9. Booting an Encrypted Image from Flash
The DA1453x/DA14585 can boot from external flash or from an MCU by copying the image content to SRAM. SDK6 supports booting from an encrypted image: at boot time, the CPU decrypts the image using the AES128 algorithm and stores it in SRAM. The encryption keys are stored in OTP, and the serial wire debug port must be disabled to prevent an attacker from reading out the encryption keys.
If an encrypted image is burned into the SPI flash (or other resources), booting is possible only if the secondary bootloader is used. The basic bootloader, which runs from the ROM, cannot decrypt an encrypted image, so a secondary bootloader is required to do the decryption. For the secondary bootloader creation, see Reference Application.
In bootloader.h, under the secondary bootloader project in 6.0.22\utilities\secondary_bootloader, the SDK defines this flag:
/************** Encrypted Image Support section**************/
#define AES_ENCRYPTED_IMAGE_SUPPORTED 1
Figure 38 DA1453x/DA14585 Booting an Encrypted Image from Flash
Note
The SUOTA of encrypted images is supported and the tools to encrypt the image are provided.
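One way to gate a release build on the flag shown above, as an added example that is not part of the SDK or of the original page: the script reads a bootloader.h and reports whether AES_ENCRYPTED_IMAGE_SUPPORTED is effectively set, ignoring commented-out defines and honouring a later #undef. The function names and the sample headers are constructed for illustration, and treating only a non-zero integer value as enabled is an assumption about how the SDK tests the flag.

```python
import re
import sys

FLAG = "AES_ENCRYPTED_IMAGE_SUPPORTED"  # flag name as given on the page

def strip_comments(src):
    """Drop /* ... */ and // comments so commented-out defines are ignored."""
    src = re.sub(r"/\*.*?\*/", " ", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def flag_value(header_text, flag=FLAG):
    """Return the last effective value of the flag, or None if it is undefined.

    Follows #define/#undef in file order; #if/#ifdef branches are not evaluated.
    """
    directive = re.compile(
        r"^[ \t]*#[ \t]*(define|undef)[ \t]+" + re.escape(flag) + r"\b[ \t]*(.*)$",
        re.M,
    )
    value = None
    for m in directive.finditer(strip_comments(header_text)):
        value = m.group(2).strip() if m.group(1) == "define" else None
    return value

def encrypted_boot_enabled(header_text):
    """True only for a non-zero integer value (assumption); anything else fails closed."""
    value = flag_value(header_text)
    if value is None:
        return False
    try:
        return int(value.strip("()"), 0) != 0
    except ValueError:
        return False

# Constructed sample headers (not copied from the SDK).
SAMPLE_ON = "/**** Encrypted Image Support section ****/\n#define AES_ENCRYPTED_IMAGE_SUPPORTED 1\n"
SAMPLE_OFF = (
    "// #define AES_ENCRYPTED_IMAGE_SUPPORTED 1\n"
    "/* #define AES_ENCRYPTED_IMAGE_SUPPORTED 1 */\n"
    "#define AES_ENCRYPTED_IMAGE_SUPPORTED 0\n"
)

if __name__ == "__main__":
    # Usage: python check_flag.py path/to/bootloader.h  (exit code 1 if disabled)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_ON
    enabled = encrypted_boot_enabled(text)
    print(FLAG, "enabled" if enabled else "NOT enabled")
    sys.exit(0 if enabled else 1)
```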