S32GのトピックRe: seclogging at bl2

seclogging at bl2

Jayashree — Mon, 15 Dec 2025 09:32:25 GMT

Hello,

I am trying to implement secure logging on the A-core (BSP43). The goal is to log security-related failures such as Secure Boot failures, Wi-Fi/TLS failures, etc.

Currently, I am attempting to log Secure Boot failures at the BL2 stage. My initial approach was to write these logs directly into NOR flash and encrypt them using HSE. However, I am running into the following limitations at the BL2 level on S32G:

There are no predefined APIs available in BL2 to read from or write to NOR flash.
Persistent or append-style logging cannot be implemented at the BL2 stage.

Because of these constraints, I am unsure how or where such Secure Boot failure logs should be stored at BL2 so that they can later be accessed from Linux.

For Wi-Fi and TLS-related failures, I plan to use NetworkManager-based logging at the Linux level.

Could you please advise on a feasible approach for logging Secure Boot failures originating from BL2, or suggest a recommended mechanism for secure logging in this scenario?

Re: seclogging at bl2

chenyin_h — Tue, 16 Dec 2025 02:25:41 GMT

Hello, @Jayashree

Thanks for your post.

It is a user defined software implementation, sorry that there is not formal recommendation from our side for such topic.

Regarding the secure boot failure logged in BL2 stage, do you mean the BL2 failed to authenticate the BL3x binaries, and want to log the related information?

From my experience, the logs mentioned above could be found from the console, if you want to save them to the QSPI, since the BL2 could load images from QSPI, and put them into DDR, so that it could access the QSPI, would you mind checking the related code/API to find whether it could fulfill your requirements?

Chenyin

Re: seclogging at bl2

Jayashree — Fri, 26 Dec 2025 06:57:09 GMT

Hello Chenyin,

As per your suggestion, I attempted to use the MMIO read/write APIs from BL2; however, the boot process appears to halt immediately after the API call.

I also tried using the FSPI read/write APIs, but in this case, I am unable to complete the Yocto build itself.

Could you please confirm whether read/write access from BL2 is supported when secure boot is enabled? If it is supported, could you advise which APIs are recommended for this use case? Alternatively, I would appreciate your guidance on feasible approaches or recommended alternatives for logging or data persistence from BL2.

Best regards,
Jayashree