- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- General Purpose Microcontrollers
- :
- LPC Microcontrollers
- :
- Re: Flash Access possible from lower to higher security tier
Flash Access possible from lower to higher security tier
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Flash Access possible from lower to higher security tier
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tested reading, writing and erasing flash of the highest security tier (secure privileged) from a lower security tier (secure non-privileged). As lower security tiers should not be able to access higher security tiers, this should not be possible if the microcontroller was configured correct according to my understanding. I made a test project with two binaries: bl1 (secure privileged, 0x10000000-0x10008000) and bl2 (secure non-privileged, 0x10008000-0x10010000). The SAU is set so that the flash is secure for both projects.
The secure AHB Controller is configured as follows:
ENABLE_SECURE_CHECKING = 0x1 (ENABLED)
ENABLE_S_PRIV_CHECK = 0x1 (ENABLED)
AHB_SECURE_CTRL->SEC_CTRL_FLASH_ROM[0].SEC_CTRL_FLASH_MEM_RULE[0] = 0x00000023U; (bl1=secure privileged, bl2=secure non-privileged)
With these settings, I expected bl2 (secure non-privileged) not to be able to tamper with the flash
area of bl1 (secure privileged). First I tried to read the memory with the CPU (memcpy) and it worked
as expected: With ENABLE_S_PRIV_CHECK DISABLED I COULD read the memory, with ENABLE_S_PRIV_CHECK I
could NOT read the memory.
However, with ROM API FLASH_Program() and FLASH_Erase(), I am able to make the flash inacessible even with ENABLE_S_PRIV_CHECK ENABLED.
According to my understanding, this should not be possible. secure non-privileged code should
not be able to tamper with secure privileged code, as this is a higher security level.
I attached a test project that demonstrates the behaviour: in bl1/source/tzm_config.c line 13 the
S_PRIV_CHECK can be enabled or disabled. In bl2/source/main.c line 36 the test case (read/write/erase)
can be set. In the current configuration, the flash is destroyed after bl2 runs and then bl1
does not work anymore, i.e. the microcontroller won't do anything as the flash at 0x0 is inaccessible.
I attached the project in case you want to replicate the behaviour.
Am I missing something in the configuration or is this somehow intended behaviour?
Sabina_Bruce
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Simon,
Hope you are doing well.
I noticed that the SDK is an older version 2.6.2. Could you please confirm if the behavior is the same with 2.8.0, there have been different improvements since then. Just to make sure that it is not an unknown bug in an earlier version.
Also could you please provide the version of the IDE, while I test your example from my end.
Best Regards,
Sabina
-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am running MCUXpresso IDE 11.0.0
Unfortunately I cannot. I still use chips with silicon 0A (LPC55S69-EVK Revision A1) and when I tried to migrate to a newer version of the IDE and SDK I ran into a lot of problems. I ordered new boards, hoping this time I will receive silicon 1B, but I am not sure when they will arrive. As soon as I get new boards, I can make a new test project with the newest IDE and SDK.
However, compromising the flash from a lower to a higher security tier cannot be a bug in the SDK in my opinion. So I would still be interested if this is a configuration problem on my side or a problem on the chip.
Sabina_Bruce
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hope you are well.I have been attempting to run your example however I am not successful in reproducing them correctly. I am using the latest versions of LPC55S69 v 1B, SDK 2.8.0 and IDE 11.2, so I am trying to port it to the hello world example in the SDK that uses multicore as yours. I will update you if I am successful with this.
Apart from this, I have been checking with detail the changes you have made. To clarify some of the information, I'd like to go over just the general concepts of the secure/non-secure privilege check. If you enable secure/non-secure privilege check, the AHB secure controller performs additional check for privilege/non-privilege access. In this case privilege/non-privilege access (defined by either secure or non-secure MPU) has to be aligned with AHB secure controller settings. The privilege/non-privilege check can be separately enabled for secure and non-secure bus transactions. The security of transaction is defined by SAU+IDAU.
The AHB secure controller distinguishes between instruction fetch access and data access. In case of instruction fetch, the strict checking is applied. It means that code has to be executed from the same security level.
It means that if CPU is in secure-privilege mode, the code memory has to be configured as secure-privilege in AHB secure controller as well. In case of data accesses, the privilege code has access to both privilege and non-privilege (user) memory, the non-privilege code has access to non-privilege (user) memory only.
Please note that if CPU is in secure mode, the secure MPU takes effect. In non-secure/normal mode the non-secure MPU takes effect.
To make sure I am understanding you'd like to keep both bl1 and bl2 in secure mode but only differentiate between privilege and non-privilege access is this correct?
Best Regards,
Sabina
