Dear NXP Support Team,
I am currently running the example S32K3_HSE_DemoExamples_1_0_0\S32K3_HSE_DemoExamples\Secure_Boot\S32K344_Advanced_SecureBoot on the S32K344EVB-T172 board.
However, I have observed an issue where the following function call:
FLASH_Write(pCmacTag, Cmac_Tag, sizeof(Cmac_Tag))
does not program the CMAC tag into flash memory at the address defined by CmacTagFlashAddress.
The returned status is 0xC100, which indicates no error, but after dumping the flash memory, I can confirm that the CMAC tag has not been written to the expected flash location.
Could you please help me debug this issue?
I have executed the S32K344_Advanced_SecureBoot application, and the execution completed successfully without any errors. do you have anyway to debug or trace the secure boot process after a system reset?
One more thing is necessary - once configuration is done, BOOT_SEQ bit in boot configuration word in flash should reprogrammed to '1'. This enables the secure boot. Then SecureBootBlinky application should be executed after reset instead of configuration project. Once BOOT_SEQ is set to '1', normal reset vector (which is pointing to configuration project) is not taken into account.
I saw that there's a difference between Basic Secure Boot example and Advanced Secure Boot example:
Basic SB example has BOOT_SEQ already set in the boot header, Advanced SB example does not have BOOT_SEQ set. Either set it here or reprogram the flash manually once the configuration of secure boot is done. I described how it works here:
So, as I said above, if secure boot is successful, SecureBootBlinky application will be executed. If secure boot fails, the device will go to recovery mode. That means it will end up in endless loop in RAM at JTAG_RECOVERY_START_ADDRESS which is 0x20400100.
Regards,
Lukas
Hi, @lukaszadrapa
I am trying to customize S32K344_Advanced_SecureBoot so that it can configure HSE to verify itself.
I have made the following changes:
Linker :
Modified the linker file and removed S32K344_SecureBootBlinky.bin
Adjusted the PFlash length to 0x50000
Main
- Modified the main() configuration as follows
#define APPBL_ADDRESS (0x00400000)
#define APPBL_LENGTH (0x50000)
#define APP_HEADER_LENGTH 0x0U
My expectation is that after a reset, the S32K344_Advanced_SecureBoot application will execute from address 0x00400000.
However, I encounter a crash when attempting to write to the CMAC tag, specifically at the following code:
/* Write TAG in the expected location at the end of the image */
PFLASH_Unlock(PFLASH_BL0, PFLASH_SS5, PFLASH_S0);
status = FLASH_Write(pCmacTag,
Cmac_Tag,
sizeof(Cmac_Tag));
I attached source code file main in below.
Could you please help me identify the root cause of the error and explain how I can successfully execute S32K344_Advanced_SecureBoot after a system reset?
Thank you very much.
Here's the reason why you got hardfault:
In the original project, the application (SecureBootBlinky) is forced to flash block 1, so the CMAC was programmed to block 1 by code running from block 0.
Now you are going to verify application in block 0 and the CMAC is also going to be programmed to block 0 by code running from block 0.
But read while write is supported only between blocks:
Solution - the code programming the flash must be executed from another flash block or from RAM.
Regards,
Lukas
After modifying the Flash configuration to run from RAM, I was able to successfully program the Cmag_Tag at address 0x450000.
In addition, my program was able to execute to completion.
However, after performing a reset, I observed that the reset address changed to a different location. I suspect that the HSE may have incorrectly verified the SRM.
I do not understand why this issue occurs, as I had previously verified the SRM and successfully initialized the SMR.
I did quick test on my board using original project.
I modified only main.c. I configured it to verify 0x40_0000 - 0x4F_FFFF. The CMAC is programmed to 0x50_0000, so I do not need to care about read-while-write issues.
The file is attached. Those few changes are marked by:
/*** Modified start ***/
/*** Modified end ***/
After the configuration, you are supposed to re-program BOOT_SEQ in boot configuration word to enable secure boot:
Or you can go to file:
..\S32K344_Advanced_SecureBoot\src\target\m7\S32DS\Startup_Code\boot_header.c
And set this bit:
So, BOOT_SEQ will be set right at the beginning.
Then just load the project by debugger (don't do additional reset at this moment), run the configuration project and reset the device. The project will be executed again because the secure boot was successful.
Then you can try to modify any word in area 0x40_0000 - 0x4F_FFFF. The secure boot will fail and it will end up at JTAG recovery address:
If you revert back the modification in flash, the project will be executed again after next reset.
Regards,
Lukas
I followed the steps you suggested:
I changed the start address and length of the application.
#define APPBL_ADDRESS (0x00400000)#define APPBL_LENGTH (0x00100000)#define APP_HEADER_LENGTH 0x0U#define CMAC_FLASH_ADDRESS (0x00500000U)I updated the addresses:
.pPassReset = APPBL_ADDRESS;
CmacTagFlashAddress = (uint32_t)(CMAC_FLASH_ADDRESS);I added blinky code inside the for loop.
- Secure_boot is enabled (set to 1).
After resetting the board, my LED does not blink. However, it still does not work. Could you please help me check what might be wrong?
I want to place the Interrupt Vector Table (IVT) at the start address 0x400000.
Within this IVT, the start address of the Cortex-M7_0 core code is already defined at offset 0x0C.
My question is:
Does the symbol .pPassReset in CrEntry refer to the base address 0x400000 where the IVT is located, or does it refer to the actual start address of the Cortex-M7_0 core code as defined in the IVT?
