Standard Security Keys

The following sections describe the security keys supported by CPMS.

Important: When using asymmetric key pairs, upload only the public key to the CPMS portal. CPMS programs the public key onto the device. Store the corresponding private key securely and do not share it.

For symmetric keys (for example, AES keys or decryption keys), handle and store the keys according to your security requirements. Upload these keys only when required by the use case.

Silicon Labs strongly recommends generating all keys using robust methods, storing private keys in a managed and protected Hardware Security Module (HSM), and restricting access to authorized personnel.
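A pre-upload check for the public-key-only rule above, as an added example that is not Silicon Labs code: it classifies a key file as public or private and fails closed on anything it does not recognise. It assumes the file holds PEM or DER data; the function names are hypothetical and the sample bytes are constructed, not real keys.

```python
import base64
import re

# PEM armor: label in group 1, base64 body in group 2.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def _der_kind(der: bytes) -> str:
    try:
        outer, start, _ = _tlv(der, 0)
        first, _, first_end = _tlv(der, start)
        if outer == 0x30 and first == 0x02:   # INTEGER version: PKCS#8, SEC1, PKCS#1
            return "private"
        second, _, _ = _tlv(der, first_end)
    except IndexError:
        raise ValueError("truncated DER") from None
    # SubjectPublicKeyInfo: SEQUENCE { SEQUENCE algorithm, BIT STRING key }
    if (outer, first, second) == (0x30, 0x30, 0x03):
        return "public"
    raise ValueError("unrecognised key structure")

def classify_key_file(data: bytes) -> str:
    """Return 'public' or 'private'; raise ValueError for anything else."""
    if b"-----BEGIN" in data:
        if b"PRIVATE KEY" in data:            # any private block fails the file
            return "private"
        bodies = [b for label, b in PEM_RE.findall(data) if label == b"PUBLIC KEY"]
        if len(bodies) != 1:
            raise ValueError("expected exactly one PUBLIC KEY block")
        data = base64.b64decode(bodies[0])
    return _der_kind(data)

# Constructed sample: P-256 SubjectPublicKeyInfo layout with a dummy point.
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200" "04") + b"\x11" * 64
# Constructed sample: SEC1 ECPrivateKey layout with a dummy scalar.
SAMPLE_SEC1 = bytes.fromhex("30250201010420") + b"\x22" * 32
```

Run it over each file before upload and stop unless the result is `public`; a DER-encoded encrypted private key matches neither layout and is rejected with `ValueError`.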

Secure Boot Key

The Secure Boot Key, also known as the public signing key, is used to authenticate the signature of a bootloader or application image.

CPMS accepts this key in .pub, .pem, or .der format. Generate the key as part of a public/private key pair, and provide only the public key to CPMS.

For more information about this key pair, see Series 2 and Series 3 Secure Boot with RTSL.

Command Key

The Command Key is used to disable tamper responses and perform Secure Debug Unlock operations.

CPMS accepts this key in .pub, .pem, or .der format. Generate the key as part of a public/private key pair, and provide only the public key to CPMS.

For more information about this key pair and its usage, see:

OTA Decryption Key

The OTA Decryption Key, also known as the GBL Decryption Key, is used to decrypt the GBL payloads used for firmware upgrades. This key is required only if you enable “require encrypted firmware upgrade files” in the bootloader. Refer to the Silicon Labs Gecko Bootloader User’s Guide for more information. An example of creating a bootloader that requires encrypted upgrades is shown in Generating the Bootloader.

On HSE and Series 3 Secure Vault devices, you can provide a 16-byte decryption key to CPMS for provisioning to the device. On VSE devices, you can provide this key to CPMS only through a token file, similar to the public sign key used for secure boot.

OTA Decryption Key for VSE Devices

A few additional steps are required to set up a VSE device to use an OTA Decryption Key in CPMS. Refer to Key Provisioning in Production Programming of Series 2 and Series 3 Devices for more information.

  1. Generate the key using the util genkey command.

    commander util genkey --type aes-ccm --outfile aes_key.txt
  2. Once the key is generated, write it to a location accessible to the bootloader. The key can be placed either in the app properties struct of the GBL or in the top page of main flash. Only one of these methods needs to be used.

    To write the OTA Decryption key into the Application properties struct of the bootloader project, use the following command.

    commander convert bootloader.hex --aeskey aes_key.txt --outfile bootloader-keys.hex

    Note when using this method:

    • The --aeskey option for the convert command requires Simplicity Commander v1.12.3 or above.

    • The GBL Decryption Key can only be added to the GBL with Application Properties Struct v1.2 or higher (GSDK v4.1.0 or higher).

    • This procedure must be implemented before signing the GBL image for Secure Boot.

    To write the OTA Decryption Key to the top page of flash on a VSE device, use the following command.

    commander flash --tokenfile aes_key.txt