How to program a new image if I start secure boot?

827529957
Contributor III

1. I have read "AN12352 LPC54S0xx Execute In Place with Secure Boot", and I know that the image can be downloaded before secure boot is turned on, but if I start secure boot, can I still program a new image?

2. If the answer to the first question is OK, then is the way to start a new image after booting safely to enter ISP mode and download it using blhost?

3. I tried to use blhost to program an image to the external flash, referring to the "Getting Started with LPC540xx-LPC54S0xx Flashloader User's Guide", but one of the steps failed. I failed in the process of erasing the program. I guess I have an error in configuring the external flash, but I don't know how to configure it. I think the configuration method described in the manual is difficult to understand. Is there any good advice? The following is my operation.

[Attached screenshots: pastedImage_1.bmp, pastedImage_2.bmp, pastedImage_3.bmp, pastedImage_4.bmp, pastedImage_6.bmp]

ZhangJennie
NXP TechSupport

Kunsen Chen,

If the secure boot is turned on, we can't program a new image with it anymore.


Have a great day,
Jun Zhang

827529957
Contributor III

Thank you for your answer, but is this mentioned in the manual? Or in which manual is it mentioned? I hope you can provide help.

ZhangJennie
NXP TechSupport

Hi Kunsen Chen

No, it isn't mentioned in this manual.

But according to this AN (the same can also be found in the LPC54S018 UM), "Modifying the OTP is a one-time operation and is not reversed". The secure boot enable bit field is a one-time bit. Once it is enabled, there is no way to change it back.

In AN12352, flashloader.exe is only for plain images. flashloader.exe cannot work for a non-plain image if the boot enable bit is enabled, thus we can't program the image in the same way.

By checking with the author of AN12352, I can confirm it.

Have a nice day,

Jun Zhang

827529957
Contributor III

Can IAP be used to program after encryption?

ZhangJennie
NXP TechSupport

IAP can be used to program after enabling secure boot.

827529957
Contributor III

That is to say, after the LPC54S018 is securely booted, neither the ISP nor the JTAG can download the program, but the IAP is OK. Am I right?

Sincerely thank you for your answer.

ZhangJennie
NXP TechSupport

ISP, JTAG and IAP can all be used to program after enabling secure boot, but you must use them to program a signed image; otherwise, it can't pass the secure boot check.

It's not possible to program flash with IDE debug, because it's not a signed image when debugging code.

It's not possible to program flash with the AN12352 flashloader.exe because it is only for plain images.

827529957
Contributor III

Oh, I understand a bit, but I still have doubts.

Since IDE debug and the AN12352 flashloader.exe can't download the encrypted image after securely booting, which tool should I use to download the encrypted image after encrypting the image? Or is there any document that can help me solve this question? What can I do to download an encrypted image after securely booting?

Thank you.

ZhangJennie
NXP TechSupport

Any LPC flash tool can work for it, for example, the MCUXpresso IDE GUI Flash Tool.

The key point is not the Flash tool, but that the image must be signed, and must be correctly signed. Otherwise secure boot can not recognize it.

Don't forget to use elftosb-gui to sign the image first.

If you can't connect to the board, check the OTP setting and make sure the JTAG interface is not disabled.

827529957
Contributor III

I am confused now.

First, as described in chapter 4 of the manual "LPC54xx_LPC54S0xx(UM11060)", there are three policies for secure boot: 1. Enforce authentication (corresponding to a signed image); 2. Enforce encryption (corresponding to an encrypted image); 3. Enforce both authentication and encryption (corresponding to a signed and encrypted image). What I used is the second policy, "Enforce encryption". So the image I need is an encrypted image and not a signed image.

Second, as you said, "The key point is not Flash tool, but the image must be signed, and must be correctly signed. Otherwise secure boot can not recognize it." That is to say, an image which is correctly signed can be downloaded and run successfully. However, I just used encrypted boot, referring to "AN12352 LPC54S0xx Execute In Place with Secure Boot". Does it mean that only signed images can use the way you said, and only encrypted images can't be downloaded after secure boot?

ZhangJennie
NXP TechSupport

You use the second policy, "Enforce encryption". This is the same as the signed one: you must use an encrypted image to program with ISP, JTAG or IAP. elftosb.exe can be used for encryption. You must make sure the encryption is correct, otherwise it can't pass the secure boot check.

It's not possible to program flash with IDE debug, because it's only for plain images when debugging code.

It's not possible to program flash with the AN12352 flashloader.exe because it is only for plain images.