FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

How to secure FOTA update for LPC55S16?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

How to secure FOTA update for LPC55S16?

Jump to solution
‎01-29-2025 03:07 AM
722 Views
j_bos
Contributor I

How to secure OTA firmware update for LPC55S16-EVK? A dual image solution where one overwrites the other seems not feasible because the Secure Boot ROM does not support multiple images? Also there are no  secondary secure bootloaders that support booting verified (encrypted and signed SPSDK) images?

So the way to go is using recovery boot from an external 1-bit SPI flash device with an SB2.1 image? Is there an example for this? Or is the “MCU-OTA SBL and SFW” the canonical path, and how does this relate to SPSDK?

I’m sort of lost in the woods here on how to approach OTA firmware update and have secure/verified boot. I have looked at the references below.

 

  1. AN12278 LPC55S00 Security Solutions for IoT 
  2. AN12283 LPC55Sxx Secure Boot 
  3. AN13460 FOTA Design for SBL and SFW 
  4. AN12594 OTA 
  5. AN12327 Firmware Update Using Secondary Bootloader (Dual image update) 
  6. LPC55S16 2nd stage bootloader with Secure Boot 
  7. Github: Bootleby A LPC55 Bootloader 
LPC55S16-EVK
LPC55S16-EVK
LPCXpresso Boards
VIEW PRODUCT PAGE
Labels (1)
Labels
Tags (2)
0 Kudos
Reply
1 Solution

Jump to solution
‎02-04-2025 03:04 PM
615 Views
Habib_MS
NXP Employee
NXP Employee

Hello @j_bos ,
As mentioned in the chapter 2.4 called "Encrypted PRINCE flash region" in the AN12283,
LPC55Sxx supports 3 regions that allow multiple code images from independent encryption base to co-exist. You can use this method in order to put more encrypted regions. In the other hand, taking by reference the AN12327 you can use a secondary bootloader to receive a second image, where in general will be how the next figure.

 

2025-02-04_16-06-37.jpg

 

Also, in the same app note (AN12327) are mentioned two codes where you can find both in NXP documentation clicking the next button:

Untitled picture.png

I highly recommend take by reference the SDK (version 24.12) example called "mcuboot_opensource", where is in the LPCxpresso55s69 SDK.

Also, if you experience any issue, do not hesitate to let me know.

BR
Habib.

View solution in original post

Reply
1 Reply

Jump to solution
‎02-04-2025 03:04 PM
616 Views
Habib_MS
NXP Employee
NXP Employee

Hello @j_bos ,
As mentioned in the chapter 2.4 called "Encrypted PRINCE flash region" in the AN12283,
LPC55Sxx supports 3 regions that allow multiple code images from independent encryption base to co-exist. You can use this method in order to put more encrypted regions. In the other hand, taking by reference the AN12327 you can use a secondary bootloader to receive a second image, where in general will be how the next figure.

 

2025-02-04_16-06-37.jpg

 

Also, in the same app note (AN12327) are mentioned two codes where you can find both in NXP documentation clicking the next button:

Untitled picture.png

I highly recommend take by reference the SDK (version 24.12) example called "mcuboot_opensource", where is in the LPCxpresso55s69 SDK.

Also, if you experience any issue, do not hesitate to let me know.

BR
Habib.

Reply