use CSEc to encrypt the flash

473 Views
zhouqicheng
Contributor I
Hi, I want to use CSEc to encrypt the flash, which has been sent to JTAG and cannot be read or written to the flash. Finally, I will pass the key decryption chip through the serial port. At present, the partition has been successful, FCNFG [RAMRDY]==0 and FCNFG [EEERDY]==1, but FSEC [SEC]=10. I don't know what to do next. Is there a program example?
0 Kudos
3 Replies

413 Views
lukaszadrapa
NXP TechSupport

Hi @zhouqicheng 

Let me summarize what we provide regarding CSEc:

We provide application note AN5401:
https://www.nxp.com/webapp/Download?colCode=AN5401&location=null
https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null
That's the best place to start. I recommend reading the whole AN5401 thoroughly. Then it will be much easier to understand the examples in both AN5401 and in the SDK or RTD.

Then there are drivers in the SDK. The documentation can be found in the SDK folder in S32 Design Studio IDE:

c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\doc\S32SDK_S32K144_UserManual.pdf
Then there are some examples like:
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\driver_examples\system\csec_keyconfig\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\driver_examples\system\security_pal\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\demo_apps\csec_boot_protection\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\demo_apps\flexcan_encrypted\

AN5401 projects do not use the SDK. The application note was written before the SDK was available, so the code/drivers are different from the SDK drivers.

S32 Design Studio IDE can be downloaded here:
https://www.nxp.com/design/software/development-software/s32-design-studio-ide/s32-design-studio-for...

SDK 4.0.3 can be installed in S32 Design Studio IDE 3.4 via Help -> S32DS Extensions and Updates. This SDK is not supported in newer S32DS 3.5.

Then there are the RTD drivers. They replace the older SDK and AUTOSAR MCAL drivers. There's an AUTOSAR MCAL layer and an IP layer (similar to the SDK):
https://www.nxp.com/design/software/automotive-software-and-tools/real-time-drivers-rtd:AUTOMOTIVE-R...

After installation, Crypto drivers can be found here:
c:\NXP\S32DS.3.5\S32DS\software\PlatformSDK_S32K1_S32M24\RTD\Crypto_TS_T40D2M20I0R0\

To generate M1-M5 values, there are two common options: you can either use the calculate_M1_to_M5() function from AN5401 or from the SDK examples and use CSEc to calculate them, or you can use tools like OpenSSL: https://www.openssl.org/



S32K1xx devices can be secured / locked to restrict the access via JTAG/SWD.
This can be done by configuration of FSEC byte in Flash Configuration Field at address 0x400.

Please see the following sections in the reference manual for more details:
5.2.1 Flash memory security
5.2.1.1 Flash memory security interactions with debug
36.4.1 Flash configuration field description
https://www.nxp.com/webapp/Download?colCode=S32K1XXRM

It’s independent of debugging/programming tools. It’s just necessary to have the Flash Configuration Field included in the binary file of your application. If you use a project created in S32 Design Studio, you can find something like this in startup files (startup_S32K1xx.s):

/* Flash Configuration */
.section .FlashConfig, "a"
.long 0xFFFFFFFF /* 8 bytes backdoor comparison key */
.long 0xFFFFFFFF /* */
.long 0xFFFFFFFF /* 4 bytes program flash protection bytes */
.long 0xFFFF7FFE /* FDPROT:FEPROT:FOPT:FSEC(0xFE = unsecured) */

This field is forced to flash address 0x400 by the linker file. By default, FSEC is configured to the unsecured state.

To temporarily unlock the chip, it is possible to use the Backdoor Access Key. You can read this section in the reference manual:
36.5.12.2.1 Un-securing the MCU using backdoor key access

We have SW example here:
https://community.nxp.com/t5/S32K-Knowledge-Base/Example-S32K144-Verify-Backdoor-Access-Key-S32DS1-3...

Regards,
Lukas

0 Kudos
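An added example (not code from NXP or from either poster): a host-side check that pulls the FSEC byte out of a raw image at the Flash Configuration Field and decodes it, so a build can be verified before it is programmed. The bit layout (KEYEN[7:6], MEEN[5:4], FSLACC[3:2], SEC[1:0], with SEC = 10 meaning unsecured) is an assumption taken from the FSEC register description in the reference manual section cited above; all function names are hypothetical and the sample image is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FSEC_ADDR 0x40Cu /* 0x400 (FCF, from the post) + 0x0C: low byte of the 4th .long */

typedef struct {
    uint8_t raw; bool secured, backdoor_key, mass_erase;
} fsec_info;

/* Decode one FSEC byte; field positions are assumed from the reference manual. */
fsec_info fsec_decode(uint8_t fsec)
{
    fsec_info i = { fsec, (fsec & 0x03u) != 0x02u,   /* SEC: only 0b10 is unsecured */
                    ((fsec >> 6) & 0x03u) == 0x02u,  /* KEYEN: only 0b10 enables the key */
                    ((fsec >> 4) & 0x03u) != 0x02u };/* MEEN: only 0b10 disables mass erase */
    return i;
}

/* Read FSEC from a raw image that starts at flash address 0; -1 if too short. */
int fsec_from_image(const uint8_t *img, size_t len, fsec_info *out)
{
    if (!img || !out || len <= FSEC_ADDR) return -1;
    *out = fsec_decode(img[FSEC_ADDR]);
    return 0;
}

/* Secured with neither backdoor key access nor mass erase as a recovery path. */
bool fsec_no_recovery(fsec_info i)
{
    return i.secured && !i.backdoor_key && !i.mass_erase;
}

/* Constructed sample: blank image with one FCF word stored little-endian at 0x40C. */
int sample_fsec(uint32_t word)
{
    static uint8_t img[0x410];
    fsec_info i;
    memset(img, 0xFF, sizeof img);
    for (int b = 0; b < 4; b++) img[FSEC_ADDR + b] = (uint8_t)(word >> (8 * b));
    return fsec_from_image(img, sizeof img, &i) == 0 ? i.raw : -1;
}

int main(void)
{
    fsec_info i = fsec_decode((uint8_t)sample_fsec(0xFFFF7FFEu)); /* word from the startup file */
    printf("FSEC=0x%02X secured=%d no_recovery=%d\n", i.raw, i.secured, fsec_no_recovery(i));
    return 0;
}
```

Running the same decode on a candidate secured value before programming it shows whether the backdoor key or mass erase would still be available afterwards.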

403 Views
zhouqicheng
Contributor I

Hello,

1. Do I need to partition the CSEc for JTAG encryption? The flash configuration key was successfully written, but the [sec] register was not successfully written. Why?

2. Does this require configuring other encryption functions?


0 Kudos

377 Views
lukaszadrapa
NXP TechSupport

CSEc and "Flash memory security" are two different things.

CSEc is not needed to enable flash memory security via FSEC. It's independent. Also note that the flash memory security feature just restricts the access via JTAG/SWD. It does not encrypt the flash.

Regards,

Lukas

0 Kudos