How to: permanently securing the Lyra device

Answer

Description: 

The First Stage Bootloader Checker needs the Silicon Labs public key to verify the First Stage Bootloader. This key was already burned into the ROM of the device at the factory.

However, the First and Second Stage Bootloaders require the final product public key to verify the signature of any signed firmware images. This public key can be found in the files signing-key.pub and signing-key-tokens.txt. This key needs to be flashed into the device by the final product maker.

The commands below will permanently make your device secure. However, the device will then always require future software updates to be signed with the exact same private signing key.

You may want to skip this step, knowing that you are preventing the device from having a complete Chain-of-Trust. Without the key stored in OTP memory, the First Stage Bootloader will not check the signature of future Second Stage Bootloader images. This will allow you to reuse the chip in future projects by erasing the full device along with the final product public key stored in flash.

If you choose to complete this section, you will need to use the same private key to sign future Second Stage Bootloader, Apploader and Application images.
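
Because the OTP write below is irrevocable, it is worth confirming first that signing-key.pub and signing-key-tokens.txt describe the same, valid key. The following pre-flight check is an added example, not part of the original article or of Silicon Labs tooling; it assumes an ECDSA P-256 key in PEM form and a token file with `..._X:` / `..._Y:` big-endian hex lines (the token names shown are assumed), and its sample values are constructed from the curve's base point.

```python
import base64, hashlib, re

# DER header of an uncompressed P-256 SubjectPublicKeyInfo; X || Y (64 bytes) follow.
SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d03010703420004")
P = 2**256 - 2**224 + 2**192 + 2**96 - 1  # P-256 field prime
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B  # curve constant b

def pem_point(pem_text):
    """Return (x, y) from a PEM 'PUBLIC KEY' block holding an uncompressed P-256 key."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM public key block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if len(der) != 91 or not der.startswith(SPKI_PREFIX):
        raise ValueError("not an uncompressed P-256 SubjectPublicKeyInfo")
    return int.from_bytes(der[27:59], "big"), int.from_bytes(der[59:], "big")

def token_point(token_text):
    """Return (x, y) from the token file (assumed '<NAME>_X: hex' / '<NAME>_Y: hex' lines)."""
    vals = dict(re.findall(r"^\s*\w*_([XY])\s*:\s*([0-9A-Fa-f]{64})\s*$", token_text, re.M))
    if set(vals) != {"X", "Y"}:
        raise ValueError("token file must carry one X and one Y coordinate")
    return int(vals["X"], 16), int(vals["Y"], 16)

def preflight(pem_text, token_text):
    """Raise unless both files describe the same valid curve point; return its fingerprint."""
    x, y = pem_point(pem_text)
    if not (0 < x < P and 0 < y < P and (y * y - (x * x * x - 3 * x + B)) % P == 0):
        raise ValueError("public key is not a point on P-256")
    if (x, y) != token_point(token_text):
        raise ValueError("signing-key.pub and signing-key-tokens.txt disagree")
    return hashlib.sha256(x.to_bytes(32, "big") + y.to_bytes(32, "big")).hexdigest()

# Constructed sample: the P-256 base point stands in for a real signing key.
GX = "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
GY = "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SPKI_PREFIX + bytes.fromhex(GX + GY)).decode()
              + "\n-----END PUBLIC KEY-----\n")
SAMPLE_TOKENS = f"MFG_SIGNED_BOOTLOADER_KEY_X: {GX}\nMFG_SIGNED_BOOTLOADER_KEY_Y: {GY}\n"

if __name__ == "__main__":
    print("fingerprint:", preflight(SAMPLE_PEM, SAMPLE_TOKENS))
```

Recording the returned fingerprint alongside the backed-up private key gives a reference for identifying, later on, which key a given device was provisioned with.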

  1. To flash the public key to the OTP, run the following command. Type "Continue" to confirm that this step is irrevocable:

    commander security writekey --sign signing-key.pub --device EFR32BG22C224F512IM40

  2. Enable the First Stage Bootloader to use Secure Boot to authenticate the Second Stage Bootloader:

    1. Open the “Device Configuration”.

    2. Select the “Security Settings” tab, click “Read from Device”, and then “Start Provisioning Wizard” to enable secure boot in the First Stage Bootloader.

    3. Enable the irrevocable write operation to OTP for the public key. Alternatively, the version number and certificate verification flags can be set. Click Next.

    4. In the “Security Keys” window you will notice that the sign key is already filled in. Click Next.

    5. Use the default settings in the “Secure Locks” dialog.

    6. Review the summary, click “Provision” to continue, and then click “Yes” to complete changing the security settings.

    7. On the “Security Settings” tab, you can verify success by checking that it reads “Secure Boot: Enabled” after completing the above steps.