Hello everyone,
I am studying the security boot in S324146. I found these resource about security boot,
- Getting Started with CSEc Security Module AN5401 AN5401SW
- S32SDK_S32K1xx_RTM_3.0.0\examples\S32K146\demo_apps\csec_boot_protection
Basically, the procedure to enable security boot is like this,
1. Execute program partition command in RAM(only take effect after next reset)
2. Reset
3. Program MASTER_ECU_KEY,BOOT_MAC_KEY and other user keys
4. Define the secure boot flavor and the BOOT_SIZE using CMD_BOOT_DEFINE command
5. Program code to be security boot protected
6. Program BOOT_MAC
a. Automatically: Power on reset. The CSEc calculates BOOT_MAC and stores it in secure memory slot
b. Manually: using another program(runing in RAM) to calculate BOOT_MAC and program it.
7. Security boot will work in next power on reset
The examples provided by NXP need lanuch several external programs to enable security boot during step 1- step 4, so my question is if 100K need to enable security boot in mass production, what is the best solution?
Is NXP suggesting that we create our own solution for this using a tool such as
http://www.pemicro.com/products/product_viewDetails.cfm?product_id=15320148&productTab=1
or is there a preexisting solution for production environments?
Hi,
this depends on your programming tools. Programming tools usually allow some kind of scripting, so it’s necessary to transform described procedure to script.
Generally there are two options: you can either write flash registers directly via SWD to start some operation (like mass erase or partition). Or, because relatively lot of operations must be executed to enable CSE, load keys and so on, you can develop RAM project (binary RAM image) which will be loaded to RAM and executed.
SW examples provided in AN5401 are examples only. You can put it together to have single RAM image.
So, partition (and mass erase if needed) can be initiated by direct writes to registers in debug mode, then the flash can be programmed as usual and then you can load and execute RAM image with rest of the initialization.
Regards,
Lukas