S32K144 CSEc Application MAC Storage Options for Secure Boot Verification


Kishore_14
Contributor III

Hardware: S32K144EVB-Q100
Software: S32 Design Studio, OpenBLT Bootloader, an5401-csec

We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.

We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.

After bootloader verification (BOK=1), we need to verify the application on every reset. For this, we need to:

  1. Store application MAC somewhere during programming
  2. Verify application MAC on every reset

We've considered these options but have concerns:

  • CSEc KEY slots (like KEY_2): Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?

  • Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.

  • EEPROM: Is this a good approach? Any recommended EEPROM addresses?

What other approaches would be suitable for storing the application MAC so that the bootloader can reliably read it for verification on every reset?


lukaszadrapa
NXP TechSupport

Hi @Kishore_14 

A common approach is to have the CMAC stored in code flash; it can be appended to the application which is verified by this CMAC.

“Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.”

- You don’t need the old CMAC when updating the application. You need the new one for the new application. I can’t see a problem here.

Storing the CMAC in a CSEc key slot is not an option; you can’t export it or use it as a CMAC.

Regards,

Lukas
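The layout from the reply (CMAC appended to the application image in code flash, checked by the bootloader on every reset), as an added C example that is not NXP's code nor code from this thread. The trailer format, the `TRAILER_MAGIC` value and the host-only `stub_*` tag are constructed for illustration; the assumption is that on the target the `mac_verify_fn` callback wraps the CSEc VerifyMAC service with the application's key slot, so the key is never read back, and that the tag in the trailer was produced by CSEc GenerateMAC when the image was built.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TRAILER_MAGIC 0x43414D41u   /* constructed marker value ("AMAC"), not an NXP constant */
#define CMAC_LEN 16
/* Trailer occupying the last 24 bytes of the application flash region. */
typedef struct {
    uint32_t magic;
    uint32_t app_len;          /* bytes covered by the CMAC, counted from region start */
    uint8_t  cmac[CMAC_LEN];   /* CMAC over region[0 .. app_len); excludes this trailer */
} app_trailer_t;

/* true when mac is valid for msg[0..len); on target wraps CSEc VerifyMAC with the app key slot (assumed) */
typedef bool (*mac_verify_fn)(const uint8_t *msg, uint32_t len, const uint8_t *mac);

/* Bootloader-side check, run on every reset after the bootloader's own BOOT_DEFINE verification. */
bool app_verify(const uint8_t *region, size_t region_len, mac_verify_fn verify)
{
    app_trailer_t t;
    if (region_len < sizeof t) return false;
    memcpy(&t, region + region_len - sizeof t, sizeof t);   /* no unaligned flash reads */
    if (t.magic != TRAILER_MAGIC) return false;
    /* app_len is untrusted flash content: it must fit inside the region minus the trailer */
    if (t.app_len == 0 || t.app_len > region_len - sizeof t) return false;
    return verify(region, t.app_len, t.cmac);
}
/* Host-only stand-in tag for exercising the layout logic: NOT a MAC, provides no security. */
static void stub_tag(const uint8_t *msg, uint32_t len, uint8_t out[CMAC_LEN])
{
    memset(out, 0, CMAC_LEN);
    for (uint32_t i = 0; i < len; i++) out[i % CMAC_LEN] ^= (uint8_t)(msg[i] + i);
}
bool stub_verify(const uint8_t *msg, uint32_t len, const uint8_t *mac)
{
    uint8_t tag[CMAC_LEN];
    stub_tag(msg, len, tag);
    return memcmp(tag, mac, CMAC_LEN) == 0;
}

/* Programming-time step: append the trailer so the new image carries its own CMAC. */
size_t build_image(uint8_t *buf, size_t buf_len, const uint8_t *app, uint32_t app_len)
{
    app_trailer_t t = { TRAILER_MAGIC, app_len, {0} };
    if (buf_len < app_len + sizeof t) return 0;
    memcpy(buf, app, app_len);
    stub_tag(app, app_len, t.cmac);   /* on target: CSEc GenerateMAC at build/programming time */
    memcpy(buf + app_len, &t, sizeof t);
    return app_len + sizeof t;
}
```

Because the trailer is rewritten together with the application on every update, the old CMAC is never needed, which is the point made in the reply.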
