KW45 Secure Boot consultation on related issues

Taiyi
Contributor I

Hi

1. Hardware shall support a secure boot mechanism to ensure the integrity and authenticity of the firmware or operating system images. For example, it checks the digital signature of the images during the startup phase.

2. Secure boot should be based on a hardware trusted root such as HSM/SE/TPM.

3. If the firmware is tampered with or invalid firmware is brushed in, or the firmware cannot pass the integrity and signature verification for any reason, the ECU shall automatically roll back to the previous firmware version or refuse to start.

Can you provide some information and reference methods on how we should operate secure boot? Does this require starting the EdgeLock Enclave? I looked up some of your SPSDK secure boot reference routines, but it is not clear what their specific principles and motives are.

 

Best regards.

Taiyi
Contributor I

  1. As follows, after the signature image is put into KW45 through ISP mode as shown in the figure, what operations need to be carried out later, or can I directly run the project source code on the board? I now directly download the source code into the board with the secure boot signature image, and the board is now running properly. How does the secure boot mechanism check whether it is valid and whether the downloaded signature image is valid?

# uploads
#! blhost $UART_CONNECTION write-memory 0x0 $MBI_OUTPUT_FILE
! blhost -p COM18 flash-erase-all
Response status = 0 (0x0) Success.
In [45]: ! blhost -p COM18 write-memory 0x0 workspace/lBI/my_mbi.bin
Writing memory
Response status = 0 (0x0) Success.
Response word 1 = 1040836 (0xfe1c4)
In [46]: ! blhost $UART_CONNECTION reset
Response status = 0 (0x0) Success.

  2. If KW45 is safely started, how should my program run normally? Do I need to encrypt and generate sb3 files separately?

  3. Where is the nboot project routine, is there any relevant operation documentation, and what are the operations related to secure boot that must be done?

  4. SEC tool about KW45, where is it? Can you provide it?

  5. As shown below, in ISP mode, how are these instructions sent out through the serial port? What software is used, and what kind of environment and tools are needed? It would be best to have specific operation methods.

"This section explains the general protocol for the packet transfers between the host and the ROM Bootloader. The description includes the transfer of packets for different transactions, such as commands with no data phase and commands with incoming or outgoing data phase. The next section describes various packet types used in a transaction" 10.4 In-System Programming protocol

 

nxf77486
NXP TechSupport

Hello,

 

Please find the answer to your questions below:

  1. How does the secure boot mechanism check whether the downloaded signature image is valid?

In AN13838, chapter 6.4, you will find the image verification, where the process of how the image is validated and used is explained in more depth.

  2. Do I need to encrypt and generate the sb3 file separately?

Yes. Also, in AN13838, chapter 6, you will find the differences between a signed image (6.2), an sb3 file (6.3), and an unsigned or plain image (6.1).

  3. SEC Tool about KW45, where is it? Can you provide it?

Sure, we have the following application note, AN14109, which explains the usage of the SEC Tool.

Also please find the link to the Secure Provisioning Tool.

 

Please let me know if there is anything else where I can help you.

nxf77486
NXP TechSupport

Hello,

 

Thank you for contacting NXP support.

Regarding your questions, you can find more detailed information in the Security Reference Manual. In chapter 9.3 you will find the features of the Boot ROM described in more detail, and in chapter 9.3.7 you will find more detailed information on how secure boot is used.

Please let me know if there is anything else where I can help you.

Taiyi
Contributor I
Hi

Security Reference Manual: I can't open this manual link. I have a version of this manual called Rev.3, but it doesn't have Chapter 9.

nxf77486
NXP TechSupport

Hello,

 

Please help me by logging into your NXP account in order to have access to download this document.

Also, we have a couple of application notes related to secure boot, located in the KW45 documentation under the secure files perspective. If you can, please help me by verifying that you have access to this documentation (you need to be logged into your NXP account).

Please let me know if you have access.

Taiyi
Contributor I

Hello!

I need your answers and support on the following two matters.  

1. KW45 starts safely. What should I pay attention to if I use the RoTKTH generated by NBU before? Why did the security boot fail when I used the previous key to generate the signature image? I changed the state of FUSE to Security world closed. How can I determine what went wrong inside the security boot? I need your email or phone support.

2. Can NBU files (including general .sb3 files) be upgraded by the Bootloader? If yes, can you provide relevant documents and software information? Is the method mentioned in AN14003 related to the NBU file upgrade by Bootloader? In addition, could you please provide the projects and tools mentioned in this document for our reference? Is the download mode supported by the CAN bus?

nxf77486
NXP TechSupport

Hello,

 

Answering your questions:

  1. We have the following guide, which explains in more depth how to generate RoTKs properly and how to modify them. It also covers how to generate the certificates, including examples of how these files should look once they are generated.
  2. The NBU can be updated as you mention, and we have an application note that explains how this process can be done and what the requirements for it are.

Please let me know if you have any other question.

Liyn
Contributor I

Hi,

I have the same problem: the KW45 can't jump to the application and always runs the ROM BOOT when I change the KW45 lifecycle to "OEM SECURE WORLD CLOSED". I checked that the RoTKTH and SB3KDK are written correctly in the KW45 fuses, and the KW45 can execute the "wireless uart" application before changing the lifecycle. The way I burn the application firmware is that I generate the application sb3 image using the same keys (RoTKTH and SB3KDK) as in the KW45 fuses and send the application sb3 image to the KW45 through ISP. How can the KW45 execute the application code in the "OEM SECURE WORLD CLOSED" lifecycle?

nxf77486
NXP TechSupport

Hello,

 

Please find the following application note, which explains in more detail how lifecycles work on the KW45 and how you configure them for use with applications.
