SEC Tool v7 Assigns application to Non-XIP mode when start address is secure flash

george_iyo · ‎11-01-2023

We've noticed that for applications on the RT685S that are in secure flash XIP mode, assigning the start address to beginning of the image header in secure flash (0x18001000) causes the image to not boot properly when enabled a signed booting + force Trustzone enabled in OTP. This does not occur when in the plain image and plain image + CRC mode and with Trustzone enabled. It would seem the SEC tool interprets the start address of (0x18001000) to be a non-XIP load-to-RAM image - is this a bug or intended behavior? We have noticed that reassigning our start address location to non-secure flash (0x08001000) enables the image to boot properly when signed and with Trustzone enabled in the OTP configuration.

marek-trmac · ‎11-02-2023

Hi George,

as a workaround solution, you can modify template for the mbi_config.yaml, so the tool always generates "XIP" image:

locate file "c:\nxp\MCUX_Provi_v7\bin\data\script_templates\RTxxx\mbi_config.yaml" in your installation directory
search for line "outputImageExecutionTarget: {{ mbi_config.outputImageExecutionTarget }}"
comment the line and/or replace by a new value "outputImageExecutionTarget: External flash (XIP)"
save the file
build again

Please mind, after this change, load to RAM image for RTxxx will not work, as the tool will always generate XIP image.

Hope this helps.

Regards,
Marek

NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button

在原帖中查看解决方案

george_iyo · ‎11-02-2023

Following your instructions, when I change mbi_config.yaml's line 11 parameter to External flash (XIP), the app can't boot when launching from secure flash:

I've also noticed that hitting the "Build Image" button in the Build image tab also changes the mbi_config.yaml parameter back to RAM.

marek-trmac · ‎11-02-2023

Hi George,

I believe this is a bug, not intentional. I can see that generated mbi_config.yaml contains "outputImageExecutionTarget: RAM" instead "outputImageExecutionTarget: External flash (XIP)"

Could you please confirm, if you manually fix mbi_config.yaml and then if you invoke build script from the disk, the issue is resolved on your side?

Thank you for the report, we will fix this into next version (V8).

Regards,
Marek

NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button

george_iyo · ‎11-02-2023

Sorry, I misread your post. After selecting build image, and then changing the mbi_config.yaml parameter to:

outputImageExecutionTarget: External flash (XIP)

And then executing build_image_lnx.sh seems to resolve the issue - sending the Write Image command in the SEC tool, and then hitting the reset button with doing a POR with shadow registers enabled seems to enable the image to boot. I'm wondering now if this at all impacts the creation of a manufacturing package within the tool - does the package reupdate the the yaml file, or does it just take in the files from the workspace?

marek-trmac · ‎11-02-2023

Hi George,

as a workaround solution, you can modify template for the mbi_config.yaml, so the tool always generates "XIP" image:

locate file "c:\nxp\MCUX_Provi_v7\bin\data\script_templates\RTxxx\mbi_config.yaml" in your installation directory
search for line "outputImageExecutionTarget: {{ mbi_config.outputImageExecutionTarget }}"
comment the line and/or replace by a new value "outputImageExecutionTarget: External flash (XIP)"
save the file
build again

Please mind, after this change, load to RAM image for RTxxx will not work, as the tool will always generate XIP image.

Hope this helps.

Regards,
Marek

NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button

marek-trmac · ‎11-02-2023

Hi George,
the creation of manufacturing package should just take files in the workspace. Moreover, manufacturing package contains just files needed for write, as it is not expected the image will be re-built in the manufacturing.

Regards,
Marek

NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button