Standard Security Keys

The following subsections will address the different security keys that are accepted by CPMS. Note that only public keys should be uploaded to CPMS. Silicon Labs strongly recommends that each key be generated using robust methods, that private keys are not shared with unauthorized parties, and that keys be stored in a well-managed and protected hardware security module (HSM).

Secure Boot Key

The secure boot key, also known as the public signing key, is used for authenticating the signature on a bootloader or application image. CPMS will accept this key in .pem or .der format. This key should be generated as a public/private key pair, and only the public key should be provided to CPMS. For more information on this key pair, refer to AN1218: Series 2 Secure Boot with RTSL.

Command Key

The command key is used for disabling tamper responses and performing a secure debug unlock. CPMS will accept this key in .pem or .der format. This key should be generated as a public/private key pair and only the public key should be provided to CPMS. For more information on this key pair and how to use it, refer to AN1190: Series 2 Secure Debug and AN1247: Anti-Tamper Protection Configuration and Use.
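
A pre-upload guard for the rule stated for both the secure boot key and the command key (only the public half goes to CPMS), added here as an example and not Silicon Labs code. The function names, the constructed sample bytes, and the use of the standard SubjectPublicKeyInfo layout as the acceptance test are assumptions of this sketch.

```python
import base64
import re

# PEM armour: capture the label and the base64 body of each block.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def is_public_key_only(data: bytes) -> bool:
    """True only if data is exactly one SubjectPublicKeyInfo (PEM or DER)."""
    blocks = PEM_RE.findall(data)
    if blocks:
        # Any extra block (e.g. "EC PRIVATE KEY" next to the public key) fails.
        if [label for label, _ in blocks] != [b"PUBLIC KEY"]:
            return False
        try:
            data = base64.b64decode(b"".join(blocks[0][1].split()), validate=True)
        except ValueError:
            return False
    try:
        tag, pos, end = _tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        tags = []
        while pos < end:
            t, _, pos = _tlv(data, pos)
            tags.append(t)
    except ValueError:
        return False
    # SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier SEQUENCE, BIT STRING }.
    # Private-key structures start with a version INTEGER or carry an OCTET STRING.
    return tags == [0x30, 0x03]

# Constructed samples (all-zero key material; only the DER structure is realistic).
SAMPLE_PUB_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)
SAMPLE_PRIV_DER = bytes.fromhex("30250201010420") + bytes(32)

def to_pem(label: str, der: bytes) -> bytes:  # helper to wrap the samples as PEM
    return b"-----BEGIN %b-----\n%b-----END %b-----\n" % (label.encode(), base64.encodebytes(der), label.encode())
```

The check fails closed: a file that bundles a private key with the public key, a private key saved under a public-key label, or anything it cannot parse is rejected.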

OTA Decryption Key

The OTA Decryption Key, also known as the GBL Decryption Key, is used for decrypting GBL payloads used for firmware upgrades. This key will only be required if you enable “require encrypted firmware upgrade files” in the bootloader. Refer to UG489: Silicon Labs Gecko Bootloader User’s Guide for more information. An example of creating a bootloader with encrypted upgrades required is shown in Generating the Bootloader.

On an HSE device, a 16-byte decryption key can be provided to CPMS to be provisioned to the device. On a VSE part, this key can only be provided to CPMS in a token file, like the public sign key used for secure boot on a VSE part.

OTA Decryption Key for VSE Devices

A few additional steps are required to set up a VSE device to use an OTA Decryption Key in CPMS. Refer to Section 7.2 of AN1222 for more information.

  1. Generate the key using the util genkey command.

    commander util genkey --type aes-ccm --outfile aes_key.txt
  2. Once the key is generated, it needs to be written to a place accessible to the bootloader. This key can be placed in either the app properties struct of the GBL, or in the top page of main flash. Only one of these methods needs to be used.

    To write the OTA Decryption key into the Application properties struct of the bootloader project, use the following command.

    commander convert bootloader.hex --aeskey aes_key.txt --outfile bootloader-keys.hex

    Note when using this method:

    • The --aeskey option for the convert command requires Simplicity Commander v1.12.3 or above.

    • The GBL Decryption Key can only be added to the GBL with Application Properties Struct v1.2 or higher (GSDK v4.1.0 or higher).

    • This procedure must be implemented before signing the GBL image for Secure Boot.

    To write the OTA Decryption Key to the top page of flash on a VSE device, use the following command.

    commander flash --tokenfile aes_key.txt