LPC55S69 : limited ISP comands are allowed ?

EugeneHiihtaja · ‎11-23-2019

Hello !

If secure boot option is enabled in Table 268. Lifecycle state descriptions

mentioned "then limited ISP comands are allowed"

But I can see the next dangerous commands :

"

8.6.6 ReadMemory command
The ReadMemory command returns the contents of memory at the given address, for a
specified number of bytes. This command can read any region of memory accessible by
the CPU and not protected by security.

8.6.9 Execute command
The Execute command results in the bootloader setting the program counter to the code
at the provided jump address, R0 to the provided argument, and a Stack pointer to the
provided stack pointer address. Prior to the jump, the system is returned to the reset
state.

8.6.10 Call command
The Call command executes a function that is written in memory at the address sent in the
command. The address needs to be a valid memory location residing in accessible flash
(internal or external) or in RAM.

"

And in SB file chapter:

"

7.3.6.4.3 Bootable section
A section that has the bootable section flag set is called a bootable section. It contains a
sequence of boot commands that are processed by the loader to perform a firmware
update.
The boot commands are described in the elftosb User’s Guide. The LPC55xx ROM loader
provides the support for the following bootloader commands:
WriteMemory, FillMemory, ConfigureMemory, FlashEraseAll, FlashEraseRegion,
The WriteMemory and FillMemory commands can be used to write data to RAMs.
WriteMemory can be also used to program internal flash, including the PFR CFPA page,
assuming the flash is erased, for example, by FlashEraseAll or FlashEraseRegion
commands. ConfigureMemory command can be used to configure LPC55xx PRINCE
on-the-fly encryption module.
SB 2.1 introduces two new commands that can be used to prevent firmware roll-back:
SecureFirmwareVersion
NonsecureFirmwareVersion
The recovery boot mode on the 1B version of the LPC55S6xx that is using SB 2.1, only
supports two commands:
WriteMemory (RAM only) and Execute.

"

Do you have exact list of commands what are "limited ISP comands are allowed" ?

And How I undestand limitation in SB file section ?

Regards,

Eugene

tomas_voda · ‎01-29-2020

Hi Eugene,

1) ISP Command limitation

ISP command limitation has different behaviour at 0A and 1B silicon.

0A silicon has ISP command limitation after Secure Boot is enabled (this info is in released UM)

1B silicon has ISP command limitation after CMPA HASH is written - lifecycle change into Tier 2 Dev or OEM closed

1B silicon has possibility to check lifecycle status:

blhost -p COMxx get-property 17

Limited ISP commands for 1B silicon:

GetProperty

Reset

KeyProvisioning

SetProperty

ReceiveSbFile

If you would like to disable all ISP commands then you have the possibility to disable it in CMPA registers CC_SOCU_xx in ISP_CMD_EN bits.

2) SB file limitation

1B silicon supports Recovery boot (3 types -> Passive, ISP, Recovery), which will be described in new UM release.

If Secure boot is enabled recovery boot should load SB2.1 from external SPI flash memory. In this recovery mode are reduced commands for SB file as is mentioned. ( version_check, load into internal RAM in a non-reserved region, jump/call).

Command for checking reserved region: blhost -p COMxx get-property 12

EugeneHiihtaja · ‎01-29-2020

Hi Tomas !

Thank you !

So we will have soon updated UM and Secure Boot AN with more clarifications and details.

Regards,

Eugene

ZhangJennie · ‎11-29-2019

hi

There is no document about "limited ISP comands". I have requested it, but haven't feedback so far. If I get it, I will update here.

According to our local test, erase/read/write/receive-sb-file,etc ISP commands are supported after secure boot enabled. ISP command is called by blhost. please test it on your side, if any different, let me know.

Have a great day,
Jun Zhang

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

EugeneHiihtaja · ‎11-29-2019

Hi Jun Zhang !

Thank you !

Please keep me updated with this issue.

If all ISP commands are available , security of chip is not looks as expected.

I think next step is completely disable ISP ( I hope it is possible according UM) and process SB2.1 file by using own custom bootloader.

What can supports limited ISP like command always even main image is corrupted. But it is extra job to write error less code.

Does your romcode like source code or similar ones available ?

Regards,

Eugene

ZhangJennie · ‎12-03-2019

To disable ISP, you can disable it in CMPA ISP field.

EugeneHiihtaja · ‎12-25-2019

Hi ZhangJennie‌ !

Do you have any update about supported ISP command when secure boot is enabled ?

Thank you !

Regards,

Eugene

ZhangJennie · ‎12-25-2019

No, I didn't get feedback. seems we don't have such a list address this issue.

I have escalated it as a requirement to design.

But for the moment, we don't have it yet.

Have a great day,
Jun Zhang

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------