Security boot verification failed

wang_q4
Contributor I

Dear all,

If I enabled security boot mode "Strict Sequential Boot Mode", but security boot verification failed,

can I now disable the security boot?

 

lukaszadrapa
NXP TechSupport

Hi,

If strict sequential boot mode fails, the device will never leave the reset state and the only option is to replace the chip. There's no way to recover in this case.

Regards,

Lukas

wang_q4
Contributor I

Hi,

Thank you for the response.

If I enable one of the other two modes (Sequential Boot Mode, Parallel Boot Mode) and verification fails, can I use the debug tool to restore CSEc to factory settings?

lukaszadrapa
NXP TechSupport

Hi,

Yes, you can.

Strict sequential boot mode is a special one as it keeps the device in reset forever when the verification fails.

Failing sequential and parallel boot modes don't do that; you are just not able to use boot protected keys if verification fails. But the device is still working without other limitations.

To reset the device back to factory state, you need to know the MASTER ECU KEY.

More details and SW example can be found in AN5401:

https://www.nxp.com/webapp/Download?colCode=AN5401&location=null

https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null

Regards,

Lukas

wang_q4
Contributor I

Hi,

Thank you for the response.

May I know the failing sequential or parallel boot verification result?

lukaszadrapa
NXP TechSupport

If the sequential or parallel boot mode fails, the BOK bit in the FCSESTAT register is cleared and you can't use boot protected keys.

See "3.1.3 Key Attributes" in AN5401 for details.

See also the SW examples in the application note. When loading a key, attributes can be added when calling the calculate_M1_to_M5() function. It's the last parameter.

Regards,

Lukas

 

wang_q4
Contributor I

Hi Lukas,

I enabled security boot mode "Sequential Boot Mode",

but security boot verification failed. Could you please determine what went wrong?

The FCSESTAT register value is:

FCSESTAT[SB]=1

FCSESTAT[BIN]=0

FCSESTAT[BFN]=1

FCSESTAT[BOK]=0

lukaszadrapa
NXP TechSupport

Hi,

This means that the BOOT_MAC calculated by CSE after reset does not correspond to the value stored in the BOOT_MAC slot.

Did you follow all the steps described in AN5401?

If you updated the content of flash, BOOT_MAC needs to be updated too. Or you can perform a reset to factory state (also described in AN5401) and start over.

Regards,

Lukas
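
The FCSESTAT reading discussed above, decoded in C as an added example (not part of the original thread, AN5401 or the NXP SDK). The bit positions and flag semantics are an assumption based on the SHE status-register layout and should be checked against the device header; the `sb_*` and `fcsestat_pack` names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* FCSESTAT flag masks. Bit positions are an assumption (SHE status-register
 * layout); confirm them against your device header before use. */
#define FCSESTAT_SB   0x02u  /* secure boot activated */
#define FCSESTAT_BIN  0x04u  /* BOOT_MAC personalized during this boot */
#define FCSESTAT_BFN  0x08u  /* secure boot finished */
#define FCSESTAT_BOK  0x10u  /* secure boot verification succeeded */

/* Hypothetical names, introduced for this example only. */
typedef enum {
    SB_NOT_ACTIVE,      /* SB=0: secure boot not activated */
    SB_UNDECIDED,       /* SB=1, BOK=0, BFN=0: no result yet */
    SB_VERIFIED,        /* BOK=1, BFN=0: passed, not yet finished */
    SB_VERIFIED_FINAL,  /* BOK=1, BFN=1: passed and finished */
    SB_FAILED           /* BOK=0, BFN=1: finished without success */
} sb_state_t;

/* Pack individual flag values (0 or 1) into a register image. */
uint8_t fcsestat_pack(int sb, int bin, int bfn, int bok)
{
    return (uint8_t)((sb ? FCSESTAT_SB : 0u) | (bin ? FCSESTAT_BIN : 0u) |
                     (bfn ? FCSESTAT_BFN : 0u) | (bok ? FCSESTAT_BOK : 0u));
}

/* Classify the secure boot outcome from a raw FCSESTAT value. */
sb_state_t sb_classify(uint8_t fcsestat)
{
    int bok = (fcsestat & FCSESTAT_BOK) != 0;
    int bfn = (fcsestat & FCSESTAT_BFN) != 0;

    if (!(fcsestat & FCSESTAT_SB)) return SB_NOT_ACTIVE;
    if (bok) return bfn ? SB_VERIFIED_FINAL : SB_VERIFIED;
    return bfn ? SB_FAILED : SB_UNDECIDED;
}

/* Boot protected keys are usable only while BOK is set. */
int sb_boot_protected_keys_usable(uint8_t fcsestat)
{
    return (fcsestat & FCSESTAT_BOK) != 0;
}

int main(void)
{
    /* Constructed from the values reported above: SB=1, BIN=0, BFN=1, BOK=0 */
    uint8_t reg = fcsestat_pack(1, 0, 1, 0);
    printf("FCSESTAT=0x%02X state=%d keys_usable=%d\n", (unsigned)reg,
           (int)sb_classify(reg), sb_boot_protected_keys_usable(reg));
    return 0;
}
```

On target, the raw value would come from the FCSESTAT register itself instead of `fcsestat_pack`.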

wang_q4
Contributor I

Hi Lukas,

I have found the cause of the problem, thanks a lot.

If security boot verification succeeds, do I need to actively call the CSEC_DRV_BootOK function?

lukaszadrapa
NXP TechSupport

Hi,

No, it's not necessary. But it should be done as it locks the CMD_BOOT_FAILURE command. Take a look at:

https://community.nxp.com/t5/S32K/s32k144-csec-Boot-Ok-Command/m-p/1330132

Regards,

Lukas

wang_q4
Contributor I

Hi Lukas,

Now secure boot verification succeeds. I updated the secure boot area code and updated BOOT MAC successfully, but after reset, secure boot failed. What do we need to pay attention to when updating BOOT MAC?

lukaszadrapa
NXP TechSupport

Hi,

This is described in AN5401:

lukaszadrapa_0-1636359439270.png

Regards,

Lukas
