FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

How to edit the CMPA using Secure provisioning on MCXA156

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED
Jump to solution

How to edit the CMPA using Secure provisioning on MCXA156

Jump to solution
‎09-03-2025 06:34 AM
782 Views
rj_engineer
Contributor III

secure_provisioning_cmpa_error.png

In Secure provisioning CMPA configuration, the default values shows an error and using the fix button before writing doesn't work. Reading the FRDM-MCXA156 values only show 0xFFFFFFFF on every parameter. Also, the terminal doesn't show the blhost command used (it does when verifying the connection).

 

The question is :

How to properly use the CMPA configuration ?

Labels (1)
Labels
0 Kudos
Reply
1 Solution

Jump to solution
‎09-03-2025 11:52 AM
755 Views
marek-trmac
NXP Employee
NXP Employee

Hi @rj_engineer 

Good question. If the processor is clear, there are 0xFF values in the whole flash and so the CMPA page is invalid and the flash configuration from CMPA is not applied. If you install CMPA using SEC tool, the flash access configuration will be applied and it is critical to set access rights properly.

There is not option allowing full flash access rights, so basically there is not "safe" default value. Each user needs to decide based on his application, what areas should be executable and what shall be read-only or shall be allowed for write. If the access right is not set properly, the processor will not boot.

This is the reason why SEC tool shows an error. The error is the "guide" to the configuration asking to be aware about the configuration and set it properly. To prevent to configure the processor into the state that it does not boot, SEC tool requires to set access right explicitly.

Regards,
Marek


NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button

View solution in original post

0 Kudos
Reply
7 Replies

Jump to solution
‎09-03-2025 11:52 AM
756 Views
marek-trmac
NXP Employee
NXP Employee

Hi @rj_engineer 

Good question. If the processor is clear, there are 0xFF values in the whole flash and so the CMPA page is invalid and the flash configuration from CMPA is not applied. If you install CMPA using SEC tool, the flash access configuration will be applied and it is critical to set access rights properly.

There is not option allowing full flash access rights, so basically there is not "safe" default value. Each user needs to decide based on his application, what areas should be executable and what shall be read-only or shall be allowed for write. If the access right is not set properly, the processor will not boot.

This is the reason why SEC tool shows an error. The error is the "guide" to the configuration asking to be aware about the configuration and set it properly. To prevent to configure the processor into the state that it does not boot, SEC tool requires to set access right explicitly.

Regards,
Marek


NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button
0 Kudos
Reply

Jump to solution
‎09-03-2025 11:22 PM
742 Views
rj_engineer
Contributor III

Hi marek,

Thank you for the quick answer.

 

To summarize what we understand :

  • 0xFF everywhere is the default state of the chip after manufacturing and isn't taken into account by the MCU
  • To program the CMPA we need to set at least one area as locked and make sure the user code don't use it

We also have a small doubt that we couldn't confirm in the reference manual:

Are the CMPA only one-time programmable?

0 Kudos
Reply

Jump to solution
‎09-03-2025 11:40 PM
736 Views
marek-trmac
NXP Employee
NXP Employee

Hi again,

0xFF everywhere is the default state of the chip after manufacturing and CMPA isn't taken into account by the MCU

Correct!

To program the CMPA we need to set at least one area as locked and make sure the user code don't use it

Not true. You can set access to all regions to "ROM_RX_UNLOCKED" for example, which means the code can be executed, the flash can be read but the code cannot modify the flash (write not allowed). Unlocked means you can modify access in the runtime

Are the CMPA only one-time programmable?

In development life cycle, it is possible to update CMPA several times.

Regards,
Marek


NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button
0 Kudos
Reply

Jump to solution
‎09-03-2025 11:49 PM
734 Views
rj_engineer
Contributor III

Not true. You can set access to all regions to "ROM_RX_UNLOCKED" for example, which means the code can be executed, the flash can be read but the code cannot modify the flash (write not allowed). Unlocked means you can modify access in the runtime

Does is it mean that we can set all regions to full access if we set one in "ROM_RX_UNLOCKED"?

0 Kudos
Reply

Jump to solution
‎09-04-2025 12:04 AM
728 Views
marek-trmac
NXP Employee
NXP Employee

Hi, which from the available options do you call "full access"?

marektrmac_1-1756969465067.png

 

Regards,
Marek


NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button
0 Kudos
Reply

Jump to solution
‎09-04-2025 12:14 AM
724 Views
rj_engineer
Contributor III

We refered to the "DEFAULT_RW_UNLOCKED" but after re-reading, it appear to be a misunderstanding on our side as it must mean only read and write access (not execute). That automatically answers my question.

 

I will mark your first answer as the accepted one.

 

Thank you for your time.

Reply

Jump to solution
‎09-04-2025 12:22 AM
718 Views
marek-trmac
NXP Employee
NXP Employee

Thank you for your question. We will improve the SEC tool documentation to provide more info about the configuration.

Regards,
Marek


NOTE: If you find the answer useful, kindly click on [ACCEPT AS SOLUTION] button
0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2162945%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3EHow%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2162945%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22secure_provisioning_cmpa_error.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22secure_provisioning_cmpa_error.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F355402iC2D07BCF48A91015%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22secure_provisioning_cmpa_error.png%22%20alt%3D%22secure_provisioning_cmpa_error.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EIn%20Secure%20provisioning%20CMPA%20configuration%2C%20the%20default%20values%20shows%20an%20error%20and%20using%20the%20fix%20button%20before%20writing%20doesn't%20work.%20Reading%20the%26nbsp%3B%3CSPAN%3EFRDM-MCXA156%20values%20only%20show%26nbsp%3B0xFFFFFFFF%20on%20every%20parameter.%20Also%2C%20the%20terminal%20doesn't%20show%20the%20blhost%20command%20used%20(it%20does%20when%20verifying%20the%20connection).%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3E%3CSPAN%3EThe%20question%20is%20%3A%20%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EHow%20to%20properly%20use%20the%20CMPA%20configuration%20%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2162945%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CLINGO-LABEL%3EMCXA%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163437%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163437%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EThank%20you%20for%20your%20question.%20We%20will%20improve%20the%20SEC%20tool%20documentation%20to%20provide%20more%20info%20about%20the%20configuration.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163429%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163429%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EWe%20refered%20to%20the%20%22DEFAULT_RW_UNLOCKED%22%20but%20after%20re-reading%2C%20it%20appear%20to%20be%20a%20misunderstanding%20on%20our%20side%20as%20it%20must%20mean%20only%20read%20and%20write%20access%20(not%20execute).%20That%20automatically%20answers%20my%20question.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EI%20will%20mark%20your%20first%20answer%20as%20the%20accepted%20one.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3EThank%20you%20for%20your%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163418%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163418%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%2C%20which%20from%20the%20available%20options%20do%20you%20call%20%22full%20access%22%3F%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22marektrmac_1-1756969465067.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22marektrmac_1-1756969465067.png%22%20style%3D%22width%3A%20204px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F355515iE6D519F6DC1FDF44%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22marektrmac_1-1756969465067.png%22%20alt%3D%22marektrmac_1-1756969465067.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163404%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163404%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CBLOCKQUOTE%3E%3CP%3E%3CSTRONG%3ENot%20true.%20You%20can%20set%20access%20to%20all%20regions%20to%20%22ROM_RX_UNLOCKED%22%20for%20example%2C%20which%20means%20the%20code%20can%20be%20executed%2C%20the%20flash%20can%20be%20read%20but%20the%20code%20cannot%20modify%20the%20flash%20(write%20not%20allowed).%20Unlocked%20means%20you%20can%20modify%20access%20in%20the%20runtime%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3EDoes%20is%20it%20mean%20that%20we%20can%20set%20all%20regions%20to%20full%20access%20if%20we%20set%20one%20in%26nbsp%3B%22ROM_RX_UNLOCKED%22%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163391%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163391%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%20again%2C%3C%2FP%3E%0A%3CP%3E%3CEM%3E0xFF%20everywhere%20is%20the%20default%20state%20of%20the%20chip%20after%20manufacturing%20and%20%3CSTRONG%3ECMPA%3C%2FSTRONG%3E%20isn't%20taken%20into%20account%20by%20the%20MCU%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ECorrect!%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CEM%3ETo%20program%20the%20CMPA%20we%20need%20to%20set%20at%20least%20one%20area%20as%20locked%20and%20make%20sure%20the%20user%20code%20don't%20use%20it%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ENot%20true.%20You%20can%20set%20access%20to%20all%20regions%20to%20%22ROM_RX_UNLOCKED%22%20for%20example%2C%20which%20means%20the%20code%20can%20be%20executed%2C%20the%20flash%20can%20be%20read%20but%20the%20code%20cannot%20modify%20the%20flash%20(write%20not%20allowed).%20Unlocked%20means%20you%20can%20modify%20access%20in%20the%20runtime%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAre%20the%20CMPA%20only%20one-time%20programmable%3F%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EIn%20development%20life%20cycle%2C%20it%20is%20possible%20to%20update%20CMPA%20several%20times.%3C%2FSTRONG%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163372%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163372%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%20marek%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20the%20quick%20answer.%3C%2FP%3E%3CBR%20%2F%3E%3CP%3ETo%20summarize%20what%20we%20understand%20%3A%3C%2FP%3E%3CUL%3E%3CLI%3E0xFF%20everywhere%20is%20the%20default%20state%20of%20the%20chip%20after%20manufacturing%20and%20isn't%20taken%20into%20account%20by%20the%20MCU%3C%2FLI%3E%3CLI%3ETo%20program%20the%20CMPA%20we%20need%20to%20set%20at%20least%20one%20area%20as%20locked%20and%20make%20sure%20the%20user%20code%20don't%20use%20it%3C%2FLI%3E%3C%2FUL%3E%3CP%3EWe%20also%20have%20a%20small%20doubt%20that%20we%20couldn't%20confirm%20in%20the%20reference%20manual%3A%3C%2FP%3E%3CP%3EAre%20the%20CMPA%20only%20one-time%20programmable%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2163082%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20How%20to%20edit%20the%20CMPA%20using%20Secure%20provisioning%20on%20MCXA156%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2163082%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F251635%22%20target%3D%22_blank%22%3E%40rj_engineer%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGood%20question.%20If%20the%20processor%20is%20clear%2C%20there%20are%200xFF%20values%20in%20the%20whole%20flash%20and%20so%20the%20CMPA%20page%20is%20invalid%20and%20the%20flash%20configuration%20from%20CMPA%20is%20not%20applied.%20If%20you%20install%20CMPA%20using%20SEC%20tool%2C%20the%20flash%20access%20configuration%20will%20be%20applied%20and%20it%20is%20critical%20to%20set%20access%20rights%20properly.%3C%2FP%3E%0A%3CP%3EThere%20is%20not%20option%20allowing%20full%20flash%20access%20rights%2C%20so%20basically%20there%20is%20not%20%22safe%22%20default%20value.%20Each%20user%20needs%20to%20decide%20based%20on%20his%20application%2C%20what%20areas%20should%20be%20executable%20and%20what%20shall%20be%20read-only%20or%20shall%20be%20allowed%20for%20write.%20If%20the%20access%20right%20is%20not%20set%20properly%2C%20%3CSTRONG%3Ethe%20processor%20will%20not%20boot%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3CP%3EThis%20is%20the%20reason%20why%20SEC%20tool%20shows%20an%20error.%20The%20error%20is%20the%20%22guide%22%20to%20the%20configuration%20asking%20to%20be%20aware%20about%20the%20configuration%20and%20set%20it%20properly.%20To%20prevent%20to%20configure%20the%20processor%20into%20the%20state%20that%20it%20does%20not%20boot%2C%20SEC%20tool%20requires%20to%20set%20access%20right%20explicitly.%3C%2FP%3E%3C%2FLINGO-BODY%3E