

# AN13465

## S32K3xx Secure Boot

Rev. 1.0 — 2 January 2026

Application note

### Document information

| Information | Content                                                                                                                                                                                                   |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Keywords    | S32K3xx, secure boot                                                                                                                                                                                      |
| Abstract    | This application note provides a technical overview of the S32K3 security architecture, providing the background information needed to understand the use cases and processes described in this document. |



## 1 Overview

In this application note the secure boot process of S32K3xx is explained. In the document “startup” is the phase that is initiated after a reset at device level, “secure boot” is the process to ensure the integrity and authenticity of one or several application images being executed by one or several application CPU subsystems within the application domain. For a given application image, the secure boot process results in a PASS or FAIL response. A PASS response allows the application image to be executed by its targeted application CPU subsystem. A FAIL response triggers a sanction at device level.

HSE executes the secure boot. It is configured by (one of) the application CPU subsystem essentially to define where the application images should be fetched, how they should be verified, and what sanctions should apply in the event of a FAIL response to one or more images.

This document and related demo projects are valid for HSE-FW(FULL\_MEM) version 0.0.8.3 and RTD version 0.9.0 only.

For more details, refer to the device reference manual.

### 1.1 Chip reset and boot flow

[Figure 1](#) shows a high-level representation of the chip startup sequence. This sequence consists of several reset stages based on the occurrence of a particular reset event. The SBAF (Secure Boot Assist Flash) is the first code to run on HSE\_B secure core after reset, which completes necessary system initialization, parses the IVT (Image Vector Table), executes secure boot and starts the application core.



Figure 1. Chip reset and boot overview

## 1.2 The HSE interface

In [Figure 2](#), the Messaging Unit (MU) is the communication interface between the host and the HSE subsystem. It is used by the host to trigger service requests and receive service responses. It is used by the HSE to receive service requests, return service responses and provide several HSE status information relevant to the host.

The MU has two sides, referred to as MUA and MUB. One side (MUA) is under the exclusive control of the HSE, the other side (MUB) is controlled by the host. A value written in a transmit register (TRi) on one side can be read in the corresponding service register (RRi) on the other side. Similarly, select control registers on one side (e.g. FCR) interact with status registers on the other side (e.g. FSR).

Each of the MU instance available in the system has:

- A set of 32-bit readable and writable transmit registers (TRi), to provide the address of the service descriptors to process by the HSE
- A set of 32-bit read-only receive registers (RRi), to retrieve the responses to the service requests
- Two 32-bit read-only status registers (FSR and GSR), to log HSE status and system events
- Control and status registers to manage the access to the transmit and receive registers, and the related interrupt signals

The number of available MU instances and TRi / RRi registers is device (host) dependent.



Figure 2. Illustrating the Messaging Unit (MU) in S32K3

### 1.3 Data synchronization with the HSE core

It can be seen from the Figure 2 that the HSE service structure is passed between S32K3xx and HSE through MU, and HSE will execute the service according to the service ID and parameters (which can be values or addresses) in the structure.

For the data transferred between the dual cores, will be modified by at least one of the cores, when D-cache is enabled, the data synchronization issue will occur.

To solve this issue, users can choose to simply turn off the D-cache although will lose performance or put the data that may have data synchronization issue in a non-cacheable memory area.

For the global variables, there are two types: with initial value and without initial value. Through the precompiled directives(#pragma section) defined in MemMap file, assign the two type global variables to the non-cacheable data segment or non-cacheable bss segment as shown in the following figure.

```

#define CRYPTO_START_SEC_VAR_INIT UNSPECIFIED NO_CACHEABLE
#include "Crypto_MemMap.h"

uint32_t hashTestOutputLength[NUMBER_OF_ASYNC_REQ] = {BUFFER_SIZE,
                                                       BUFFER_SIZE, BUFFER_SIZE};

static uint32_t signRLen = ARRAY_SIZE(signR);
static uint32_t signSLen = ARRAY_SIZE(signS);

#define CRYPTO_STOP_SEC_VAR_INIT UNSPECIFIED NO_CACHEABLE
#include "Crypto_MemMap.h"

```

Figure 3. Assign the global variables into non-cacheable memory

For the temporary variables, as they are temporarily allocated on the stack, the Cortex-M7 stack can only be placed in the non-cacheable area shown in the following figure. By modifying the cache policy (through MPU module) of the stack area to solve this problem.

```

248     .int_sram_stack (NOLOAD) :
249     {
250         . = ALIGN(16);
251         __int_sram_stack_c0_start = ..;
252         . = ALIGN(16);
253         . += STACK_SIZE;
254         __int_sram_stack_c0_end = ..;
255
256         __int_sram_stack_c1_start = ..;
257         . = ALIGN(16);
258         . += STACK_SIZE;
259         __int_sram_stack_c1_end = ..;
260     } > int_sram_no_cacheable
261
293     __Stack_end_c0           = __int_sram_stack_c0_start;
294     __Stack_start_c0          = __int_sram_stack_c0_end;
295     __Stack_end_c1           = __int_sram_stack_c1_start;
296     __Stack_start_c1          = __int_sram_stack_c1_end;
297

```

Figure 4. Set Cortex-M7 core stack to non-cacheable area

If there is a memory management program, the user can also use a non-cacheable memory pool to allocate the space for the temporary variables.

## 1.4 Image Vector Table (IVT)

The image vector table (sometimes referred to as “boot header”) is shown in [Figure 5](#). It is the main entry point for the system to operate after reset.



Figure 5. Image Vector Table

It contains:

- The storage location of Apps(executable) and HSE firmware(encrypted), configuration location of LC and XRDC.
- The Boot Configuration Word (BCW) that configures the start-up behavior (BOOT\_SEQ); among other parameters, it defines BOOT\_TARGET.



Figure 6. Boot Configuration Word

The BOOT\_SEQ in Boot configuration (BCW) as shown in [Figure 6](#), needs to be set “1” to change boot flow and enable secure boot flow.

The IVT can hold an optional authentication tag that guarantees its integrity and authenticity. It is calculated by the HSE on demand from the host via one specific administration service (REF02 section 8.2) and verified by the HSE at start-up providing it is configured to do so (see IVT\_AUTH). The storage location of IVT is fixed by design.

## 1.5 AppBL

The contents of the AppBL (sometimes referred to as “App header”) are shown in the following figure.



Figure 7. AppBL structure

In the basic secure boot mode, the HSE can authenticate the AppBL header and content by using AES-GMAC algorithm and ADK/P SHA256 hash key. It also parses the AppBL header to determine the starting address and size of the AppBL code.

**Note:**

*The HSE does not need to parse or verify the AppBL header when using the advanced secure boot mode implemented by SMR and CR.*

*The user can write the start address and length of the AppBL directly to the SMR service structure to complete the configuration. For reducing the coupling between different projects, the starting address and length of the AppBL code can also be obtained from the AppBL header to configure the SMR.*

## 1.6 Secure boot modes

For application images, three mechanisms are available for configuring the secure boot and are shown in the following table.

Table 1. Secure boot modes

| Mode      | Key             | Scheme      | SMR use           | Number of protect regions | Proof location  |
|-----------|-----------------|-------------|-------------------|---------------------------|-----------------|
| BSB       | ADKP            | GMAC        | No                | 1                         | Application NVM |
| ASB       | Sym or Asym key | MAC or Sign | Yes               | Up to 8                   | Secure NVM      |
| SHE (ASB) | BOOT_MAC_KEY    | CMAC        | Yes (only SMR #0) | 1                         | Secure NVM      |

The following figure shows the procedures of configuring the three secure boot mode.



