secure boot

hello,Alice:

OpenSSL I haven't yet configured successfully，so certificates are generated by a tool found online; I'm trying to configure OpenSSL. Certificate in SDK expired and elftosb reported an error，Is it possible to provide a certificate?

   other question， DIGEST of CMPA is not configed，secure boot is configed； Is there any other way to modify CMPA except bootloader.

   I find that IMAGE_KEY_REVOKE of CFPA  has 4 bytes from address  0x9DE10,  but it only need two bytes； so i shall write 3C C3 00 00 from  address 0x9DE10 ? 

  Can you provide an example of a complete set of operational processes?  What is the first step?What is the second step? ...

Hello ning xie,

About the steps, please refer to this Application Note:

https://www.nxp.com/docs/en/application-note/AN12283.pdf    

Hello,Alice:

Thank you very much for your reply；The following three questions can be answered：

1、OpenSSL I haven't yet configured successfully，so certificates are generated by a tool found online; I'm trying to configure OpenSSL. Certificate in SDK expired and elftosb reported an error，Is it possible to provide a certificate?

 2、 DIGEST of CMPA is not configed，secure boot is configed； Is there any other way to modify CMPA except bootloader.

  3、 I find that IMAGE_KEY_REVOKE of CFPA  has 4 bytes from address  0x9DE10,  but it only need two bytes； so i shall write 3C C3 00 00 from  address 0x9DE10 ? 

Hello ning xie,

1. Sorry I can't give you a certificate, as I also need give you the Key. What's the problem when you using OpenSSL?

2. About this question, I will help you ask development team whether this is method.

3. From  AN12283 we can see, in IMAGE_KEY_REVOKE, the 31:16 reserved, only two bytes (15:0) are used as

IMG revocation counter:

Hello,Alice:

Thank you very much for your reply；When I use boot, I do the following：

Data preparation process：

1、I generated a secure image with a starting address of 0x10000000,  the size of this image is 0x10424;  config of this image :load address(0x10000000) 、imageTZ-M Enable but no preset data、add four ROOT keys, key is generated by referring to AN12283_LPC55Sxx_Secure_boot; As an annex“elftosb_gui”

   The starting address of the  non secure code is 0x20000, no crc 、no signed;

2、CFPA：config  "Version" of CFPA to 0x01 and config "ROTKH_REVOKE"为0x55；As an annex“cfpa_9DE00_1.bin”

3、CMPA is generated using elftosb_gui tool： SECURE_BOOT_CFG（0x9E41C） is Boot signed images、

RKTH is generated using elftosb tools（01747922a5d76949d3db0b7eb1cce7cfce9a46516456b19ea78f53375af2b943）、

DIGEST also is generated using elftosb tools.As an annex“cmpa_9E400_1.bin”

 note: puf、prince are not used.

Operating process：

   1、 Enter boot，erase flash :blhost.exe -p COM45 -- flash-erase-region 0x00000 0x40000; 

2、load image：blhost -p COM45 write-memory 0x20000 hello_world_ns_0614.bin 、blhost -p COM45 write-memory 0 hello_world_s_sig_0614.bin；

3、read and write CFPA :

blhost -p COM45 read-memory 0x9DE00 512 cfpa_9DE00_0.bin
blhost -p COM45 read-memory 0x9E000 512 cfpa_9E000_0.bin
blhost -p COM45 read-memory 0x9E200 512 cfpa_9E200_0.bin

blhost -p COM45 write-memory 0x9DE00 cfpa_9DE00_1.bin

blhost -p COM45 read-memory 0x9DE00 512 cfpa_9DE00_2.bin
blhost -p COM45 read-memory 0x9E000 512 cfpa_9E000_2.bin
blhost -p COM45 read-memory 0x9E200 512 cfpa_9E200_2.bin

4、read and write CMPA :

blhost -p COM45 read-memory 0x9E400 512 cmpa_9E400_0.bin

blhost -V -p COM45,57600 -- write-memory 0x9E400 cmpa_9E400_1.bin

5、reset，Running error；

these steps are  right ? Looking forward to your reply.