https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2248069#M54788 <P>Hi <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/242600">@minjaekang99</a>&nbsp;</P> <P>1. This is described in section "7.10.4 Sanctions" in HSE firmware reference manual. If the secure boot fails, alternate image can be executed (if configured). If it fails too, the device enters recovery mode. Or you can only disable usage of individual keys (based on smrFlags) or all keys. Or the device can be reset and it can enter a recovery mode after 8 resets... See mentioned section in the manual for more details and also check HSE Service API reference manual.&nbsp;</P> <P>2. Yes, common way is to finalize your application and then start with configuration of secure boot.&nbsp;</P> <P>Regards,</P> <P>Lukas</P> Tue, 25 Nov 2025 06:29:27 GMT lukaszadrapa 2025-11-25T06:29:27Z https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2232752#M54715 <P>Hello, I am working with Secure Boot on the S32K324 (HSE firmware), and I want to confirm whether my understanding is correct.</P><OL><LI><P>Once Secure Boot is activated and the SMR/CR entries are provisioned, will the device refuse to boot if the application firmware changes even by one byte (e.g., code modification, rebuild, RTD version change, etc.) because the hash/signature no longer matches?</P></LI><LI><P>Given this behavior, is the recommended workflow to <STRONG>complete all firmware development first</STRONG>, finalize the application image, and <STRONG>activate Secure Boot only at the very end</STRONG> of the project (since any further code changes would cause Secure Boot verification to fail)?</P></LI></OL><P>Thank you in advance for your clarification.</P> Fri, 21 Nov 2025 10:29:10 GMT https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2232752#M54715 minjaekang99 2025-11-21T10:29:10Z https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2246832#M54756 <P><SPAN>Can anyone answer this question?</SPAN></P> Mon, 24 Nov 2025 08:03:08 GMT https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2246832#M54756 minjaekang99 2025-11-24T08:03:08Z https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2248069#M54788 <P>Hi <a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/242600">@minjaekang99</a>&nbsp;</P> <P>1. This is described in section "7.10.4 Sanctions" in HSE firmware reference manual. If the secure boot fails, alternate image can be executed (if configured). If it fails too, the device enters recovery mode. Or you can only disable usage of individual keys (based on smrFlags) or all keys. Or the device can be reset and it can enter a recovery mode after 8 resets... See mentioned section in the manual for more details and also check HSE Service API reference manual.&nbsp;</P> <P>2. Yes, common way is to finalize your application and then start with configuration of secure boot.&nbsp;</P> <P>Regards,</P> <P>Lukas</P> Tue, 25 Nov 2025 06:29:27 GMT https://community.nxp.com/t5/S32K/S32K3-Secure-Boot-activation-timing-question/m-p/2248069#M54788 lukaszadrapa 2025-11-25T06:29:27Z