an_lpc54s0_xip_with_secureboot.zip


oscarniño
Contributor III

Hi

I'm now using the LPC54S018 and would like to know how to add security to my project. I've worked with the LPC54018 and LPC54608. I've read the https://www.nxp.com/docs/en/nxp/application-notes/AN12352.pdf application note, but it refers to the an_lpc54s0_xip_with_secureboot.zip file and I really don't know where it is. I would like to know if there is an example that shows me the best way to add security to my project.

Best Regards.

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thank you for your interest in NXP Semiconductor products and
for the opportunity to serve you.
Please check the attachment.

Have a great day,
TIC

 

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!

 

- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

oscarniño
Contributor III

Hi jeremyzhou

Thank you for the reply. I have tried to build this example, but there are some things that aren't very clear to me. First, this example is for the LPC54S018M and shows me this error:


Unable to find part support for NXP LPC54S018M in project lpcxpresso54s018m_xip_with_secure_boot_an_demo Resetting to generic part for core cm4. lpcxpresso54s018m_xip_with_secure_boot_an_demo Unknown Problem.

I tried to copy the code to a hello_world_qspi_xip example, but I don't know if this is a good idea because the demo has two flash sections and eight RAM sections. I can use the MCU settings option to generate them, but there is another thing to take care of: the example uses labels to write PRINTF messages (fun_plaintext0, fun_plaintext1, fun_sram0, etc.), so I would have to modify .id files to set them. I mean, all this is a long process. Am I right to do it, to clone the example?

I have already solved this part; I leave it here in case someone has the same problem. It was because I had to download the SDK for the LPC54S018M and I have the LPCXpresso54S018 board, but the Application Note mentions "Board— LPCXpresso54S018 (LPC54S018-EVK) or LPCXpresso54S018M (LPC54S018M-EVK)", so I think this is the same for both MCUs. Am I right?

Second, these are the steps to perform the demonstration:

1. Build & Compile
Build and compile the demo project located in an_lpc54s0_xip_with_secureboot/an_demo.
2. Process image
Process the image according to the chapter 2.3.3 and 2.3.4.
3. Download
Follow the chapter 2.4 to download images.
4. Program the AES key.
Follow the chapter 2.5 to program the AES key.
5. Program the related OTP bit fields
Follow the chapter 2.6 to program the related OTP bit fields.
6. Run
Reset the board to run by pressing the Reset button on the board.
7. Result

To process the image, the Application Note recommends using HxD, but it isn't very clear how to split the image.

Finally, if I write the OTP as in step 5, it will never be available to modify, right?

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
Q1)  Am I right doing it? to clone the example.
-- Yes.
Q2) So I think this is the same for both MCUs. Am I right?
-- Yes.
Q3) Splitting the image into the secure and non-secure parts in HxD is the same as splitting an article in Word Office.
Hope this is clear.

Have a great day,
TIC

oscarniño
Contributor III

Hi

I still have some questions:

1. First, Section 2.3.3 Table 2 indicates how a BIN file is stored. Am I right? If yes, thinking about this, for example, my built image is as follows:

   a. My offset value is (address 0x28) 0x0160.

   b. The Image_length is 0x000056B4.

   c. So total length of the image is 0x000056B8.

Now this section indicates:

The secure-plain text image is from address 0 to address (total length of the image – 1) of the original image binary. This image is used to create the secure-bootable part image.

The non-secure image is from address 0x0010_0000 (0x1010_0000 - 0x1000_0000) to the end of the original image. This image is as non-secure part image.

 

Here is my doubt: it means that the secure-plain text will run up to address 0x000056B7, right? If so, what will be the non-secure image?

To reinforce my doubt: a project that was done before and tested on the LPC54018 is 2,172 kB long, so how could I split the image? Is it possible to split the image at will?

I have an idea about how it could be done, based on the last question, but I'm not very sure:

If the secure section is 192 kB, we could split the image like this: from address 0 to 2FFFF (length 0x30000) goes in that section, and the rest of the image (length 0x1EEA64) goes in the non-secure part from address 0x10100000 to 0x102EEA63. So there is a gap of 0xD0000 (1 MB – 192 kB) between the secure-plain and non-secure plain parts; what happens with the stack pointer? Will it automatically jump from address 0x10030000 to 0x10100000? Am I right with my guess about splitting the image?

2. To create the secure bootable part image based on the secure-plain text image, it means running the elftosb file from a command window, right? In my case I do this:

   a. Windows+r->cmd

   b. Descargas\SDK_2.5.0_LPCXpresso54S018\middleware\mcu-boot\bin\Tools\elftosb\win\elftosb.exe --keygen 128 aes128_key.key in a command window.

   It was right?

3. Finally, I need to be very clear about writing the OTP in the demo example, so this is my question: by following the steps in the AN12352.pdf file, will the OTP be written? If yes, will I need to build the secure image of my projects with this aes128_key.key generated by elftosb.exe in this demo? If not, when I get my final firmware, how will I set the key in the OTP section?

Thanks.

Best Regards

Oscar Niño
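
An added example (not from the application note or from either poster): the split rule quoted in the post above, done in Python instead of by hand in HxD, with a check that the bytes between the two parts are only padding so nothing is silently left out of both files. The secure total length is passed in by the caller; the padding values 0x00/0xFF, the function names and the sample image are assumptions constructed for this example.

```python
import struct

NONSECURE_OFFSET = 0x0010_0000  # 0x1010_0000 - 0x1000_0000, per the quoted AN text
PAD = b"\x00\xff"               # assumption: fill values used for the unused gap


def header_offset(image: bytes) -> int:
    """32-bit little-endian word at 0x28 (the post reads 0x0160 there)."""
    return struct.unpack_from("<I", image, 0x28)[0]


def split_image(image: bytes, secure_total_len: int):
    """Split the original binary into (secure_plain, non_secure).

    secure_plain = bytes 0 .. secure_total_len - 1
    non_secure   = bytes NONSECURE_OFFSET .. end of file
    Refuses to split when the bytes between the two parts are not padding,
    because those bytes would end up in neither output file.
    """
    if not 0 < secure_total_len <= NONSECURE_OFFSET:
        raise ValueError("secure part must end at or below 0x100000")
    if len(image) <= NONSECURE_OFFSET:
        raise ValueError("image holds nothing at the non-secure offset")
    gap = image[secure_total_len:NONSECURE_OFFSET]
    skipped = len(gap) - len(gap.lstrip(PAD))  # leading padding bytes
    if skipped != len(gap):
        raise ValueError(f"non-padding byte at 0x{secure_total_len + skipped:X}")
    return image[:secure_total_len], image[NONSECURE_OFFSET:]


def build_sample() -> bytes:
    """Constructed test image using the sizes quoted in the post."""
    secure = bytearray(b"\xA5" * 0x56B8)
    struct.pack_into("<I", secure, 0x28, 0x0160)
    pad = b"\xFF" * (NONSECURE_OFFSET - len(secure))
    return bytes(secure) + pad + b"\x5A" * 0x400


if __name__ == "__main__":
    img = build_sample()
    sec, non = split_image(img, 0x56B8)
    print(hex(header_offset(img)), hex(len(sec)), hex(len(non)))
```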

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
Q1) Am I right with my guess about splitting image?
-- Yes, you're right.
Q2) It was right?
-- Yes.
Q3) If this is yes I will need to build a secure image of my projects with this aes128_key.key generated by elftosb.exe in this demo?
--Yes.


Have a great day,
TIC

oscarniño
Contributor III

Hi jeremyzhou

Well, I got some issues that don't let me continue. It is this:

Problema comandos Secure Boot Type bit field.png

The command above has a "-" between the last hex number and efuse, which shows "unkown option -"

Any idea why?

Which USB connector should be connected to evaluate the result with a terminal, and how do I connect that terminal? Is it possible from the Terminal tab in MCU, and how?

Attached are the bin files: the original, the split images, the secure image with key made by elftosb-gui, and the key.

One more doubt:

Can I create the key array manually? For example:

"oscarninogarcia1"

0x6f, 0x73, 0x63, 0x61, 0x72, 0x6e, 0x69, 0x6e, 0x6f, 0x67, 0x61, 0x72, 0x63, 0x69, 0x61, 0x31

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
Q1) Section 2.6, "Program the related OTP bit fields to enable secure boot", of AN12352 only illustrates the command; however, it forgets to mention that these commands should be entered in the CMD window, so please give it a try again.

pastedImage_2.png
Q2) Can I create manually the key array?
-- Yes.

Have a great day,
TIC

 

oscarniño
Contributor III

Hi jeremyzhou

The result is the same:

Error en comando blhost.png

This is the result of downloading the flashloader:

Ejecucion de Flasloader.png

Does another USB port than USB1 have to be connected, or just this one? How can I connect the terminal to get the result screen shown in AN12352.pdf?

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
The efuse-program-once command should be entered in the format below; it actually needs two '-' between blhost.exe and efuse-program-once.
blhost.exe -- efuse-program-once  <addr> <data>

pastedImage_2.png


Have a great day,
TIC

oscarniño
Contributor III

Hi jeremyzhou

I still have trouble. Using that function, this is the result:

Problema con los ultimos comandos para activar seguridad y encriptacion.png

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
According to the error message, the PC host hasn't recognized USB1; it may be caused by the reasons below.
Before connecting the LPC54S0xx platform USB1, a jumper should be installed in position 1-2 of JP9.

pastedImage_2.png
Furthermore, after connecting USB1, please check the Device Manager to confirm whether the PC has recognized the new HID class device.


Have a great day,
TIC

oscarniño
Contributor III

Hi Jeremyzhou

Maybe if I show you how I did it, you could find my error:

After splitting the images and processing the secure one, this is the flasher process.

Then I build and compile the AES

and then update with the DFU tool.

Here is the error that I get.

Well, now this is how the board was connected for each case:

To download and flash the secure and non-secure parts and the AES, this was the connection:

20190606_105836.jpg

To flashloader:

20190605_134844.jpg

Before this connection, ISP0 and ISP2 were pressed to enter DFU mode as AN12352 indicates.

And finally, to send commands, this was the connection:

20190605_104550.jpg

Do you know what I'm doing wrong?

Best Regards

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.

The videos are unavailable, please check it.

pastedImage_1.png
I'd like to point out that when unplugging USB0 to plug in USB1, the board should be constantly powered, so I think you should keep a USB cable plugged into J8 to supply the board.
Have a great day,
TIC

oscarniño
Contributor III

Hi Jeremyzhou

OK, I have attached those videos in a zip file. I have tried your suggestion but the problem is still happening. I tried with the J8 connector and with the 5V Power Only connector, but the error is still happening.

Best regards

Oscar Niño

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.
The Encrypted and Security video illustrates that the blhost tool doesn't find the HID USB device after plugging in the USB cable at J2. If the hardware circuit configuration is correct, as you said before, I would suspect this issue is caused by the HID device, whose VID and PID are 0x1fc9 and 0x01a2 respectively, not being enumerated successfully.
So I'd like to suggest checking the Device Manager to confirm whether the PC has recognized the new HID device.
Have a great day,
TIC

oscarniño
Contributor III

Hi jeremyzhou

Thanks for the reply. How can it be shown or configured? Where can I find that device? I mean, where can I check those VID and PID?

Dispositivos HID.png

Best Regards

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.

Please check the VID and PID as Fig 1 demonstrates.

pastedImage_1.png

Fig 1

Have a great day,
TIC

oscarniño
Contributor III

Hi jeremyzhou

Thanks for the reply. I don't get that HID device active. I think "dispositivo definido por usuario compatible con HID" could translate to (HID-compliant consumer control device). Any suggestions? I'm using Windows 10; could this be the problem?

Best Regards

jeremyzhou
NXP Employee

Hi Oscar Niño,

Thanks for your reply.

I've attached open-source software which is used to trace a newly plugged USB device, even if the USB device enumeration fails.
So it may give us an insight into this issue.


Have a great day,
TIC

oscarniño
Contributor III

Hi jeremyzhou

Thanks for the reply. I have checked this option but I still can't see that device. I was checking while disconnecting every USB from the LPCXpresso54S018 and PC; when USB DFU is connected there is information about the USB port:

USB DFU information.png

But then I connect the J8 connector (debug) to keep the board powered and, after downloading the flashloader, disconnect USB DFU (J3) and jumper J9 (set in FS); then, to connect High Speed (J2), I set J9 to the HS position and then connect USB HS (J2), but no information is shown:

USB HS non-information.png

Thanks for your time.

Best Regards

Oscar Niño
