FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

lpc55s69 secure boot

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

lpc55s69 secure boot

‎11-11-2021 08:20 AM
1,149 Views
MarcoBelli1
Contributor II

hi

I'm trying to understand LPC55S69 secure boot.

I'm reading UM11126 user manual and AN12283.

What are the options to update a firmware on LPC after secure boot is enabled?

I understand that 2 main commands are available for programming the flash

1) blhost write-memory

2) blhost receive-sb-file

are both of them available after secure boot is enabled? 

is only receive-sb file enabled?

 

the only info I have found is:

SECURE_BOOT_CFG
field determines whether
secure boot flow is
enabled or not.
• If secure boot is enabled
or debug authentication
fields (CC_SOCU_xxx) are
not in the default state,
then limited ISP
commands are allowed.
Allowed command set can
be retrieved by “blhost -p
COMx/-u <VID,PID> --
get-property 7”.

 

thank you

0 Kudos
Reply
3 Replies

‎11-11-2021 12:08 PM
1,139 Views
EdwinHz
NXP TechSupport
NXP TechSupport

Both of these commands are available for programming the flash after secure boot is enabled.

As you can see in AN12283, “write-memory” is used to write a signed image into flash (p. 15) and “receive-sb-file” is used to load a SB2.0 file into the device (p. 19). In both instances the secure boot is already enabled.  

You can also find some more information about each command on the “blhost User's Guide” document, here’s the link: https://www.nxp.com/docs/en/user-guide/MCUBLHOSTUG.pdf

 

Best regards,

Edwin.

0 Kudos
Reply

‎11-12-2021 12:22 AM
1,123 Views
MarcoBelli1
Contributor II

In UM11126 chapter 7.2.2 Secure firmware update it's written:

If firmware updates are to be performed in the field when secure boot is enabled, then a
secure firmware update mechanism is preferred. Otherwise inauthentic firmware may be
written to the device, causing it to not boot.

 

Is there a way to allow secure update and permanently disable write-memory? otherwise I don't understand how it's possible to prevent writing of inauthentic firmware?

Marco

Tags (1)
0 Kudos
Reply

‎11-12-2021 02:37 PM
1,111 Views
EdwinHz
NXP TechSupport
NXP TechSupport

Secure Boot provides the tools to ensure that unauthorized code can’t be executed, not to disable flash programming. This is instead done with the Lifecycle state. Take a look into Section 10.3 of the User Manual, specifically “OEM Closed” on Table 273. I believe this will prove to be useful for your inquiry.

0 Kudos
Reply