AHAB: Advanced High Assurance Boot, firmware in the processor’s boot ROM that is in charge of authenticating boot images.
AVB: Android Verified Boot, a version of Verified Boot that works with Project Treble architecture.
BK: Blob Key, a random 256-bit AES-CCM key that encrypts the data on a CAAM blob.
BKEK: Blob Key Encryption Key, a 256-bit AES-ECB derived key that encrypts the BK in CAAM blobs.
CA: Certificate Authority, the entity that issues digital certificates.
CAAM: Cryptographic Accelerator and Assurance Module, a hardware module on the System-On-Chip which provides hardware-accelerated crypto capabilities.
CSF: Command Sequence File, a binary blob attached to signed U-Boot images that contains the signatures, certificates, and commands to configure the CAAM for the decryption and authentication processes.
DEK: Data Encryption Key, secret key used in the encryption of boot artifacts (such as U-Boot, Linux images, device tree blobs and bootscripts).
dm-verity: Device Mapper verity, a kernel feature that supports transparent integrity checking of block devices.
HAB: High Assurance Boot, firmware in the processor’s boot ROM that is in charge of authenticating boot images.
NVTK: Non-Volatile Test Key, a 256-bit key hardwired into the CAAM that is used on open (not secure enabled) devices as a replacement for the OTPMK. The NVTK value is public knowledge and is common to all parts, so its usage is not secure: it should only be used for testing.
OTP: One-Time Programmable bits, also referred to as electronic fuses or eFuses.
OTPMK: One-Time Programmable Master Key, a unique 256-bit key stored by the CPU manufacturer on the CPU’s OTP bits and used by the CAAM only on closed (secure boot enabled) devices.
PKI: Public Key Infrastructure, a set of certificates and private keys that Digi Embedded Yocto uses to sign the firmware images.
RPMB: Replay Protected Memory Block, a system that stores data to a replay-protected memory area that requires authentication for read and write access.
RSA: The Rivest-Shamir-Adleman cryptosystem for public-key encryption.
SRK: Super Root Keys, stored as hashes in the CPU’s OTP bits and used by the HAB for image authentication.
TA: Trusted Application, an application with special privileges that can perform security-related functions.
TEE: Trusted Execution Environment, a secure area inside a main processor that protects confidentiality and integrity of loaded code and data. A TEE runs in parallel with the operating system but in an isolated environment.
- Get started
Digi Embedded Yocto
- Release notes
- Digi ADE
- Qt Creator
- Command line
- Recovery library (firmware update)
- Digi APIx for embedded
- Cloud Connector
- WPE WebKit web browser
- XBee libraries
Yocto system development
- Set up workstation
- Install Digi Embedded Yocto
- Create and build projects
- Boot the system
- Customize the root file system
- Customize the kernel and DT
- Custom carrier board
- Storage layout
- Update firmware
- Dual boot
- Network failover and recovery
- U-Boot bootloader
- Machine Learning / AI
- Amazon Web Services (AWS) IoT
- Digi Remote Manager
- Simulate a SOM variant
- Recover your device
Linux kernel BSP
- Device tree files
- Pin multiplexing (IOMUX)
- Cryptographic accelerator (CAAM)
- OTP bits
- PCI Express (PCIe)
- DA9063 Power Management IC
- Power management
- Real-Time Clock (RTC)
- Thermal monitor
- Touch screen
- XBee socket
- Enable TrustFence in DEY
- Secure boot
- Partition encryption
- Secure storage
- Secure JTAG
- Secure console modes
- Secure build environments
- Secure firmware update
- Summary of TrustFence keys
Digi ConnectCore Smart IOmux
- Additional resources