LPC55S69 Secure Boot

Question asked by Simon Ott on May 6, 2019
Latest reply on May 8, 2019 by ZhangJennie

I am following AN12283 in order to enable secure boot. So far, I have generated the necessary keys and then a signed binary with the elftosb-gui. Now I am trying to configure the CFPA page.


In section 5.3 in the AN, it is stated: "Prepare CFPA page in .bin file (example with RoT key 0-3 enabled is attached)". However, I don't see any example attached in the AN and no further notes on how to generate the CFPA page .bin file. In the user manual, it is said that "Prepare CFPA page using elftosb-gui PC tool". However, in the elftosb-gui, there is only one field that is part of the CFPA (the RKTH). So my question is, what is the right way to configure the CFPA page?


Then I was looking at the CFPA page layout. In table 179 of the user manual, it is said that the length of the RKTH_REVOKE field is 1 bit, at address 0x9DE18. However, then in table 180 the RKTH_REVOKE bit field is described as consisting of a total of 32 bits. However, the next field (PRINCE Region 0 IV Code) is at address 0x9DE30, which is only 24 bits from 0x9DE18. Is this a mistake in the user manual?


Also, in the application note, there are several warnings:

"In ROM A0 after programming signed image there is no way to read or write flash memory through ISP. Configure the settings carefully. Only signed images with selected certificates are used."


- What is meant by ROM A0?

- Does this mean that after programming the ROM with secure boot enabled (elftosb-gui "device" and "security" tab) and uploading a signed image, the protected flash region can never be changed again through elftosb-gui, or is there a way to change it again?

- Can secure boot in general be disabled again, to continue application development and debugging through the MCUXpresso IDE?