Viability of using ROM Bootloader as part of user firmware updates

取消
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

Viability of using ROM Bootloader as part of user firmware updates

1,268 次查看
chrismc
Contributor II

We've been looking at the possibility of user the Kinetis ROM bootloader (on MKL27Z4) as part of the user (post-shipping) firmware update process via USB, however from what we can tell it doesn't seem it would be a viable option for us if we're interested in securing the flash.

The main issue we would hit is that once flash has been configured as secure, it seems that to make any update via the  ROM bootloader it would require a full erase (of absolutely all flash). This would mean that any 'factory' data stored in flash would be lost (the PC side updater app could potentially request and cache that data before switching the target to ROM bootloader mode, but the process could be interrupted and the data lost).

Is that understanding correct? If so, it would seem to mean that the ROM bootloader fundamentally can't be part of a secure firmware update process (where no other secure data storage is available).

标签 (1)
标记 (2)
0 项奖励
回复
4 回复数

1,113 次查看
cutworth
NXP Employee
NXP Employee

Hi Chris,

Please note the flash security feature apply only to external access from debug. CPU access to flash is not affected by flash security status.

Also Kinetis ROM bootloader has a command called FlashSecurityDisable which can be used for disabling flash security by comparing 8-byte backdoor key during flash firmware update. And you can enable flash security again as long as your updated firmware has 0x40C(flash configuration byte) configured as flash secured.

Hao

0 项奖励
回复

1,113 次查看
chrismc
Contributor II

Hi Hao

Thanks for the reply.

Regarding the CPU still having flash access... doesn't the ROM bootloader also respect the flash security status and not allow access through itself (even though it's running on the CPU)? Related to that, I have wondered if the bootloader's 'write-memory' and 'execute' command would mean that it would be relatively simple to bypass that.

On the backdoor key, we had previously discounted that as an option due to the need of transferring it unencrypted over USB, but we've reevaluated that and it does look like we can use that in a useful way.

Cheers, Chris

0 项奖励
回复

1,113 次查看
cutworth
NXP Employee
NXP Employee

Hi Chris,

Yes, you are correct.

For write memory command with the ROM bootloader, if you need to write flash area, then you need to first unsecure flash. See following note from RM.

First, any flash sector written to must have been previously erased with a FlashEraseAll, FlashEraseRegion, or FlashEraseAllUnsecure command.

But for execute command, there is no relationship with flash security, you can still execute code in flash under secure state. Secure mode just prevents external access to flash content.

Hao

0 项奖励
回复

1,113 次查看
chrismc
Contributor II

So if the bootloader allows you to upload and execute any code to be run on the CPU (which can then access the Flash and make its content available no matter what the security setting is), then it's possible to work around the security features right?

0 项奖励
回复