Updating a Secure Application

When a secure application must be updated, the process is as follows:

  • Request an update. The bootloader polls a flag to determine whether an update is requested, so this flag must be set before the update can proceed.

BL_UpdateType_t BL_UpdateIsAvailable(uint32_t address, uint32_t extent);

  • Provide a new secure application. The bootloader checks if there is a new image in the download area.

BL_UpdateType_t BL_UpdateIsAvailable(uint32_t address, uint32_t extent);

  • Update the image. The bootloader uses the function with this prototype to perform the update.

void BL_UpdateImage(BL_UpdateType_t request, uint32_t srcAddress, uint32_t dstAddress, uint32_t dstLength);
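The three steps above form one sequence: set the request flag, stage an image in the download area, let the bootloader validate it, then copy it into place. The following C program is an added example modelling that sequence on simulated flash regions; it is not the bootloader's own code. The names (`request_update`, `update_is_available`, `update_image`, `stage_image`), the image header layout, the `IMAGE_MAGIC` value and the choice of CRC-16/CCITT-FALSE as the integrity check are all constructed assumptions for illustration. The check in `update_is_available` deliberately bounds the header's length field against the area extent before touching the payload, which is the defensive point a loader must get right.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the request / stage / update flow.
 * All names and constants here are hypothetical; they are not the
 * bootloader's API, only an illustration of its three-step sequence. */
#define DL_AREA_SIZE  256u                 /* simulated download area */
#define APP_AREA_SIZE 256u                 /* simulated application area */
#define IMAGE_MAGIC   0x494D4731u          /* "IMG1", constructed marker */

typedef enum { UPD_NONE = 0, UPD_AVAILABLE = 1, UPD_INVALID = 2 } update_type_t;

typedef struct {
    uint32_t magic;     /* IMAGE_MAGIC when an image is staged */
    uint32_t length;    /* payload bytes that follow the header */
    uint16_t crc;       /* CRC-16/CCITT-FALSE over the payload */
    uint16_t reserved;
} image_header_t;

static uint8_t download_area[DL_AREA_SIZE];
static uint8_t app_area[APP_AREA_SIZE];
static volatile uint32_t update_requested;  /* the flag the bootloader polls */

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final xor. */
uint16_t crc16_ccitt_false(const uint8_t *data, size_t len) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < len; i++) {
        crc ^= (uint16_t)((uint16_t)data[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021) : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Step 1: request an update by setting the polled flag. */
void request_update(void) { update_requested = 1u; }

/* Step 2 (host side): write header + payload into the download area. 0 on success. */
int stage_image(const uint8_t *payload, uint32_t len) {
    if (len > DL_AREA_SIZE - sizeof(image_header_t)) return -1;   /* would not fit */
    image_header_t h = { IMAGE_MAGIC, len, crc16_ccitt_false(payload, len), 0 };
    memcpy(download_area, &h, sizeof h);
    memcpy(download_area + sizeof h, payload, len);
    return 0;
}

/* Step 2 (bootloader side): is there a valid new image in [area, area + extent)? */
update_type_t update_is_available(const uint8_t *area, uint32_t extent) {
    image_header_t h;
    if (!update_requested) return UPD_NONE;          /* nobody asked for an update */
    if (extent < sizeof h) return UPD_INVALID;
    memcpy(&h, area, sizeof h);                      /* copy out: no alignment assumptions */
    if (h.magic != IMAGE_MAGIC) return UPD_NONE;     /* nothing staged */
    if (h.length > extent - sizeof h) return UPD_INVALID;   /* never trust a header length */
    if (crc16_ccitt_false(area + sizeof h, h.length) != h.crc) return UPD_INVALID;
    return UPD_AVAILABLE;
}

/* Step 3: copy the verified payload into the application area.
 * Returns bytes written, or -1 if the request is not valid or the image does not fit. */
int update_image(update_type_t request, const uint8_t *src, uint8_t *dst, uint32_t dst_length) {
    image_header_t h;
    if (request != UPD_AVAILABLE) return -1;
    memcpy(&h, src, sizeof h);
    if (h.length > dst_length) return -1;
    /* Re-check integrity on the bytes actually being copied, not a stale verdict. */
    if (crc16_ccitt_false(src + sizeof h, h.length) != h.crc) return -1;
    memcpy(dst, src + sizeof h, h.length);
    update_requested = 0u;   /* clear the flag so the next boot does not repeat the update */
    return (int)h.length;
}

int main(void) {
    const uint8_t payload[] = "constructed app image";   /* constructed sample image */
    if (stage_image(payload, sizeof payload) != 0) return 1;
    request_update();
    update_type_t t = update_is_available(download_area, DL_AREA_SIZE);
    int n = update_image(t, download_area, app_area, APP_AREA_SIZE);
    printf("update type %d, copied %d bytes\n", (int)t, n);
    return n < 0;
}
```

Running it stages a small constructed payload, sets the flag, validates and copies the image, and clears the flag so a second poll reports nothing pending. Flipping one payload byte after staging makes `update_is_available` return `UPD_INVALID`, which is the case the bootloader must refuse rather than fall through to the copy.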

The application must also be authenticated. There are options to share a Root of Trust between the secure application and secure bootloader, such that a tradeoff can be made between boot time and the level of security needed. Alternatively, they can use separate Roots of Trust for increased security, but with increased boot time. The sequence is shown in the "Secure Authenticate/Load/Update Sequence" figure.

Figure: Secure Authenticate/Load/Update Sequence

The update process for the simple bootloader is very similar to that for the secure bootloader, the main differences being that the secure bootloader uses a different CCITT CRC algorithm on each frame and the connection must be pre-authenticated using a valid key certificate.