Update NXP S32K3xx HSE Firmware
In this topic:
Introduction
This topic provides step-by-step instructions for updating the Hardware Security Engine Firmware (HSE FW) on NXP S32K3xx devices and enabling security features. It covers key operations such as firmware installation, updates, and status verification. For additional technical details, refer to the NXP documentation listed in the Additional resources.
Requirements
•winIDEA version 9.21.322 or newer
•HSE Firmware and software package provided by NXP
HSE FW operations
HSE FWD update offers the following operations for the activation of security features:
Enable HSE FW
You can enable HSE FW usage for the application by programming a 8 bytes HSE FW feature flag at address 0x1B000000. This UTEST field is one-time programmable only. By default, this value is unprogrammed - the HSE FW cannot be installed in the system and the application does not intend to use HSE FW on the device.
If the UTEST is modified:
1.The application informs SBAF that it wants to use HSE FW on the device.
2.The HSE FW update software checks if the HSE FW is already programmed in the UTEST, if not, it writes the value 0xAABBCCDDDDCCBBAA at 0x1B000000.
3.HSE FW is enabled and further operations can be performed.
The HSE FW installation is a one-time process and once HSE FW is in the system, it can only be updated further. For more information, refer to the HSE Firmware Reference Manual.
If the installed HSE FW is AB SWAP (OTA Enabled), any further update with FULL MEM (OTA Disabled) will not be possible anymore.
HSE FW update supports two ways of HSE FW installation:
•HSE FW installation with IVT
•HSE FW installation without IVT
HSE FW installation with IVT
The Full Mem HSE FW image and AB SWAP HSE FW image should have a header marker value of 0xDA and 0xDB respectively. In the demo application, the script programs:
•IVT to address 0x00400000
•Full Mem or AB SWAP HSE FW pink image at 0x00422000
•Demo app image at 0x00402000
•Secure boot app image along with app header at location 0x00451FC0
After programming the mentioned files, the functional reset is issued and SBAF installs the HSE FW.
HSE FW installation without IVT
In this case, either FULL MEM or AB SWAP HSE FW pink image is flashed at BLOCK 0 of location 0x00400000 and no IVT is present in code flash. The demo application and Secure boot app images are loaded to the same addresses as in installation with IVT.
After programming the files, the functional reset is issued and SBAF will install the HSE FW.
After installing the firmware, you can check the install status and installed version by selecting the Check FW status operation.
Update HSE FW
Once you have installed the HSE FW in the device, reinstallation is not allowed. The new HSE FW version can only be updated through the FW update process.
You can select between two updating options (Data transfer mode):
•One Shot Mechanism - Requires the entire encrypted image of HSE FW delivered by NXP to be programmed on application memory. The firmware update is requested once by the application and the complete firmware update takes place at once.
•Streaming Mode Mechanism - Requires only a chunk of firmware image to be present on the application memory. The size of the chunk is shared by the application while requesting the firmware update service. The streaming mode happens in 3 stages – init, update and finish. The Init and Finish commands are called only once, while the update can be called repeated times, depending on the size of firmware (Refer demo app code for more information). The firmware update completes only after the finish is requested to the firmware.
HSE FW can be updated for 3 different configurations:
•FULL MEM (OTA Disabled) to FULL MEM (OTA Disabled)
•FULL MEM (OTA Disabled) to AB SWAP (OTA Enabled)
•AB SWAP (OTA Enabled) to AB SWAP (OTA Enabled)
In the FULL MEM configuration, the entire Flash memory is seen as one continuous memory block.
In the AB SWAP configuration the Flash memory splits into two blocks of equal size:
•Active block
•Passive block
When the Flash configuration is set to AB_SWAP, it is not possible to go back to the FULL_MEM configuration. Hence, only an AB_SWAP HSE Firmware image can be used in this configuration.
You can distinguish between FULL MEM configuration and AB SWAP configuration firmware from the first byte of HSE Firmware image:
•0xDA - FULL MEM HSE Firmware configuration
•0xDB - AB SWAP HSE Firmware configuration
You have to select the demo application folder and correct HSE FW - pink file.
Update troubleshooting
If the update fails, check:
•If the HSE FW is enabled - 8 bytes of UTEST must be different from 0xFF.
oIf not enabled, execute the Enable HSE FW operation.
•You are not updating from OTA Enabled to OTA Disabled firmware.
•SBAF is updated to the correct version.
oIf not, update to the correct version with SBAF Update.
SBAF Update
HSE FW offers an option to update the Secure-BAF on the device. You need to select the correct SBAF pink image file that wants to program to the SBAF. If you try to update SBAF to the same version, the operation will fail.
|
You can check the SBAF version on address 0x4039c020 or via the Check FW status operation. |
Activate passive block
In AB SWAP configuration the Flash memory splits into two blocks of equal size (Active block and Passive block). HSE FW offers the option to activate the passive block. Please refer to the device reference manual for more details.
Check FW status
HSE FW update offers an operation to check the current firmware installed on the device. Additionally it checks and prints the SBAF version.
Configuration steps
Follow these steps for HSE FW update to activate security features on NXP S32K3xx devices.
|
Open a winIDEA Workspace with S32K3xx device selected. |
This will be needed by HSE FW update to connect to the target.
|
Press F6 (or Tools | Run Script) and select S32K3xx_HSE_FW_Update.py. |
The script can be found in your C:\ISYSTEM_TEMP\JP30_SFR_<winIDEA version>\ARM folder. This will open the GUI with control over the HSE FW operations.
|
Select the desired operation in the HSE FW update GUI. |
The Data transfer mode and Streaming size configurations are needed only with the Update HSE FW operation.
|
Add the path to the demo application folder. |
For example, C:/NXP/HSE_DEMOAPP_S32K3XX_0_2_1_0.
|
Select the correct pink file. |
•Select the HSE FW pink image you want to install (not for SBAF Update operation); for example, C:/NXP/HSE_FW_S32K3XX_0_2_1_0/hse_full_mem/hse/bin/s32k3x4_hse_fw_0.5.0_2.1.0_pb220625.bin.pink.
•If the operation is SBAF Update, add the SBAF pink image; for example, C:/NXP/HSE_FW_S32K3XX_0_2_1_0/hse_full_mem/sbaf/bin/s32k3x4_Secure_Baf_0.5.0_0.10.0_pb220428.bin.pink.
|
Click OK to start the operation. |
The log window can be used to track operation execution.
Additional resources
The following documentation can be found in the DEMO_APP and HSE_FW folders provided by NXP:
•Demo application readme file in e.g., HSE_S32K3x4\HSE_DEMOAPP_S32K3XX_0_2_1_0
oHSE_DEMOAPP_S32K3XX_0_2_1_0_ReadMe.pdf
•HSE Firmware Release notes in e.g., HSE_S32K3x4
oHSE_FW_S32K3XX_0_2_1_0_ReleaseNotes.pdf
•HSE Service API Reference Manual in e.g., HSE_S32K3x4\HSE_FW_S32K3XX_0_2_1_0\docs
oS32K3X4_HSE_Service_API_Reference_Manual.pdf
