- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
S32K314 secure boot(period check)
I want to check application by AES-CMAC periodly:
1.smrEntry.checkPeriod set non zero.
2.smrEntry.pSmrDest set a valid RAM address.
But I have a question, if my application is more than 320kb, but S32K314 only have 320kb SRAM, applicaition can't load to SRAM to execute secure boot periodly.
So, if my application is more than 320kb and want to execute secure boot periodly,how should it be configured?
lukaszadrapa
Hi @JiayuZhou
Periodic check is not recommended for this use case. It's more convenient to use on-demand secure boot which can check the content directly in the flash memory, so no copy-down is necessary and which can be triggered anytime/periodically by your application if needed.
And I got some information from another team that periodic check is currently not recommended anyway. It looks like the content of flash is copied to RAM only once after reset, so it does not make sense and there are still some open questions. This should be updated and clarified in the future. So, on-demand secure boot is currently preferred solution if it is required to check the content in runtime.
Regards,
Lukas
When application is tampered, in this power-on cycle, host use Hse_SmrVerifyTest(service id=HSE_SRV_ID_SMR_VERIFY) to trigger the verification of application,the response always is OK. After a power failure/reset, secure boot for application is failure.
Besides, I do some other tests: I update SMR of application after updating application.
1.update CMAC for application.
2.install SMR(service id=HSE_SRV_ID_SMR_ENTRY_INSTALL)
3.tamper application.
4.verify SMR(service id=HSE_SRV_ID_SMR_VERIFY)
As a result, the step 4 always is OK, not failure. In theory, the application has been tampered, SMR validation should fail.
codes:
If I use on-demand secure boot without configuring smrEntry.checkPeriod parameter of SMR table to trigger periodical verification, how to execute to trigger the application verification peridically? As far as I know, SMR table validation is done proactively by the HSE firmware after a reset, can I proactively ask the HSE to validate the application through one of the services?