Figure 8. Three Secure Boot modes

### 1.6.1 Basic Secure Boot (BSB)

This secure boot mode is implemented based on the application header and ADKP, and the HSE firmware enables only one application core at a time. Application header length is of 64 bytes and application code address starts from application header start address + application header length.

To realize the basic secure boot, the suggested operation flow for host is shown in [Figure 8\(a\)](#).

### 1.6.2 Advanced Secure Boot (ASB)

In the advanced secure boot, the HSE firmware can boot multiple application cores which use Secure Memory Regions (SMR) entries that are linked with Core Reset (CR) entries configuration that together define application cores behavior. These configurations are done via HSE firmware services and are stored in internal data flash memory.

To realize the advanced secure boot, the host must implement the steps shown in [Figure 8\(b\)](#).

Pre-requisites that needs to be executed before secure boot are:

- The host shall be granted with Super User (SU) rights.
- LC should be CUST\_DEL and subsequent SMRs and CRs should be empty.

### 1.6.3 SHE Secure Boot (based on ASB)

Since HSE firmware also does the SHE based secure boot operation by using SMR/CR tables. This secure boot mode can be considered as a special use case of ASB, the only difference between them is that only SMR #0 and SHE keys shall be used to implement the SHE based secure boot.

To realize the SHE based secure boot mode, the sequence shown in [Figure 8\(c\)](#) must be implemented by the host.

## 2 Preparation

### 2.1 Installing HSE FW

Before using any services of the HSE, the user needs to install the HSE firmware. There is FULL\_MEM or AB\_SWAP firmware image which can be installed, depending upon the device configuration. The HSE FW installation is a one-time process and once HSE FW is in the system, it can only be updated and cannot be uninstalled.



Figure 9. HSE FW installation with IVT (FULL\_MEM)

Firmware feature flag “HSE FW feature flag” in the UTEST area must be enabled before installing the firmware. HSE FW can be installed in the system using two methods:

- Program the encrypted image of HSE FW at start location of code flash area i.e. 0x00400000 and give a reset. SBAF installs the HSE FW after reset.
- Program the address encrypted image of HSE FW in IVT and program the encrypted HSE FW image at the provided address. After programming, provide a reset.

In the delivery demo package, user need an HSE-FW installation project to install the HSE-FW, as shown in [Figure 9](#).

### 2.2 Format catalogs

The NVM and RAM key catalogs as shown in the following figure must be formatted before any keys can be provisioned, handled via the key catalog formatting service, defined by the structure `hseFormatKeyCatalogsSrv_t`. This service is only available to the host when LC is `CUST_DEL`.



Figure 10. The key catalog, group, slot

The basic secure boot mode uses ADKP as the “authentication key”, the ADKP is an OTP attribute and not a common key in the catalog.

- **Key catalog:** Keys are managed in three key catalogs, ROM, NVM, RAM. Each key catalog is identified by a unique identifier and holds a set of key groups. The ROM key catalog is defined by NXP, the structure of the NVM and RAM key catalogs is configured by the user.

The secure boot can only use non-volatile keys to verify the data, so the authentication key must be in the NVM catalog.

- **Key group:** In the catalog the user could define several key groups. It is a set of cryptographic keys of the same type.
- **Key slot:** A key slot is a memory container that holds a single key, with its value(s) and attributes. Each slot is identified by an index within the key group where it is declared.

The [Figure 11](#) shows the relationship of the key catalog, group, and slot. The key handle is access by, Key handle = *CONCAT* (0x00, catalog type, group index, slot index).

For more details, refer to HSE-RM [REF02].

## 2.3 Install keys

All cryptographic keys declared within the NVM and RAM key catalogs, except for the key type HSE\_KEY\_TYPE\_SHE, can be provisioned (i.e. initialized and updated) by the host via a key import service, defined by the structure *hseImportKeySrv\_t*.

The SHE keys are provisioned by the host via services *hseSheLoadKeySrv\_t* or *hseSheLoadPlainKeySrv\_t*.



Figure 11. Key import and export

The keys can be installed in plain or encrypted text as shown in the above figure, in the demo all keys are installed in plain text.

### 2.3.1 Key attributes Usage flags

The key usage flags (Bit field) shown in the following table, is a set of flags that define how a key can be used. In SMR table, the authentication key usage flag should be `HSE_KF_USAGE_VERIFY`, while `HSE_KF_USAGE_SIGN` flag must not be set.

Table 2. Key usage flags

| Enumerate                        | Influence on the key when set                                                                                                                                                   |
|----------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| <code>HSE_KF_USAGE_SIGN</code>   | For RSA/ECC keys: the key can be used for signature generation (only applicable to the private key part).<br>For AES/TDES/HMAC keys: the key can be used for MAC generation.    |
| <code>HSE_KF_USAGE_VERIFY</code> | For RSA/ECC keys: the key can be used for signature verification (only applicable to the public key part).<br>For AES/TDES/HMAC keys: the key can be used for MAC verification. |

### 2.3.2 Key attributes SMR verification map

The SMR verification map (bit field) as shown in the following table is a set of flags that defines what secure memory regions (SMR) must be verified before the key can be used. SMR verification map will take effect when the core reset table attributes “Sanctions on failed verification” is set to “`HSE_CR_SANCTION_DIS_INDIV_KEYS`”.

Table 3. SMR verification map for key usage

| Enumerate                 | Influence on the key when set                                                           |
|---------------------------|-----------------------------------------------------------------------------------------|
| <code>HSE_KF_SMR_0</code> | The key can be used only if the secure memory region #0 has been successfully verified. |
| <code>HSE_KF_SMR_1</code> | The key can be used only if the secure memory region #1 has been successfully verified. |
| ...                       | ...                                                                                     |
| <code>HSE_KF_SMR_7</code> | The key can be used only if the secure memory region #7 has been successfully verified. |

For example, a key can be used only when the secure memory regions #2 and #5 are successfully verified, the SMR verification map must be set to: `HSE_KF_SMR_2 | HSE_KF_SMR_5`.

## 2.4 Modify link file

To use the secure boot also needs to modify the link file to determine the locations of IVT, AppBL, Cfg and App flash code address. Also, some project configurations may need to change in the link file.



Figure 12. Link file map

The [Figure 12](#) shows the main contents and relation of Cfg and App link file. For the detail of IVT and AppBL, user can view the code directly and change the content if needed.

The App project binary file has been relocated and placed in the Cfg project link file, so both the App and Cfg project code will download to FLASH in just one-time operation.

After the debugger downloading, the code of both the Cfg and App projects is on the FLASH, the “BOOT\_SEQ” in Boot Configuration Word (BCW) is “0” (non-secure boot), so the Cfg project program will be executed when power on. The configuration of secure boot is done, “BOOT\_SEQ” need to change to “1” (secure boot), the App program will be executed after a reset.

