Microchip Introduces CEC1712 MCU with Secure Boot for External Flash Systems

Microchip Technology has unveiled the CEC1712, a cryptography‑enabled MCU that safeguards operating systems booting from external SPI flash memory. The device counters rootkit and bootkit malware by enforcing a secure boot process that relies on a hardware root of trust compliant with NIST 800‑193.

As 5G deployments expand and cloud infrastructure grows, developers must ensure that operating systems remain uncompromised. Rootkits load before the OS starts, bypassing conventional anti‑malware solutions. Secure boot, powered by a hardware root of trust, is the only reliable shield that permits boot only of manufacturer‑trusted firmware.

Built on an Arm Cortex‑M4 core, the CEC1712 is the third generation in Microchip’s lineup. Paired with the Soteria‑G2 firmware, it detects and halts malicious firmware before runtime, enabling rapid adoption of secure boot. Soteria‑G2 relies on the CEC1712’s immutable ROM‑based bootloader as the system’s root of trust.

“We’re targeting any system that boots from SPI flash,” said Jeannette Wilson at embedded.com. “The CEC1712’s on‑chip cryptographic engines save up to 15 kB of code space and allow full verification in under 70 ms.”

Beyond protecting 5G and data‑center operating systems, the CEC1712/Soteria‑G2 combo also strengthens security for connected autonomous vehicles, automotive ADAS platforms, and any system that boots from external SPI flash.

In addition to pre‑boot protection, the CEC1712 supports key revocation and code rollback safeguards throughout the device’s life cycle, enabling secure in‑field firmware updates. These features align with NIST 800‑193’s platform firmware resilience requirements: maintain code integrity, detect corruption, and recover to a known good state.

Key revocation is essential when OEMs face credential compromise. “It may seem obvious, but introducing new keys and rejecting compromised ones is surprisingly complex,” Wilson explained.

The secure bootloader in the CEC1712’s ROM loads, decrypts, and authenticates firmware stored in external SPI flash. Once verified, the bootloader hands control to the first application processor. The device supports up to two application processors, each with two SPI flash modules.

Code execution begins in CEC1712 ROM. Application code, signed with the OEM’s private key, resides in SPI flash. The ROM holds the processor in reset until the code is authenticated, after which the host processor loads and executes the verified code. (Image: Microchip)
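The boot-time decision described above (authenticate the image held in SPI flash, refuse revoked keys and rolled-back versions, recover to a second image) can be sketched as follows. This is an added illustration, not Microchip or Soteria-G2 code: the image layout, the OTP state fields and all function names are hypothetical, and HMAC-SHA-384 stands in for the OEM's asymmetric signature so that the example runs with only the Python standard library.

```python
import hashlib, hmac
from dataclasses import dataclass

@dataclass
class Image:                # hypothetical layout of one signed image in SPI flash
    key_id: int             # which OEM key signed it
    version: int            # monotonic firmware version, covered by the signature
    payload: bytes
    tag: bytes              # stand-in for the OEM signature

@dataclass
class OtpState:             # hypothetical state the root of trust keeps in OTP
    keys: dict              # key_id -> key material
    revoked: set            # key_ids that must no longer be accepted
    min_version: int        # anti-rollback floor, raised after each accepted update

def sign(key: bytes, version: int, payload: bytes) -> bytes:
    # Assumption: HMAC-SHA-384 replaces a real public-key signature here.
    digest = hashlib.sha384(version.to_bytes(4, "big") + payload).digest()
    return hmac.new(key, digest, hashlib.sha384).digest()

def check(img: Image, otp: OtpState) -> str:
    if img.key_id not in otp.keys:
        return "unknown-key"
    if img.key_id in otp.revoked:       # a valid signature from a revoked key still fails
        return "revoked-key"
    expected = sign(otp.keys[img.key_id], img.version, img.payload)
    if not hmac.compare_digest(expected, img.tag):
        return "bad-signature"
    if img.version < otp.min_version:   # authentic but older than the floor
        return "rollback"
    return "ok"

def boot(images: list, otp: OtpState):
    """Return (index of the image to run, per-image results); None means stay in reset."""
    results = [check(img, otp) for img in images]
    for i, result in enumerate(results):
        if result == "ok":
            return i, results
    return None, results

# Constructed sample state: key 0 has been revoked, versions below 5 are refused.
OLD_KEY, NEW_KEY = b"k0" * 24, b"k1" * 24
OTP = OtpState(keys={0: OLD_KEY, 1: NEW_KEY}, revoked={0}, min_version=5)

def make(key_id: int, version: int, payload: bytes) -> Image:
    return Image(key_id, version, payload, sign(OTP.keys[key_id], version, payload))
```

The version check runs only after the signature check because the version field is trusted only once the signature over it has been verified.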

Microchip and Arrow Electronics offer pre‑provisioning of customer‑specific data as a secure manufacturing solution that mitigates over‑building and counterfeiting. The service reduces development time by months and eliminates the need for third‑party provisioning or certificate authorities.

“While many customers are sophisticated, not all have deep security expertise,” Wilson added. “Soteria gives them the tools to implement secure boot without in‑house code.” Development is performed in the MPLAB IDE suite.

Comparing the CEC1712 to its predecessor, the CEC1702, Wilson highlighted that the earlier model could not perform full redundant boot. The CEC1712 now meets NIST 800‑193 requirements, supports 4‑byte SPI address mode, uses SHA‑384 hashing instead of SHA‑256, and offers in‑circuit OTP for custom keypads and other programmable applications.

The CEC1712/Soteria‑G2 bundle is supported by Microchip’s MPLAB X IDE, MPLAB Xpress, and MPLAB XC32 compilers, and is compatible with MPLAB ICD 4 and PICkit 4 programmers/debuggers. The CEC1712H‑S2‑I/SX variant is available in volume production, starting at $4.02 in quantities of 10 000 units, including the Soteria‑G2 firmware.

Wilson noted that several customers are already in the sampling phase, with others moving toward full‑scale production. The target markets include server vendors, multifunction printer manufacturers, aerospace and defense, as well as gaming, automotive, and notebook computer segments.
