Security Features#
SiWx917 offers best-in-class features to help secure your low-cost wireless product. Some of these features are interrelated and have overlapping configuration steps. Silicon Labs offers documentation on these features to aid developers integrating SiWx917’s security features into their product. The following table summarizes documentation available for these features:
Document | Summary |
|---|---|
Describes how to perform SoC firmware updates | |
Describes the SiWG917 SoC Memory Map | |
Guidelines for debugging hardware relate issues with SiWx917 | |
How to lock and unlock SiWx917 debug access ports | |
AN1442: SiWx917 SoC Secure Boot with Anti-Rollback Protection | Describes the secure boot and anti-rollback protection processes on SiWx917 |
AN1443: Si917 Encrypted Execute in Place | Describes the encrypted execute in place (XiP) capabilities of the SiWx917 |
Describes commands available in Simplicity Commander for activating PUF and provisioning the intrinsic device keys for XiP |
Key Reference#
Encrypted XiP involves device-internal intrinsic keys and the use of public keys for authenticating firmware before allowing it to run. The following table summarizes the cryptographic keys used for secure boot and their intended purpose:
Key Type | Description | Key Type | Key size (bits) | Storage | Lifetime |
|---|---|---|---|---|---|
Master key | Used for decrypting and authenticating keys used by the NWP core | Symmetric, AES | 256 | Intrinsic (2) | Permanent |
Unwrap key | Used for decrypting and authenticating keys used by the M4 core | Symmetric, AES | 256 | Intrinsic (2) | Permanent |
TA OTA key (1) | Used to Encrypt/decrypt TA firmware OTA updates, generate CMAC MIC | Symmetric, AES | 256 | Flash | Permanent |
TA OTA key (1) | Encrypt/decrypt M4 firmware OTA updates, gener-ate CMAC MIC | Symmetric, AES | 256 | Flash | Permanent |
TA FW key1, TA FW key2 | Encrypt/decrypt NWP firmware during XiP | Symmetric, AES | 128/256 | Updatable | Flash |
M4 FW key1, M4 FW key2 | Encrypt/decrypt NWP firmware during XiP | Symmetric, AES | 128/256 | Updatable | Flash |
Note:
These keys are wrapped for tamper resistance.
Intrinsic keys are generated at runtime using the PUF and a 52-byte key code, stored in Flash.
eFuse Reference#
Encrypted XiP is configured in the SiWx917 by modifying flags, known as MBR flags. The following table lists the settings required to enable Encrypted XiP:
| eFuse Name | Description |
|---|---|
m4_encrypt_firmware | 0: Disables encrypted XiP firmware on the m4 core. 1: Enables encrypted XiP firmware on the m4 core. |
m4_fw_encryption_mode | 1: Configures encrypted XiP in AES-CTR mode on the M4 core. 2: Configures encrypted XiP in AES-XTS mode on the M4 core. |
ta_fw_encryption_mode | Enables and sets encryption mode on the NWP core. 0: Disables encrypted XiP on the NWP core. 1: Enables encrypted XiP in AES-CTR mode on the NWP core. 2: Enables encrypted XiP in AES-XTS mode on the NWP core. |
m4_secure_boot_enable | 1: Enable M4 secure boot if encrypted XiP is required on M4. |
ta_secure_boot_enable | 1: Enable NWP secure boot if encrypted XiP is required on NWP. |
Minimum Wireless Pro Kit Firmware Version#
SiWx917 is supported on Wireless Pro Kit (WPK) Mainboards after firmware version 1v5p0b240 and later. When using SiWx917 on Silicon Labs' WPK, ensure your adapter firmware is up to date by consulting this "How to Update" guide on community.silabs.com.