S32K144 CSEc Application MAC Storage Options for Secure Boot Verification

770 Views
Kishore_14
Contributor III

Hardware: S32K144EVB-Q100
Software: S32 Design Studio, OpenBLT Bootloader, an5401-csec

We intend to protect only the bootloader using BOOT_DEFINE (16KB protected) and want the bootloader to verify the application MAC on every reset to establish a proper chain of trust.

We currently have a hardcoded CMAC value that we store and verify upon every reset as a proof of concept.

After bootloader verification (BOK=1), we need to verify the application on every reset. For this, we need to:

  1. Store the application MAC somewhere during programming
  2. Verify the application MAC on every reset

We've considered these options but have concerns:

  • CSEc KEY slots (like KEY_2): Can't read back stored keys due to SHE protocol security - keys are write-only. How can we retrieve MAC for comparison?

  • Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.

  • EEPROM: Is this a good approach? Any recommended EEPROM addresses?

What other approaches would be suitable for storing the application MAC so that the bootloader can reliably read it for verification on every reset?

735 Views
lukaszadrapa
NXP TechSupport

Hi @Kishore_14

A common approach is to have the CMAC stored in code flash; it can be appended to the application that is being verified by this CMAC.

“Flash memory: Not suitable because application area gets erased when new application is programmed, so stored MAC would be lost.”

- You don’t need the old CMAC when updating the application. You need the new one for the new application. I can’t see a problem here.

Storing the CMAC in a CSEc key slot is not an option; you can’t export it or use it as a CMAC.
Regards,

Lukas
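As an added illustration of the layout Lukas describes (CMAC appended to the application region, checked by the bootloader on each reset), here is a C sketch that is not NXP's code and not part of an5401 or OpenBLT: the CSEc verify call is abstracted behind a function pointer and replaced by a host-side stub, the trailer format (`TRAILER_MAGIC`, `app_len`) is an assumed convention, and the check that the bytes between the application and the trailer are still erased goes beyond what the thread states.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define CMAC_LEN 16
#define TRAILER_MAGIC 0x43414D31u /* constructed marker value, not an NXP constant */
/* Trailer the programming tool appends at the END of the application flash
 * region, so the layout is [app bytes][erased gap 0xFF][magic][app_len][cmac]. */
typedef struct { uint32_t magic; uint32_t app_len; uint8_t cmac[CMAC_LEN]; } app_trailer_t;
/* MAC primitive. On the target this wraps the CSEc verify-MAC command, which
 * uses the key slot internally and only reports match / no match. */
typedef bool (*mac_verify_fn)(const uint8_t *, uint32_t, const uint8_t *, uint32_t);
/* Bootloader check run on every reset: false on a malformed trailer, on
 * non-erased bytes in the gap, or on CMAC mismatch; then stay in the bootloader. */
bool app_verify(const uint8_t *base, uint32_t region_len, mac_verify_fn verify)
{
    app_trailer_t tr;
    if (region_len < sizeof tr) return false;
    memcpy(&tr, base + region_len - sizeof tr, sizeof tr);
    if (tr.magic != TRAILER_MAGIC) return false;               /* also rejects erased flash */
    if (tr.app_len == 0 || tr.app_len > region_len - sizeof tr) return false;
    for (uint32_t i = tr.app_len; i < region_len - sizeof tr; i++)
        if (base[i] != 0xFF) return false;                     /* no unauthenticated bytes */
    return verify(base, tr.app_len, tr.cmac, CMAC_LEN);        /* CMAC binds the length */
}
/* Host-side stand-in for the CSEc primitive (NOT a real AES-CMAC): folds every
 * byte and the length into 16 bytes so the flow can be exercised off-target. */
static void stub_mac(const uint8_t *msg, uint32_t len, uint8_t out[CMAC_LEN])
{
    memset(out, 0, CMAC_LEN);
    for (uint32_t i = 0; i < len; i++) out[i % CMAC_LEN] ^= (uint8_t)(msg[i] + i);
    out[0] ^= (uint8_t)len; out[1] ^= (uint8_t)(len >> 8);
}
static bool stub_verify(const uint8_t *msg, uint32_t len, const uint8_t *mac, uint32_t mlen)
{
    uint8_t calc[CMAC_LEN];
    if (mlen != CMAC_LEN) return false;
    stub_mac(msg, len, calc);
    return memcmp(calc, mac, CMAC_LEN) == 0;
}
/* Constructed 80-byte region: 40 app bytes, 16-byte erased gap, 24-byte trailer.
 * tamper < 0 leaves the image intact, otherwise byte [tamper] is flipped. */
bool demo_image(int tamper)
{
    uint8_t region[80];
    app_trailer_t tr = { TRAILER_MAGIC, 40, {0} };
    memset(region, 0xFF, sizeof region);
    for (int i = 0; i < 40; i++) region[i] = (uint8_t)(0xA0 + i);
    stub_mac(region, 40, tr.cmac);
    memcpy(region + sizeof region - sizeof tr, &tr, sizeof tr);
    if (tamper >= 0) region[tamper] ^= 0x01;
    return app_verify(region, sizeof region, stub_verify);
}
```

Because the CMAC covers the message length as well as its bytes, a trailer that claims a shorter `app_len` still fails verification, which is why the length field itself does not need separate protection.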