### 2.4.1 IVT Cfg project

The following table is the content of Cfg project's IVT, it needs to place at the start of a flash block. It stores the address of Cfg project code address, App project code address, backup App project code address, and the Boot Configuration Word (BCW) which needs to change after secure boot configuration. Although the IVT only has 256 bytes size, it usually occupies one sector (for S32K344, erasing operation is done in sectors, and one sector is 8KB, 0x2000B).

```

unsigned int __attribute__((section(".int_ivt_0"))) ivt_flash[] =
{
/*00h*/    SBAF_BOOT_MARKER /* IVT marker */ ,
/*04h*/    (CM7_0_ENABLE << CM7_0_ENABLE_SHIFT) | (CM7_1_ENABLE << CM7_1_ENABLE_SHIFT) /* Boot configuration word */ ,
/*08h*/    RESERVED /* Reserved */ ,
/*C0h*/    CM7_0_VTOR_ADDR /* CM7_0 Start address */ ,
/*10h*/    RESERVED /* Reserved */ ,
/*14h*/    CM7_1_VTOR_ADDR /* CM7_1 Start address , lockstep only run CM7_0 */ ,
/*18h*/    RESERVED /* Reserved */ ,
/*1Ch*/    CM7_2_VTOR_ADDR /* CM7_2 Start address , lockstep only run CM7_0 */ ,
/*20h*/    XRD_C_CONFIG_ADDR /* XRD configuration pointer */ ,
/*24h*/    LF_CONFIG_ADDR /* Lifecycle configuration pointer */ ,
/*28h*/    HSE_FW_ADDR /* Reserved */ ,
/*2Ch*/    RESERVED /* Reserved */ ,
/*30h*/    SECURE_BOOT_APP_ADDR ,
/*34h*/    RESERVED ,
/*38h*/    SECURE_BOOT_BACKUP_ADDR ,
/*3Ch*/    RESERVED ,
/*f0h*/    IVT_GMAC ,
};

```

Figure 13. The content of Cfg project's IVT

#### 2.4.2 AppBL - App project

The following figure is the content of App project's AppBL, it stores the App code start address and code size, and some information which basic secure boot needed. The App code address needs alignment and usually place at the start of a sector.

```

const app_header_t __attribute__((section(".app_header"))) app_header =
{
    .hdrTag = 0xD5 ,
    .reserved1 = {0},
    .hdrVersion = 0x60 ,
    .pAppDestAddres = 0x00 ,
    .pAppStartEntry = 0x00504000U ,
    .codeLength = 0x00080000U ,
    .coreId = 0u ,
    .reserved2 = {0}
};

```

Figure 14. The content of App project's AppBL

### 3 Advance Secure Boot

This section describes how ensure both Advanced Secure Boot and SHE based Secure Boot modes which are implemented through SMR and CR tables. It comprehends with HSE memory verification services. The secure memory regions (SMR) managed by these services offer the possibility to apply different types of sanctions when secure boot is failing. It supports a wide variety of authentication schemes (MAC, RSA/ECC signature) to verify the application images and can accelerate the verification time at start-up by relying on authenticity checks performed by the HSE. The following image shows the execution process of the memory verification service based on SMR and CR tables.



Figure 15. Illustrating the memory verification service (SMR)

As shown in [Figure 15](#), a secure memory region (SMR) is defined by a start address and a size, associated to a proof of authenticity, either a MAC or an RSA/ECC signature, which authenticates the region's content. The host can define up to eight SMR clustered into the SMR table. It must also provide the proof of authenticity for each memory region content except for SMR #0.

For all SMR that have been defined, the HSE verifies the authenticity of memory contents:

- During the device start-up phase (after reset).
- While the application(s) is(are) running on the host side (during run-time).

The SMR verification results translate into sanctions imposed on the system by the HSE:

- Unsuccessful verification can keep the selected subsystems on the host side in reset state, those subsystems are referenced in the Core Reset (CR) table.
- Likewise, failing to verify certain SMR can render the selected keys within the HSE unusable, these restrictions are defined individually for each key via the SMR verification map.

### 3.1 Secure Memory Region (SMR)

#### 3.1.1 SMR table

The SMR table which stored in HSE secure data flash for devices with internal flash allows the host to define up to 8 memory regions and associate each one with an installation and a verification method. Each SMR entry in the SMR table holds a set of attributes listed in the following table.

Table 4. SMR verification map for key usage

| Attribute                    | Data field     | Description                                                                                                                                                                                                                                                                                                                                                   |
|------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Source address               | pSmrSrc        | A pointer to the secure memory region (SMR) to be verified in the application NVM area which HSE can directly read.                                                                                                                                                                                                                                           |
| Size                         | smrSize        | A 32-bit integer that provides the size in bytes of the secure memory region (SMR) to be verified.                                                                                                                                                                                                                                                            |
| Destination address          | pSmrDest       | A pointer where the secure memory region (SMR) is copied before verification.                                                                                                                                                                                                                                                                                 |
| Initial authentication proof | pInstAuthTag[] | Pointers to the initial value of a MAC or a RSA/ECC signature provided by the host, that can be used in the SMR verification process if the flag HSE_SMR_CFG_FLAG_INSTALL_AUTH is set.                                                                                                                                                                        |
| Authentication scheme        | authScheme     | The method used to authenticate the SMR including an authentication tag (i.e. Message Authentication Code (MAC)) or a public key signature scheme (i.e. RSA or ECC signature).                                                                                                                                                                                |
| Authentication key           | keyHandle      | The handle which pointed to the authentication key in the NVM key catalog, which must: <ul style="list-style-type: none"> <li>Refer to a non-empty key slot having its key usage flag HSE_KF_USAGE_VERIFY set, while HSE_KF_USAGE_SIGN must not be set.</li> <li>Refer to a key type that matches with the initial authentication scheme selected.</li> </ul> |
| Verification method          | verifMethod    | The verification method of the secure memory region (SMR) after its installation.                                                                                                                                                                                                                                                                             |
| Verification period          | checkPeriod    | A 32-bit integer that defines the scaled number of system clock cycles between two consecutive verification process.                                                                                                                                                                                                                                          |
| SMR configuration flags      | configFlags    | A binary OR combination of configuration flags between a memory interface and the authenticity proof used for verification.                                                                                                                                                                                                                                   |

### 3.1.1.1 Authentication strategy

The necessary preparations for the secure memory region (SMR) installation is to determine the authentication scheme, authentication key and initial authentication proof.



Figure 16. SMR authentication scheme

- Scheme:** Multiple verification schemes shown in [Figure 16](#) include MAC and signature are supported to verify the SMR either during the installation or verification phase. The user needs to fill with the specific parameters for each of the different scheme. For example, when using the GMAC or rsaPss scheme, the user needs to manually configure the specific parameters as shown in the above figure.
- Key:** The authenticity key must be stored in the NVM key catalog and its authentication key usage flag should be HSE\_KF\_USAGE\_VERIFY, while HSE\_KF\_USAGE\_SIGN flag must not be set.

- **Proof:** The initial authenticity proof (pInstAuthTag[]) is an array of two pointers which point to the address of MAC or SIGN. If the HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH flag is set, it specifies the address(es) where the initial authentication TAG is located. If the HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH flag is cleared, this data field is not used (an internal reference authenticity proof is used).

It should be noted that for MAC and RSA signature authentication schemes, only pInstAuthTag[0] is used, while both pInstAuthTag[0] and pInstAuthTag[1] are used for ECDSA and EDDSA signatures(specified by (r,s), with “r” at index 0, and “s” at index 1).

The SMR verification based on the reference (Pre-Hash) authenticity proof calculated by the HSE is the default verification process, designed to be as fast as possible. The SMR verification based on the initial authenticity proof provided by the host can be enforced only when HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH is set in the configFlags data field.

### 3.1.1.2 Configuration flags

The following table gives some details about the effect of configFlags in different conditions.

