4 Replies Latest reply on Jan 18, 2019 2:00 PM by user_1720028

    On using SECURE_BOOT and SECURE_SFLASH options


      One of our client who is using CYW43907 based board, wishes to keep their firmware and

      boot-loader in serial flash safe by placing them in encrypted. For this, we are planning to

      use SECURE_BOOT and SECURE_SFLASH options. We have referred Application Note

      AN214842. Finally we also need to use OTA2 also in secure mode.


      Are these options widely used and proven already ?

      Are we going to get enough support and information on this, if we get stuck ?


      We are getting these doubts as we try to build  43xxx_Wi-Fi/tools/secureboot/aec_cbc_128 and

      hmac_sha256 commands, they are not getting built with the makefile given.

      Also when we use both SECURE_BOOT=1 and SECURE_SFLASH=1 options, simple scan application

      itself failing.


      In the above scenario, we wish to get some feed back on how easy or how safe to use these options.

      How much info/help/support are we going to get?



      Srini Karasala

        • 1. Re: On using SECURE_BOOT and SECURE_SFLASH options

          Hello Srini,

          I belive the scan application is failing. Are you not able to download or after download, you are not seeing any UART logs ?

          • 2. Re: On using SECURE_BOOT and SECURE_SFLASH options

            Hi Riya,


            Initially we are trying to test SECURE_BOOT and SECURE_SFLASH options

            in SDK-6.0 version. But the following folder is missing, so we

            could not able to build application with SECURE_SFLASH option.




            By the way, we are using CYW943907WAE3 kit.


            So we have copied rom_offload/ folder present in 6.2 to SDK-6.0.

            After copying this, we could able to build snip.scan application with

            SECURE_SFLASH option (alone, no SECURE_BOOT). It is running fine on 6.0.


            But when we tried same application on SDK-6.2 with SECURE_SFLASH option,

            it is not booting. No output is coming on to serial console. In 6.0

            we could able to see scan results appearing continuously. We used

            the following command on both 6.0 and 6.2. It works on 6.0 but not

            on 6.2.


            ./make snip.scan-CYW943907WAE3 SECURE_SFLASH=1 download run


            Note that we are not giving any keys. So default keys will have all zeros.

            So it is working for us. We are able to see that filesystem, APP0 and

            DCT are getting signed, encrypted and loaded.


            Our client is using homekit application. So we need SECURE options

            to work on SDK-6.2.


            We also tried with CYW943907AEVAL1F board. Result is same, SECURE_SFLASH

            option works on 6.0 but not on 6.2.




            • 3. Re: On using SECURE_BOOT and SECURE_SFLASH options


              SECURE_SFALSH in WICED 6.2 is is not working. We have created an internal ticket for the same. I will update the thread when the fix is available.

              1 of 1 people found this helpful
              • 4. Re: On using SECURE_BOOT and SECURE_SFLASH options

                Are there any updates on this issue?  We have a product that we are ready to take to market but are hesitant without the ability to secure the flash.