[Security] CSEC secureboot verify

Gideon
Contributor III

Dear NXPs:

S32K146

P-Flash 1M(2 Block)

D-Flash 32K


Background:

CMD_BOOT_DEFINE → BootManager 6KB. Use CSEC's secureboot mechanism for verification.

The secondary verification area is Flex NVM Bootloader;

The area of third-level verification is Application;

A. Sequential Boot Mode

Q1:

(void)CSEC_DRV_BootDefine(BOOT_SIZE, CSEC_BOOT_SERIAL) After enabling secureboot, power on again to enter Secureboot. Since the selected mode is A. Sequential Boot Mode, even if the on-chip ROM fails to verify the Bootmanager image, the Bootmanager code will still be executed, so I cannot judge whether the first-level verification is successful. I use the CSEC_DRV_GetStatus() interface in Bootmanager to determine the result of the first-level verification. If the (1 == (CSEC_STATUS_BOOT_OK & CSEC_DRV_GetStatus())) condition is met, the first-level verification is considered successful. Is my understanding correct?

Q2:

Is there any way I can get the BOOT_MAC value calculated by CSEC? I want to know what the difference is between this and the BOOT_MAC I calculated on my PC.

lukaszadrapa
NXP TechSupport

Hi @Gideon 

Even if sequential or parallel secure boot mode fails, the application code is executed. The only effect of the failure is that boot protected keys cannot be used. Only if strict sequential boot mode is used, the device will stay in reset forever if secure boot fails. But notice that there's no way to recover - the device needs to be replaced.

Yes, use CSEC_STATUS_BOOT_OK to check the result.

There's no way to read BOOT_MAC. This would violate the SHE specification.

Regards,
Lukas
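
Added example, not part of the original posts and not NXP SDK code: a host-runnable sketch of the status check discussed in this thread, classifying the byte that CSEC_DRV_GetStatus() returns and gating the next boot stage on it. The SB_* names and functions are hypothetical, and the mask values are assumed to follow the SHE status-register bit layout; on target, use the SDK's CSEC_STATUS_* macros.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Local copies of the status masks, assumed to follow the SHE status-register
 * bit layout. On target, use the SDK's CSEC_STATUS_* macros and pass in the
 * value returned by CSEC_DRV_GetStatus(). */
#define SB_SECURE_BOOT   0x02u  /* secure boot is activated */
#define SB_BOOT_FINISHED 0x08u  /* boot sequence closed, or MAC check failed */
#define SB_BOOT_OK       0x10u  /* BOOT_MAC verification succeeded */

typedef enum { SB_DISABLED, SB_PENDING, SB_FAILED, SB_VERIFIED } sb_result_t;

/* Classify the first-level verification result from the status byte. */
sb_result_t sb_classify(uint8_t status)
{
    if ((status & SB_SECURE_BOOT) == 0u)   return SB_DISABLED;
    if ((status & SB_BOOT_OK) != 0u)       return SB_VERIFIED;
    if ((status & SB_BOOT_FINISHED) != 0u) return SB_FAILED;
    return SB_PENDING;  /* enabled, but no result reported yet */
}

/* Policy for the boot manager: sequential mode runs the code even when the
 * check failed, so continuing the chain has to be an explicit decision. */
bool sb_may_chainload(uint8_t status)
{
    return sb_classify(status) == SB_VERIFIED;
}

/* For contrast: comparing the masked value with 1 is only true for a mask of
 * 0x01, so with a 0x10 mask it reports failure even after a good boot. */
bool sb_eq1_check(uint8_t status)
{
    return 1u == (SB_BOOT_OK & status);
}

int main(void)
{
    /* Constructed status values, not captured from hardware. */
    const uint8_t samples[] = { 0x00u, 0x02u, 0x0Au, 0x12u };
    for (size_t i = 0; i < sizeof samples; i++)
        printf("status=0x%02X class=%d chainload=%d eq1=%d\n",
               (unsigned)samples[i], (int)sb_classify(samples[i]),
               (int)sb_may_chainload(samples[i]), (int)sb_eq1_check(samples[i]));
    return 0;
}
```

Testing the masked value against zero keeps the check correct whatever bit position the SDK header assigns to the flag.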
