S32K144 CSEc Application MAC Storage Options for Secure Boot Verification

Kishore_14 — Thu, 08 Jan 2026 08:51:43 GMT

Hardware: S32K144EVB-Q100
Software: S32 Design Studio, OpenBLT Bootloader, an5401-csec

We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.

We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.

After bootloader verification (BOK=1), we need to verify application on every reset. For this, we need to:

Store application MAC somewhere during programming
Verify application MAC on every reset

We've considered these options but have concerns:

CSEc KEY slots (like KEY_2): Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?
Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.
EEPROM: Is this a good approach? Any recommended EEPROM addresses?

What other approaches would be suitable for storing application MAC that bootloader can reliably read for verification on every reset?

Re: S32K144 CSEc Application MAC Storage Options for Secure Boot Verification

lukaszadrapa — Thu, 08 Jan 2026 15:16:50 GMT

This seems to be a duplicate of:

https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/td-p/2289948

topic Re: S32K144 CSEc Application MAC Storage Options for Secure Boot Verification in S32K

S32K144 CSEc Application MAC Storage Options for Secure Boot Verification

Re: S32K144 CSEc Application MAC Storage Options for Secure Boot Verification