Usecase Help – Secure Boot - PIC32CMSG00
This document describes the steps to perform before and after running the Usecase transaction diagram.
Online documentation: Secure Boot Use Case - PIC32CMSG00 (Online Docs)
Setup requirements
- PIC32CM SG00 Curiosity Pro
- MPLAB X IDE v6.25 or later
Pre Usecase transaction Steps
- Connect the PIC32CM SG00 Curiosity Pro board to the PC running Trust Platform Design Suite. Connect both the TARGET USB (J102) and DEBUG USB (J200) ports to the PC. The board is powered via DEBUG USB; no external power supply is required.
https://www.microchipdirect.com/dev-tools/EV53V42A
- Ensure the MPLAB X path is set in File -> Preference under System Settings. This is needed
- to program the Usecase prototyping kit from TPDS
- to open the embedded project of the Usecase
- Note that ~/.trustplatform/pic32cmsg_secureboot is the Usecase working directory. It contains the resources (Firmware MetaData Tool) required for the use case and the resources generated during transaction diagram execution.
- ~ indicates the home directory.
- Windows home directory is C:\Users\username
- Mac home directory is /Users/username
- Most Linux/Unix home directories are /home/username
- Step 1b (Generate/Load User Keys): Supports ECC P-256, ECC P-384, AES-128, and AES-256. The slot selection dropdown only shows available (unused) slots.
- Step 2 (Load Application Image): When the file dialog opens, select one of the two provided LED demo variants (located in the working directory):
pic32cmsg_led_app_dice.X.production.unified.hex — DICE enabled (CDI shown on console)
pic32cmsg_led_app_nodice.X.production.unified.hex — DICE disabled
- Both are built from the same source code with different fuse configurations. You can also select any compatible application hex file.
Post Usecase transaction Steps
- After programming (Step 5), the board resets automatically and the Boot ROM performs the secure boot sequence. If using the LED demo application:
- LED1 blinks (heartbeat indicating successful boot)
- SW0 button press turns on LED0
- DICE variant: after the secure banner the console shows
[INFO] Retrieved CDI and FW Hash successfully
- No-DICE variant: after the secure banner the console shows
[INFO] DICE is disabled
- The PUF provisioning log and the secure boot state can be viewed with a terminal application such as TeraTerm. Select the board's COM port and set it to 115200-8-N-1.
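As an added example (not part of this page and not Microchip or TPDS code), the following Python script shows how the unified .hex application image selected in Step 2 becomes the flat firmware image whose hash the DICE variant reports: it parses Intel HEX records with checksum validation, assembles the flat image with erased-flash fill for gaps, hashes it with SHA-256, and derives an illustrative CDI as HMAC-SHA256(UDS, firmware hash). The sample hex records, the DEMO_UDS value and the CDI formula are assumptions for illustration; the PIC32CM SG00 Boot ROM's actual measurement and CDI derivation are defined by Microchip and are not described on this page.

```python
"""Parse an Intel HEX image, compute its firmware hash and an illustrative DICE CDI.

Added example for the PIC32CMSG00 Secure Boot use case. Not Microchip code: the
Boot ROM's real measurement and CDI derivation are not specified on this page.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: two data records with a 4-byte gap, plus EOF.
# Every record has a valid checksum (its bytes sum to 0 modulo 256).
SAMPLE_HEX = """\
:020000040000FA
:0400000001020304F2
:02000800AABB91
:00000001FF
"""

# The first data record with a corrupted checksum byte (F2 -> F3).
BAD_RECORD = ":0400000001020304F3"

# Assumed Unique Device Secret for the CDI illustration only (a real UDS never leaves the chip).
DEMO_UDS = bytes.fromhex("00" * 32)


@dataclass
class Record:
    address: int
    rtype: int
    data: bytes


def parse_record(line: str) -> Record:
    """Decode one ':LLAAAATTDD..CC' record, rejecting bad checksums or lengths."""
    line = line.strip()
    if not line.startswith(":"):
        raise ValueError(f"record must start with ':': {line!r}")
    raw = bytes.fromhex(line[1:])
    if len(raw) < 5:  # shortest legal record is the EOF record
        raise ValueError(f"record too short: {line!r}")
    # Intel HEX checksum: all bytes including CC sum to 0 modulo 256.
    if sum(raw) & 0xFF:
        raise ValueError(f"checksum mismatch: {line!r}")
    length, address, rtype = raw[0], int.from_bytes(raw[1:3], "big"), raw[3]
    data = raw[4:-1]
    if len(data) != length:
        raise ValueError(f"length field {length} does not match data: {line!r}")
    return Record(address, rtype, data)


def record_is_valid(line: str) -> bool:
    try:
        parse_record(line)
        return True
    except ValueError:
        return False


def hex_to_image(lines, fill: int = 0xFF):
    """Assemble data records into (base_address, flat image).
    Gaps are filled with `fill` (erased flash reads 0xFF); overlapping data,
    data after EOF and a missing EOF record are treated as errors."""
    cells = {}
    base = 0
    seen_eof = False
    for line in lines:
        if not line.strip():
            continue
        if seen_eof:
            raise ValueError("data after EOF record")
        rec = parse_record(line)
        if rec.rtype == 0x00:  # data
            for i, b in enumerate(rec.data):
                addr = base + rec.address + i
                if addr in cells:
                    raise ValueError(f"overlapping data at {addr:#010x}")
                cells[addr] = b
        elif rec.rtype == 0x01:  # end of file
            seen_eof = True
        elif rec.rtype in (0x02, 0x04):  # extended segment / extended linear address
            if len(rec.data) != 2:
                raise ValueError(f"bad address record: {line!r}")
            shift = 4 if rec.rtype == 0x02 else 16
            base = int.from_bytes(rec.data, "big") << shift
        elif rec.rtype in (0x03, 0x05):  # start address records: not part of the image
            continue
        else:
            raise ValueError(f"unsupported record type {rec.rtype:#04x}")
    if not seen_eof:
        raise ValueError("missing EOF record")
    if not cells:
        raise ValueError("no data records")
    lo, hi = min(cells), max(cells)
    return lo, bytes(cells.get(a, fill) for a in range(lo, hi + 1))


def firmware_hash(image: bytes) -> bytes:
    return hashlib.sha256(image).digest()


def derive_cdi(uds: bytes, fw_hash: bytes) -> bytes:
    """Illustrative DICE-style CDI: HMAC-SHA256 keyed by the UDS over the firmware hash."""
    return hmac.new(uds, fw_hash, hashlib.sha256).digest()


if __name__ == "__main__":
    base, image = hex_to_image(SAMPLE_HEX.splitlines())
    h = firmware_hash(image)
    print(f"image base {base:#010x}, {len(image)} bytes: {image.hex()}")
    print("FW hash:", h.hex())
    print("CDI    :", derive_cdi(DEMO_UDS, h).hex())
    print("corrupted record accepted?", record_is_valid(BAD_RECORD))
```

Any change to the application bytes, including bytes in the gap filled by the programmer, changes the firmware hash and therefore the CDI, which is why the DICE and no-DICE variants, or a rebuilt application, each yield a different CDI on the console.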
Reprogramming a Secured Device
- If Step 4a was not executed (secure boot remains enabled), the device will only accept images signed with the same signing key (slot 2).
- To reprogram with a new application: re-run Steps 2 → 3 → 4 → 5 using the same signing key (private_key_slot2.pem in the working directory).
- To return to an unsecured state: perform a Chip Erase via MPLAB X IPE. This erases all flash and restores the device to DAL=2 (open).
- Running this use case does not permanently lock or brick the board. A Chip Erase always recovers the device.