Security boot verification failed

wang_q4
Contributor I

Dear all,

If I enabled security boot mode "Strict Sequential Boot Mode", but security boot verification failed,

now, can I disable the security boot?

 

lukaszadrapa
NXP TechSupport

Hi,

if strict sequential boot mode fails, the device will never leave reset state and the only option is to replace the chip. There's no way to recover in this case.

Regards,

Lukas

wang_q4
Contributor I

Hi,

Thank you for the response.

If I enable the other two modes (Sequential Boot Mode, Parallel Boot Mode) and verification fails, can I use the debug tool to restore CSEc to factory settings?

lukaszadrapa
NXP TechSupport

Hi,

yes, you can.

Strict sequential boot mode is a special one, as it keeps the device in reset forever when the verification fails.

Failing sequential and parallel boot modes don't do that; you are just not able to use boot protected keys in case of verification failure. But the device is still working without other limitations.

To reset the device back to factory state, you need to know the MASTER ECU KEY.

More details and SW example can be found in AN5401:

https://www.nxp.com/webapp/Download?colCode=AN5401&location=null

https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null

Regards,

Lukas

wang_q4
Contributor I

Hi,

Thank you for the response.

May I know the failing sequential or parallel boot verification result?

lukaszadrapa
NXP TechSupport

If the sequential or parallel boot mode fails, the BOK bit in the FCSESTAT register is cleared and you can't use boot protected keys.

See "3.1.3 Key Attributes" in AN5401 for details.

See also SW examples in the application note. When loading a key, attributes can be added when calling calculate_M1_to_M5() function. It's the last parameter.

Regards,

Lukas

wang_q4
Contributor I

Hi Lukas,

I enabled security boot mode "Sequential Boot Mode",

but security boot verification failed. Could you please determine what went wrong?

The FCSESTAT register value is:

FCSESTAT[SB]=1

FCSESTAT[BIN]=0

FCSESTAT[BFN]=1

FCSESTAT[BOK]=0

lukaszadrapa
NXP TechSupport

Hi,

this means that the BOOT_MAC calculated by CSE after reset does not correspond to the value stored in the BOOT_MAC slot.

Did you follow all the steps described in AN5401?

If you updated the content of flash, BOOT_MAC needs to be updated too. Or you can perform reset to factory state (also described in AN5401) and start over.

Regards,

Lukas
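The register reading discussed in the two posts above, decoded as an added example that is not part of the original thread or of NXP's AN5401 software. The bit masks and the meaning given to BFN (set once secure boot has finished, by a failed verification or by a boot-OK/boot-failure command) are assumptions to confirm against the device header and reference manual; all function and enum names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed FCSESTAT bit masks (SHE status layout); confirm in the device header. */
#define ST_SB  0x02u  /* secure boot activated */
#define ST_BIN 0x04u  /* BOOT_MAC initialised during this boot */
#define ST_BFN 0x08u  /* secure boot finished */
#define ST_BOK 0x10u  /* secure boot verification passed */

typedef enum {
    BOOT_NOT_ENABLED,   /* SB=0 */
    BOOT_PENDING,       /* SB=1, BFN=0, BOK=0: no verdict yet */
    BOOT_FAILED,        /* SB=1, BFN=1, BOK=0: the case reported in the thread */
    BOOT_OK_UNLOCKED,   /* SB=1, BOK=1, BFN=0: passed, boot-OK not yet issued (assumption) */
    BOOT_OK_FINALIZED   /* SB=1, BOK=1, BFN=1: passed and finalised (assumption) */
} boot_verdict_t;

/* Build a status byte from the individual bits as they were posted. */
uint8_t fcsestat_from_bits(int sb, int bin, int bfn, int bok)
{
    return (uint8_t)((sb ? ST_SB : 0u) | (bin ? ST_BIN : 0u) |
                     (bfn ? ST_BFN : 0u) | (bok ? ST_BOK : 0u));
}

boot_verdict_t classify_fcsestat(uint8_t st)
{
    if (!(st & ST_SB))
        return BOOT_NOT_ENABLED;
    if (st & ST_BOK)
        return (st & ST_BFN) ? BOOT_OK_FINALIZED : BOOT_OK_UNLOCKED;
    return (st & ST_BFN) ? BOOT_FAILED : BOOT_PENDING;
}

/* Per the thread: with BOK cleared, boot protected keys cannot be used. */
int boot_protected_keys_usable(uint8_t st)
{
    return (st & ST_BOK) != 0;
}

int main(void)
{
    /* Values posted in the thread: SB=1, BIN=0, BFN=1, BOK=0 */
    uint8_t st = fcsestat_from_bits(1, 0, 1, 0);
    printf("FCSESTAT=0x%02X verdict=%d keys_usable=%d\n",
           st, (int)classify_fcsestat(st), boot_protected_keys_usable(st));
    return 0;
}
```

A `BOOT_FAILED` verdict in sequential or parallel mode is the recoverable case described in the thread: update BOOT_MAC to match the flash content, or reset to factory state with the MASTER ECU KEY.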

wang_q4
Contributor I

Hi Lukas,

I have found the cause of the problem, thanks a lot.

If security boot verification succeeds, do I need to actively call the CSEC DRV BootOK function?

lukaszadrapa
NXP TechSupport

Hi,

no, it's not necessary. But it should be done as it locks CMD_BOOT_FAILURE command. Take a look at:

https://community.nxp.com/t5/S32K/s32k144-csec-Boot-Ok-Command/m-p/1330132

Regards,

Lukas

wang_q4
Contributor I

Hi Lukas,

Now, secure boot verification is successful. I updated the secure boot area code and updated BOOT MAC successfully, but after reset, secure boot failed. What do we need to pay attention to when updating BOOT MAC?

lukaszadrapa
NXP TechSupport

Hi,

this is described in AN5401:

[Image: lukaszadrapa_0-1636359439270.png]

Regards,

Lukas
