FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

How to Enable Secure Boot on K32L3A

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

How to Enable Secure Boot on K32L3A

Jump to solution
‎05-08-2024 01:11 PM
1,936 Views
jraczak
Contributor I

I'm trying to implement secure boot on my project. I'm using the K32L3A and using BLhost to write the IFR's. I seem to have all other functions working except secure boot. For simplicity of testing, I'm putting an unsigned image and not programming the RKTH onto the part. I would like to see it not boot when I enable secure boot. My process is as follows.

  1. Enable secure boot
    1. The command I use is: ./blhost --spi <mysettings> --noping -- flash-program-once 0x98 8 FFFFFF00FFFFFF00
    2. According to this article each bit in the IFR is mapped to a CCOB register and the register should be written with a 0xFF for b'1 and 0x00 for b'0. I should be writing 11101110 to the register, which according to the documentation is:
      • secure boot enabled.
      • secure boot development mode disabled
      • if secure boot fails, go to bootloader mode.jraczak_0-1715198758152.png
  2. Enable Flash security.
    1. The command I use is: ./blhost --spi  <mysettings> --noping -- flash-program-once 0x80 4 FFFFFFFF
    2. I'm very confident this command works because any subsequent BLHost commands get a response of "security must be disabled".

 

Upon reset, the unsigned image boots, meaning secure boot is not active. I can't find any examples of how to enable secure boot and based on the user guide, these seemed to be the only two necessary steps. Any help is appreciated!

 

 

0 Kudos
Reply
1 Solution

Jump to solution
‎05-15-2024 06:36 PM
1,861 Views
jraczak
Contributor I

I was able to solve the issue. 0xFF and 0x00 only maps to logic 1's and 0's for some of the IFR's. It turns out, I just had to use ./blhost --spi <mysettings> --noping -- flash-program-once 0x98 8 FFFFFFFFFFFFFFE1 to get my desired setting.

View solution in original post

0 Kudos
Reply
2 Replies

Jump to solution
‎05-15-2024 06:36 PM
1,862 Views
jraczak
Contributor I

I was able to solve the issue. 0xFF and 0x00 only maps to logic 1's and 0's for some of the IFR's. It turns out, I just had to use ./blhost --spi <mysettings> --noping -- flash-program-once 0x98 8 FFFFFFFFFFFFFFE1 to get my desired setting.

0 Kudos
Reply

Jump to solution
‎05-10-2024 05:46 AM
1,905 Views
bobpaddock
Senior Contributor III
Is there any Endian byte swapping going on? That would not be apparent in writing all 0xFFs, it would in real data.

M0+ are Little Endian.
0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-1861832%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EHow%20to%20Enable%20Secure%20Boot%20on%20K32L3A%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1861832%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EI'm%20trying%20to%20implement%20secure%20boot%20on%20my%20project.%20I'm%20using%20the%20K32L3A%20and%20using%20BLhost%20to%20write%20the%20IFR's.%20I%20seem%20to%20have%20all%20other%20functions%20working%26nbsp%3B%3CEM%3Eexcept%26nbsp%3B%3C%2FEM%3Esecure%20boot.%20For%20simplicity%20of%20testing%2C%20I'm%20putting%20an%20unsigned%20image%20and%20not%20programming%20the%20RKTH%20onto%20the%20part.%20I%20would%20like%20to%20see%20it%26nbsp%3B%3CEM%3Enot%3C%2FEM%3E%20boot%26nbsp%3Bwhen%20I%20enable%20secure%20boot.%20My%20process%20is%20as%20follows.%3C%2FP%3E%3COL%3E%3CLI%3EEnable%20secure%20boot%3COL%3E%3CLI%3EThe%20command%20I%20use%20is%3A%20.%2Fblhost%20--spi%20%3CMYSETTINGS%3E%20--noping%20--%20flash-program-once%200x98%208%20FFFFFF00FFFFFF00%3C%2FMYSETTINGS%3E%3C%2FLI%3E%3CLI%3EAccording%20to%20this%20%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2FKinetis-Microcontrollers%2FProgramming-the-K32L3A-MCU-Flash-IFR-Fields%2Fta-p%2F1127171%22%20target%3D%22_self%22%3Earticle%3C%2FA%3E%26nbsp%3Beach%20bit%20in%20the%20IFR%20is%20mapped%20to%20a%20CCOB%20register%20and%20the%20register%20should%20be%20written%20with%20a%200xFF%20for%20b'1%20and%200x00%20for%20b'0.%20I%20should%20be%20writing%2011101110%20to%20the%20register%2C%20which%20according%20to%20the%20documentation%20is%3A%3CUL%3E%3CLI%3Esecure%20boot%20enabled.%3C%2FLI%3E%3CLI%3Esecure%20boot%20development%20mode%20disabled%3C%2FLI%3E%3CLI%3Eif%20secure%20boot%20fails%2C%20go%20to%20bootloader%20mode.%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22jraczak_0-1715198758152.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22jraczak_0-1715198758152.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F277809iA0C882FF731FCC87%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22jraczak_0-1715198758152.png%22%20alt%3D%22jraczak_0-1715198758152.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FLI%3E%3C%2FUL%3E%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3CLI%3EEnable%20Flash%20security.%3COL%3E%3CLI%3EThe%20command%20I%20use%20is%3A%20.%2Fblhost%20--spi%26nbsp%3B%20%3CMYSETTINGS%3E%20--noping%20--%20flash-program-once%200x80%204%20FFFFFFFF%3C%2FMYSETTINGS%3E%3C%2FLI%3E%3CLI%3EI'm%20very%20confident%20this%20command%20works%20because%20any%20subsequent%20BLHost%20commands%20get%20a%20response%20of%20%22security%20must%20be%20disabled%22.%3C%2FLI%3E%3C%2FOL%3E%3C%2FLI%3E%3C%2FOL%3E%3CBR%20%2F%3E%3CP%3EUpon%20reset%2C%20the%20unsigned%20image%20boots%2C%20meaning%20secure%20boot%20is%20not%20active.%20I%20can't%20find%20any%20examples%20of%20how%20to%20enable%20secure%20boot%20and%20based%20on%20the%20user%20guide%2C%20these%20seemed%20to%20be%20the%20only%20two%26nbsp%3B%3CEM%3Enecessary%3C%2FEM%3E%20steps.%20Any%20help%20is%20appreciated!%3C%2FP%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1866669%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20How%20to%20Enable%20Secure%20Boot%20on%20K32L3A%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1866669%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EI%20was%20able%20to%20solve%20the%20issue.%200xFF%20and%200x00%20only%20maps%20to%20logic%201's%20and%200's%20for%20some%20of%20the%20IFR's.%20It%20turns%20out%2C%20I%20just%20had%20to%20use%20%3CSPAN%3E.%2Fblhost%20--spi%20%3CMYSETTINGS%3E%20--noping%20--%20flash-program-once%200x98%208%20FFFFFFFFFFFFFFE1%20to%20get%20my%20desired%20setting.%3C%2FMYSETTINGS%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1863478%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ERe%3A%20How%20to%20Enable%20Secure%20Boot%20on%20K32L3A%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1863478%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EIs%20there%20any%20Endian%20byte%20swapping%20going%20on%3F%20That%20would%20not%20be%20apparent%20in%20writing%20all%200xFFs%2C%20it%20would%20in%20real%20data.%3CBR%20%2F%3E%3CBR%20%2F%3EM0%2B%20are%20Little%20Endian.%3C%2FLINGO-BODY%3E