s32k144 csec : Boot Ok Command

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

s32k144 csec : Boot Ok Command

Jump to solution
1,268 Views
kmh48301
Contributor IV

Hello.

 

I have been studying 'Secure Boot' in csec.

 

In AN5401, Page 20

==========================================================================

If the secure boot process is successful and CMD_BOOT_OK is executed, keys marked as Boot Protected (BOOT_PROT) can
be used by the application code. Otherwise boot protected keys remain locked for application use.

==========================================================================

So my application is checking the secure boot status through "FTFC->FCSESTAT" .

and when boot mac verifying is succeeded, the application calls "CSEC_DRV_BootOK()".

 

And I tested boot protection flag key.

 

But, regardless of calling "CSEC_DRV_BootOK()", I could use the boot protection flag key,

As long as, the boot mac verifying is succeeded.

 

Do i misunderstand AN5401?

 

Thanks

Best regards

Phillip

0 Kudos
1 Solution
1,253 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi Phillip,

I got very fast feedback which confirmed my thoughts. CMD_BOOT_OK is not needed to use boot protected keys and it meets the SHE spec. The sentence in the app note will be updated.

Thanks for pointing this out.

Regards,

Lukas

View solution in original post

0 Kudos
2 Replies
1,254 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi Phillip,

I got very fast feedback which confirmed my thoughts. CMD_BOOT_OK is not needed to use boot protected keys and it meets the SHE spec. The sentence in the app note will be updated.

Thanks for pointing this out.

Regards,

Lukas

0 Kudos
1,260 Views
lukaszadrapa
NXP TechSupport
NXP TechSupport

Hi Phillip,

I can see that SHE specification does not explicitly say that CMD_BOOT_OK is needed to unprotect boot protected keys. It is used rather to lock CMD_BOOT_FAILURE command. In my opinion, the behavior you can see complies with the spec and the sentence in the AN is wrong.

But let me double check this. Notice that it will probably take a couple of days.

Regards,

Lukas

 

0 Kudos