Features

Secure key storage

Keys are stored in eFuse, which means the key information in eFuse cannot be directly accessed through MCU. In security mode, GR5xx SoCs load the key information to the KEYRAM module in encryption, and true random numbers are generated as masks in this process. The key information in the KEYRAM module cannot be directly obtained by MCU. When key information is required by security modules, an independent hardware unit in the SoC exports the keys to the modules automatically.

Preventing firmware from being eavesdropped

GR5xx combines the efficiency of a symmetric-key cryptosystem with the convenience of a public-key cryptosystem. For decryption, elliptic curve cryptography (ECC) algorithm shall be used in combination with the private key stored in eFuse, to calculate the keys required for decrypting the PRESENT-128 module. Even if eavesdroppers obtain the encrypted firmware stored in Flash memories, they cannot use the firmware because they cannot obtain the key.

Preventing malicious attacks

To prevent malicious attacks, GR5xx provides Serial Wire Debug (SWD) locks and secure device firmware update (DFU) for firmware stored in Flash memories. At the stage of mass production, SWD can be disabled by modifying the configuration information stored in eFuse, to prevent the SoC firmware information from being read or modified. When SWD is disabled, users can also upgrade firmware, through DFU and the App Bootloader process, during which the encrypted firmware is verified, to prevent the firmware from being maliciously modified.

One data key for one device

Firmware keys and data keys are stored separately in different zones in eFuse. The same firmware can be programmed in SoCs with different data keys, so that one device owns its unique data key.