Hello,
I am currently trying to implement Secure Boot functionality on an LPC55XpressoS16 eval board. My plan was to use the Secure ROM API function skboot_status_t skboot_authenticate(const uint8_t *imageStartAddr, secure_bool_t *isSignVerified) for the image verification.
I managed to access it using the necessary function pointers to the ROM API table. The image itself is signed according to the SPSDK documentation (Link to documentation). I also tried the whole thing using an image that was signed via the NXP Secure Provisioning GUI tool.
My problem now is that the function always returns kStatus_SKBOOT_InvalidArgument. I am actually pretty certain that the imageStartAddr parameter is correct (0x00000000) and that this is not the cause of this.
UM11295 states that this is exactly the same function that the already by NXP implemented secure boot functionality in ROM uses. When I then enabled that secure boot in addition to my own, the one by NXP passed and verified the image (the device booted normally and jumped to the reset handler) but my function again returned "invalid argument". Even though allegedly the same function is used.
Is there something I am overlooking or is there some additional documentation for that function (I already checked the appended Rom_API.pdf of the UM11295)?
I am encountering the same issue, but on the IMXRT685S EVK. The device is able to successfully boot a signed Master Boot Image with the correct keys loaded into the RKTH shadow registers. However, calling skboot_authenticate on the same memory region, both in RAM and on external flash, results in kStatus_SKBOOT_InvalidArgument. Taking inspiration from SBL, calling kb_init results in a non-defined return code "10".
Verifying that it works using the Secure Provisioning Tool is not helpful, as the EVK probe presents multiple HID devices, which blhost as used by the Secure Provisioning Tool does not handle correctly.
The wording in UM11147 is not 100% clear on how this function should work. I have also tried verifying a SB1.2 image but that also returns kStatus_SKBOOT_InvalidArgument.
The ROM uses this function during the Secure boot flow to authenticate 1st boot image, and it also uses it to verify authenticity of the SB 2.1 files.
Can you verify that the MIMXRT685S skboot_authenticate should be able to verify correct Master Boot Images from a booted first application?
If you have an engineer that can hop on a call to clear this up, that would be great.
After double-checking my solution I have found that the kb_init function is mandatory, and I was passing a too small user buffer to it. You have to submit at least 4096 word-aligned bytes to this function for it to succeed.
With this I was able to verify a SB2.1 image container using skboot_authenticate.
My second question still holds: does the ROM API support validating a Master Boot Image from the application? One such image which the ROM bootloader happily starts up makes skboot_authenticate yield kStatus_SKBOOT_InvalidArgument.
Hello @jesm86
About secure boot, I recommend you use the MCUXpresso Secure Provisioning Tool:
Refer to User Guide -> 7.3 LPC55Sxx/LPC55xx/LPC553x device workflow.
BR
Alice