S32K144 CSEc Application MAC Storage Options for Secure Boot Verification


Kishore_14
Contributor III

Hardware: S32K144EVB-Q100
Software: S32 Design Studio, OpenBLT Bootloader, an5401-csec

We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.


We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.

After bootloader verification (BOK=1), we need to verify the application on every reset. For this, we need to:

  1. Store application MAC somewhere during programming
  2. Verify application MAC on every reset

We've considered these options but have concerns:

  • CSEc KEY slots (like KEY_2): Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?
  • Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.
  • EEPROM: Is this a good approach? Any recommended EEPROM addresses?

What other approaches would be suitable for storing the application MAC so that the bootloader can reliably read it for verification on every reset?

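As an added example (not from this thread or from NXP's an5401-csec code), the two steps the question lists modelled on a host: at programming time the application MAC is written into a trailer at the end of the application region, so reprogramming the application replaces the MAC together with it instead of orphaning it, and on every reset the bootloader parses that trailer, bounds-checks it and verifies the MAC over the application bytes. HMAC-SHA256 truncated to 16 bytes stands in for CSEc's AES-CMAC (no coprocessor on a host), and the region size, trailer layout and magic value are assumptions for the model.

```python
import hashlib
import hmac
import struct

# Assumed layout for the model: a 4 KiB application region whose last
# 28 bytes hold a trailer <magic, app_len, version, mac16>.
APP_REGION_SIZE = 0x1000
MAGIC = b"APPH"
TRAILER_FMT = "<4sII16s"
TRAILER_SIZE = struct.calcsize(TRAILER_FMT)
ERASED = b"\xff"  # value of erased flash


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Stand-in for CSEc GENERATE_MAC with the key held in a key slot.

    Only the MAC leaves the coprocessor; the key never does, and the MAC
    itself does not need to be secret, so it can live in plain flash.
    """
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def build_image(key: bytes, app_code: bytes, version: int) -> bytes:
    """Programming-time step: application + erased padding + trailer."""
    if len(app_code) + TRAILER_SIZE > APP_REGION_SIZE:
        raise ValueError("application does not fit in the region")
    mac = compute_mac(key, app_code)
    trailer = struct.pack(TRAILER_FMT, MAGIC, len(app_code), version, mac)
    pad = ERASED * (APP_REGION_SIZE - len(app_code) - TRAILER_SIZE)
    return app_code + pad + trailer


def verify_region(key: bytes, region: bytes) -> bool:
    """Reset-time step in the bootloader: reject anything malformed, then
    verify the stored MAC over exactly app_len bytes of the region."""
    if len(region) != APP_REGION_SIZE:
        return False
    magic, app_len, _version, stored_mac = struct.unpack_from(
        TRAILER_FMT, region, APP_REGION_SIZE - TRAILER_SIZE)
    # An erased or foreign region fails here before any MAC work is done.
    if magic != MAGIC or app_len > APP_REGION_SIZE - TRAILER_SIZE:
        return False
    expected = compute_mac(key, region[:app_len])
    # CSEc VERIFY_MAC compares inside the coprocessor; on a host use a
    # constant-time compare so a mismatch does not leak through timing.
    return hmac.compare_digest(expected, stored_mac)
```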
1 Reply

lukaszadrapa
NXP TechSupport
This seems to be a duplicate of:

https://community.nxp.com/t5/S32K/S32K144-CSEc-Application-MAC-Storage-Options-for-Secure-Boot/td-p/2289948