FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

What does locking the CFPA actually mean?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

What does locking the CFPA actually mean?

‎05-21-2021 09:06 AM
1,911 Views
andrewfisher
Contributor III

I am using an LPC55S28 device and am trying to enable secure boot without shooting myself in the foot and bricking the device.

The UM11126 user guide explains that the CMPA and CFPA can be locked by writing the SH256 hash at the end. If I understand this correctly this means that I can program the CMPA and CFPA repeatedly if I do not update this hash. Is that correct?

Is this also true for the monotonic fields too? Can they be reset freely if not locked?

With regards to the CFPA what does it actually mean to lock it. If I lock it then it seams that I can never again flash new firmware, signed or not, as the revocation fields etc will no longer be updatable. At very least I loose the ability to ever revoke keys etc. Am I missing something here?

Also where is the CFPA located the UM says 0x003DE00 but some docs and questions refer to it being at 0x009DE00

0 Kudos
Reply
2 Replies

‎05-24-2021 03:25 AM
1,901 Views
Alice_Yang
NXP TechSupport
NXP TechSupport

Hello andrewfisher,

 

 

The UM11126 user guide explains that the CMPA and CFPA can be locked by writing the SH256 hash at the end. If I understand this correctly this means that I can program the CMPA and CFPA repeatedly if I do not update this hash. Is that correct?

->> No, it depends on Lifecycle state, about detail please refer to:

UM11126-> 10.3 LPC55S69 Customer Development Lifecycle state.

 

 

With regards to the CFPA what does it actually mean to lock it. If I lock it then it seams that I can never again flash new firmware, signed or not, as the revocation fields etc will no longer be updatable. At very least I loose the ability to ever revoke keys etc. Am I missing something here?

->> Yes, you can't program lash never.

 

Also where is the CFPA located the UM says 0x003DE00 but some docs and questions refer to it being at 0x009DE00

->> 0x009DE00 is right. 0x003DE00 is typo, it the address for lpc55s1x.

 

BTW, for secure boot, please refer to 

https://www.nxp.com.cn/docs/en/application-note/AN12283.pdf 

 

BR

Alice

0 Kudos
Reply

‎05-28-2021 12:07 PM
1,885 Views
andrewfisher
Contributor III

->> Yes, you can't program lash never.

If it is never safe to lock the CFPA as I loose access to revoke etc. then why on earth is locking it possible? Things are tricky enough in this area without providing an extra way to shoot yourself in the foot.

What am I missing?

Reply