use CSEc to encrypt the flash

749 views
zhouqicheng
Contributor I
Hi, I want to use CSEc to encrypt the flash, which has been sent to JTAG and cannot be read or written to the flash. Finally, I will pass the key decryption chip through the serial port. At present, the partition has been successful, FCNFG [RAMRDY]==0 and FCNFG [EEERDY]==1, but FSEC [SEC]=10. I don't know what to do next. Is there a program example?
3 replies

689 views
lukaszadrapa
NXP TechSupport

Hi @zhouqicheng 

Let me summarize what we provide regarding CSEc:

We provide application note AN5401:
https://www.nxp.com/webapp/Download?colCode=AN5401&location=null
https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null
That's the best point to start. I recommend reading the whole AN5401 thoroughly. Then it will be much easier to understand the examples in both AN5401 and in SDK or RTD.

Then there are drivers in SDK. The documentation can be found in SDK folder in S32 Design Studio IDE:

c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\doc\S32SDK_S32K144_UserManual.pdf
Then there are some examples like:
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\driver_examples\system\csec_keyconfig\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\driver_examples\system\security_pal\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\demo_apps\csec_boot_protection\
c:\NXP\S32DS.3.4\S32DS\software\S32SDK_S32K1XX_RTM_4.0.3\examples\S32K144\demo_apps\flexcan_encrypted\

AN5401 projects do not use SDK. The application note was written before the SDK was available. So, the code/drivers are different from SDK drivers.

S32 Design Studio IDE can be downloaded here:
https://www.nxp.com/design/software/development-software/s32-design-studio-ide/s32-design-studio-for...

SDK 4.0.3 can be installed in S32 Design Studio IDE 3.4 via Help -> S32DS Extensions and Updates. This SDK is not supported in newer S32DS 3.5.

Then there are RTD drivers. They replace the older SDK and Autosar MCAL drivers. There's an Autosar MCAL layer and an Ip layer (similar to SDK):
https://www.nxp.com/design/software/automotive-software-and-tools/real-time-drivers-rtd:AUTOMOTIVE-R...

After installation, Crypto drivers can be found here:
c:\NXP\S32DS.3.5\S32DS\software\PlatformSDK_S32K1_S32M24\RTD\Crypto_TS_T40D2M20I0R0\

To generate M1-M5 values, there are two common options: you can either use the calculate_M1_to_M5() function from AN5401 or from the SDK examples and use CSEc to calculate them, or the second option is to use tools like OpenSSL: https://www.openssl.org/



S32K1xx devices can be secured / locked to restrict the access via JTAG/SWD.
This can be done by configuration of FSEC byte in Flash Configuration Field at address 0x400.

Please see the following sections in the reference manual for more details:
5.2.1 Flash memory security
5.2.1.1 Flash memory security interactions with debug
36.4.1 Flash configuration field description
https://www.nxp.com/webapp/Download?colCode=S32K1XXRM

It’s independent of debugging/programming tools. It’s just necessary to have the Flash Configuration Field included in the binary file of your application. If you use a project created in S32 Design Studio, you can find something like this in startup files (startup_S32K1xx.s):

/* Flash Configuration */
.section .FlashConfig, "a"
.long 0xFFFFFFFF /* 8 bytes backdoor comparison key */
.long 0xFFFFFFFF /* */
.long 0xFFFFFFFF /* 4 bytes program flash protection bytes */
.long 0xFFFF7FFE /* FDPROT:FEPROT:FOPT:FSEC(0xFE = unsecured) */

This field is forced to flash address 0x400 by linker file. By default, FSEC is configured to unsecured state.

To temporarily unlock the chip, it is possible to use the Backdoor Access Key. You can read this section in the reference manual:
36.5.12.2.1 Un-securing the MCU using backdoor key access

We have SW example here:
https://community.nxp.com/t5/S32K-Knowledge-Base/Example-S32K144-Verify-Backdoor-Access-Key-S32DS1-3...

Regards,
Lukas

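The FSEC byte of the Flash Configuration Field described in the reply above can be checked in a build image before it is programmed. This is an added example, not part of the original post and not NXP code; the names fsec_decode and fsec_from_image are hypothetical, and the bit layout (KEYEN[7:6], MEEN[5:4], FSLACC[3:2], SEC[1:0], with SEC = 10 meaning unsecured) follows the FSEC description in the reference manual section cited above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define FCF_ADDR 0x400u /* Flash Configuration Field base, per the post */
#define FSEC_OFF 0x0Cu  /* FSEC = low byte of the 4th .long (little-endian) */

typedef struct {
    uint8_t raw;
    bool secured;            /* SEC    != 0b10 */
    bool backdoor_enabled;   /* KEYEN  == 0b10 */
    bool mass_erase_enabled; /* MEEN   != 0b10 */
    bool factory_access;     /* FSLACC == 0b00 or 0b11 */
} fsec_info;

/* Decode FSEC: KEYEN[7:6] MEEN[5:4] FSLACC[3:2] SEC[1:0]. */
fsec_info fsec_decode(uint8_t fsec)
{
    fsec_info i;
    uint8_t fslacc = (fsec >> 2) & 3u;
    i.raw = fsec;
    i.secured = (fsec & 3u) != 2u;
    i.backdoor_enabled = ((fsec >> 6) & 3u) == 2u;
    i.mass_erase_enabled = ((fsec >> 4) & 3u) != 2u;
    i.factory_access = (fslacc == 0u) || (fslacc == 3u);
    return i;
}

/* img[0] must map to flash address 0.
 * Returns 0 on success, -1 if the image does not cover the 16-byte FCF. */
int fsec_from_image(const uint8_t *img, size_t len, fsec_info *out)
{
    if (img == NULL || out == NULL || len < FCF_ADDR + 16u)
        return -1;
    *out = fsec_decode(img[FCF_ADDR + FSEC_OFF]);
    return 0;
}

int main(void)
{
    static uint8_t img[0x410];       /* constructed sample image */
    fsec_info i = {0};
    img[FCF_ADDR + FSEC_OFF] = 0xFE; /* default value from startup_S32K1xx.s */
    if (fsec_from_image(img, sizeof img, &i) != 0)
        return 2;
    printf("FSEC=0x%02X secured=%d backdoor=%d mass_erase=%d\n",
           i.raw, i.secured, i.backdoor_enabled, i.mass_erase_enabled);
    return 0;
}
```

Pass the raw binary with offset 0 corresponding to flash address 0; a value with SEC = 10, as reported in the question, decodes as unsecured.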

679 views
zhouqicheng
Contributor I

Hello,

1. Do I need to partition the CSEC for JTAG encryption? The flash configuration key was successfully written, but the [sec] register was not successfully written. Why?

2. Does this require configuring other encryption functions?


653 views
lukaszadrapa
NXP TechSupport

CSEc and "Flash memory security" are two different things.

CSEc is not needed to enable flash memory security via FSEC. It's independent. Also notice that flash memory security feature just restricts the access via JTAG/SWD. It does not encrypt the flash.

Regards,

Lukas
