Firmware Encryption and Decryption

GR5xx series adopts ECIES, a hybrid encryption scheme that ensures firmware security and efficiency by integrating symmetric encryption (PRESENT-128) and public key cipher (elliptic-curve cryptography, ECC), combining the strength of the two security mechanisms.

The encryption and decryption processes of hybrid cryptosystem are shown in the figure below.

• Encryption with hybrid cryptosystem:

  1. Generate random private keys in ECIES: Generate random private keys used for ECIES encryption with a random number generator of GProgrammer or other tools.
  2. Obtain the session key: Use the random keys generated in Step 1 for ECIES calculation, and obtain the session key (PRESENT-128 symmetric key) and random public keys in ECIES.
  3. Generate ciphertext: Encrypt the session message with the session key in GProgrammer, and generate session message in ciphertext with the random public keys in ECIES.
  4. Import private keys and ciphertext: Download the firmware key used for ECC decryption to eFuse with GProgrammer; download the session message in ciphertext to Flash.

• Decryption with hybrid cryptosystem:

  1. Obtain private key in ECC: The firmware key used for ECC decryption is stored in eFuse. During system boot and initialization, the private key will be loaded to the KEYRAM module. The private key can hardly be obtained for undesired use thanks to the random number generator and eFuse.
  2. Obtain the session key: Start ECIES calculation with random public key in ECIES and firmware key through the PKC module; obtain the symmetric firmware code key for PRESENT-128, and load the key to the KEYRAM module.
  3. Decrypt the ciphertext: Load the firmware code key to the XIP_DEC module, so that the code on Flash can be decrypted automatically.