ST STM32U585 Series User Manual

Image upgrade strategy
The TOE is certified with overwrite mode as its image upgrade strategy (the image upgrade strategy applies only
in primary and secondary slots mode). In this configuration, the new image in the secondary slot is
copied into the primary slot during the firmware upgrade process, overwriting the previous image. Once the
new version is successfully installed, it is not possible to revert to the previous image version. To obtain this
configuration, the #define MCUBOOT_OVERWRITE_ONLY line must be active in the Linker\flash_layout.h
file.
#define MCUBOOT_OVERWRITE_ONLY /* Defined: the FW installation uses overwrite method.
Undefined: The FW installation uses swap mode. */
It is possible to configure the image upgrade strategy to swap mode. In this configuration, the new image in the
secondary slot is swapped with the previous image in the primary slot during the image upgrade process. After
the swap, the newly installed image in the primary slot must validate itself at its first execution;
otherwise, the images are swapped back at the next boot. The flexibility for an integrator to change the image
upgrade strategy to swap mode without compromising the TOE security does not fall within the scope of this
evaluation, and swap mode is not the certified configuration.
Hardware-accelerated cryptography
The TOE is certified with hardware-accelerated cryptography enabled for the secure boot and secure firmware
update process, and for the TFM cryptography secure services at run time. The hardware-accelerated cryptography
improves performance and is resistant to side-channel attacks. The cryptography hardware
accelerators for the secure boot and secure firmware update process are activated by enabling the define
BL2_HW_ACCEL_ENABLE in the TFM_SBSFU_Boot\Inc\config-boot.h file.
/* HW accelerators activation in BL2 */
#define BL2_HW_ACCEL_ENABLE
The activation of the cryptography hardware accelerators for TFM secure cryptography services at run time is
achieved by activating the define TFM_HW_ACCEL_ENABLE in the TFM_Appli\Inc\tfm_mbedcrypto_config.h
file.
/* HW accelerators activation in TFM */
#define TFM_HW_ACCEL_ENABLE
It is possible to disable hardware-accelerated cryptography so that cryptography operations are performed purely
in software. The flexibility for an integrator to disable the hardware accelerators in the bootloader or TFM
cryptographic secure services without compromising the TOE security does not fall within the scope of this
evaluation, and doing so is not the certified configuration.
Crypto scheme
The TOE is certified in the RSA-2048 asymmetric crypto scheme configuration. In this configuration, the firmware
images are signed using the RSA-2048 algorithm. This crypto scheme provides a good trade-off between boot
time performance and security level. This configuration is selected by the #define CRYPTO_SCHEME line
in the TFM_SBSFU_Boot\Inc\mcuboot_config\mcuboot_config.h file.
#define CRYPTO_SCHEME_RSA2048 0x0 /* RSA-2048 signature,
AES-CTR-128 encryption with key RSA-OAEP encrypted */
#define CRYPTO_SCHEME_RSA3072 0x1 /* RSA-3072 signature,
AES-CTR-128 encryption with key RSA-OAEP encrypted */
#define CRYPTO_SCHEME_EC256 0x2 /* ECDSA-256 signature,
AES-CTR-128 encryption with key ECIES-P256 encrypted */
#define CRYPTO_SCHEME CRYPTO_SCHEME_RSA2048 /* Select one of the available crypto schemes */
It is possible to select another asymmetric crypto scheme: RSA-3072 or ECDSA-256. The laboratory has
assessed the security of the following crypto schemes: RSA-2048, RSA-3072, and ECDSA-256. However, to use
the certified configuration, the integrator must set the platform to use the RSA-2048 asymmetric crypto scheme
for image verification.
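A check an integrator could run in CI to confirm that the three settings above (image upgrade strategy, hardware acceleration, crypto scheme) still match the certified configuration. This is an added example, not part of UM2852 or the ST firmware package: the function names and the sample header contents are constructed for illustration, while the file paths and macro names are the ones given on this page.

```python
import re

# Certified settings from this page: header (path as the manual writes it) -> {macro: required value}.
# None means the macro only has to be defined.
CERTIFIED = {
    r"Linker\flash_layout.h": {"MCUBOOT_OVERWRITE_ONLY": None},
    r"TFM_SBSFU_Boot\Inc\config-boot.h": {"BL2_HW_ACCEL_ENABLE": None},
    r"TFM_Appli\Inc\tfm_mbedcrypto_config.h": {"TFM_HW_ACCEL_ENABLE": None},
    r"TFM_SBSFU_Boot\Inc\mcuboot_config\mcuboot_config.h":
        {"CRYPTO_SCHEME": "CRYPTO_SCHEME_RSA2048"},
}

def active_defines(text):
    """Return {macro: value} for #define lines that are not commented out."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)  # block comments, incl. multi-line
    text = re.sub(r"//[^\n]*", "", text)                # line comments
    pattern = r"^[ \t]*#[ \t]*define[ \t]+(\w+)[ \t]*(.*)$"
    return {m.group(1): m.group(2).strip() for m in re.finditer(pattern, text, re.M)}

def audit(sources):
    """sources: {header path: file contents}. Returns a list of deviations."""
    findings = []
    for path, wanted in CERTIFIED.items():
        defs = active_defines(sources.get(path, ""))
        for name, value in wanted.items():
            if name not in defs:
                findings.append(f"{path}: {name} is not defined")
            elif value is not None and defs[name] != value:
                findings.append(f"{path}: {name} = {defs[name]}, certified is {value}")
    return findings

# Constructed sample contents (not the real ST headers), keyed by the CERTIFIED paths.
P = list(CERTIFIED)
SCHEMES = ("#define CRYPTO_SCHEME_RSA2048 0x0 /* RSA-2048 signature,\n"
           "AES-CTR-128 encryption */\n#define CRYPTO_SCHEME_EC256 0x2\n")
CERTIFIED_SAMPLE = {
    P[0]: "#define MCUBOOT_OVERWRITE_ONLY /* Defined: overwrite.\nUndefined: swap. */\n",
    P[1]: "/* HW accelerators activation in BL2 */\n#define BL2_HW_ACCEL_ENABLE\n",
    P[2]: "/* HW accelerators activation in TFM */\n#define TFM_HW_ACCEL_ENABLE\n",
    P[3]: SCHEMES + "#define CRYPTO_SCHEME CRYPTO_SCHEME_RSA2048\n",
}
DEVIATING_SAMPLE = dict(CERTIFIED_SAMPLE)
DEVIATING_SAMPLE[P[0]] = "/* #define MCUBOOT_OVERWRITE_ONLY */\n"   # swap mode
DEVIATING_SAMPLE[P[1]] = "// #define BL2_HW_ACCEL_ENABLE\n"         # software crypto in BL2
DEVIATING_SAMPLE[P[3]] = SCHEMES + "#define CRYPTO_SCHEME CRYPTO_SCHEME_EC256\n"

if __name__ == "__main__":
    for label, sample in (("certified", CERTIFIED_SAMPLE), ("deviating", DEVIATING_SAMPLE)):
        print(label, audit(sample) or "matches the certified configuration")
```

The check reads the headers as text only: it does not evaluate #if/#ifdef blocks or macros passed on the compiler command line, so a clean result still has to be confirmed against the actual build settings.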
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 11/27

ST STM32U585 Series Specifications

General
Series: STM32U585
Core: ARM Cortex-M33
Max CPU Frequency: 160 MHz
Flash Memory: up to 2 MB
Communication Interfaces: USB, USART, UART, SPI, I2C
ADC: 12-bit
DAC: 12-bit
Security Features: TrustZone, Secure Boot
Package: LQFP, WLCSP, BGA
Peripherals: DMA

Summary

General Information

Reference Documents

Preparative Procedures

Secure Acceptance

Verify integrity and authenticity of the TOE and its components.

Secure Installation and Preparation

Procedures for setting up the environment and installing the TOE.

Hardware Setup

Steps to connect the development board to a PC via USB.

Software Setup

Lists minimum requirements for setting up the SDK and required tools.

Secure Installation Steps

Details the 4 steps to achieve complete installation with security activated.

Operational User Guidance

User Roles

Distinguishes between the Integrator role for this TOE.

Integrator Guidance

Provides guidance for integrating and operating the TOE.

User-Accessible Functions and Privileges

Describes integrator's tasks and access to interfaces for IoT solution integration.

Available Interfaces and Methods

Lists and describes interfaces for product development and use.

Security-Relevant Events

Describes events detected by the TOE and their consequences.

Security Measures

Measures to achieve TRUSTED_INTEGRATOR and TOE_SECRETS.

Modes of Operation

Describes TOE operation after reset and during image updates.

Revision History