Answer
How to: permanently securing the Lyra device
Description:
The First Stage Bootloader Checker needs the Silicon Labs public key to verify the First Stage Bootloader. This was already burned into the ROM of the device at the Factory.
However, the First and Second Stage Bootloaders require the final product public key to verify the signature of any signed firmware images. This public key can be found in the files signing-key.pub and signing-key-tokens.txt. This key needs to be flashed into the device by the final product maker.
The commands below will permanently make your device secure. However, it will always require future software updates to be signed by the exact same private signing-key.
You may want to skip this step, knowing that you are preventing the device from having a complete Chain-of-Trust. Without the key stored in OTP memory, the First Stage Bootloader will not check the signature of future Second Stage Bootloader. This will allow you to reuse the chip with future projects by erasing the full-device along with the final product public key stored in flash.
If you choose to complete this section, you will need to use the same private key to sign future Second Stage Bootloader, Apploader and Application images.
-
Flashing the public key to the OTP, run the following command, Type "Continue" to confirm, that this step is irrevocable:
commander security writekey --sign signing-key.pub --device EFR32BG22C224F512IM40
-
Enable First Stage Bootloader to use Secure Boot to authenticate Second Stage Bootloader
-
Open the “Device Configuration”
-
Select the “Security Settings” tab, click “Read from Device”, and "Start Provisioning Wizard" to enable secure boot in the First Stage Bootloader
-
Enable irrevocable write data operation for OTP for public key. Alternatively, version number and certificate verification flags can be set, click Next:
-
In the “Security Keys” window you will notice that the sign key is already filled in, click Next:
-
Use the default settings in the “Secure Locks” dialog:
-
Review the summary, click “Provision” to continue, and then click “Yes” to complete changing the security settings:
-
At the “Security Settings” tab, you can verify success by reading “Secure Boot: Enabled” after completing the above steps:
-