Help Needed with Secure Boot on KW45B41Z-EVK

jictannu

Hi all,

I'm in the process of setting up Secure Boot on the KW45B41Z-EVK. I've flashed the CUST_PROD_OEMFW_ENC_SK, CUST_PROD_OEMFW_AUTH_PUK, and kw45b41_nbu_ble_1_9_12_3.sb3 files provided officially. I'm trying to follow the Secure Boot steps from this documentation(https://spsdk-try.readthedocs.io/en/master/examples/kw45xx_k32w1xx/kw45xx_k32w1xx_secure_boot.html), but I'm facing a couple of hurdles:

1. The documentation requires multiple .pub files, but I only found .pem files in AN13883SW, with no .pub files present. How do I generate the necessary .pub files? Also, will these keys match the official ones if I follow the key preparation process?

2. The chip is in OEM Open state at the moment. Is there a method to verify whether the CM33 image authentication has been completed successfully?

Any assistance or pointers would be greatly appreciated. Thanks!

jictannu

Hi @Ricardo_Zamora

Following the steps in section 5.1, I noticed that the SB3KDK generated in the `sb3kdk.txt` file is inconsistent with the SB3KDK that I have already programmed into the device. This inconsistency seems problematic. How can I ensure that the generated keys match the ones already burned into the device to successfully carry out the Secure Boot testing?

Looking forward to your reply and assistance.

Best regards,

jictannu

Ricardo_Zamora

Hello,

Could you please confirm that you are following the AN13883SW?

Using the "5.1. Generating OEM Keys & Certificates " you can have both, .pub and .pem.

Regards,

Ricardo

jictannu

Hi Ricardo,

Thank you for your input. I've already programmed the device with the official SB3KDK and RoTKTH. However, I'm concerned that if I generate new keys following the "5.1. Generating OEM Keys & Certificates" section, the resulting SB3KDK would be different from the one I've already flashed. Would this not lead to an inconsistency, and can authentication still be successful in this case?

Best regards,

jictannu

Ricardo_Zamora

Hello jictannu,

KW45 EVK fuses are pre-programmed with generic keys for ease of use in development. You can still follow this document with an EVK, but it is not possible to program its fuses. For an EVK, NXP SDK Keys (available in the attached zip file) should be used to generate secure binaries.

Best Regards,

Ricardo

jictannu

Hi Ricardo,

Just as I initially asked, the documentation for generating secure binaries requires .pub files, but these are not provided in AN13883SW. If I follow the document's steps to regenerate the keys, they will certainly not match what I've already programmed into the fuse, right? So, how should I proceed to test Secure Boot on KW45 EVK?

I appreciate your guidance on this matter.

Best regards,

jictannu

Ricardo_Zamora

Hello,

You just need to use the pem keys for the EVK, and follow the rest of the document.

Just omit the 5.1.

Regards,

Ricardo