Security boot verification failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Security boot verification failed

6,557 Views
wang_q4
Contributor I

Dear all,

If i enabled security boot mode is "Strict Sequential Boot Mode",but security boot verification is failed,

now, can i disable the security boot?

 

0 Kudos
Reply
11 Replies

6,548 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi,

if strict sequential boot mode fails, the device will never leave reset state and the only option is to replace the chip. There's no way to recover in this case.

Regards,

Lukas

0 Kudos
Reply

6,538 Views
wang_q4
Contributor I

Hi,

thank you for response.

If I enable the other two modes(Sequential Boot Mode、Parallel Boot Mode),If verification fails,Can I use the debug tool to restore CSEc to factory settings

0 Kudos
Reply

6,531 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi,

yes, you can.

Strict sequential boot mode is special one as it keeps the device in reset forever when the verification fails.

Failing sequential and parallel boot modes don't do that, you are just not able to use boot protected keys in case of verification fail. But the device is still working without other limitations.

To reset the device back to factory state, you need to know MASTER ECU KEY.

More details and SW example can be found in AN5401:

https://www.nxp.com/webapp/Download?colCode=AN5401&location=null

https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null

Regards,

Lukas

0 Kudos
Reply

6,528 Views
wang_q4
Contributor I

Hi,

thank you for response.

May I know the failing sequential or parallel boot verification result?

0 Kudos
Reply

6,522 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

If the sequential or parallel boot mode fail, BOK  bit in FCSESTAT register is cleared and you can't use boot protected keys.

See "3.1.3 Key Attributes" in AN5401 for details.

See also SW examples in the application note. When loading a key, attributes can be added when calling calculate_M1_to_M5() function. It's the last parameter.

Regards,

Lukas

 

0 Kudos
Reply

6,504 Views
wang_q4
Contributor I

Hi Lukas,

I enabled security boot mode is "Sequential Boot Mode",

but security boot verification failed, could you please determine what went wrong?

The FCSESTAT register value is :

FCSESTAT[SB]=1

FCSESTAT[BIN]=0

FCSESTAT[BFN]=1

FCSESTAT[BOK]=0

0 Kudos
Reply

6,485 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi,

this means that BOOT_MAC calculated by CSE after reset does not correspond to value stored in BOOT_MAC slot.

Did you followed all the steps described in AN5401?

If you updated the content of flash, BOOT_MAC needs to be updated too. Or you can perform reset to factory state (also described in AN5401) and start over.

Regards,

Lukas

0 Kudos
Reply

6,475 Views
wang_q4
Contributor I

Hi Lukas,

I have found the cause of the problem,thanks a lot.

If security boot verification success,do i need to actively call the CSEC DRV BootOK function?

0 Kudos
Reply

6,469 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi,

no, it's not necessary. But it should be done as it locks CMD_BOOT_FAILURE command. Take a look at:

https://community.nxp.com/t5/S32K/s32k144-csec-Boot-Ok-Command/m-p/1330132

Regards,

Lukas

0 Kudos
Reply

6,393 Views
wang_q4
Contributor I

Hi Lukas,

Now, secure boot verfication is success,i update ted secure boot area code and update BOOT MAC success,but after reset,secure boot failed,What do we need to pay attention to update BOOT MAC

0 Kudos
Reply

6,358 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi,

this is described in AN5401:

lukaszadrapa_0-1636359439270.png

Regards,

Lukas

0 Kudos
Reply