kw45 secure boot

ilgfcyl · ‎04-24-2024

Hello everyone，

Recently I study the kw45 secure boot, but there is a problem i cannot understand?

Question1:

what is the difference between signed image and .sb3?

As mentioned in RM, The SB file format is encrypted and digitally signed. The NBU is the .sb3。

what is the signed image? Does signed image format just digitally signed, but not encrypted? I cant find the detailed description. Could anyone tell the relationship or the difference between them? Does the App in CM33 could be either .sb3 or signed image?

Question2:

If I need to do secure boot in CM33, then the .bin should be generated as signed image or .sb3?

Looking forward to your reply!

nxf77486 · ‎04-25-2024

Hello,

Thank you for contacting NXP support.

Regarding your questions:

Question 1:

The signed image is intended to be used primarily for boot images and other pieces of code that are executed in place. But it could also be used for images that are copied into RAM from an external device before execution.

The SB3.1 image uses the latest crypto graphical algorithms to ensure the highest possible authenticity and confidentiality of the carried firmware. The security level of SB3.1 is configurable.

Question 2:

We have the following application note, that explain in a deeper way how to perform a secure boot with the KW45.

Please let me know if this AN was useful.

ilgfcyl · ‎04-25-2024

Thanks for your reply!

I have check the RM，and find the information you mentioned. The KW45 support the secure boot and secure update firmware(which can be used to update the CM3 radio firmware). But the .SB image strcuture is different from singed image. If the secure update of CM33 flash successful, then I reset the chip, it should be secure boot. So I wonder how the updated image stored in CM33 flash, what is the structure of updated .SB flash? Is it the same with the signed image(for secure boot)? I cant find the detailed information in secure boot SRM!

Besides, I want to confirm that the relationship between the different version .xip(NBU). If I use the version A to develop，the I only update the .sb3(NBU) using version B and same keys, could the project work normally?

Finally, as the picture blow, what does the "plain image、Xip plain image" mean?

Looking forward to your reply!

Best Wishes!

nxf77486 · ‎04-29-2024

Hello,

Regarding your questions:

Yes it is correct the structure between the signed image and SB.1 is different but the certificate block used in the signed boot image is the same as the certificate block used in the SB3.1 firmware update container.

Also the difference between the plain image and the XIP plain image, is that the XIP plain image is executed in place (XIP) this means that this execute the program directly from the serial Flash without copying the code to the RAM.

Please let me know if you have any other question.

ilgfcyl · ‎04-30-2024

Thanks for your reply!

I cant use the spsdk to generate signed image. Is there any cases i can learn from?

Here is the problom!

SPSDK Version: 1.11.0.

The attach file is .yaml, for convenience, i have changed the file format.

nxf77486 · ‎04-30-2024

Hello,

Please find the link to an Application Note for the Secure Boot on the KW45, and also the link to the Application Note that has a brief explanation on how to use the SPSDK. Hope you find this information useful.

Please let me know if there is anything else where I can help you.

kw45 secure boot

kw45 secure boot

Product: KW41Z |31Z | 21Z