S32K3xx - Security Guide
The S32K3 series from NXP provides two main ways of authenticating a device for debug and flash programming. The procedure for “locking” and “unlocking” the device, that is, securing it from unwanted access, differs from that of most other available MCUs.
Note: Considering an MCU with HSE enabled: when HSE is enabled, access to the internal programmable flash memory is restricted. Generally, the last 176 KB of the Program Flash and the last 40 KB of the Data Flash are reserved for NXP usage only. Because of this, when using the “Auto Prog.” device action it is recommended to set the “Used by Code File” option in the Memory Options dialog. This setting avoids modifying restricted memory areas during programming. In this configuration, the code file must not contain data from any restricted region.
1. Restricting Debug Access in Secure Password Mode (without HSE)
1.1. Prepare code file with password (CUST_DB_PSWD_A)
In the UTEST sector, which is an OTP (One Time Programmable) region, the Secure Password must be programmed. CUST_DB_PSWD_A is stored at address 0x1B000080 and must be 16 bytes long. Although the documentation says it is 32 bytes long, the last 16 bytes are reserved for NXP firmware usage.
Prepare a code file that has the password at the appropriate address.
This can be done easily using the Texas Instruments (.txt) format. For example, the file presented below contains the password shown in the image above.
An example code file containing a 16-byte password is located in the Attachments section below the document. It can be modified as needed.
Note: Other OTP fields that are not reserved for NXP usage and are listed in S32K3xx_DCF_clients, an attachment to the S32K3XXRM, can be programmed in the same way as CUST_DB_PSWD_A.
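The following is an added example, not part of this guide or of any NXP or Elprotronic tool: it builds a TI-TXT (.txt) code file that places a 16-byte CUST_DB_PSWD_A at 0x1B000080, rejects anything that would spill into the NXP-reserved half of the 32-byte field, and parses such a file back so it can be checked before it is written to OTP. The password bytes are a constructed sample; a real password should come from a cryptographically secure random source.

```python
from typing import Dict

CUST_DB_PSWD_A_ADDR = 0x1B000080           # address given in section 1.1
CUST_DB_PSWD_A_LEN = 16                    # usable length; the next 16 bytes are NXP-reserved
NXP_RESERVED_START = CUST_DB_PSWD_A_ADDR + CUST_DB_PSWD_A_LEN   # 0x1B000090

# Constructed sample value for illustration only, not a real password.
SAMPLE_PASSWORD = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF")


def build_password_ti_txt(password: bytes, address: int = CUST_DB_PSWD_A_ADDR) -> str:
    """Return TI-TXT text: an '@<hex address>' line, data lines of up to 16 bytes, and 'q'.

    UTEST is OTP, so the length is checked up front: a wrong-length or misplaced
    write cannot be undone once programmed."""
    if len(password) != CUST_DB_PSWD_A_LEN:
        raise ValueError(f"CUST_DB_PSWD_A must be {CUST_DB_PSWD_A_LEN} bytes, got {len(password)}")
    if address < CUST_DB_PSWD_A_ADDR or address + len(password) > NXP_RESERVED_START:
        raise ValueError("data would leave the 16-byte CUST_DB_PSWD_A slot")
    lines = [f"@{address:08X}"]
    for i in range(0, len(password), 16):
        lines.append(" ".join(f"{b:02X}" for b in password[i:i + 16]))
    lines.append("q")
    return "\n".join(lines) + "\n"


def parse_ti_txt(text: str) -> Dict[int, bytes]:
    """Parse TI-TXT into {start_address: bytes}; 'q' terminates the file."""
    segments: Dict[int, bytes] = {}
    addr = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "q":
            break
        if line.startswith("@"):
            addr = int(line[1:], 16)
            segments.setdefault(addr, b"")
            continue
        if addr is None:
            raise ValueError("data line before any @address line")
        segments[addr] += bytes.fromhex(line.replace(" ", ""))
    return segments


def is_password_only_file(segments: Dict[int, bytes]) -> bool:
    """True when the file writes exactly the 16-byte password slot and nothing else."""
    return list(segments) == [CUST_DB_PSWD_A_ADDR] and len(segments[CUST_DB_PSWD_A_ADDR]) == CUST_DB_PSWD_A_LEN


if __name__ == "__main__":
    print(build_password_ti_txt(SAMPLE_PASSWORD), end="")
```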
1.2. Prepare Code File with your application (with advancing the Life Cycle stage)
Access to the MCU can be restricted through the Life Cycle (LC). Life Cycle advancement is explained in the Reference Manual for S32K3xx. Valid LC values are presented below. The restrictions resulting from each LC stage are explained in the Reference Manual.
SBAF advances and verifies the LC during the boot process. The memory address that contains the LC value is defined in the IVT (image vector table). The LC address can be located in any flash location.
The value of the LC and the address of the LC value can be defined during code development or afterwards. The IVT is defined in the startup code of the project. For example, when creating a new S32DS example project for the S32K312 with SDK 2.0.0, the LC address can be changed in the startup_cm7.s file.
After defining the LC address, you can define the value in a separate file used during programming (1) or during code development (2).
Note: The Life Cycle can only be advanced. The device cannot return to a previous, less restrictive Life Cycle stage.
1.3. Write OTP memory and Flash
After preparing the code files, they can be loaded into FlashPro-ARM. Open the code file with the application. Append the code file with the Debug Password using the “Append” button. If the LC value is defined in a separate file, open it as well.
Make sure that “All Memory” in the “Memory Erase/Write/Verify Address Range” section of the Memory Setup window (Setup->Memory Setup) is selected.
Next, enable device locking in the Memory Protection section. Click the “Lock Device” button. This writes the Debug Password (and other OTP data, if present). It does not lock access to the device yet.
Next, click “Auto Prog.” to write the application code (or just “Write” if you do not want to follow the full procedure).
The MCU is now locked against unwanted access. After a reset, it cannot be reprogrammed without a code file containing the proper password (CUST_DB_PSWD).
2. Authentication with Secure Password (without HSE)
When a device with an advanced Life Cycle stage must be reprogrammed, the programmer will have to be authenticated. The Code File with CUST_DB_PSWD_A / Debug Password, which was prepared in the previous step, is needed for that.
Open the Code File with the Debug Password.
Next, make sure to select All Memory in the Setup->Memory Setup window.
After opening the Code File, Device Actions such as “Erase Flash” should work properly. Click “Erase Flash” to erase.
Note: Erasing the device won’t bring the Life Cycle back to the factory level. The Code File with the password will still be needed.
You can reprogram the device in a similar way, by loading the application code file and appending the password code file. In that case, you may see the warning screen shown below.
In that case, click “Ignore” or “Retry”. To avoid this warning, you can enable the Memory Protection region by checking “Enable”.
Note: The programmed Debug Password won’t be visible in the UTest region after Life Cycle advancement to IN_FIELD.
3. Restricting Debug Access (with HSE)
Currently not supported.
4. Authentication with Secure Password (with HSE)
Currently not supported.
5. Authentication in Challenge & Response Mode (with HSE)
Currently not supported.
Attachments: