Load Encrypted Image - MCUBoot Flashloader


This document explains how to load an encrypted image onto the K64 using MCUBoot.

Download the SDK for the K64 and make sure that the MCU boot feature is selected:

https://mcuxpresso.nxp.com/en/welcome


For the example, I'm going to use gpio_led_output. To prepare the example to work with the bootloader, follow these steps:

  • In Properties / C/C++ Build / MCU settings, set the start of the flash to 0xa000 to preserve the bootloader section.

  • Generate the binary for the image to load.

  • Write the BCA
    • Create the BCA (Bootloader Configuration Area); this field manages the different features of the bootloader. To generate it, the KinetisFlashTool can be used, you can find it in the following link. In these options you need to add the tag, the peripheral used to communicate, and a timeout that gives a time frame in which the bootloader can be called again without calling it from your application. Click OK and save the BCA to the image.

The bootloader can be found in the SDK examples.

In bootloader_config.h, change BL_FEATURE_ENCRYPTION_KEY_ADDRESS to an address outside the code you will load; in this case, I'm going to use 0xF000:

#define BL_FEATURE_ENCRYPTION_KEY_ADDRESS 0xf000 // NOTE: this address must be 4-byte aligned.

After this, load the firmware to the MCU.

For the next steps we will need to generate the secure file:

  • Generate the AES-128 key using elftosb:

Command: elftosb.exe -V -d -f kinetis -n 1 -K 128 -o SBKEK.key

  • Create the SB image from the binary:
    • Use option -k to pass the key generated before
    • Use option -f to define the device. The device must be kinetis to be able to use a 128-bit AES key
    • Use option -c to load the bd file (see attached)
    • Use option -o to define the output

Command: elftosb.exe -V -d -f kinetis -c (bd file path) -k (key path) -o (output path).sb2 (image path)

 

Now we will load the image using blhost:

  • Erase the memory section where the program will be loaded and reset the device

Command: blhost.exe -p COMx -- flash-erase-region 0xa000 0x10000

  • Program the AES key, the same one generated in the previous step. Load it to the memory section previously defined in BL_FEATURE_ENCRYPTION_KEY_ADDRESS and confirm that the key was loaded correctly:

Command: blhost.exe -p COMx -- write-memory 0xF000 "{{key generated}}"

Command: blhost.exe -p COMx -- read-memory 0xF000 16

 

  • Load the SB file

Command: blhost.exe -p COMx -- receive-sb-file (path encrypted sb file)

After a reset the application should run correctly.
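
A pre-flight check for the key placement and key argument used in the steps above, written as an added Python example (it is not part of the original article or of the NXP tools). The addresses are the article's; the 4 KB erase sector size, the assumption that the key is available as 32 hex characters, and all function names are hypothetical.

```python
# Added example; addresses are the article's, SECTOR_SIZE is an assumption.
APP_BASE = 0xA000      # flash start set in MCU settings (bootloader sits below)
ERASE_LEN = 0x10000    # length passed to flash-erase-region
KEY_ADDR = 0xF000      # BL_FEATURE_ENCRYPTION_KEY_ADDRESS
KEY_LEN = 16           # AES-128 key size in bytes
SECTOR_SIZE = 0x1000   # assumed flash erase granularity; check your part


def check_layout(image_size, app_base=APP_BASE, key_addr=KEY_ADDR,
                 key_len=KEY_LEN, sector=SECTOR_SIZE):
    """Return a list of problems; an empty list means the placement is usable."""
    problems = []
    if key_addr % 4:
        problems.append("key address is not 4-byte aligned")
    if key_addr < app_base:
        problems.append("key lies inside the bootloader region")
    # Flash is erased in whole sectors, so round the image end up to the
    # next sector boundary before testing for overlap with the key.
    image_end = -(-(app_base + image_size) // sector) * sector
    if key_addr < image_end and key_addr + key_len > app_base:
        problems.append("key overlaps sectors used by the image")
    return problems


def erase_wipes_key(erase_start=APP_BASE, erase_len=ERASE_LEN,
                    key_addr=KEY_ADDR, key_len=KEY_LEN):
    """True when the erased range covers the key, which must then be rewritten."""
    return key_addr < erase_start + erase_len and key_addr + key_len > erase_start


def blhost_key_arg(key_hex):
    """Validate hex key text and format it as blhost inline data: {{...}}."""
    key = bytes.fromhex(key_hex.strip())
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN} key bytes, got {len(key)}")
    return "{{" + key.hex() + "}}"


if __name__ == "__main__":
    sample_key = "00112233445566778899AABBCCDDEEFF"   # constructed, not a real key
    print(check_layout(image_size=0x2000))            # small image: no problems
    print(check_layout(image_size=0x5001))            # image reaches the key sector
    print(erase_wipes_key())                          # article's erase range covers 0xF000
    print(blhost_key_arg(sample_key))
```

With the article's values, erase_wipes_key() returns True: 0xF000 lies inside the range erased from 0xa000, so the key has to be written after the erase, in the order the steps above use.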

             

 