Table 5. SMR configuration flags

| scheme | configFlags                   | effect on auth-proof                                              |
|--------|-------------------------------|-------------------------------------------------------------------|
| MAC    | 0                             | Pre-hash the data, then compute its MAC.                          |
|        | HSE_SMR_CFG_FLAG_INSTALL_AUTH | Compute pure MAC of the data.                                     |
| SHE    | 0                             | Return HSE_SRV_RSP_NOT_ALLOWED.                                   |
|        | HSE_SMR_CFG_FLAG_INSTALL_AUTH | Compute pure CMAC of the data, as HIS-SHE specification required. |
| SIGN   | 0                             | Pre-hash the data, then compute RSA/ECC private key signature.    |
|        | HSE_SMR_CFG_FLAG_INSTALL_AUTH | Not allowed, some error will occur if you set this value.         |

If the data field configFlags is set as HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH, the authentication scheme and proof provided during the installation phase will be also used during the verification phase.

If the data field configFlags is cleared, an internal hash digest (SHA2-256) and its MAC or SIGN will be computed by HSE during SMR installation, which will be calculated again during SMR verification.

Take CMAC as an example: If configFlags is set as HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH, HSE will use the pure CMAC algorithm to verify the App image. If configFlags is cleared, HSE will compute the hash digest (SHA256) of the App image firstly and then calculate the CMAC of this hash result.

Compared with SMR verification based on the App image, computing MAC or SIGN for the hash digest of the App image will reduce a lot of calculation, so when configFlags is cleared, SMR verification will be much faster than when configFlags is set as HSE\_SMR\_CFG\_FLAG\_INSTALL\_AUTH.

### 3.1.2 SHE based Secure Boot (SMR #0)

The SMR #0 is the only SMR that can be associated to the SHE AES key BOOT\_MAC\_KEY (**keyHandle**) as the SMR authentication key. In this case, the reference authentication tag is the CMAC (**authScheme**) value referred to as BOOT\_MAC which can be initialized and updated via the SHE key update protocol.

In addition, when host is granted with SU rights, BOOT\_MAC can be automatically calculated as described below.

On the first SMR #0 installation using BOOT\_MAC\_KEY, if BOOT\_MAC is empty (i.e. not initialized) and if BOOT\_MAC\_KEY has been provisioned, the reference authentication tag is calculated by the HSE and

saved in BOOT\_MAC. When installing SMR #0 use the BOOT\_MAC\_KEY while the BOOT\_MAC is already initialized, the BOOT\_MAC value must be updated through the SHE key update protocol prior to issuing the SMR installation service.

In all the cases, the data field **pInstAuthTag[]** is always discarded and should be set to NULL.

### 3.1.3 SMR installation

The host can request for SMR installation via the HSE service defined by the structure **hseSmrEntryInstallSrv\_t**, the SMR installation service mainly takes in following inputs as shown in the below table.

**Table 6. Parameters of structure hseSmrEntryInstallSrv\_t**

| Data field     | Description                                                                |
|----------------|----------------------------------------------------------------------------|
| entryIndex     | A SMR number between 0 and 7.                                              |
| pSmrEntry      | A set of attributes that holds the SMR entry as listed in above Table.     |
| accessMode     | Specifies the access mode (ONE-PASS, START, UPDATE, FINISH).               |
| streamId       | Specifies the stream to use for START, UPDATE, FINISH access modes.        |
| pSmrData       | The address where SMR data to be installed is located.                     |
| smrDataLength  | The length of the SMR data.                                                |
| pAuthTag       | The address where SMR Original authentication tag to be verify is located. |
| pAuthTagLength | The address of the length of the SMR authentication Tag.                   |

The first-time definition of a SMR entry can be performed when LC is set to CUST\_DEL. In addition, most of the data fields in the SMR entry can be modified only when the host is granted with SU rights.

The SMR installation via this service can be done in one-pass or streaming mode. The streaming mode is useful when the SMR content to install is not entirely available in the system memory when the installation starts (OTA use case). This service does not use a stream ID as HSE uses internal contexts when processing in streaming mode.

#### 3.1.3.1 One-pass installation mode

When the SMR content to install is fully available in Flash or RAM, the most convenient way to process it is to run the service in one-pass mode, in this case:

- The data field accessMode must be set to HSE\_ACCESS\_MODE\_ONE\_PASS.
- The data field pSmrData must be equal to pSmrSrc, this is the start address of the SMR content.
- The data field smrDataLength must be equal to smrSize, this is the entire size of the SMR.
- The data field \*pAuthTagLength[0] (respectively \*pAuthTagLength[1]) must be set with the size of the byte array pointed by the data field pAuthTag[0] (respectively pAuthTag[1]).

#### 3.1.3.2 Streaming installation mode

It is possible to process a SMR installation even if the entire content is not already programmed in Flash or RAM. A typical example for such use case is an image (code or data) that is too big to fit in the available application RAM entirely and is provided to the host in chunks via a communication interface. Each individual chunk is then programmed in Flash, in this case:

- The SMR number (entryIndex), configuration (pSmrEntry) and decryption initialization vector (cipher.pIV) must be provided only in the START call.

- For the START, UPDATE or FINISH calls, the data field pSmrData must point to the next SMR chunk to process and the data field smrDataLength is set with the size of that chunk. The minimum chunk size is 64 bytes.
- The START and FINISH calls are mandatory, the UPDATE call is optional.

The address (pAuthTag[]) and size (authTagLength[]) of the initial authenticity proof must only be provided during the FINISH call.

## 3.2 Core Reset (CR)

### 3.2.1 CR table

The Core Reset (CR) table allows the host to associate each CPU-driven subsystem available in a device with up to eight SMR. The sanctions are applied on those subsystems after the pre-boot and post-boot phases, depending on the SMR verification status. For the devices with internal flash user can install maximum two core reset entry. Each entry in the CR table holds a set of attributes listed in the following table.

**Table 7. CR table entry attributes**

| Attribute                        | Data field     | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|----------------------------------|----------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Core identifier                  | coreId         | A unique number that identifies a CPU-driven subsystem.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| SMR verification map             | smrVerifMap    | A set of flags that define which SMR, indexed from 0 to 7 (bit #i for SMR #i), must be verified before or after releasing from reset the associated subsystem; cannot be 0.                                                                                                                                                                                                                                                                                                                                                                                       |
| Alternate SMR verification map   | altSmrVerifMap | A set of flags that define which SMR, indexed from 0 to 7 (bit #i for SMR #i), must be verified before releasing from reset the associated subsystem when one or more SMR specified in smrVerifMap failed the verification.                                                                                                                                                                                                                                                                                                                                       |
| Reset address                    | pPassReset     | A pointer to the first instruction executed by the associated subsystem: <ul style="list-style-type: none"> <li>After a successful verification of all SMR specified in the SMR verification map, for which the verification method is set to HSE_SMR_VERIF_PRE_BOOT_MASK.</li> <li>Or unconditionally if there are no SMR in the verification map to be verified during the preboot phase (i.e. smrVerifMap refers to SMR with HSE_SMR_VERIF_POST_BOOT_MASK verification method only).</li> <li>This address must lie within one of the verified SMR.</li> </ul> |
| Alternate reset address          | pAltReset      | A pointer to the first instruction executed by the associated subsystem if all the SMR defined in altSmrVerifMap pass the verification.                                                                                                                                                                                                                                                                                                                                                                                                                           |
| Sanctions on failed verification | crSanction     | The sanction that applies if the pre-boot or post-boot verification of one SMR fail.                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |

#### 3.2.1.1 Core identifier

Each CPU-driven subsystem is identified by a unique number (coreId). The following table lists the subsystems and their respective core identifiers in S32K344 devices.

