• AVR Freaks

Hot!Secureboot in ATECC608A - Compatible devices?

New Member
  • Total Posts : 1
  • Reward points : 0
  • Joined: 2020/08/26 06:52:27
  • Location: 0
  • Status: offline
2020/08/26 23:25:23 (permalink)

Secureboot in ATECC608A - Compatible devices?

Is there a list with devices compatible with the secureboot? As far as I know the secureboot process is not standarized for embedded systems and I did not found a list of compatible devices.

2 Replies Related Threads

    New Member
    • Total Posts : 5
    • Reward points : 0
    • Joined: 2020/07/13 04:59:29
    • Location: 0
    • Status: offline
    Re: Secureboot in ATECC608A - Compatible devices? 2020/09/12 03:04:22 (permalink)
    5 (1)
    I'm not aware of any such list.
    lists the "SAMD21" device.
    In theory, what your device needs as a minimum requirement is the possibility to start from a trusted boot loader. This boot loader could be written to a ROM so it can't be changed by any attacker, or it could use some other means of authentication. The boot loader will use the ATECC to verify the next boot stage.
    How you ensure that the ROM isn't replaced is another matter. Some SoCs may have some built-in ROM (e.g. the SAMD21). Or you can use physical measures to make it really hard to replace the ROM.
    Other devices like ESP32 or I.MX bring their own secure boot mechanism, but those could be coupled with the ATECC. Might be a silly idea though.
    I don't know if any of these devices/procedures are actually secure. You'll have to judge for yourself. Nothing is unhackable; better assume the worst and prepare for consequences now :-)
    New Member
    • Total Posts : 6
    • Reward points : 0
    • Joined: 2018/01/05 10:37:02
    • Location: www.scotteffx.com
    • Status: offline
    Re: Secureboot in ATECC608A - Compatible devices? 2020/09/27 08:01:59 (permalink)
    Any device with I2C can use the secure boot. Best to use Harmony for I2C and the SHA256 hash performed in your custom bootloader. You will need to write your own set of state engines for communicating with the ATECC608A, in order to provision it with a public key during manufacturing, or else use the Microchip Trust suite. Then, during boot all you do is SHA256 hash your application code (using Harmony) write the hash and the (Factory) signed hash to the ATECC608A, and wait for the ATECC to verify whether the 32 byte hash is correct. If it is correct then jump to the application code. 
    All that code takes some space, and my latest bootloader takes up 25% of the program flash for a 795MX device, although it performs functions besides secure boot.
    Jump to:
    © 2020 APG vNext Commercial Version 4.5