mmoskal
commented
5 years ago You could in principle do it even without additional chips - especially on SAMD51, which has PUKCC - an embedded crypto library.
You would need to write-protect the bootloader (we already do that), and then have the bootloader restore the protection on every startup, unless a special signed update package is found somewhere.
I guess it will be somewhat difficult to get it all right and secure though.
PRs are welcome though!
I would like a support for secure boot option by bootloader signing from external authentication ic like ATECC508 or ATSHA204
For reference please see the support for NRF52 here