https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370436#M46989 <P>In UM11126 chapter 7.2.2&nbsp;Secure firmware update it's written:</P><LI-CODE lang="c">If firmware updates are to be performed in the field when secure boot is enabled, then a secure firmware update mechanism is preferred. Otherwise inauthentic firmware may be written to the device, causing it to not boot.</LI-CODE><P>&nbsp;</P><P>Is there a way to allow secure update and permanently disable write-memory? otherwise I don't understand how it's possible to prevent writing of inauthentic firmware?</P><P>Marco</P> Fri, 12 Nov 2021 07:22:33 GMT MarcoBelli1 2021-11-12T07:22:33Z https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370023#M46984 <P>hi</P><P>I'm trying to understand LPC55S69 secure boot.</P><P>I'm reading UM11126 user manual and AN12283.</P><P>What are the options to update a firmware on LPC after secure boot is enabled?</P><P>I understand that 2 main commands are available for programming the flash</P><P>1) blhost write-memory</P><P>2) blhost receive-sb-file</P><P>are both of them available after secure boot is enabled?&nbsp;</P><P>is only receive-sb file enabled?</P><P>&nbsp;</P><P>the only info I have found is:</P><LI-CODE lang="c">SECURE_BOOT_CFG field determines whether secure boot flow is enabled or not. • If secure boot is enabled or debug authentication fields (CC_SOCU_xxx) are not in the default state, then limited ISP commands are allowed. Allowed command set can be retrieved by “blhost -p COMx/-u &lt;VID,PID&gt; -- get-property 7”.</LI-CODE><P>&nbsp;</P><P>thank you</P> Thu, 11 Nov 2021 15:20:28 GMT https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370023#M46984 MarcoBelli1 2021-11-11T15:20:28Z https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370126#M46985 <P>Both of these commands are available for programming the flash after secure boot is enabled.</P> <P>As you can see in AN12283, “write-memory” is used to write a signed image into flash (p. 15) and “receive-sb-file” is used to load a SB2.0 file into the device (p. 19). In both instances the secure boot is already enabled. &nbsp;</P> <P>You can also find some more information about each command on the “blhost User's Guide” document, here’s the link: <A href="https://www.nxp.com/docs/en/user-guide/MCUBLHOSTUG.pdf" target="_blank">https://www.nxp.com/docs/en/user-guide/MCUBLHOSTUG.pdf</A></P> <P>&nbsp;</P> <P>Best regards,</P> <P>Edwin.</P> Thu, 11 Nov 2021 19:08:21 GMT https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370126#M46985 EdwinHz 2021-11-11T19:08:21Z https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370436#M46989 <P>In UM11126 chapter 7.2.2&nbsp;Secure firmware update it's written:</P><LI-CODE lang="c">If firmware updates are to be performed in the field when secure boot is enabled, then a secure firmware update mechanism is preferred. Otherwise inauthentic firmware may be written to the device, causing it to not boot.</LI-CODE><P>&nbsp;</P><P>Is there a way to allow secure update and permanently disable write-memory? otherwise I don't understand how it's possible to prevent writing of inauthentic firmware?</P><P>Marco</P> Fri, 12 Nov 2021 07:22:33 GMT https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370436#M46989 MarcoBelli1 2021-11-12T07:22:33Z https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370824#M46994 <P>Secure Boot provides the tools to ensure that unauthorized code can’t be executed, not to disable flash programming. This is instead done with the Lifecycle state. Take a look into Section 10.3 of the User Manual, specifically “OEM Closed” on Table 273. I believe this will prove to be useful for your inquiry.</P> Fri, 12 Nov 2021 21:37:35 GMT https://community.nxp.com/t5/LPC-Microcontrollers/lpc55s69-secure-boot/m-p/1370824#M46994 EdwinHz 2021-11-12T21:37:35Z