Introduction to MCUBoot and TF-M

bit****com

2022-05-27 11:20:41

1. Secure Boot Solution

1.1. MCUBoot

• User: Zephyr/Mynewt/RIOT/MBED-OS/…;

• Driver port: Flash/UART/USB/OTA/Crypto/Platform init;

• Supported crypto modules: MbedTLS/TinyCrypt;

• Update type:

  • MCUBOOT_OVERWRITE_ONLY: secondary->primary;

  • MCUBOOT_SWAP_USING_MOVE: primary->swap, secondary->primary;

• Hook function:

  • boot_read_image_header_hook: check image header;

  • boot_image_check_hook: image check, e.g. image index, slot number;

  • boot_perform_update_hook: perform a clean image update;

  • boot_read_swap_state_primary_slot_hook: boot swap state item check;

  • boot_copy_region_post_hook: netcore update after appcore update;

  • boot_serial_uploaded_hook: netcore update in serial console;
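
As an added illustration (not code from the original article or from the MCUBoot project), this is the kind of sanity check a boot_read_image_header_hook implementation could apply before an image is used. The names check_image_header and img_hdr and the slot size are assumptions; the field layout follows MCUBoot's 32-byte little-endian image header.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define IMAGE_MAGIC     0x96f3b83dU  /* MCUBoot image header magic */
#define IMAGE_HDR_SIZE  32U          /* size of the fixed header structure */

/* Decoded fields of the header (hypothetical struct for this example). */
struct img_hdr {
    uint32_t magic, load_addr, img_size, flags;
    uint16_t hdr_size, protect_tlv_size;
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns true only if the header is plausible for a slot of slot_size bytes.
 * This is a pre-check; signature verification still has to follow. */
bool check_image_header(const uint8_t *buf, size_t len, uint32_t slot_size,
                        struct img_hdr *out)
{
    if (buf == NULL || out == NULL || len < IMAGE_HDR_SIZE) return false;
    out->magic = rd32(buf);            out->load_addr = rd32(buf + 4);
    out->hdr_size = rd16(buf + 8);     out->protect_tlv_size = rd16(buf + 10);
    out->img_size = rd32(buf + 12);    out->flags = rd32(buf + 16);
    if (out->magic != IMAGE_MAGIC) return false;
    if (out->hdr_size < IMAGE_HDR_SIZE || out->hdr_size > slot_size) return false;
    /* Subtract rather than add so untrusted sizes cannot wrap around. */
    uint32_t room = slot_size - out->hdr_size;
    if (out->img_size == 0 || out->img_size > room) return false;
    if (out->protect_tlv_size > room - out->img_size) return false;
    return true;
}

/* Constructed sample: 0x200-byte header, 0x1000-byte image, version 1.2.0. */
const uint8_t sample_hdr[32] = {
    0x3d, 0xb8, 0xf3, 0x96,  0, 0, 0, 0,  0x00, 0x02,  0, 0,
    0x00, 0x10, 0x00, 0x00,  0, 0, 0, 0,  1, 2, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0
};

int main(void) {
    struct img_hdr h;
    printf("valid=%d\n", check_image_header(sample_hdr, 32, 0x20000, &h));
    return 0;
}
```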

1.2. MCUBoot Flow

2. TEE Solution

2.1. Trusted Firmware-M(TF-M)

TF-M is the reference implementation of PSA (like OP-TEE, which is used for Cortex-A). It supports a set of secure runtime services:

• Secure Storage

• tfm_platform_mem_read

• Cryptography:

  • hashing with SHA-256

  • generating random numbers

• Audit Logs

• Attestation

2.12. TF-M -> Supported Platforms

• ARM: Corstone-1000/Corstone-300/Corstone-Polaris/Musca-B1

• NXP: LPCXpresso55S69

• Cypress

• STM

• Nordic: nrf5340/nrf9160

• Laird Connectivity: BL5340

• Nuvoton: M2351/M2354

2.13. TF-M -> Architecture

