[Security] CSEC secureboot verify

Gideon — Thu, 25 Apr 2024 12:56:00 GMT

Dear NXPs：

S32K146

P-Flash 1M(2 Block)

D-Flash 32K

background:

CMD_BOOT_DEFINE→BootManager 6KB Use CSEC's secureboot mechanism for verification.

The secondary verification area is Flex NVM Bootloader;

The area of third-level verification is Application;

A. Sequential Boot Mode

Q1:

(void)CSEC_DRV_BootDefine(BOOT_SIZE, CSEC_BOOT_SERIAL) After enabling secureboot, power on again to enter Secureboot. Since the selected mode is A. Sequential Boot Mode, even if the on-chip ROM fails to verify the Bootmanager image, the Bootmanager code will still be executed, so I It cannot be judged whether the first level verification is successful. I use the CSEC_DRV_GetStatus() interface in Bootmanager to determine the result of the first-level verification. If the (1 == (CSEC_STATUS_BOOT_OK & CSEC_DRV_GetStatus())) condition is met, the first-level verification is considered successful. Is my understanding correct?

Q2:

Is there any way I can get the BOOT_MAC value calculated by CSEC? Because I want to know what is the difference between this and the BOOT_MAC I calculated on my PC

Re: [Security] CSEC secureboot verify

lukaszadrapa — Mon, 08 Apr 2024 06:40:54 GMT

Hi @Gideon

Even if sequential or parallel secure boot mode fails, the application code is executed. The only effect of the failure is that boot protected keys cannot be used. Only if strict sequential boot mode is used, the device will stay in reset forever if secure boot fails. But notice that there's no way to recover - the device needs to be replaced.

Yes, use CSEC_STATUS_BOOT_OK to check the result.

There's no way to read BOOT_MAC. This would violate the SHE specification.

Regards,
Lukas

S32Kのトピック[Security] CSEC secureboot verify

[Security] CSEC secureboot verify

Re: [Security] CSEC secureboot verify