**Table 8. Subsystem vs. core identifiers (coreId)**

| Core Identifier | S32K344 |
|-----------------|---------|
| 0               | M7_0    |
| 1               | M7_1    |

If a CPU subsystem is not listed in the Core Reset table, it is not released from reset by the HSE.

### 3.2.1.2 Verification map

The association of a CPU subsystem with a set of SMR is realized via the data fields smrVerifMap and altSmrVerifMap: when bit #i is set to 1, SMR #i is associated to that CPU subsystem. When the verification of all the associated SMR is done, the status of the CPU subsystems at the end of the pre-boot phase depends on several conditions as summarized in the following table.

**Table 9. Status of the CPU subsystem (all SMR verified in pre-boot phase)**

| Conditions                           | Status                                                                                                                     |
|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
| pPassReset within a verified SMR     | Release from reset at address pPassReset.                                                                                  |
| pPassReset not within a verified SMR | Verify altSmrVerifMap if configured, otherwise the sanction is the same as if one SMR failed the verification (see below). |
| pAltReset within a verified SMR      | Release from reset at address pAltReset.                                                                                   |
| pAltReset not within a verified SMR  | Same as if one SMR failed the verification (see below).                                                                    |

The reset address provided in the data fields pPassReset and pAltReset can be an address within the on-chip Flash. The address pPassReset must lie within one of the SMR listed in smrVerifMap. Similarly, the address pAltReset must lie within one of the SMR listed in altSmrVerifMap.

### 3.2.2 Sanctions

The sanction taken by the HSE for a CR entry associated with SMR that failed verification depends on the phase when it is applied (i.e. pre-boot or post-boot).

#### 3.2.2.1 Pre-boot sanctions

The below following table summarizes the conditions and HSE behavior in terms of sanctions applied in the pre-boot and booting phases. If the sanction is HSE\_CR\_SANCTION\_DIS\_ALL\_KEYS, disable all keys; otherwise, key usage is individually disabled via the smrFlags key attribute.

**Table 10. Sanction on a subsystem (at least one SMR in primary map not verified in pre-boot phase)**

| crSanction (xxx = HSE_CR_SANCTION)     | Conditions                                                                          | Sanction on subsystem                       |
|----------------------------------------|-------------------------------------------------------------------------------------|---------------------------------------------|
| xxx_KEEP_CORE_IN_RESET                 | altSmrVerifMap == 0<br>OR<br>at least one SMR listed in altSmrVerifMap NOT verified | Keep in reset.                              |
| xxx_RESET_SOC                          | OR<br>pAltReset == 0<br>OR<br>pAltReset NOT within a verified SMR                   | Reset the device (all subsystems impacted). |
| xxx_DIS_ALL_KEYS<br>xxx_DIS_INDIV_KEYS |                                                                                     | Keep in reset and disable key Usage.        |

#### 3.2.2.2 Post-boot sanctions

The below Table 11 summarizes the conditions and HSE behavior in terms of sanctions applied in the post-boot phase.

**Table 11. Sanction on a subsystem (at least one SMR not verified in post-boot phase)**

| SMR verification status | crSanction (xxx = HSE_CR_SANCTION) | Sanction on subsystem      |
|-------------------------|------------------------------------|----------------------------|
| All SMR verified        | N/A                                | None (continue operation). |

Table 11. Sanction on a subsystem (at least one SMR not verified in post-boot phase)...continued

| SMR verification status       | crSanction (xxx = HSE_CR_SANCTION) | Sanction on subsystem                                              |
|-------------------------------|------------------------------------|--------------------------------------------------------------------|
| At least one SMR not verified | xxx_KEEP_CORE_IN_RESET             | None (continue operation).                                         |
|                               | xxx_RESET_SOC                      | Reset the device (all subsystems impacted).                        |
|                               | xxx_DIS_ALL_KEYS                   | Disable all key usage.                                             |
|                               | xxx_DIS_INDIV_KEYS                 | Disable the usage of selected keys via the key attribute smrFlags. |

### 3.2.3 CR installation

The host can request for installing an entry in the Core Reset (CR) table via the service defined by the structure `hseSmrCrEntryInstallSrv_t`. The CR table entry installation service mainly takes in the following inputs as shown in the below table.

Table 12. Parameters of structure `hseSmrCrEntryInstallSrv_t`

| Data field                | Description                                                                        |
|---------------------------|------------------------------------------------------------------------------------|
| <code>crEntryIndex</code> | A CR entry number between 0 and <code>(HSE_NUM_OF_CORE_RESET_ENTRIES - 1)</code> . |
| <code>pCrEntry</code>     | A set of attributes that holds the CR table entry as listed in above Table.        |

The first-time definition of a CR entry can be performed when LC is set to `CUST_DEL`. Once defined, a CR entry can be updated only when all the associated SMR have been successfully verified first. In addition, to modify any of the values in a CR entry already defined, the host must be granted with SU rights. In addition, it's noted that at least one SMR should be linked to the CR entry via `pCrEntry.preBootSmrMap` or `pCrEntry.postBootSmrMap`.

## 3.3 SMR verification

### 3.3.1 One-time automatic SMR verification

When `BOOT_SEQ` equals 1 in IVT, HSE uses the configuration in SMR and CR tables to boot the application cores securely. As such, the SMR linked with the CR table are automatically verified once by the HSE during startup.

The automatic verification at start-up splits in three phases:

- The pre-boot phase, during which the SMR are verified before any CPU subsystem in the host is released from reset; this is the first phase after start-up.
- The boot phase, during which the SMR are verified after the first CPU subsystem in the host has been released from reset (when allowed); this is the second phase after start-up.
- The post-boot phase, during which the SMR are verified after all CPU subsystems in the host have been released from reset (when allowed); this is the third phase after start-up.

The end of the pre-boot and boot phases can be monitored via the `HSE_STATUS_BOOT_OK` status flag and the end of the post-boot phase can be monitored via the status flag `HSE_STATUS_INIT_OK` as illustrated in the following figure.



Figure 17. Pre-boot / post-boot phases (BOOT\_SEQ = 1)

### 3.3.1.1 Pre-boot phase

During the pre-boot phase, HSE parses the CR table from the smallest entry index to the highest. For each CR entry, SMR linked via pCrEntry.preBootSmrMap data field are verified first. If any of these SMR fails verification, HSE verifies the SMR specified by pCrEntry.altPreBootSmrMap data field is configured.

If all the SMR are verified successful from either of the pre-boot SMR maps, HSE may release from reset the CPU subsystem in the host depending on the core reset release strategy.

If both pre-boot SMR maps (including altPre-boot) have at least one SMR for which the verification fails, HSE applies the sanction configured for that CR entry.

### 3.3.1.2 Boot phase and core reset release strategies

While the CR table is parsed in the pre-boot phase, HSE releases the associated CPU from reset according to the core reset release strategy, configurable via **hseAttrCoreResetRelease\_t** attribute:

- ALL\_AT\_ONCE, by which HSE parses first the entire CR table and verifies all the associated pre-boot SMR entries and then releases from reset **all** CPU subsystems configured that passed the verification.
- ONE\_BY\_ONE, by which HSE releases from reset each CPU subsystem **one by one**, after the associated CR entry and pre-boot SMR entries have been verified successfully.

