Series 3 Device Security Features
Protecting IoT devices against security threats is central to a quality product. Silicon Labs offers several security options to help developers build secure devices, secure application software, and secure paths of communication to manage those devices. Silicon Labs' security offerings were significantly enhanced by the introduction of the Series 2 products that included a Secure Engine. Series 3 products continue to include and expand upon existing Secure Engine technology. The Secure Engine is a tamper-resistant component used to securely store sensitive data and keys and to execute cryptographic functions and secure services.
User Assistance
In support of these products, we offer the following essential documentation:
| Document | Summary | Applicability |
|---|---|---|
| | How to lock and unlock Series 2 debug access, including background information about the SE | Series 3 |
| | Describes the secure boot process on Series 2 devices using SE | Series 3 |
| | How to program, provision, and configure security information using SE during device production | Series 3 |
| | How to program, provision, and configure the anti-tamper module | Series 3 |
| AN1268: Authenticating Silicon Labs Devices using Device Certificates | How to authenticate a device using secure device certificates and signatures, at any time during the life of the product | Series 3 |
| | How to securely "wrap" keys so they can be stored in non-volatile storage. | Series 3 |
Note: Documents in the above table were written for Series 2 devices and will be updated for Series 3.
Key Reference
Silicon Labs security implementations use asymmetric key pairs and symmetric keys. The table below clarifies key names, applicability, and relevant documentation.
| Key Name | Customer Programmed | Purpose | Used in |
|---|---|---|---|
| Public Sign key (Public Sign Key) | Yes | Secure Boot binary authentication and/or OTA upgrade payload authentication | AN1218 (primary), AN1222 |
| Public Command key (Public Command Key) | Yes | Secure Debug Unlock or Disable Tamper command authentication | AN1190 (primary), AN1222, AN1247 |
| OTA Decryption key (GBL Decryption key) | Yes | Decrypting GBL payloads used for firmware upgrades | AN1222 (primary), UG266/UG489 |
| Attestation key (Private Device Key) | No | Device authentication for secure identity | AN1268 |
| Authenticated eXecute in Place (AXiP) Key | No | Authentication and encryption/decryption key for AXiP | AN1509 |
| Encrypted eXecute in Place (EXiP) key | No | Encryption/decryption key for EXiP | AN1509 |
SE Firmware
We strongly recommend installing the latest SE firmware on Series 3 devices to support the required security features. Refer to Example 3.6 for the procedure to upgrade the SE firmware and UG103.05 for the latest SE Firmware shipped with Series 3 devices and modules.
Acronyms Used in this Document
| Acronym | Meaning |
|---|---|
| AXiP | Authenticated execute in-Place |
| DCI | Debug Challenge Interface |
| DFA | Differential Fault Analysis |
| DPA | Differential Power Analysis |
| ECC | Elliptic Curve Cryptography |
| OTP | One-time programmable |
| SE | Secure Engine |