https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/m-p/2289948#M55973 <P><SPAN><STRONG>Hardware:</STRONG>&nbsp;S32K144EVB-Q100<BR /><STRONG>Software:</STRONG>&nbsp;S32 Design Studio, OpenBLT Bootloader, an5401-csec<BR /><BR />We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.<BR /><BR />We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.<BR /><BR /></SPAN></P><P>After bootloader verification (BOK=1), we need to verify application on every reset. For this, we need to:</P><OL><LI>Store application MAC&nbsp;somewhere during programming</LI><LI>Verify application MAC&nbsp;on every reset</LI></OL><P>We've considered these options but have concerns:</P><UL><LI><P><STRONG>CSEc KEY slots (like KEY_2)</STRONG>: Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?</P></LI><LI><P><STRONG>Flash memory</STRONG>: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.</P></LI><LI><P><STRONG>EEPROM</STRONG>: Is this a good approach? Any recommended EEPROM addresses?</P></LI></UL><P>What other approaches would be suitable for storing application MAC that bootloader can reliably read for verification on every reset?</P><P><SPAN>&nbsp;</SPAN></P> Thu, 08 Jan 2026 07:38:15 GMT Kishore_14 2026-01-08T07:38:15Z https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/m-p/2289948#M55973 <P><SPAN><STRONG>Hardware:</STRONG>&nbsp;S32K144EVB-Q100<BR /><STRONG>Software:</STRONG>&nbsp;S32 Design Studio, OpenBLT Bootloader, an5401-csec<BR /><BR />We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.<BR /><BR />We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.<BR /><BR /></SPAN></P><P>After bootloader verification (BOK=1), we need to verify application on every reset. For this, we need to:</P><OL><LI>Store application MAC&nbsp;somewhere during programming</LI><LI>Verify application MAC&nbsp;on every reset</LI></OL><P>We've considered these options but have concerns:</P><UL><LI><P><STRONG>CSEc KEY slots (like KEY_2)</STRONG>: Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?</P></LI><LI><P><STRONG>Flash memory</STRONG>: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.</P></LI><LI><P><STRONG>EEPROM</STRONG>: Is this a good approach? Any recommended EEPROM addresses?</P></LI></UL><P>What other approaches would be suitable for storing application MAC that bootloader can reliably read for verification on every reset?</P><P><SPAN>&nbsp;</SPAN></P> Thu, 08 Jan 2026 07:38:15 GMT https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/m-p/2289948#M55973 Kishore_14 2026-01-08T07:38:15Z https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/m-p/2290323#M55991 <P>Hi&nbsp;<a href="https://community.nxp.com/t5/user/viewprofilepage/user-id/257154">@Kishore_14</a>&nbsp;</P> <P>&nbsp;</P> <P>Common approach is to have CMAC stored in code flash, it can be appended to application which is being verified by this CMAC.</P> <P>&nbsp;</P> <P>“<STRONG>Flash memory</STRONG>: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.”</P> <P>- You don’t need old CMAC when updating the application. You need the new one for new application. I can’t see problem here. &nbsp;</P> <P>&nbsp;</P> <P>Storing the CMAC to CSEc key slot is not an option, you can’t export it or use it as a CMAC.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Lukas</P> Thu, 08 Jan 2026 15:10:34 GMT https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/m-p/2290323#M55991 lukaszadrapa 2026-01-08T15:10:34Z