LPC54S018 securely booting was failed!

827529957
Contributor III

I have referred to AN12352 and tried to operate my board, but obviously, from the result, I failed. The board can't run my encrypted image. The following is my operation.

1. As shown below, I use the elftosb tool to create a 128-bit AES key file named "aes128.key". This file can be found in the attachment.

1.png

2. I chose a bin file "hello_world.bin" from the directory "SDK_2.6.0_LPC54S018_MDK\boards\lpcxpresso54s018\demo_apps\hello_world" as the object of encryption. I have tested the file by programming it to my board, and my board could run it successfully before encryption. The file "hello_world.bin" can be found in the attachment. Next, I used the elftosb-gui tool to encrypt the file. My operation is shown below.

微信图片_20191104085037.jpg

3. I use blhost to program the AES key to OTP. At the beginning, I directly used the AES key file "aes128.key" to program, and blhost pointed out that something was wrong, as in the first picture below. I thought about it for a moment and found that the data in the file "aes128.key" is not really hex data, so I changed the file "aes128.key" to "aes128.bin". The file "aes128.bin" is also in the attachment. Then I programmed the file "aes128.bin" to OTP and succeeded. The second picture below is the result.

Snap10.bmp

Snap11.bmp

4. I use JFlash 6.44 Lite to load the encrypted image to my board successfully.

微信图片_20191104092325.png

5. Finally, I use blhost to turn on the security boot. I used the command "blhost.exe -u 0x1fc9,0x01a2 -- efuse-program-once 12 00000010" to set the secure boot type bit field, and used the command "blhost.exe -u 0x1fc9,0x01a2 -- efuse-program-once 12 00000004" to enable the secure boot. However, when I reset my board, the board didn't print "hello world", and Keil cannot find the core in Debug. Any operation on the board has no effect.

I guess the error may have happened in the third step. The key file used for programming at the beginning was wrong, but the wrong data may have been written, resulting in the correct AES key data not being written. Is that correct? Or is my other operation wrong? I hope you can help me, thank you.

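A pre-flight check for the key-file mix-up described in step 3 of the post above, added here as an example and not part of the original post or of NXP's tooling: it reads a key file as either ASCII hex text or raw binary, insists on exactly 16 key bytes, and gives a fingerprint so the file used for encryption and the file programmed to OTP can be compared before the write. The function names and the sample key are constructed for illustration; the byte order the OTP expects is outside its scope.

```python
import hashlib

AES128_KEY_LEN = 16  # bytes in a 128-bit key
HEX_DIGITS = set(b"0123456789abcdefABCDEF")


def parse_key_file(data: bytes) -> bytes:
    """Return the raw 16-byte key held in a key file's contents.

    Accepts raw binary (exactly 16 bytes) or ASCII hex text (32 hex
    digits, whitespace ignored). Everything else raises ValueError.
    """
    if len(data) == AES128_KEY_LEN:
        if set(data) <= HEX_DIGITS:
            # 16 hex characters: would be taken as raw bytes by mistake
            raise ValueError("ambiguous: 16 hex characters, not 16 key bytes")
        key = data
    else:
        try:
            key = bytes.fromhex("".join(data.decode("ascii").split()))
        except ValueError as exc:  # non-ASCII, non-hex or odd digit count
            raise ValueError("not raw binary and not hex text") from exc
        if len(key) != AES128_KEY_LEN:
            raise ValueError(f"expected 16 key bytes, got {len(key)}")
    if len(set(key)) == 1:
        raise ValueError("key is one repeated byte (blank or placeholder)")
    return key


def key_fingerprint(data: bytes) -> str:
    """Short SHA-256 fingerprint, so keys can be compared without printing them."""
    return hashlib.sha256(parse_key_file(data)).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample key, not the key from the thread's attachment.
    as_text = b"00112233445566778899AABBCCDDEEFF\r\n"
    as_binary = bytes.fromhex("00112233445566778899aabbccddeeff")
    print("text file  :", key_fingerprint(as_text))
    print("binary file:", key_fingerprint(as_binary))
    print("same key   :", key_fingerprint(as_text) == key_fingerprint(as_binary))
```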

FelipeGarcia
NXP Employee

Hi Kunsen,

Please try by using the example provided in the software for that application note.

https://www.nxp.com/docs/en/nxp/application-notes-software/AN12352SW.zip

As stated in the application note, the image needs to be divided into two parts by modifying the linker script. In the example above this work is already done. You will only need to split the image into two binaries. Please use it to test it.

Hope it helps!

Have a great day,
Felipe

827529957
Contributor III

As stated in AN12352, 

"The secure-plain text image is from address 0 to address (total length of the image – 1) of the original image binary. This image is used to create the secure-bootable part image. The non-secure image is from address 0x0010_0000 (0x1010_0000 - 0x1000_0000) to the end of the original image. This image is as non-secure part image."

According to this sentence, the non-secure part starts from the address 0x00100000 of the original image, but my original image size is less than 0x00100000, then how should I divide it?

FelipeGarcia
NXP Employee

Hi Kunsen,

If your image is smaller than the non-secure part then you can leave the division like that. As stated in application note:

The division helps place the code identified as protected in the secure bootable part and the non-protected code in the non-secure part.

You are good as long as they are not overlapped.

Best regards,

Felipe

827529957
Contributor III

Do you mean that my operation is OK when the image size is smaller than the non-secure part? But I can't boot my board after encryption, as the question states. Is there any other problem with my operation? I need some help.

FelipeGarcia
NXP Employee

I highly recommend that you try the software provided for this application note before you load your own software, verify that it works on your side, and then split your own image by using the linker file as stated in AN12352.

Regards,

Felipe