- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- Neural Processing UnitsNeural Processing Units
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
- Neural Processing Units
-
- NXP Tech Blogs
S32K144 CSEc Application MAC Storage Options for Secure Boot Verification
01-08-2026
12:38 AM
785 次查看
Kishore_14
Contributor III
Hardware: S32K144EVB-Q100
Software: S32 Design Studio, OpenBLT Bootloader, an5401-csec
We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.
We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.
After bootloader verification (BOK=1), we need to verify application on every reset. For this, we need to:
- Store application MAC somewhere during programming
- Verify application MAC on every reset
We've considered these options but have concerns:
CSEc KEY slots (like KEY_2): Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?
Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.
EEPROM: Is this a good approach? Any recommended EEPROM addresses?
What other approaches would be suitable for storing application MAC that bootloader can reliably read for verification on every reset?
1 回复
01-08-2026
08:10 AM
750 次查看
lukaszadrapa
NXP TechSupport
Hi @Kishore_14
Common approach is to have CMAC stored in code flash, it can be appended to application which is being verified by this CMAC.
“Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.”
- You don’t need old CMAC when updating the application. You need the new one for new application. I can’t see problem here.
Storing the CMAC to CSEc key slot is not an option, you can’t export it or use it as a CMAC.
Regards,
Lukas
