in the field without Secure Boot to Secure Boot with RTSL.

Series 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Disabled DevicesSeries 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Disabled Devices

Upgrading the SE Firmware and flashing the bootloader and application firmware are required in the production programming process. Provisioning the GBL Decryption Key for GBL payload decryption, Public Sign Key for Secure Boot, Public Command Key for Secure Debug Unlock, and enabling the Debug Lock are strongly recommended.

A more detailed version of the Series 2 and Series 3 production programming flowchart for a Secure Boot-disabled device is illustrated in the following figure.

Series 2 and Series 3 Step-by-Step Production Programming Flowchart for a Secure Boot-Disabled DeviceSeries 2 and Series 3 Step-by-Step Production Programming Flowchart for a Secure Boot-Disabled Device

Notes:

  1. Refer to Provisioning the GBL Decryption Key in Simplicity Commander on how to program the GBL Decryption Key to the Series 2 or Series 3 device.

  2. The VSE devices store a Public Sign Key copy on the top page of the main flash for Secure Boot (see Signing for ECDSA-P256-SHA256 Secure Boot in Series 2 and Series 3 Secure Boot with RTSL).

  3. The Public Command Key can also be used to temporarily disable anti-tamper protection on HSE-SVH devices (see Anti-Tamper Protection Configuration and Use).

  4. Enabling the debug lock should be the final step in production, and the following debug lock options are available on Series 2 and Series 3 devices.

    For more information about these debug lock options, see the section Debug Lock State Transition in Series 2 and Series 3 Secure Debug.

  5. For Series 3, the final step is to close all code regions. See _Bootloader Firmware Programming and Application Firmware Programming for instructions.

Production Programming for Secure Boot-Enabled Device#

The following figure illustrates the production programming flow for Secure Boot-enabled devices.

Series 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Enabled DevicesSeries 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Enabled Devices

Upgrading the SE Firmware and flashing the SIGNED bootloader and application firmware are required in the production programming process. Provisioning the Public Sign Key and enabling Secure Boot are also needed in the production programming process to enable the Secure Boot option. Provisioning the GBL Decryption Key for GBL payload decryption, Public Command Key for Secure Debug Unlock, and enabling the Debug Lock are strongly recommended. Provisioning Tamper Configuration (HSE-SVH and Series 3 Secure Vault only) is also recommended.

A more detailed version of the Series 2 and Series 3 production programming flowchart for a Secure Boot-enabled device is illustrated in the following figure.

Series 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Enabled DevicesSeries 2 and Series 3 High-Level Production Programming Flowchart for Secure Boot-Enabled Devices

Notes:

  1. The device will enter the Secure Boot failed state if the bootloader firmware is either unsigned or incorrectly signed (see Bootloader Firmware Programming).

  2. If the Secure Boot option is enabled in the bootloader, the application firmware must be signed (see Application Firmware Programming).

  3. The VSE devices store a Public Sign Key copy on the top page of the main flash for Secure Boot (see section Signing for ECDSA-P256-SHA256 Secure Boot in Series 2 and Series 3 Secure Boot with RTSL).

  4. On HSE-SVH and Series 3 Secure Vault devices, the anti-tamper protection configuration is provisioned with Secure Boot settings (see Enabling Secure Boot and Tamper Configuration).

  5. Refer to Provisioning the GBL Decryption Key in Simplicity Commander on how to program the GBL Decryption Key to Series 2 or Series 3 devices.

  6. The Public Command Key can also be used to temporarily disable anti-tamper protection on HSE-SVH devices (see Anti-Tamper Protection Configuration and Use).

  7. Enabling the debug lock should be the final step in production, and the following debug lock options are available on the Series 2 device.

    For more information about these debug lock options, see the section Debug Lock State Transition in Series 2 and Series 3 Secure Debug.

  8. For Series 3, the final step is to close all code regions. See Bootloader Firmware Programming and Application Firmware Programming for instructions.