Secure Boot

Kneron KL720 provide secure protect with AES and SHA. The boot mechanism will apply AES 256 CBC mode and SHA256. For AES, this requires 256 bits Key and 128 bits IV to encrypt or decrypt the data. For SHA, this requires 256 bits space on SPI flash to keep the hash value.

The SEC_EN bit from eFuse is used to decide if the secure boot mechanism should be applied or ignored. The content of 32 bits authentication number, the 256 bits Key and 128 bits IV inside eFuse should be decided and write to eFuse before the SEC_EN bit is set. If the SEC_EN bit of eFuse is 1. The boot flow will enter secure boot, and the firmware of SPL, SCPU and NCPU need be encrypted with the correct key.

1. eFuse Programming

The eFuse data will be programmed during chip or module production. The eFuse's data contains the following vendor's key information. The user only obtains the encrypted key(sbtkey.bin) and uses the sbtenc tool to perform firmware secure boot encryption.

2. Build Firmware and Create Encrypted Binary File

If the SEC_EN bit of eFuse is 1. The boot flow will enter secure boot, and the firmware of SPL, SCPU and NCPU need be encrypted with the correct key. We provide a "sbtenc.exe" tool for users to encrypt their firmware with SBT key(sbtkey.bin) for secure boot. You can refer the example projects of secure boot for SPL, SCPU and NCPU.

sbtenc.exe optional arguments: 
    -h, --help          Show this help message and exit
    -hd, --header       Add header file.
    -e, --encrypt       AES encryption.
    -i INFILE, --infile INFILE
                        Input firmware file for AES encryption.
    -o OUTFILE, --outfile OUTFILE
                        Encrypted output file.
    -s SBTKEYFILE, --sbtkeyfile SBTKEYFILE
                        Secure boot key file(sbtkey.bin)
Example Command:
Encrypt firmware with user's sbtkey file(sbtkey.bin) and generate to DFU binary format.
SPL:
​    sbtenc.exe -e -i boot_spl.bin -o boot_spl_enc.bin -s keys\sbtkey.bin
SCPU:
​    sbtenc.exe -e -i fw_scpu.bin -o fw_scpu_enc_tmp.bin -s keys\sbtkey.bin
​    gen_dfu_binary_for_win.exe -scpu fw_scpu_enc_tmp.bin fw_scpu_enc.bin
NCPU:
​    sbtenc.exe -e -i fw_ncpu.bin -o fw_ncpu_enc_tmp.bin -s keys\sbtkey.bin
​    gen_dfu_binary_for_win.exe -ncpu fw_ncpu_enc_tmp.bin fw_ncpu_enc.bin

3. KL720 SDK Secure Boot Example

The following are the example projects and post_build_enc.bat for secure boot on the KL720 SDK. Please reference the post_build_enc.bat for firmware encryption.

Example key. 
    .\firmware\utils\sbtenc\keys\sbtkey.bin

Example projects for SPL, SCPU and NCPU.
​    SPL 
         sbtenc.exe -e -i boot_spl.bin -o boot_spl_enc.bin -s keys\sbtkey.bin
​    SCPU 
         .\firmware\build\example_sbt\scpu\sn72096_9x9\scpu_keil\scpu.uvprojx
​    NCPU 
         Xtensa workspace and import HelloWorld project
         .\firmware\build\example_sbt\ncpu\
After the project is built, please run flash programming to update the flash data.
    .\firmware\utils\JLink_programmer\flash_prog_enc.bat
Secure boot success message.

Secure boot fail message.