Secure boot with resistance to differential power analysis and other external monitoring attacks

US9569623B2 · US · B2

Patent metadata
Publication number: US-9569623-B2
Application number: US-201514617437-A
Country: US
Kind code: B2
Filing date: Feb 9, 2015
Priority date: Dec 4, 2009
Publication date: Feb 14, 2017
Grant date: Feb 14, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value from the secure storage hardware, derives an initial key based at least in part on an identifier associated with the encrypted data segment and the secret value, verifies, using the validator, whether the encrypted data segment has been modified, and decrypts the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment responsive to verifying that the encrypted data segment has not been modified.

First claim

Opening claim text (preview).

What is claimed is:

1. A computing device comprising: secure storage hardware to store a secret value; additional storage hardware; processing hardware coupled to the secure storage hardware, the processing hardware comprising at least one of a cache or a memory; and an interface between the processing hardware and the additional storage hardware, wherein at least one of the additional storage hardware or the interface is unsecure; wherein during a secure boot process the processing hardware is to: receive untrusted data from the additional storage hardware via the interface; load the untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator; retrieve the secret value from the secure storage hardware; derive an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment and the secret value; verify, using the validator, whether the encrypted data segment has been modified; and responsive to verifying that the encrypted data segment has not been modified, decrypt the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment.

2. The computing device of claim 1, wherein: the additional storage hardware is an unsecure storage hardware; and the interface is an unsecure interface.

3. The computing device of claim 1, wherein the processing hardware and the secure storage hardware are components of a system on a chip (SOC).

4. The computing device of claim 1, wherein the encrypted data segment comprises at least one of software or firmware, and wherein the processing hardware is further to: retrieve a minimum acceptable version number for the software or firmware from the secure storage hardware; and verify that the software or firmware has a version number that is equal to or greater than the minimum acceptable version number.

5. The computing device of claim 4, wherein the untrusted data comprises instructions to update the minimum acceptable version number, and wherein the processing hardware is further to: update the minimum acceptable version number in accordance with the instructions.

6. The computing device of claim 1, wherein the path through the key tree is based on the identifier and identifies a plurality of entropy distribution operations used to derive the initial key.

7. The computing device of claim 6, the processing hardware further to: divide the identifier into a plurality of parts, where each of the plurality of parts determines a leg of the path, and where each leg of the path is associated with a particular entropy distribution operation of the plurality of entropy distribution operations.

8. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein the processing hardware is further to: apply an entropy distribution operation to the first decryption key to derive a second decryption key; and decrypt an encrypted data segment from the plurality of encrypted data segments with the second decryption key.

9. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein the processing hardware is further to: receive and decrypt the plurality of encrypted data segments using hash chaining operations comprising: decrypting a first encrypted data segment of the plurality of encrypted data segments to produce a first plaintext segment comprising a first decrypted data segment and a first hash value; validating a second encrypted data segment using the first hash value; and responsive to validating the second encrypted data segment, decrypting the second encrypted data segment of the plurality of encrypted data segments to produce a second plaintext segment comprising a second decrypted data segment and a second hash value.

10. The computing device of claim 1, wherein to verify that the encrypted data segment has not been modified the processing hardware is to: compute a hash of the encrypted data segment; generate an expected validator based on performing a plurality of entropy distribution operations on the initial key using the key tree, wherein the hash indicates a path through the key tree, the path identifying the plurality of entropy distribution operations; and compare the expected validator to the validator.

11. The computing device of claim 1, wherein the untrusted data comprises a plurality of encrypted data segments, and wherein hash chaining operations are performed to decrypt the plurality of encrypted data segments, the hash chaining operations comprising: cryptographically transforming a first encrypted data segment of the plurality of encrypted data segments to produce a first derived value; comparing the first derived value with a first expected value; responsive to determining that the first derived value matches the first expected value, decrypting the first derived value using the first decryption key to produce a first decrypted data segment and a second derived value; comparing the second derived value with a second expected value; and responsive to determining that the second derived value matches the second expected value, decrypting the second derived value using a second decryption key derived from the initial key to produce a second decrypted data segment.

12. A method comprising: during a boot process, loading, by a processing device, untrusted data into at least one of a cache or a memory of the processing device, the untrusted data comprising an encrypted data segment and a validator; deriving, by the processing device, an initial key using a path through a key tree based at least in part on an identifier associated with the encrypted data segment, a secret value and a plurality of entropy distribution operations; verifying, using the validator, whether the encrypted data segment has been modified; and responsive to verifying that the encrypted data segment has not been modified, decrypting the encrypted data segment using a first decryption key derived from the initial key to produce a decrypted data segment.

13. The method of claim 12, further comprising: executing the decrypted data segment by the processing device, wherein the decrypted data segment comprises at least one of software or firmware.

14. The method of claim 12, further comprising: responsive to a failure to successfully verify that the encrypted data segment has not been modified, removing the untrusted data from at least one of the cache or the memory.

15. The method of claim 14, further comprising: after removing the untrusted data from at least one of the cache or the memory, repeating the loading of the untrusted data, the deriving of the initial key, and the verifying of whether the encrypted data segment has been modified.

16. The method of claim 12, wherein the encrypted data segment comprises at least one of software or firmware, the method further comprising: determining a minimum acceptable version number for the software or firmware; and verifying that the software or firmware has a version number that is equal to or greater than the minimum acceptable version number.

17. The method of claim 16, wherein the untrusted data comprises instructions to update the minimum acceptable version number, the method further comprising: updating the minimum acceptable version number in accordance with the instructions.

18. The m
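The claims above describe a boot loader that (a) walks a key tree from a device secret to an initial key, with parts of the segment identifier selecting each leg (claims 6 and 7), (b) checks a validator derived by walking the same tree along a path given by the hash of the ciphertext before decrypting anything (claims 1 and 10), (c) derives per-segment decryption keys by further entropy distribution operations and chains segments by embedding the hash of the next ciphertext in each plaintext (claims 8 and 9), and (d) refuses firmware below a minimum version (claim 4). The Python script below is an added illustration of that flow written for this page; it is not the patent's code nor code from the assignee. Everything concrete in it is an assumption: HMAC-SHA256 stands in for the unspecified entropy distribution operation, an HMAC counter keystream stands in for the unnamed segment cipher, identifier and hash paths are split into 4-bit legs, and the image layout (validator, then length-prefixed ciphertexts, version field in the first segment) is invented for the example. The security point the key tree makes is visible in the code: no key is ever used with more than a handful of distinct inputs, which is what limits what a power-analysis attacker can collect per key.

```python
"""Illustration of the claimed secure-boot flow (added example, not the patent's code)."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32
VALIDATOR_LEN = 16


def entropy_op(parent: bytes, leg: int, branch: int) -> bytes:
    """One entropy distribution operation (assumption: HMAC-SHA256 keyed by the parent).
    The (leg, branch) pair selects which child is derived; a parent key is only ever
    mixed with at most 16 distinct inputs, which bounds per-key DPA exposure."""
    return hmac.new(parent, b"leg=%d;branch=%d" % (leg, branch), HASH).digest()


def walk_key_tree(root: bytes, path: bytes) -> bytes:
    """Derive a key by walking the key tree: the path is split into 4-bit parts and
    each part picks one of 16 branches for its leg (claims 6 and 7)."""
    key, leg = root, 0
    for byte in path:
        for branch in (byte >> 4, byte & 0x0F):
            key = entropy_op(key, leg, branch)
            leg += 1
    return key


def derive_initial_key(secret: bytes, segment_id: bytes) -> bytes:
    """Initial key from the device secret and the segment identifier (claim 1)."""
    return walk_key_tree(secret, segment_id)


def expected_validator(initial_key: bytes, ciphertext: bytes) -> bytes:
    """Claim 10: the hash of the ciphertext selects the path; the leaf is the validator."""
    return walk_key_tree(initial_key, HASH(ciphertext).digest())[:VALIDATOR_LEN]


def segment_key(initial_key: bytes, index: int) -> bytes:
    """Claim 8: first decryption key derived from the initial key; each later
    segment key is one more entropy distribution operation away."""
    key = entropy_op(initial_key, 0, 0)
    for i in range(index):
        key = entropy_op(key, i + 1, 0)
    return key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed HMAC-counter keystream cipher standing in for the segment cipher.
    Symmetric: the same call encrypts and decrypts."""
    out = bytearray()
    for counter in range((len(data) + HASH_LEN - 1) // HASH_LEN):
        block = hmac.new(key, counter.to_bytes(4, "big"), HASH).digest()
        chunk = data[counter * HASH_LEN:(counter + 1) * HASH_LEN]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def build_image(secret: bytes, segment_id: bytes, version: int, payloads: list) -> bytes:
    """Image producer (constructed for the example). Segments are chained back to
    front so each plaintext ends with the hash of the next ciphertext (claim 9);
    the first segment starts with the version; the validator covers ciphertext 0."""
    initial_key = derive_initial_key(secret, segment_id)
    next_hash = b"\x00" * HASH_LEN  # terminator carried by the last segment
    ciphertexts = []
    for index in range(len(payloads) - 1, -1, -1):
        body = payloads[index]
        if index == 0:
            body = version.to_bytes(4, "big") + body
        ct = keystream_xor(segment_key(initial_key, index), body + next_hash)
        ciphertexts.insert(0, ct)
        next_hash = HASH(ct).digest()
    framed = b"".join(len(ct).to_bytes(4, "big") + ct for ct in ciphertexts)
    return expected_validator(initial_key, ciphertexts[0]) + framed


def secure_boot_load(secret: bytes, segment_id: bytes, image: bytes, min_version: int) -> list:
    """Boot side: validator check before any decryption, hash chaining across
    segments, minimum-version check. Returns the decrypted payloads or raises."""
    validator, rest = image[:VALIDATOR_LEN], image[VALIDATOR_LEN:]
    initial_key = derive_initial_key(secret, segment_id)
    segments, pos = [], 0
    while pos + 4 <= len(rest):
        n = int.from_bytes(rest[pos:pos + 4], "big")
        segments.append(rest[pos + 4:pos + 4 + n])
        pos += 4 + n
    if not segments or not hmac.compare_digest(validator, expected_validator(initial_key, segments[0])):
        raise ValueError("validator mismatch: first segment modified or wrong device secret")
    payloads, expected_hash = [], None
    for index, ct in enumerate(segments):
        if expected_hash is not None and not hmac.compare_digest(HASH(ct).digest(), expected_hash):
            raise ValueError("hash chain broken at segment %d" % index)
        pt = keystream_xor(segment_key(initial_key, index), ct)
        body, expected_hash = pt[:-HASH_LEN], pt[-HASH_LEN:]
        if index == 0:
            version = int.from_bytes(body[:4], "big")
            if version < min_version:
                raise ValueError("rollback rejected: version %d below minimum %d" % (version, min_version))
            body = body[4:]
        payloads.append(body)
    return payloads


if __name__ == "__main__":
    secret = b"constructed-device-secret-0123456789"  # sample value, not a real key
    image = build_image(secret, b"\x12\x34", 7, [b"stage1", b"stage2-kernel"])
    print(secure_boot_load(secret, b"\x12\x34", image, 5))
```

Order matters in the loader: the validator is checked on the ciphertext before the first decryption, and every later segment is checked against the hash carried in its predecessor before it is decrypted, so a modified or truncated image is rejected without ever running a decryption key over attacker-controlled bytes.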

Assignees

Cryptography Res Inc
Inventors

Classifications

  • using cryptographic hash functions · CPC title

  • G06F21/602 (Primary): Providing cryptographic facilities or services · CPC title

  • Generation of secret information including derivation or calculation of cryptographic keys or passwords · CPC title

  • for achieving mutual authentication (cryptographic mechanisms or cryptographic arrangements for mutual authentication H04L9/3273) · CPC title

  • involving digital signatures · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9569623B2 cover?
A computing device includes a secure storage hardware to store a secret value and processing hardware comprising at least one of a cache or a memory. During a secure boot process the processing hardware loads untrusted data into at least one of the cache or the memory of the processing hardware, the untrusted data comprising an encrypted data segment and a validator, retrieves the secret value …
Who is the assignee on this patent?
Cryptography Res Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/602. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 14, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).