
Secure Your World with Security-Focused MCUs


With the rapid expansion of 5G cellular networks and growing cloud computing infrastructure, developers of networking and data center equipment are looking for new ways to ensure that platform firmware and operating systems remain uncompromised. Security threats are growing in frequency, in the range of devices they target, in sophistication and in the cost of a successful attack. In today’s interconnected world, strong security within a product or system is becoming a standard requirement. You need to design robust, connected and secure systems to stay one step ahead of attackers and prevent theft of software, hardware, intellectual property, data and communications services.

The CEC1302, CEC1702 and CEC1712 are full-featured 32-bit Arm® Cortex®-M4-based microcontrollers (MCUs) that enable secure boot of system firmware: they provide an immutable identity and a hardware root of trust that verifies the firmware has not been modified or corrupted before it is allowed to run. These devices can be used as stand-alone MCUs while also providing easy-to-use firmware authentication, with flexible pre-provisioning of public keys and customer-specific data to minimize your risk.

CEC1712

  • Provides in-field security and firmware updates with key revocation and code roll-back protection
  • Complies with the NIST SP 800-193 guidelines: protects against, detects and recovers from firmware corruption for complete platform firmware resiliency

CEC1302

  • Ensures firmware is untouched and uncorrupted with a quick pre-boot authentication of the system firmware
  • Protects the system from malicious or corrupted images by authenticating firmware updates before they are applied

CEC1702

  • Reduces compute time with the hardware cryptographic cipher suite
  • Protects secrets with encryption
  • Validates firmware has been digitally signed and untouched using public key cryptography

Soteria Custom Firmware


  • Designed to be used in conjunction with the CEC1702 and CEC1712
  • Speeds adoption and implementation of a secure pre-boot platform
  • Simplifies code development and reduces risk

According to leaders in the industry, the pre-boot environment has come under attack via rootkits and bootkits. These attacks are insidious because they run before the operating system loads, so neither the operating system nor anti-virus software can detect them. Secure boot is a security mechanism that protects the pre-boot firmware environment against such attacks.

Soteria is highly configurable custom firmware that runs on CEC17x2 devices to provide a complete platform to establish a chain of trust for platform firmware resiliency. Soteria-G1 runs on the CEC1702Q-S1 and Soteria-G2 runs on the CEC1712Q-S2. The Soteria solution is designed to work with virtually any application processor that meets two criteria:

  1. The application processor can be held in reset, and
  2. The application processor loads its first code from SPI-Flash

The Soteria secure boot firmware provides a platform firmware resiliency solution that meets the NIST SP 800-193 guidelines. It uses the immutable secure bootloader implemented in CEC1702/CEC1712 ROM as the system Root of Trust (RoT). The secure bootloader loads the Soteria firmware from the external SPI Flash, decrypts it (if it was stored encrypted) and authenticates it. The validated CEC1702/CEC1712 code then authenticates the application processor firmware in the same SPI Flash. Up to three additional SPI Flash components can be supported.

Soteria prevents the system from booting unless the application host’s firmware stored in the external SPI Flash is authentic code signed by the OEM. It authenticates, and optionally decrypts, the image stored in the external SPI Flash device.

The application processor can utilize the crypto resources in the CEC1702/CEC1712 to authenticate other code in the system, thereby extending the chain of trust to ensure that all code running in the system is authorized. Soteria uses the same mechanisms to ensure that platforms only perform secure firmware updates.

By design, Soteria can be either a simple black-box secure boot solution or customizable firmware that provides secure boot, extended security features and runtime secure commands via a host interface.

Soteria is available under a Signed License Agreement (SLA). Contact a Microchip sales representative or authorized worldwide distributor to execute the SLA.

Security Capabilities


The CEC1x02 device family provides a variety of robust hardware-based crypto algorithms to meet your protection needs.

What is Secure Boot?

Everybody today is worried about security, and the market is moving to authenticated boot as a way to protect the overall system. One of the worries is that when you try to boot your system, it will not behave as expected because someone has compromised it.

One solution being adopted is secure boot, which ensures the integrity of the software running on a platform. We provide secure boot capabilities that authenticate the embedded firmware before the system boots. Secure boot relies on public/private key pairs: the OEM signs the code with a private key, and the device verifies the digital signature with the corresponding public key before the code is executed. This confirms that only the code you intend to be loaded is loaded and used, protecting your system from malicious code. Every time you boot the machine, you can expect it to run exactly the code you approved.

What Is Key Revocation?

Key revocation allows public/private key pairs used for authentication to be permanently retired. This may be used as a preemptive measure for aging keys, or as a defense if a private key is compromised, which would otherwise allow an unauthorized party to sign altered code images. Key revocation is a simple method for preventing code signed by a specific key from being accepted by the system. The system must be provisioned with multiple keys to use the key revocation feature, since revoking the only key would leave no key to boot with.

What Is Code Roll-Back Protection?

Code roll-back protection prevents an older image, typically one with a known vulnerability that a later update fixed, from being loaded again even though it still carries a valid signature. It is enforced through the secure update process, which records the version of the accepted image (for example in a monotonic counter) and rejects any image with a lower version.
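The boot-time checks described under Secure Boot, Key Revocation and Code Roll-Back Protection above, together with the Soteria behaviour of holding the application processor in reset until its SPI Flash image has been authenticated, as an added example in Go that is not Microchip’s or Soteria’s code. It models a root of trust with four public-key slots, an OTP-style revocation bit per slot and a monotonic version counter; the image header layout, the slot count, the error names and the choice of ECDSA-P256 over SHA-256 (the CEC1702 column of the capability table) are assumptions made for the example, not the CEC17x2 image format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image header layout assumed for this example (not the CEC17x2/Soteria format):
//   magic "IMG1" (4) | version (4, big-endian) | key slot (1) | payload (n)
// The ECDSA-P256 signature covers SHA-256 over all of the above.
const magic = "IMG1"
const keySlots = 4

// Image is a firmware image as read from the external SPI Flash.
type Image struct {
	Version uint32 // anti-rollback version, protected by the signature
	KeyID   uint8  // which public-key slot signed this image
	Payload []byte
	Sig     []byte // ASN.1 DER encoded ECDSA signature
}

// Device models the immutable state the root of trust consults at boot.
// On the real part the key hashes and revocation bits live in OTP.
type Device struct {
	Keys       [keySlots]*ecdsa.PublicKey
	Revoked    uint8  // one bit per slot; a set bit can never be cleared
	MinVersion uint32 // monotonic counter: lowest image version still allowed
}

var (
	ErrBadKeyID = errors.New("key slot out of range or not provisioned")
	ErrRevoked  = errors.New("image signed with a revoked key")
	ErrBadSig   = errors.New("signature does not verify")
	ErrRollback = errors.New("image version below the monotonic counter")
)

// NewSigner generates an OEM signing key (kept in the OEM's HSM in practice).
func NewSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedBytes serialises exactly the fields the signature protects.
func (img *Image) signedBytes() []byte {
	buf := make([]byte, 0, 9+len(img.Payload))
	buf = append(buf, magic...)
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], img.Version)
	buf = append(buf, v[:]...)
	buf = append(buf, img.KeyID)
	return append(buf, img.Payload...)
}

// Sign is the OEM build step: hash header and payload, sign with the slot key.
func Sign(priv *ecdsa.PrivateKey, img *Image) error {
	digest := sha256.Sum256(img.signedBytes())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	img.Sig = sig
	return nil
}

// VerifyBoot is the pre-boot check. The application processor stays in reset
// until this returns nil; any error leaves it held there.
func (d *Device) VerifyBoot(img *Image) error {
	if int(img.KeyID) >= keySlots || d.Keys[img.KeyID] == nil {
		return ErrBadKeyID
	}
	if d.Revoked&(1<<img.KeyID) != 0 {
		return ErrRevoked
	}
	digest := sha256.Sum256(img.signedBytes())
	if !ecdsa.VerifyASN1(d.Keys[img.KeyID], digest[:], img.Sig) {
		return ErrBadSig
	}
	// The version field is only trusted once the signature has checked out.
	if img.Version < d.MinVersion {
		return ErrRollback
	}
	return nil
}

// CommitUpdate is the secure-update path: an update passes the same checks as
// boot, and a newer version ratchets the counter forward (never backward).
func (d *Device) CommitUpdate(img *Image) error {
	if err := d.VerifyBoot(img); err != nil {
		return err
	}
	if img.Version > d.MinVersion {
		d.MinVersion = img.Version
	}
	return nil
}

// RevokeKey blows the OTP bit for a slot; there is deliberately no UnrevokeKey.
func (d *Device) RevokeKey(id uint8) { d.Revoked |= 1 << id }

func main() {
	k0, _ := NewSigner()
	k1, _ := NewSigner()
	dev := &Device{MinVersion: 1}
	dev.Keys[0], dev.Keys[1] = &k0.PublicKey, &k1.PublicKey

	img := &Image{Version: 1, KeyID: 0, Payload: []byte("host firmware v1 (constructed)")}
	_ = Sign(k0, img)
	fmt.Println("boot v1:", dev.VerifyBoot(img)) // <nil>
	img.Payload[0] ^= 0x01                       // flip one bit in flash
	fmt.Println("tampered:", dev.VerifyBoot(img)) // signature does not verify
	img.Payload[0] ^= 0x01

	upd := &Image{Version: 2, KeyID: 1, Payload: []byte("host firmware v2 (constructed)")}
	_ = Sign(k1, upd)
	fmt.Println("update v2:", dev.CommitUpdate(upd))  // <nil>, counter is now 2
	fmt.Println("old v1 again:", dev.VerifyBoot(img)) // image version below the monotonic counter
	dev.RevokeKey(1)                                  // key 1 leaked: retire it
	fmt.Println("v2 after revoke:", dev.VerifyBoot(upd)) // image signed with a revoked key
}
```

The order of checks matters: the slot lookup and revocation bit are cheap and use only immutable state, the signature is verified next, and the version field is compared against the counter only after the signature proves it came from the OEM. Revocation without a second provisioned key would brick the device, which is why the page requires multiple keys.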

Which Crypto Curves Are Supported?


The supported cryptographic algorithms include AES-256, SHA-512, RSA-4096, ECDSA, Curve25519 and Ed25519, backed by a True Random Number Generator and a hardware Public Key Engine (PKE). The supported elliptic curves and key sizes depend on the device; see the table below.

Crypto Parametrics              | CEC1302                            | CEC1702                                                            | CEC1712
--------------------------------+------------------------------------+--------------------------------------------------------------------+--------------------------------------------------------------------
Symmetric Encryption            | AES-128, AES-192 and AES-256; modes: ECB, CBC, OFB, CFB, CTR (all three devices)
Hashing                         | SHA-1, SHA-256                     | SHA-1, SHA-256, SHA-384, SHA-512                                   | SHA-1, SHA-256, SHA-384, SHA-512
Public Key Engine (PKE): RSA    | RSA-512 to RSA-2048                | RSA-1024 to RSA-4096                                               | RSA-1024 to RSA-4096
PKE: ECC                        | Keys from 160 to 256 bits in GF(p) | 192 to 521 bits in GF(p); 160 to 571 bits in GF(2^m); Curve25519   | 192 to 521 bits in GF(p); 160 to 571 bits in GF(2^m); Curve25519
PKE: DSA                        | No                                 | ECDSA, EC-KCDSA, Ed25519                                           | ECDSA, EC-KCDSA, Ed25519
PKE: Other                      | No                                 | Miller-Rabin primality testing; modular arithmetic primitives      | Miller-Rabin primality testing; modular arithmetic primitives
Random Number Generator         | True RNG with 1K FIFO for pre-calculation (all three devices)
Monotonic Counter               | No                                 | Yes                                                                | Yes
User Programmable OTP           | 500 bits                           | 2.5 Kbits                                                          | 4 Kbits
Field Programmable              | No                                 | Yes                                                                | Yes
Memory Protection Unit          | No                                 | Yes                                                                | Yes
Secure Boot: Integrity          | SHA-256                            | SHA-256                                                            | SHA-384
Secure Boot: Authentication     | No                                 | ECDSA-P256                                                         | ECDSA-P384
Secure Boot: Encryption (opt.)  | No                                 | ECDH-P256/AES-256                                                  | ECDH-P384/AES-256
Attestation: DICE               | No                                 | 1st mutable code in ROM                                            | 1st mutable code in ROM
Attestation: UDI                | No                                 | Factory provisioned (optional)                                     | Factory provisioned (optional)
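The optional image encryption listed in the table (ECDH-P256 with AES-256 on the CEC1702) and the “authenticate and optionally decrypt” step described for Soteria, as an added example in Go that is not Microchip’s or Soteria’s code. The wrapping scheme is an assumption made for the example, not the Soteria format: the OEM build tool generates a fresh ephemeral P-256 key, runs ECDH against the device’s factory-provisioned public key, derives the AES-256 key from the shared secret with SHA-256 and a label, and encrypts the payload in CTR mode (one of the modes in the table). The field names, the label string and the header framing are likewise assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedImage is the framing assumed for this example (not the Soteria format).
type EncryptedImage struct {
	OEMEphemeral []byte // OEM's ephemeral P-256 public key, uncompressed SEC1 (65 bytes), in the clear
	IV           []byte // 16-byte CTR nonce
	Ciphertext   []byte // AES-256-CTR encrypted host firmware
}

const kdfLabel = "cec-image-wrap-v1" // context label for the KDF; assumed

// NewDeviceKey stands in for the per-device key provisioned at the factory.
func NewDeviceKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// deriveKey turns the raw ECDH shared secret into a 256-bit AES key.
func deriveKey(shared []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(kdfLabel))
	return h.Sum(nil) // 32 bytes: AES-256
}

// Encrypt is the OEM side: only a device holding the matching private key can
// recover the AES key, so the image is useless on any other hardware.
func Encrypt(devicePub *ecdh.PublicKey, plaintext []byte) (*EncryptedImage, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(devicePub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return &EncryptedImage{OEMEphemeral: eph.PublicKey().Bytes(), IV: iv, Ciphertext: ct}, nil
}

// Decrypt is the device side, run by the secure bootloader only after the
// image signature (which must cover OEMEphemeral, IV and Ciphertext) has
// verified. CTR mode has no integrity of its own: a tampered ciphertext
// decrypts silently to garbage, and only the signature check catches it.
func Decrypt(devicePriv *ecdh.PrivateKey, img *EncryptedImage) ([]byte, error) {
	if len(img.IV) != aes.BlockSize {
		return nil, errors.New("bad IV length")
	}
	// NewPublicKey rejects encodings that are not a valid point on P-256.
	pub, err := ecdh.P256().NewPublicKey(img.OEMEphemeral)
	if err != nil {
		return nil, fmt.Errorf("ephemeral key: %w", err)
	}
	shared, err := devicePriv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(img.Ciphertext))
	cipher.NewCTR(block, img.IV).XORKeyStream(pt, img.Ciphertext)
	return pt, nil
}

func main() {
	dev, _ := NewDeviceKey()
	other, _ := NewDeviceKey()
	img, _ := Encrypt(dev.PublicKey(), []byte("host firmware image (constructed)"))
	pt, _ := Decrypt(dev, img)
	fmt.Printf("provisioned device: %q\n", pt)
	wrong, _ := Decrypt(other, img) // a different device recovers nothing useful
	fmt.Printf("other device:       %q\n", wrong)
	img.OEMEphemeral[1] ^= 0xff // corrupt the header point
	_, err := Decrypt(dev, img)
	fmt.Println("corrupted header:", err)
}
```

Decryption is the last step, not a substitute for authentication: the OEM signature is verified over the encrypted image first, and the plaintext is only produced for an image that has already been proven authentic and current.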

Development Tools


Clicker 2 for CEC1302

Part Number: TMIK044

Whether loading code from a private or shared SPI Flash device, the CEC1302 cryptographic engine establishes a hardware-based root of trust, one that is not easily defeated by physically replacing the flash device, before each boot of the host processor. Before the code loaded from the SPI Flash device is executed, the CEC1302 validates it using a digital signature encoded according to PKCS #1. The signature uses RSA-2048 with SHA-256 hashing, providing automated detection of invalid code resulting from malicious or accidental corruption.

CEC1x02 Development Board

Part Number: DM990013

The board ships with a CEC1702 Plug-in Module (PIM). The CEC1702 is a full-featured Arm® Cortex®-M4F-based microcontroller with a complete set of hardware cryptography accelerators in a single package. It can be used as a secure boot device for application processors and can also be used as the sole standalone MCU in embedded applications.

CEC1702 IoT Development Kit

Part Number: DM990013-BNDL

Easily incorporate security into designs with the CEC1702 IoT Development Kit, a Microsoft®-certified Azure IoT Starter Kit with DICE support for fast development.

CEC1702Q-B2 Plug-in Module (PIM)

Part Number: MA990004

The CEC1702Q-B2 PIM is included with the CEC1x02 Development Board and CEC1702 IoT Development Kit. It allows you to evaluate the CEC1702 and program its One-Time-Programmable (OTP) memory.

MPLAB® XC Compilers

MPLAB XC32/32++

Provides a comprehensive solution for your project’s software development and is offered as a free, unrestricted-use download.

When combined with Microchip’s award-winning, free integrated development environment, MPLAB X IDE, the full graphical frontend provides:

  • Editing errors and breakpoints that match corresponding lines in the source code
  • Single stepping through C and C++ (C++ only available in MPLAB XC32++ compilers) source code to inspect variables and structures at critical points
  • Data structures with defined data types, including floating point, display in watch windows

MPLAB PICkit™ 4 In-Circuit Debugger

Part Number: PG164140

The MPLAB PICkit 4 In-Circuit Debugger/Programmer allows fast and easy debugging and programming of PIC®, CEC and dsPIC® Flash microcontrollers, using the powerful graphical user interface of MPLAB X Integrated Development Environment (IDE), version 4.15.

Featuring a powerful, 32-bit, 300 MHz SAM E70 MCU, the MPLAB PICkit 4 offers significantly faster programming speeds than its predecessor.

MPLAB ICD 4 In-Circuit Debugger

Part Number: DV164045

The MPLAB ICD 4 In-Circuit Debugger is Microchip’s fastest cost-effective debugging and programming tool for PIC and CEC microcontrollers (MCUs) and dsPIC Digital Signal Controllers (DSCs).

  • Debugs and programs with the powerful, yet easy-to-use graphical user interface of MPLAB X Integrated Development Environment (IDE)
  • Debugs applications on your own hardware in real time

Documentation

  • AN2402 - PCB Layout Guide for CEC1702
  • Security Products - Glossary of Terms
  • CEC1x02 Sell Sheet
  • CEC1702 - Cryptographic Embedded Controller - Data Sheet
  • CEC1302 Data Sheet
  • CEC1702 Silicon Errata and Data Sheet Clarification
  • CEC1302 Crypto API User’s Guide
  • CEC/MEC Family Devices ROM API User’s Guide
  • CEC1x02 Development Board User’s Guide
  • CEC1302 Peripheral Interface User’s Guide
  • CEC1302 Addendum
  • CEC1702 Quick Start Guide
  • CEC1702 Efuse Generator Tool User’s Guide
  • Azure IoT SDK w/ DICE on CEC1702 IoT Development Kit - build 800