The pre-boot phase ends when the first CPU subsystem is released from reset.

The end of both pre-boot and boot phases which implies all configured CPU subsystems being booted is signaled by the HSE via the status flag HSE\_STATUS\_BOOT\_OK.

### 3.3.1.3 Post-boot phase

After all configured application CPU subsystems are released from reset and the booting phase is over, HSE reiterates through the CR table and for each entry, it verifies the associated SMR linked via pCrEntry.postBootSmrMap data field.

If any of the SMR verified during the post-boot phase fails verification, HSE applies the configured sanction for the associated CR entry. In this case, HSE\_CR\_SANTCION\_KEEP\_CORE\_IN\_RESET is not applicable (i.e. HSE can't keep an booted application CPU in RESET phase).

### 3.3.1.4 Secure boot flow

The following figure details the SMR verification processes during pre-boot and post-boot phases and the sanctions taken by the HSE at the end of each phase.

The red and blue lines represent the boot flow of the pure PRE\_BOOT and POST\_BOOT modes respectively.



Figure 18. SMR verifications and sanctions for the Advanced Secure Boot mode

### 3.3.2 On-demand SMR verification

When the verification method is set to RUN\_TIME, a SMR is unverified until the host triggers the verification via the service defined by the structure `hseSmrVerifySrv_t` or until HSE triggers the verification automatically if the data field `checkPeriod` is set to a value different from 0.

This service takes only one data field (`entryIndex`) that specifies the index of the SMR to verify.

This service can also be used to verify any SMR during run-time, irrespective of its verification method defined in the SMR table. However, when the SMR to verify is in external Flash, it must be ensured that no concurrent programming operation is triggered by the host while the verification takes place.

### 3.3.3 Recurrent automatic SMR verification

When its data field `pSmrEntry.checkPeriod` is set to a value different from 0, a SMR is automatically verified recurrently by the HSE during run-time, i.e. during normal operating conditions, once the pre-boot and post-boot phases are over.

The verification recurrence is defined by several system clock cycles, each unit corresponding to 10ms at maximum frequency. For example, if `smrEntry.checkPeriod` = 200, a verification process is triggered every 2s for a system clock frequency of 400 MHz, 4s at 200 Mhz etc.

It can be configured for any SMR that is loaded in RAM and for which the internal proof of authenticity generated by HSE is used for verification (i.e. `HSE_SMR_CFG_FLAG_INSTALL_AUTH` is not set).

### 3.3.4 SHE secure boot mode (only use SMR #0)

The SMR #0 is the only SMR that can be associated to the SHE AES key BOOT\_MAC\_KEY as the SMR authentication key. In this case, the reference authentication tag is the CMAC value referred to as BOOT\_MAC.

If BOOT\_SEQ = 1, authentication process started as mention in [One-time automatic SMR verification](#). The reference authentication tag is calculated by the HSE and compared with saved BOOT\_MAC. If BOOT\_SEQ = 0, authentication process started as mention in [On-demand SMR verification](#).

The [Figure 19](#) shows the SMR verification process of the SHE based secure boot mode which also uses SMR and CR tables.



**Figure 19. SMR verifications for the SHE based Secure Boot mode**

### 3.3.5 HSE status

By reading the values of bits 16 to 31 of FSR register in MU\_0 to get the status of HSE as below [Table 13](#).

There are several secure boot related bits which needs to be noted:

- Bits #26: HSE\_STATUS\_BOOT\_OK; set to 1 when all the secure boot conditions (pre-boot phase) defined in the HSE successfully pass.
- Bits #24: HSE\_STATUS\_INIT\_OK; set to 1 when the post-boot phase is successful.
- Bits #17 to #20: in the HSE status relate to the SHE secure boot are not valid when using advanced secure boot.
- Bits #22: set to “1” when a host(S32K3xx) debug session is active and set to “0” when debugger disconnected.

Table 13. HSE global status bits in FSR

| Bit | Description                                                                                                                                                              |
|-----|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 31  | RFU                                                                                                                                                                      |
| 30  | RFU                                                                                                                                                                      |
| 29  | RFU                                                                                                                                                                      |
| 28  | HSE_STATUS_OEM_SUPER_USER; when set to 1, indicates that SU rights are granted to OWNER_OEM                                                                              |
| 27  | HSE_STATUS_CUST_SUPER_USER; when set to 1, indicates that SU rights are granted to OWNER_CUST                                                                            |
| 26  | HSE_STATUS_BOOT_OK; set to 1 when all the secure boot conditions (pre-boot phase) defined in the HSE successfully pass                                                   |
| 25  | HSE_STATUS_INSTALL_OK; set to 1 once the key catalogs have been successfully formatted; when cleared to 0, indicates to the host that the key catalogs must be formatted |
| 24  | HSE_STATUS_INIT_OK; set to 1 when the HSE initialization is completed; when cleared to 0, no service request can be made to the HSE (MU disabled)                        |
| 23  | HSE_STATUS_HSE_DEBUGGER_ACTIVE; set to 1 when a HSE debug session is active                                                                                              |
| 22  | HSE_STATUS_HOST_DEBUGGER_ACTIVE; set to 1 when a host debug session is active                                                                                            |
| 21  | HSE_STATUS_RNG_INIT_OK; set to 1 when the RNG initialization is complete; when cleared to 0, any services using random number is unavailable to the host                 |
| 20  | HSE_SHE_STATUS_SECURE_BOOT_OK; set to 1 when SMR #0 successfully verified against BOOT_MAC                                                                               |
| 19  | HSE_SHE_STATUS_SECURE_BOOT_FINISHED; set to 1 when SMR #0 was not successfully verified                                                                                  |
| 18  | HSE_SHE_STATUS_SECURE_BOOT_INIT; set to 1 when SMR #0 has been installed and authenticated with BOOT_MAC_KEY                                                             |
| 17  | HSE_SHE_STATUS_SECURE_BOOT; set to 1 when SMR #0 has been installed and BOOT_SEQ equals 1                                                                                |
| 16  | RFU                                                                                                                                                                      |

### 3.3.6 SMR core status

HSE system attribute service "HSE\_SMR\_CORE\_BOOT\_STATUS" request the SMR verification status and core boot status as shown in [Table 14](#), from the HSE.

The structure "hseAttrSmrCoreStatus\_t" of this service is provides following information:

- SMR verification status corresponding to the entries present in SMR table (refer to smrStatus[]).
- Provides Core Boot status (refer to coreBootStatus[]).
- In case BSB is performed, it provides the Core Boot status and the location of loaded application (primary/ backup, refer to coreBootStatus[]).

Table 14. SMR verification status and core boot status

| Type     | Name          | Description                                                                            |
|----------|---------------|----------------------------------------------------------------------------------------|
| uint32_t | smrStatus[2U] | 0-31 bit will represent 32 SMR table entries (applicable when SMR is present/enabled). |

Table 14. SMR verification status and core boot status...continued

| Type     | Name               | Description                                                                                                                                                                                                                                                                                                                                                  |
|----------|--------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|          |                    | <ul style="list-style-type: none"> <li>smrStatus[0].bit : 0 - SMR Not Verified</li> <li>smrStatus[0].bit : 1 - SMR Verified</li> <li>smrStatus[1].bit : 0 - SMR verification fail</li> <li>smrStatus[1].bit : 1 - SMR verification pass</li> </ul>                                                                                                           |
| uint32_t | coreBootStatus[2U] | 0-31 bit will represent CORE-ID (0-31). <ul style="list-style-type: none"> <li>coreBootStatus[0].bit : 1 - Core booted</li> <li>coreBootStatus[0].bit : 0 - Core Not booted</li> <li>coreBootStatus[1].bit : 1 - Core booted with pass/primary reset address</li> <li>coreBootStatus[1].bit : 0 - Core booted with alternate/backup reset address</li> </ul> |

### 3.4 PLL and FXOSC configuration for secure boot

Before enabling secure boot, the system clock must be configured correctly. The FXOSC must be enabled and stable before PLL configuration.

