SiWx917 Security Features

Protecting IoT devices against security threats is central to a quality product. Silicon Labs offers several security options on the SiWx917 to help developers build secure devices, secure application software, and secure paths of communication to manage those devices.

The SiWx917 provides the following two core security functions:

  • Secure Boot: Process where the initial boot phase is executed from an immutable memory (such as ROM) and where code is authenticated before being authorized for execution.

  • Encrypted XiP: Process that adds confidentiality when instructions are being executed in place from off-die or off-chip storage.

It is also possible to lock access to the debug ports for operational security, and to unlock them when access is required.

User Assistance

The following table summarizes the key security documents:

| Document | Summary |
|---|---|
| AN1431: SiWx917 SoC Firmware Update Application Note | Describes how to perform SoC firmware updates |
| AN1416: SiWx917 SoC Memory Map Application Note | Describes the SiWx917 SoC memory map |
| AN1439: SiWx917 Hardware Debugging Guidelines | Guidelines for debugging hardware-related issues with SiWx917 |
| AN1428: SiWx917 Debug Lock | How to lock and unlock SiWx917 debug access ports |
| AN1442: SiWx917 SoC Secure Boot with Anti-Rollback Protection | Describes the secure boot and anti-rollback protection processes on SiWx917 |
| UG162: Simplicity Commander Reference Guide | Describes commands available in Simplicity Commander for provisioning eFuses for secure boot and anti-rollback protection |
| UG574: SiWx917 SoC Manufacturing Utility User Guide | Describes steps for provisioning SiWx917 hardware for production |

Key Reference

Secure boot requires the use of cryptographic keys for authenticating firmware before allowing it to run. The following table summarizes the cryptographic keys used for secure boot and their intended purpose:

| Key Identifier | Description | Key Type | Key Size (bits) | Storage | Lifetime |
|---|---|---|---|---|---|
| Master key | Used for decrypting and authenticating keys used by the NWP core | Symmetric, AES | 256 | Intrinsic³ | Permanent |
| Unwrap key | Used for decrypting and authenticating keys used by the M4 core | Symmetric, AES | 256 | Intrinsic³ | Permanent |
| TA public key¹,² | Validates TA firmware | Asymmetric, ECC | 256 | Flash | Permanent |
| TA OTA key² | Encrypt/decrypt TA firmware, generate CMAC MIC | Symmetric, AES | 256 | Flash | Permanent |
| M4 public key¹,² | Validates M4 firmware | Asymmetric, ECC | 256 | Flash | Updateable |
| M4 OTA key² | Encrypt/decrypt M4 firmware, generate CMAC MIC | Symmetric, AES | 256 | Flash | Updateable |

Note:
1. Private keys must be kept secure and should be stored as securely as possible.
2. These keys are wrapped for tamper resistance.
3. Intrinsic keys are generated at runtime using the PUF and a 52-byte key code, stored in flash.

eFuse Reference

Secure boot features in the SiWx917 are controlled by one-time programmable flags, known as eFuses. Because an eFuse cannot be cleared once it has been programmed, eFuses should only be written after development is complete. During development, the same options should be set in the Master Boot Record (MBR) instead. The MBR is stored in flash and contains information such as clock frequencies, the offsets of structures like the eFuse copy, SPI configurations, and external flash details. There are separate MBRs for the TA and M4 cores at the beginning of their respective flash regions. Every SiWx917 IC shipped from the factory carries a default MBR, which the user can update based on the OPN of the particular device. For more information on manipulating the MBR, consult UG574: SiWx917 SoC Manufacturing Utility User Guide.

The eFuse settings relevant to secure boot are summarized in the following table:

| eFuse Name | Description |
|---|---|
| m4_secure_boot_enable | Enables MIC-based validation of M4 firmware images before executing |
| m4_anti_roll_back | Enables anti-rollback protection for the M4 firmware |
| m4_digital_signature_validation | Enables authentication of M4 firmware before executing |
| ta_secure_boot_enable | Enables MIC-based validation of the TA firmware before executing |
| ta_anti_roll_back | Enables anti-rollback protection for the TA firmware |
| ta_digital_signature_validation | Enables authentication of TA firmware before executing |
| disable_m4_jtag | Locks the JTAG port of the M4 core |
| disable_ta_jtag | Locks the JTAG port of the TA core |
| safe_upgrade_frm_host | Enables failsafe upgrade mode. Firmware updates do not overwrite existing firmware until they have been authenticated. |
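As an added example (not Silicon Labs code), the following Python models how the checks behind the eFuse table gate an M4 firmware image: the MIC check (m4_secure_boot_enable), the version floor (m4_anti_roll_back) and staged installation (safe_upgrade_frm_host). The image layout, the use of HMAC-SHA256 from the standard library in place of the device's AES-CMAC MIC, and the eFuse flags as plain booleans are assumptions for illustration; the ECC signature check behind m4_digital_signature_validation is not modelled.

```python
import hashlib
import hmac
import struct

MIC_LEN = 32  # HMAC-SHA256 tag; a stdlib stand-in for the device's AES-CMAC MIC (assumption)

def make_image(ota_key: bytes, version: int, payload: bytes) -> bytes:
    """Constructed image layout (assumed, not the SiWx917 format):
    4-byte little-endian version || payload || MIC over both."""
    body = struct.pack("<I", version) + payload
    return body + hmac.new(ota_key, body, hashlib.sha256).digest()

def verify_image(ota_key: bytes, image: bytes, efuse: dict, min_version: int):
    """Boot-time checks, each gated by the eFuse flag of the same name. Returns (accepted, reason)."""
    if len(image) < 4 + MIC_LEN:
        return False, "truncated image"
    body, mic = image[:-MIC_LEN], image[-MIC_LEN:]
    version = struct.unpack("<I", body[:4])[0]
    if efuse.get("m4_secure_boot_enable"):
        expected = hmac.new(ota_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(mic, expected):  # constant-time comparison
            return False, "MIC mismatch"
    if efuse.get("m4_anti_roll_back") and version < min_version:
        return False, f"rollback rejected: version {version} < {min_version}"
    return True, f"accepted version {version}"

def update_from_host(slots: dict, new_image: bytes, ota_key: bytes, efuse: dict):
    """Model of safe_upgrade_frm_host: with the fuse set, the image is checked in a staging
    slot before it replaces the active firmware; without it, the active slot is overwritten first."""
    if efuse.get("safe_upgrade_frm_host"):
        slots["staging"] = new_image
        ok, reason = verify_image(ota_key, new_image, efuse, slots["min_version"])
        if not ok:
            return False, reason  # active firmware untouched
    slots["active"] = new_image
    ok, reason = verify_image(ota_key, new_image, efuse, slots["min_version"])
    if ok:  # the anti-rollback floor advances only on an accepted image
        slots["min_version"] = max(slots["min_version"], struct.unpack("<I", new_image[:4])[0])
    return ok, reason

if __name__ == "__main__":
    key = bytes(range(32))  # constructed 256-bit OTA key, not a real provisioning value
    fuses = {"m4_secure_boot_enable": True, "m4_anti_roll_back": True, "safe_upgrade_frm_host": True}
    slots = {"active": make_image(key, 5, b"fw v5"), "staging": b"", "min_version": 5}
    print(update_from_host(slots, make_image(key, 4, b"fw v4"), key, fuses))  # rollback rejected
    good = make_image(key, 6, b"fw v6")
    print(update_from_host(slots, good[:-1] + bytes([good[-1] ^ 1]), key, fuses))  # MIC mismatch
    print(update_from_host(slots, good, key, fuses))  # accepted, active slot now version 6
```

With the safe-upgrade fuse cleared, the same tampered image replaces the active slot before it is rejected, which is the failure mode the fuse exists to prevent.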