On using SECURE_BOOT and SECURE_SFLASH options

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
srka_2023246
Level 1
Level 1
First like given Welcome!

One of our client who is using CYW43907 based board, wishes to keep their firmware and

boot-loader in serial flash safe by placing them in encrypted. For this, we are planning to

use SECURE_BOOT and SECURE_SFLASH options. We have referred Application Note

AN214842. Finally we also need to use OTA2 also in secure mode.

Are these options widely used and proven already ?

Are we going to get enough support and information on this, if we get stuck ?

We are getting these doubts as we try to build  43xxx_Wi-Fi/tools/secureboot/aec_cbc_128 and

hmac_sha256 commands, they are not getting built with the makefile given.

Also when we use both SECURE_BOOT=1 and SECURE_SFLASH=1 options, simple scan application

itself failing.

In the above scenario, we wish to get some feed back on how easy or how safe to use these options.

How much info/help/support are we going to get?

Thanks,

Srini Karasala

0 Likes
4 Replies
PriyaM_16
Moderator
Moderator
Moderator
250 replies posted 100 replies posted 50 replies posted

Hello Srini,

I belive the scan application is failing. Are you not able to download or after download, you are not seeing any UART logs ?

0 Likes

Hi Riya,

Initially we are trying to test SECURE_BOOT and SECURE_SFLASH options

in SDK-6.0 version. But the following folder is missing, so we

could not able to build application with SECURE_SFLASH option.

SDK-6.2/43xxx_Wi-Fi/WICED/platform/MCU/BCM4390x/common/B1/rom_offload

By the way, we are using CYW943907WAE3 kit.

So we have copied rom_offload/ folder present in 6.2 to SDK-6.0.

After copying this, we could able to build snip.scan application with

SECURE_SFLASH option (alone, no SECURE_BOOT). It is running fine on 6.0.

But when we tried same application on SDK-6.2 with SECURE_SFLASH option,

it is not booting. No output is coming on to serial console. In 6.0

we could able to see scan results appearing continuously. We used

the following command on both 6.0 and 6.2. It works on 6.0 but not

on 6.2.

./make snip.scan-CYW943907WAE3 SECURE_SFLASH=1 download run

Note that we are not giving any keys. So default keys will have all zeros.

So it is working for us. We are able to see that filesystem, APP0 and

DCT are getting signed, encrypted and loaded.

Our client is using homekit application. So we need SECURE options

to work on SDK-6.2.

We also tried with CYW943907AEVAL1F board. Result is same, SECURE_SFLASH

option works on 6.0 but not on 6.2.

Thanks,

Srini

0 Likes

Hello,

SECURE_SFALSH in WICED 6.2 is is not working. We have created an internal ticket for the same. I will update the thread when the fix is available.

Are there any updates on this issue?  We have a product that we are ready to take to market but are hesitant without the ability to secure the flash.

0 Likes