RSL15 Secure Bootloader Usage Options

Functionality Access Options

The RSL15 secure bootloader sample application offers the following options, each enabling a further level of functionality, so that the build can be matched to the needs of the end product:

  1. Basic bootloader functionality
  2. Secure bootloader: authenticated and validated loading of applications, and of the bootloader itself
    • Authenticated transport layer
    • Authenticated images verified on load
    • Authenticated images verified again prior to overwriting an existing image
    • Only authenticated images are booted by the bootloader
  3. Secure storage
    • A limited area of flash memory that is allocated as secure storage
    • Enables the storage and retrieval of encrypted assets
    • A simple filing system that holds general secure data as well as assets
  4. Attestation
    • Support for the injection or creation of attestation keys
    • Attestation keys are stored in secure storage
    • The public key can be retrieved by application code through the bootloader interface
    • Support for an attestation token, which enumerates the hardware and firmware on the device
    • Support for a standard attestation protocol that is robust against replay attacks
    • Optional support for different types of attestation keys:
      1. AES (not recommended: a symmetric key must also be held by the verifier, giving a lower level of security; not available in the initial release)
      2. RSA (smallest increase in bootloader image size, because RSA is already included for the secure boot features)
      3. ECC (good balance of small key size and robustness against attack, but requires the most application code to support; not available in the initial release)
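
To make the replay-resistance requirement concrete, the following is an added example of the challenge-response exchange, not code from the RSL15 SDK. The page does not give the bootloader's token format or API, so the Device and Verifier classes, the claim field names, the hypothetical hardware ID and the sample image bytes are all constructed here. HMAC-SHA256 stands in for the RSA or ECC signature the bootloader would produce with the attestation key held in secure storage; the nonce handling that defeats replay is the same with either key type.

```python
"""Replay-resistant attestation exchange between a device and a verifier.

Added example, not code from the RSL15 SDK. Token format, field names, the
Device/Verifier classes and the sample image are constructed for illustration.
HMAC-SHA256 stands in for the RSA/ECC signature the real bootloader would make
with the attestation key held in secure storage.
"""
import hashlib
import hmac
import json
import secrets

# Constructed demo values; on the device the key never leaves secure storage.
ATTESTATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
FW_IMAGE = b"RSL15 application image v1.2.0 (constructed sample bytes)"


def _canonical(claims: dict) -> bytes:
    """Serialise claims deterministically so both sides sign/verify identical bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


class Device:
    """Device side: builds a token that enumerates hardware and firmware identity."""

    def __init__(self, key: bytes, hw_id: str, fw_version: str, fw_image: bytes):
        self._key = key
        self.hw_id = hw_id
        self.fw_version = fw_version
        self.fw_hash = hashlib.sha256(fw_image).hexdigest()

    def attest(self, nonce: bytes) -> dict:
        # The verifier's nonce is bound into the signed claims, so a token
        # captured in one session cannot satisfy a later challenge.
        claims = {
            "hw_id": self.hw_id,
            "fw_version": self.fw_version,
            "fw_hash": self.fw_hash,
            "nonce": nonce.hex(),
        }
        tag = hmac.new(self._key, _canonical(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": tag}


class Verifier:
    """Relying party: issues single-use nonces and checks tokens against them."""

    def __init__(self, key: bytes, expected_fw_hash: str):
        self._key = key
        self.expected_fw_hash = expected_fw_hash
        self._outstanding: set[bytes] = set()  # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, token: dict) -> tuple[bool, str]:
        claims = token["claims"]
        expected = hmac.new(self._key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature"
        nonce = bytes.fromhex(claims["nonce"])
        if nonce not in self._outstanding:
            return False, "unknown or replayed nonce"
        self._outstanding.discard(nonce)  # consume it: a second presentation fails
        if claims["fw_hash"] != self.expected_fw_hash:
            return False, "firmware does not match expected image"
        return True, "ok"


def run_exchange() -> dict:
    """Run the protocol once and exercise the failure modes; returns each verdict."""
    device = Device(ATTESTATION_KEY, "RSL15-demo-0001", "1.2.0", FW_IMAGE)
    verifier = Verifier(ATTESTATION_KEY, hashlib.sha256(FW_IMAGE).hexdigest())
    results = {}

    nonce = verifier.challenge()
    token = device.attest(nonce)
    results["fresh"] = verifier.verify(token)    # genuine token, first use
    results["replay"] = verifier.verify(token)   # same token presented again

    tampered = {"claims": dict(token["claims"], fw_version="9.9.9"), "sig": token["sig"]}
    results["tampered"] = verifier.verify(tampered)  # claims edited after signing

    results["unissued"] = verifier.verify(device.attest(b"\x00" * 16))  # nonce not ours

    other = Device(ATTESTATION_KEY, "RSL15-demo-0001", "1.2.0", FW_IMAGE + b"patched")
    results["wrong_fw"] = verifier.verify(other.attest(verifier.challenge()))
    return results


if __name__ == "__main__":
    for case, (ok, why) in run_exchange().items():
        print(f"{case:9s} -> {'accept' if ok else 'reject'} ({why})")
```

The verifier checks the signature before it looks up the nonce, so an unauthenticated token cannot burn an outstanding challenge, and it discards the nonce only once a valid token has consumed it. A deployment would additionally expire unused nonces after a short window so the outstanding set cannot grow without bound.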

Configuration

The options are selected through preprocessor definitions in the API header bl_options.h.