3. Implementation

This section demonstrates how to build the required components to perform a secure boot. This includes building and writing the secure boot loader in OTP, signing a firmware image, and writing it in the QSPI Flash device.

3.1. Requirements

Import the following projects in your workspace:

  • scripts: contains scripts to manage the chip programming
  • python_scripts: contains scripts to manage the firmware image signature
  • ble_suota_loader: contains the Secure Boot Loader to be written in OTP
  • pxp_reporter: can be any project with SUOTA support and contains the firmware image

Your workspace should look like Fig. 5

_images/secure_boot_workspace.png

Fig. 5 Secure Boot Workspace

Warning

The next step will cause the Secure Boot Loader to be written in the OTP. This is not reversible. You should carefully store your signing keys otherwise the DA14682/DA14683 is no longer usable.

3.2. Generate Keys

  1. Select the secure image configuration as shown in Fig. 6
_images/secure_image_config.png

Fig. 6 Secure Boot Workspace

  1. In the pop-up window shown in Fig. 7, select Yes to generate the keys.
_images/create_new_key.png

Fig. 7 Create New Key

  1. Select one of the available ECC schemes and click OK.
_images/select_ecc.png

Fig. 8 Select ECC Scheme

  1. The configuration script creates a file in the python_scripts/secure_image folder. Refresh the folder (right-click and select Refresh) and open the product_keys.xml file which contains the private keys to program in the DA14682/DA14683.
_images/product_key_view.png

Fig. 9 Product Key View

3.3. Configure SUOTA Image

  1. When asked if you want to load the keys from product_keys.xml, click on Yes.

Note

If you select No, you can choose to load the keys manually however this procedure is not covered in the tutorial.

_images/use_product_keys.png

Fig. 10 Use Generated Product Keys

  1. Select the key to use for your secure_image.
_images/select_key.png

Fig. 11 Select Key

  1. Select the hash to use for your secure_image.
_images/select_hash.png

Fig. 12 Select Hash

  1. In order to keep this example simple we won’t define revocation keys or mininal version, select No for the two questions shown in Fig. 13 and Fig. 14.
_images/select_revocation_key.png

Fig. 13 Select Revocation Key

_images/select_minimal_version.png

Fig. 14 Select Minimal Version

You have now generated the secure_img_cfg.xml file in the secure_image folder. This file will be used to configure your Secure Boot Loader as well as to digitally sign your application image.

_images/secure_image_config_xml.png

Fig. 15 secure_img_cfg.xml File

3.4. Initial SUOTA Image Programming

The image is configured and you can now launch the initial Flash. This procedure performs the following actions:

  • erase the required area in the Flash device (bootloader and partition table)
  • write the selected application image (in this case pxp_reporter)
  • write the application image header (secure boot configuration information)
  • write the Secure Boot Loader in the OTP
  • write the secure key in the secure area

To initiate the programming, select your application in the Project Explorer and, in the application launcher, select secure_suota_initial_flash_jtag, see Fig. 16.

_images/secure_image_initial_flash.png

Fig. 16 Initial Secure Boot Programming

For reference, use this initial SBL flash log.

Your device should now advertise as Dialog PX Reporter as shown in Fig. 17.

_images/proximity_reporter_adv.jpg

Fig. 17 Proximity Reporter