Series 3 Security Features#
Protecting IoT devices against security threats is central to a quality product. Silicon Labs offers several security options to help devel- opers build secure devices, secure application software, and secure paths of communication to manage those devices. Silicon Labs' security offerings were significantly enhanced by the introduction of the Secure Engine on Series 2 products. Series 3 products contin- ue to include and expand upon existing Secure Engine Technology The Secure Engine is a tamper-resistant component used to se- curely store sensitive data and keys and to execute cryptographic functions and secure services.
User Assistance#
In support of these products Silicon Labs offers the following application notes:
Document | Summary | Applicability |
|---|---|---|
How to lock and unlock Series 2 debug access, including background information about the SE | Secure Vault Mid and High | |
Describes the secure boot process on Series 2 devices using SE | Secure Vault Mid and High | |
How to program, provision, and configure security information using SE during device production | Secure Vault Mid and High | |
AN1247: Anti-Tamper Protection Configuration and Use (this document) | How to program, provision, and configure the anti-tamper module | Secure Vault High |
AN1268: Authenticating Silicon Labs Devices using Device Certificates | How to authenticate a device using secure device certificates and signatures, at any time during the life of the product | Secure Vault High |
How to securely "wrap" keys so they can be stored in non-volatile storage. | Secure Vault High |
Key Reference#
Silicon Labs security implementations use asymmetric key pairs and symmetric keys. The table below clarifies key names, applicability, and relevant documentation.
Key Name | Customer Programmed | Purpose | Used in |
|---|---|---|---|
Public Sign key | Yes | Secure Boot binary authentication and/or OTA upgrade payload authentication | AN1218 (primary), AN1222 |
Public Command key | Yes | Secure Debug Unlock or Disable Tamper command authentication | AN1190 (primary), AN1222, AN1247 |
OTA Decryption key (or GBL Decryption key) | Yes | Decrypting GBL payloads used for firmware upgrades | AN1222 (primary), UG266/UG489 |
Attestation key aka Private Device Key | No | Device authentication for secure identity | AN1268 |
AXiP Key | No | Used on Series 3 devices for encryption/decryption and authentication of firmware placed in flash | AN1509 |
EXiP Key | No | Used on Series 3 devices for encryption/decryption of firmware placed in flash | AN1509 |