https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1836351#M33518 <P>Hi <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/222923">@anakha</a>&nbsp;</P> <P>there's some explanation in section "7.3. Implement secure boot" in the Secure boot application note.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lukaszadrapa_0-1711543271229.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/270695i7F460E82A1F7E486/image-size/medium?v=v2&amp;px=400" role="button" title="lukaszadrapa_0-1711543271229.png" alt="lukaszadrapa_0-1711543271229.png" /></span></P> <P><BR />When you update your application, you load also new auth_tag to the passive block (auth_tag of your new application). After AB swap, still the same SMR will read still the same address of auth_tag in active block - the auth_tag corresponds to the new application now, so everything is ok a secure boot will pass. <BR />If you don't do that in this way, it would be necessary to update the SMR.</P> <P>Regards,<BR />Lukas</P> Wed, 27 Mar 2024 12:42:09 GMT lukaszadrapa 2024-03-27T12:42:09Z https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1833800#M33355 <P>Hi,</P><P>Advanced Secure Boot authentication proof is based on defined start address, size and config. (regarding to HSE Demo Advanced Secure Boot example and also Secure Boot App demo - SW745310)</P><P>The start address and the reserved SMR size for the application remains same for most of the time even the application updates.&nbsp;<SPAN>Key catalog and the key values are also remain same.</SPAN></P><P><SPAN>then, the TAG value and its address in flash remain same all the time even App changes.&nbsp;</SPAN></P><P><SPAN>What am I missing here? How Secure boot checks my app is secured?</SPAN></P><P><SPAN>Do I need to change keys or catalog each time I change app? But these values are defined in bootloader not in app.</SPAN></P><P><SPAN>Do I need to implement another signature (RSA or ECC) depend on the content of the App? if yes, how?</SPAN></P><P><SPAN>Thanks in advance.</SPAN></P><P><SPAN>regards,</SPAN></P> Fri, 22 Mar 2024 14:20:54 GMT https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1833800#M33355 anakha 2024-03-22T14:20:54Z https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1836351#M33518 <P>Hi <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/222923">@anakha</a>&nbsp;</P> <P>there's some explanation in section "7.3. Implement secure boot" in the Secure boot application note.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="lukaszadrapa_0-1711543271229.png" style="width: 400px;"><img src="https://community.nxp.com/t5/image/serverpage/image-id/270695i7F460E82A1F7E486/image-size/medium?v=v2&amp;px=400" role="button" title="lukaszadrapa_0-1711543271229.png" alt="lukaszadrapa_0-1711543271229.png" /></span></P> <P><BR />When you update your application, you load also new auth_tag to the passive block (auth_tag of your new application). After AB swap, still the same SMR will read still the same address of auth_tag in active block - the auth_tag corresponds to the new application now, so everything is ok a secure boot will pass. <BR />If you don't do that in this way, it would be necessary to update the SMR.</P> <P>Regards,<BR />Lukas</P> Wed, 27 Mar 2024 12:42:09 GMT https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1836351#M33518 lukaszadrapa 2024-03-27T12:42:09Z https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1836371#M33522 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/37795">@lukaszadrapa</a>,</P><P>I am using full_mem right now, but will use AB_Swap soon.</P><P>Anyway, please correct me if I am wrong. I understand that you are saying to create a new TAG each time I update my App and write it to the same address. My problem/question is creating a different TAG.</P><P>KEY Catalog and and initial key is defined in bootloader not in APP and how can I crate different TAG if they remain same?</P><P>I only change App, bootloader config stays same, right?</P><P>&nbsp;</P> Wed, 27 Mar 2024 13:04:21 GMT https://community.nxp.com/t5/S32K/Advanced-Secure-Boot-SMR-verification/m-p/1836371#M33522 anakha 2024-03-27T13:04:21Z