5.13.3. Secure Boot Demo¶
This example is to demonstrate how secure binding is achieved between LPC55S and SE05X using PUF for secure storage of PlatformSCP keys on the MCU. For details on secure boot process, refer to Section 3.20 Secure Boot
5.13.3.1. Secondary Bootloader (SBL)¶
Refer to Section 3.20.2 Secondary Bootloader for details on operations performed by the Secondary Bootloader (SBL).
5.13.3.2. Secure Application¶
The secure application is verified by SBL using RSA2k public
key stored at KeyID K_PUB_OEM_ID
. Secure application
will have the reference to keyCodes prepared by SBL, using which
PlatformSCP session can be established.
In this example, secure application is opening a PlatformSCP03 session using keyCodes prepared by SBL and transfers the control to non-secure application which will open an Applet session and test communication.
5.13.3.3. Non-Secure Application¶
The non-secure application used in this example is used to establish an Applet session and use non-secure callable APIs provided in secure application to wrap data with PlatformSCP context before sending to the SE.
5.13.3.4. Prerequisites¶
Building Plug & Trust middleware stack. (Refer Building / Compiling)
PUF must be enrolled first and original SCP03 keys must be provisioned and ActivationCode and KeyCodes must be updated in
ex_scp03_puf.h
. SBL and secure app should be compiled with the correct AC and KCs. See Section 5.13.1 Key Injection to PUF on how to provision PUF with PlatformSCP03 keys.Secure application verification public key must be provisioned at keyID
K_PUB_OEM_ID
and updated inpuf_se05x_sbl_s.c
at:#define K_PUB_OEM_ID 0xA55A
Refer to CLI Tool for details on how to provision keys into SE05x.
New PlatformSCP03 keys updated in
puf_se05x_sbl_s.c
at:uint8_t newScpKeyENC[PUF_INTRINSIC_KEY_SIZE] = {0}; uint8_t newScpKeyMAC[PUF_INTRINSIC_KEY_SIZE] = {0}; uint8_t newScpKeyDEK[PUF_INTRINSIC_KEY_SIZE] = {0}; status = getHostAesKeys(pCtx, newScpKeyENC, PUF_INTRINSIC_KEY_SIZE); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); // LOG_MAU8_W("Random ENC Key", newScpKeyENC, PUF_INTRINSIC_KEY_SIZE); status = getHostAesKeys(pCtx, newScpKeyMAC, PUF_INTRINSIC_KEY_SIZE); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); // LOG_MAU8_W("Random MAC Key", newScpKeyMAC, PUF_INTRINSIC_KEY_SIZE); status = getHostAesKeys(pCtx, newScpKeyDEK, PUF_INTRINSIC_KEY_SIZE); ENSURE_OR_GO_CLEANUP(status == kStatus_SSS_Success); // LOG_MAU8_W("Random DEK Key", newScpKeyDEK, PUF_INTRINSIC_KEY_SIZE);
Note
The SBL performs key rotation when run first time with randomized keys. If required for development, the user should change this to known keys so that in case of failure recovering SE050 is easy.
elftosb
tool from ELF to Secure Binary GUI to prepare signed images.Also see Section 3.20 Secure Boot
Refer AppNote AN12283.
5.13.3.5. How to build¶
Compile the SBL with the following CMake options:
PTMW_Host=lpcxpresso55s_s
PTMW_SCP=SCP03_SSS
PTMW_SE05X_Auth=PlatfSCP03
PTMW_SBL:STRING=None
Project:
puf_se05x_sbl_s
To complete the build process, you also need to sign the image for Bootloader verification. For this, you need to use ELF to Secure Binary GUI.
Configure elftosb GUI tool as:
Select your SBL input binary
Add certificate chain and signing key (Refer Chapter 3. Keys and certificates in AN12283)
Select your output signed SBL binary
Press
Process
button to create signed image.You should be able to see the log generated on right window containing RKTH as highlighted:
Note this value for next step.
We will configure CMPA and CFPA pages in next 2 steps. These pages are required to configure LPC55S registers before boot. We can configure boot config, boot speed, debugging registers, RKTH, etc (See AN12283 and AN13037 for more details). In this example, we configure CMPA page with RKTH value and CFPA with RoT Keys enabled. RKTH value is checked from CMPA while verifying the image to ensure that a different certificate chain was not used to create the signed binary. CFPA page is used to check if any key used in signed image preparation is enabled or revoked.
In
Device
tab, configure the following settings:In place of RKTH, enter your RKTH that you noted in the previous step.
Note
Do NOT Seal Security configuration
Enter ISP mode by holding ISP button on the device and pressing Reset button.
Update the COMPort and press
Process
. This will update CMPA page with this RKTH value which will allow ROM Bootloader to successfully verify SBL image. On successful programming of CMPA page, you should be able to see logs like this:Note
This will allow to boot only signed images. You won’t be able to boot plain images. To revert this setting to boot plain images, change Secure Boot setting to Boot plain images and update the CMPA page again.
