FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

seclogging at bl2

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

seclogging at bl2

‎12-15-2025 02:32 AM
1,396 Views
Jayashree
Contributor II

Hello,

I am trying to implement secure logging on the A-core (BSP43). The goal is to log security-related failures such as Secure Boot failures, Wi-Fi/TLS failures, etc.

Currently, I am attempting to log Secure Boot failures at the BL2 stage. My initial approach was to write these logs directly into NOR flash and encrypt them using HSE. However, I am running into the following limitations at the BL2 level on S32G:

  • There are no predefined APIs available in BL2 to read from or write to NOR flash.

  • Persistent or append-style logging cannot be implemented at the BL2 stage.

Because of these constraints, I am unsure how or where such Secure Boot failure logs should be stored at BL2 so that they can later be accessed from Linux.

For Wi-Fi and TLS-related failures, I plan to use NetworkManager-based logging at the Linux level.

Could you please advise on a feasible approach for logging Secure Boot failures originating from BL2, or suggest a recommended mechanism for secure logging in this scenario?

Tags (1)
0 Kudos
Reply
2 Replies

‎12-15-2025 07:25 PM
1,371 Views
chenyin_h
NXP Employee
NXP Employee

Hello, @Jayashree 

Thanks for your post.

It is a user defined software implementation, sorry that there is not formal recommendation from our side for such topic.

Regarding the secure boot failure logged in BL2 stage, do you mean the BL2 failed to authenticate the BL3x binaries, and want to log the related information?

From my experience, the logs mentioned above could be found from the console, if you want to save them to the QSPI, since the BL2 could load images from QSPI, and put them into DDR, so that it could access the QSPI, would you mind checking the related code/API to find whether it could fulfill your requirements?  

 

BR

Chenyin

0 Kudos
Reply

‎12-25-2025 11:57 PM
1,213 Views
Jayashree
Contributor II

Hello Chenyin,

As per your suggestion, I attempted to use the MMIO read/write APIs from BL2; however, the boot process appears to halt immediately after the API call.

mmio.png

I also tried using the FSPI read/write APIs, but in this case, I am unable to complete the Yocto build itself.

Jayashree_0-1766732142440.png

 

Could you please confirm whether read/write access from BL2 is supported when secure boot is enabled? If it is supported, could you advise which APIs are recommended for this use case? Alternatively, I would appreciate your guidance on feasible approaches or recommended alternatives for logging or data persistence from BL2.