Table 15. Recommended PLL settings for secure boot

| Device  | PLL VCO | PLL_PHI1_CLK | DCF Value (PLLDIG.<br>PLLQDIV_1[DIV]) |
|---------|---------|--------------|---------------------------------------|
| S32K344 | 960 MHz | 240 MHz      | 0001b                                 |
| S32K358 | 960 MHz | 160 MHz      | 0010b                                 |
| S32K38x | 960 MHz | 320 MHz      | 0000b                                 |

Ensure HSE clock remains within 24–120 MHz range. Exceeding this may cause HSE M0 core to fail and trigger firmware erase via SBAF.

## 4 Basic Secure Boot

The basic secure boot is a simplified boot scheme, not like the advance secure boot base on secure memory region(SMR). BSB can boot only one core (the booted core can start other cores) and based on the Boot Data Sign service defined by the structure *hseBootDataImageSignSrv\_t*.

Also, the BSB cannot use any sanction, if verification failed the core goes into recovery mode and no program will be executed.

### 4.1 Application debug key/password (ADKP)

The ADKP is an HSE OTP (one-time program) attribute, not like a normal NVM key can be erased. It is used to calculate the GMAC is a 256-bit AES key resulting from SHA256 operation over the user-defined application debug key/password (ADKP) as illustrated in the below [Figure 20\(a\)](#). Before using the “Boot Data Sign/verify” service or debug protect must set the ADK/P first.

The debug key/password (ADK/P) is a 128-bit value than can be configured using `HSE_APP_DEBUG_KEY_ATTR_ID` attribute. ADK/P can be written only once (UTEST attribute), and the operation is allowed only in CUST\_DEL Life Cycle.

ADKP can be optionally diversified with the device UID before being provisioned in the HSE as shown in the part (b) of the following figure. Hence, it makes the IVT / CFG authentication key device specific.



Figure 20. Provisioning a device-dependent password / debug key

## 4.2 Configuration

The host(S32K344) can request for the calculation of an authentication tag (GMAC) over the host system images via the service defined by the structure `hseBootDataImageSignSrv_t`.

This service is available to host only when it is granted with Super User (SU) rights (LC can be CUST\_DEL, OEM\_PROD or IN\_FIELD) and the ADK/P is written.

Before sending the service request to HSE, user needs to make sure the `header_tag` of the AppBL is correct or error will happen.

The Boot Data Sign Service needs a buffer to store the HSE outputs. The resulting GMAC (the authentication tag), also the AppBL start address need to be provided.

After the service has been executed, the GMAC needs to write appended to the end of AppBL according to the `codelength` in AppBL, as shown in the following figure.



Figure 21. Illustrating non-secure boot and basic secure boot

To ensure the configuration above is completed and successful, the “Boot Data Verify” service defined by the structure `hseBootDataImageVerifySrv_t` can be called, the AppBL address needs to be provided.

Users needs to pay attention to that, the starting address of the application must be properly aligned (128byte alignment is required in S32K3xx), otherwise it will not run normally and there is a 64-byte App header before the App code. The user can set the linkfile of the App in this way, the App Header can set 0x005040C0 as the starting address. After 64byte, the starting address of the App Code is 0x00504100. The compiled bin file starts with the App Header and needs to be written to FLASH Address 0x005040C0.

#### 4.2.1 Recovery from secure boot failure

In case of secure boot failure (for example, flash corruption during dealer update), configure `altPreBootSmrMap` in CR table to boot a Flash Writer application.

Recommended CR configuration:

- `altSmrVerifyMap` → SMR index of Flash Writer
- `pAltReset` → Reset address of Flash Writer
- `crSanction` → `HSE_CR_SANCTION_KEEP_CORE_IN_RESET`

This allows recovery without bricking the ECU.

## 5 Enabling Secure Boot

### 5.1 Add mADKP diversification

To enhance device-specific authentication, ADKP can be diversified using the device UID. This is mandatory for failure analysis and secure IVT authentication.

Enable diversification by setting `HSE_EXTEND_CUST_SECURITY_POLICY_ATTR_ID` with `enableADKm = 1`. Then provision the master ADKP using `HSE_APP_DEBUG_KEY_ATTR_ID`.

## 5.2 Set BOOT\_SEQ

To enable the secure boot, the bit filed **BOOT\_SEQ** of the BCW in the IVT must set to "1" to change from the default startup flow to the secure startup flow.



Figure 22. Boot Configuration Word

The data field **BOOT\_SEQ**, effects on the boot sequence flow:

- When 0: releases the host from reset, then runs the HSE firmware
- When 1: keeps the host on reset and runs the HSE firmware first, must be set to run a pre-boot verification

## 5.3 Offline MAC Tag calculation

GMAC tags for IVT, AppBL, and SMR can be calculated offline on PC if the authentication key (for example, ADKP) is known.

This enables pre-programming during manufacturing and avoids runtime tag generation.

## 5.4 Update IVT

The IVT content stored in Flash needs to be updated, it is recommended to having a backup IVT to ensure that the program can be running in case of data corruption of another IVT.

The IVT start address can be selected among one of the values provided in the following table. At reset, the HSE searches for the first valid IVT header tag starting from the lowest address.

Table 16. SMR verification status and core boot status

| Device  | Possible start addresses (FULL_MEM)                                | Possible start addresses (AB_SWAP)     |
|---------|--------------------------------------------------------------------|----------------------------------------|
| S32K344 | 0x00400000<br>0x00500000<br>0x00600000<br>0x00700000<br>0x10000000 | 0x00400000<br>0x00500000<br>0x10000000 |

This step can be done after the secure boot configuration is complete and successful, but it can also be done before installing the SMRs and protect the IVT by the SMR like any other memory region.

The IVT can use **BOOT\_DATA\_SIGN** service to protect the IVT content against unauthorized changes, it works like the BSB mode, the authentication tag is computed and appended to the end of the IVT. To enable IVT authentication, the one-time programmable HSE system attribute **IVT\_AUTH** must be set to 1.

## 6 Secure boot on AB swap

### 6.1 Partition swapping service

The OTA feature is enabled if the user has installed the HSE firmware AB\_SWAP. This operation is irreversible, the device which has installed AB\_SWAP firmware can no longer install full\_mem firmware, and vice versa.

The FLASH space of S32K3xx will be equally divided into two partitions, active and passive. It can be switched by executing service “HSE\_SRV\_ID\_ACTIVATE\_PASSIVE\_BLOCK”, after reset, the active and passive partitions will be swapped.

The user can program the passive partition by the S32K3 FLASH controller or debugger like the device with full\_mem installed, but the passive partition cannot execute the program code.

For more details, please refer to the HSE reference manual chapter 12 [REF02].