Update CFPA page using
blhost
utility available inelftosb
package:blhost.exe -p COM54 write-memory 0x9DE00 C:\_ddm\PnT\random\secure_boot\AN12283\CFPA_0x9de00.bin
Sample CFPA page is available with this demo which can be directly flashed. If you want to update the CFPA page again, you need to increment the CFPA version. See AN12283 for more details.
Compile SBL bootable secure application with the following CMake options:
PTMW_Host=lpcxpresso55s_s
PTMW_SCP=SCP03_SSS
PTMW_SE05X_Auth=PlatfSCP03
PTMW_SBL=SBL_LPC55S
Project:
sbl_app_s
To prepare Secure application signed image, configure elftosb as:
Run process to create signed secure application image.
Compile non-secure application with the following CMake options:
PTMW_Host=lpcxpresso55s_ns
PTMW_SCP=SCP03_SSS
PTMW_SE05X_Auth=PlatfSCP03
PTMW_Log=Silent
Project:
sbl_app_ns
Note
This process creates a signed image for SBL. However, there is an option to create signed + encrypted image. In that, the encrypted image is first decrypted by symmetric key provisioned in PUF, then the decrypted image is loaded in flash for signature verification. Refer to section 5.6 in AN12283 for details on creating Secure Binary (Signed + Encrypted).
A “Secure” Binary in this case means it is signed and encrypted, it is not related to Secure Boot or LPC55S TrustZone.
Using a Secure Binary would also disable debugging. Refer to AN13037 for details on how to update CC_SOCU registers in CMPA and CFPA pages to enable debugging.
5.13.3.6. How to run¶
Enter ISP mode by holding ISP button on the device and pressing Reset button. Flash the built images with these commands:
blhost.exe -p COMxx flash-erase-region 0x10000000 0x3F000 && blhost.exe -p COMxx write-memory 0x10000000 puf_se05x_sbl_s_SIGNED.bin
blhost.exe -p COMxx flash-erase-region 0x10040000 0x30000 && blhost.exe -p COMxx write-memory 0x10040000 sbl_app_s_SIGNED.bin
blhost.exe -p COMxx flash-erase-region 0x70000 0x28000 && blhost.exe -p COMxx write-memory 0x70000 sbl_app_ns.bin

Press the Reset button after completion. On successful execution you should be able to see these logs:
First boot log:
App :INFO :PlugAndTrust_v03.01.00_20210102
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Random test was successful with default SCP03 keys
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet deselection successful!
App :INFO :Key Rotation was successful!
App :INFO :NewKeyCode_ENC (Len=52)
00 00 00 02 E2 26 23 39 CB 6F D3 57 46 75 7D 7E
47 9C F4 68 D6 65 D4 8C 3D CF 28 4F 1F 3F 9D 4A
66 1F E3 D1 BB B0 0A D7 57 C3 35 3B 48 17 1B AF
33 AE 2C A6
App :INFO :NewKeyCode_MAC (Len=52)
00 00 00 02 10 F9 83 8B 91 BD 14 5E 6D 57 4A C2
46 13 7A 71 38 8D 14 05 99 B3 08 13 EE 1B 68 9E
36 E6 99 4B EC 1B BB 48 2D 50 58 D1 16 6E F3 3D
8D 2F 18 41
App :INFO :NewKeyCode_DEK (Len=52)
00 00 00 02 4D F1 02 83 E7 B9 C5 30 66 DB 92 43
86 7E 3C E2 A3 61 FF 48 72 C9 AE 68 03 31 6C 7B
6F C9 5C E4 28 BC D1 3F B6 DD 6C C9 AF 65 D8 B0
0B 38 E2 E6
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Session Open successful
App :INFO :Random test was successful with new SCP03 keys
App :INFO :Image verification successful, booting the application now!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet deselection successful!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Random test was successful from secure application
App :INFO :Entering normal world see you there.
Non-secure entry
NS Channel initialize successful
sss:WARN :Communication channel is Plain.
sss:WARN :!!!Not recommended for production use.!!!
NS Session open is Successful
sss_rng_get_random successful
Next boot log:
App :INFO :PlugAndTrust_v03.01.00_20210102
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Random test was successful, with KCs loaded from Flash!
App :INFO :Image verification successful, booting the application now!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet deselection successful!
sss :INFO :atr (Len=35)
01 A0 00 00 03 96 04 03 E8 00 FE 02 0B 03 E8 00
01 00 00 00 00 64 13 88 0A 00 65 53 45 30 35 31
00 00 00
App :INFO :Applet selection successful!
App :INFO :Random test was successful from secure application
App :INFO :Entering normal world see you there.
Non-secure entry
NS Channel initialize successful
sss:WARN :Communication channel is Plain.
sss:WARN :!!!Not recommended for production use.!!!
NS Session open is Successful
sss_rng_get_random successful