Best regards,
Jayashree

0 Kudos
Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2262614%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3Eseclogging%20at%20bl2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2262614%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EI%20am%20trying%20to%20implement%20secure%20logging%20on%20the%20A-core%20(BSP43).%20The%20goal%20is%20to%20log%20security-related%20failures%20such%20as%20Secure%20Boot%20failures%2C%20Wi-Fi%2FTLS%20failures%2C%20etc.%3C%2FP%3E%3CP%3ECurrently%2C%20I%20am%20attempting%20to%20log%20Secure%20Boot%20failures%20at%20the%20BL2%20stage.%20My%20initial%20approach%20was%20to%20write%20these%20logs%20directly%20into%20NOR%20flash%20and%20encrypt%20them%20using%20HSE.%20However%2C%20I%20am%20running%20into%20the%20following%20limitations%20at%20the%20BL2%20level%20on%20S32G%3A%3C%2FP%3E%3CUL%3E%3CLI%3E%3CP%3EThere%20are%20no%20predefined%20APIs%20available%20in%20BL2%20to%20read%20from%20or%20write%20to%20NOR%20flash.%3C%2FP%3E%3C%2FLI%3E%3CLI%3E%3CP%3EPersistent%20or%20append-style%20logging%20cannot%20be%20implemented%20at%20the%20BL2%20stage.%3C%2FP%3E%3C%2FLI%3E%3C%2FUL%3E%3CP%3EBecause%20of%20these%20constraints%2C%20I%20am%20unsure%20how%20or%20where%20such%20Secure%20Boot%20failure%20logs%20should%20be%20stored%20at%20BL2%20so%20that%20they%20can%20later%20be%20accessed%20from%20Linux.%3C%2FP%3E%3CP%3EFor%20Wi-Fi%20and%20TLS-related%20failures%2C%20I%20plan%20to%20use%20NetworkManager-based%20logging%20at%20the%20Linux%20level.%3C%2FP%3E%3CP%3ECould%20you%20please%20advise%20on%20a%20feasible%20approach%20for%20logging%20Secure%20Boot%20failures%20originating%20from%20BL2%2C%20or%20suggest%20a%20recommended%20mechanism%20for%20secure%20logging%20in%20this%20scenario%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2263179%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20seclogging%20at%20bl2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2263179%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F235643%22%20target%3D%22_blank%22%3E%40Jayashree%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20your%20post.%3C%2FP%3E%0A%3CP%3EIt%20is%20a%20user%20defined%20software%20implementation%2C%20sorry%20that%20there%20is%20not%20formal%20recommendation%20from%20our%20side%20for%20such%20topic.%3C%2FP%3E%0A%3CP%3ERegarding%20the%20secure%20boot%20failure%20logged%20in%20BL2%20stage%2C%20do%20you%20mean%20the%20BL2%20failed%20to%20authenticate%20the%20BL3x%20binaries%2C%20and%20want%20to%20log%20the%20related%20information%3F%3C%2FP%3E%0A%3CP%3EFrom%20my%20experience%2C%20the%20logs%20mentioned%20above%20could%20be%20found%20from%20the%20console%2C%20if%20you%20want%20to%20save%20them%20to%20the%20QSPI%2C%20since%20the%20BL2%20could%20load%20images%20from%20QSPI%2C%20and%20put%20them%20into%20DDR%2C%20so%20that%20it%20could%20access%20the%20QSPI%2C%20would%20you%20mind%20checking%20the%20related%20code%2FAPI%20to%20find%20whether%20it%20could%20fulfill%20your%20requirements%3F%26nbsp%3B%26nbsp%3B%3C%2FP%3E%0A%3CBR%20%2F%3E%0A%3CP%3EBR%3C%2FP%3E%0A%3CP%3EChenyin%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2269117%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20seclogging%20at%20bl2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2269117%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%20Chenyin%2C%3C%2FP%3E%3CP%3EAs%20per%20your%20suggestion%2C%20I%20attempted%20to%20use%20the%20MMIO%20read%2Fwrite%20APIs%20from%20BL2%3B%20however%2C%20the%20boot%20process%20appears%20to%20halt%20immediately%20after%20the%20API%20call.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22mmio.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22mmio.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F371218i9E88DBFE0083EB02%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22mmio.png%22%20alt%3D%22mmio.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EI%20also%20tried%20using%20the%20FSPI%20read%2Fwrite%20APIs%2C%20but%20in%20this%20case%2C%20I%20am%20unable%20to%20complete%20the%20Yocto%20build%20itself.%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Jayashree_0-1766732142440.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cspan%20class%3D%22lia-inline-image-display-wrapper%22%20image-alt%3D%22Jayashree_0-1766732142440.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3Cimg%20src%3D%22https%3A%2F%2Fcommunity.nxp.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F371219i6C069B66EF842707%2Fimage-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Jayashree_0-1766732142440.png%22%20alt%3D%22Jayashree_0-1766732142440.png%22%20%2F%3E%3C%2Fspan%3E%3C%2FSPAN%3E%3C%2FP%3E%3CBR%20%2F%3E%3CP%3ECould%20you%20please%20confirm%20whether%20read%2Fwrite%20access%20from%20BL2%20is%20supported%20when%20secure%20boot%20is%20enabled%3F%20If%20it%20is%20supported%2C%20could%20you%20advise%20which%20APIs%20are%20recommended%20for%20this%20use%20case%3F%20Alternatively%2C%20I%20would%20appreciate%20your%20guidance%20on%20feasible%20approaches%20or%20recommended%20alternatives%20for%20logging%20or%20data%20persistence%20from%20BL2.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EBest%20regards%2C%3CBR%20%2F%3EJayashree%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3C%2FLINGO-BODY%3E