### 6.2 DCM status registers

The host (application) can read the DCM status register (DCMSTAT) to identify which partition is active and which partition is passive. For more information refer to the following table.

Table 17. DCM status register (DCMSTAT)

| Bit Number | Function | Description                                                                                                          |
|------------|----------|----------------------------------------------------------------------------------------------------------------------|
| 31-18      |          | Reserved                                                                                                             |
| 17         | DCMOTAR  | AB_SWAP Active Region (valid only when the value of the DCMDONE field is 1)<br>0b – Low address<br>1b – High address |
| 16         | DCMOTAA  | AB_SWAP Active State (valid only when the value of the DCMDONE field is 1)<br>0b – Inactive<br>1b – Active           |
| 15-0       |          | Refer to S32K3-RM for more details.                                                                                  |

### 6.3 IVT authentication with GMAC

To prevent unauthorized modification of IVT, enable IVT authentication using GMAC.

Following are the steps:

1. Set IVT\_AUTH = 1 using HSE\_ENABLE\_BOOT\_AUTH\_ATTR\_ID.
2. Use hseBootDataImageSignSrv\_t to compute GMAC over IVT.
3. Append the 16-byte GMAC tag to the IVT.

The GMAC key is derived from ADKP; GMAC\_Key = SHA256(ADKP).

This ensures integrity of the boot configuration and prevents disabling secure boot.

### 6.4 Timing recommendations for BOOT\_SEQ and lifecycle

Do not set BOOT\_SEQ = 1 or advance lifecycle unless:

- HSE firmware is installed and keys are provisioned.
- IVT authentication is enabled.

- SMR and CR tables are configured. Power loss during these steps may brick the ECU. Ensure stable power and backup mechanisms.

## 6.5 Implement secure boot

To implement secure boot on the OTA enabled device, the users need to know that the SMR table is uniquely stored in the S32K3 HSE secure NVM, and the area protected by each SMR and its auth-tag will also point to a unique address.

Therefore, it is recommended to store the auth-tag in the same fixed address regardless of the active or passive partition, otherwise you need to reinstall the SMR to avoid secure boot failure.



Figure 23. Illustrating secure boot configuration on AB swap device

Figure 23 shows how to implement secure boot on the OTA enabled device in the demo:

1. After downloading the demo program code(Cfg\_v1 and App\_v1) on the active partition, the active region is “low address(block 0,1 )”, the S32K3xx will run the secure boot configuration program.
2. Detect that no valid program exists in the passive partition, copy the same data as the active partition to the passive partition, which is Cfg\_v1 and App\_v1 program code.
3. Install the SMR to configure secure boot, write the AuthTag\_v2 of the passive partition to the fixed location before App\_v2.
4. Perform AB swap, after functional reset, the active region is “high address(block 2,3)”, run Cfg\_v2.
5. Like Cfg\_v1 did in step3, Cfg\_v2 will compute the authentication tag of App\_v1 in the passive area and write it into the AuthTag\_v1 area.
6. After the authentication tags on both sides have been written, modify the BOOT\_SEQ to “1” in the active (block 0) and passive (block 2) IVT at the same time to enable secure boot flow. Since the start address in the SMR has been set to the App code address, the device will run the App program directly instead of the Cfg program.

Perform AB swap, after functional reset, the active region is “low address(block 0,1)”, run App\_v1

## 7 Setup and test

### 7.1 Import project

First, the user needs to import the secure boot Cfg and App projects into S32 Design Studio as shown in the following figure. The demo project is based on RTD-LLD driver pack (V 0.9.0).



Figure 24. Import project

The demo package needs the HSE firmware (V0.0.8.3) interface files and encrypted pink image, the user needs to copy it to project folder “HSE” as shown in the following figure.



Figure 25. Copy HSE interface header file

## 7.2 Driver configuration

The demo is developed and tested on S32K3 White Board, and the user can change the configurations of ConfigTools (CT) to adapt to any board as necessary. The following figure shows that the Pins, Clocks, Peripherals..., which can be changed in ConfigTools.



Figure 26. Config tools

In the Pins option as shown in [Figure 27](#), user can change the pin-map according to their requirements.

| Routed Pins for BOARD_InitPins |            |           |          |               |               |           |                 |                      |                   |                     |             |               |                        |                 |
|--------------------------------|------------|-----------|----------|---------------|---------------|-----------|-----------------|----------------------|-------------------|---------------------|-------------|---------------|------------------------|-----------------|
| #                              | Peripheral | Signal    | Route to | Label         | Identifier    | Direction | Slew Rate       | Output Buffer Enable | Safe Mode Control | Input Buffer Enable | Pull Select | Pullup Enable | Input Inversion Select | Pad keep enable |
| T13                            | SIUL2      | irq_16    | PTC20    | SW2/USER_BTN1 | Not Specified | Input     | Fastest setting | Disabled             | Disable           | Enabled             | Pulldown    | Disabled      | Don't invert           | Disabled        |
| R13                            | SIUL2      | irq_17    | PTC21    | SW3/USER_BTN2 | Not Specified | Input     | Fastest setting | Disabled             | Disable           | Enabled             | Pulldown    | Disabled      | Don't invert           | Disabled        |
| D10                            | SIUL2      | gpio_168  | PTF8     | Q2/LED1       | Not Specified | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pulldown    | Disabled      | Don't invert           | Disabled        |
| B15                            | SIUL2      | gpio_169  | PTF9     | Q3/LED2       | Not Specified | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pulldown    | Disabled      | Don't invert           | Disabled        |
| B17                            | SIUL2      | gpio_170  | PTF10    | Q4/LED3       | Not Specified | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pulldown    | Disabled      | Don't invert           | Disabled        |
| H11                            | SIUL2      | gpio_171  | PTF11    | Q5/LED4       | Not Specified | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pulldown    | Disabled      | Don't invert           | Disabled        |
| M2                             | LPUART_0   | Ipuart_tx | PTA27    | LPUART_0_TX   | LPUART_0_TX   | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pulldown    | Disabled      | Don't invert           | Disabled        |
| N2                             | LPUART_0   | Ipuart_rx | PTA28    | LPUART_0_RX   | LPUART_0_RX   | Input     | Fastest setting | Disabled             | Disable           | Enabled             | Pulldown    | Disabled      | Don't invert           | Disabled        |
| A9                             | SIUL2      | gpio_13   | PTA13    | IO_TOGGLE     | IO_TOGGLE     | Output    | Fastest setting | Enabled              | Disable           | Disabled            | Pullup      | Enabled       | Don't invert           | Disabled        |

Figure 27. Pin map

When the hardware configuration above is completed, users can click “Update Code” option to generate the RTD configuration file based on ConfigTools.

## 7.3 Test steps

### 7.3.1 Build project

The first step is to build (Debug\_FLASH) the two projects above, as described in the previous chapter. The App project binary file needs to be relocated in the link file of the Cfg project, it means that the App project should be built before the Cfg project.

After building, connect the uart output@9600bps and download program to S32K344 white board.

### 7.3.2 Run secure boot Cfg project program

The uart outputs the information of the program running status as shown in [Figure 28](#).

The secure boot Cfg project runs firstly, outputs the information of “HseStatus” and “smrCoreStatus” and executes the secure boot configuration.

### 7.3.3 Run secure boot App project program

Once the configuration of the Cfg project is completed, press “reset” button to reset the MCU. Then the secure boot App project runs and the output information of “HseStatus” and “smrCoreStatus” as shown in [Figure 28](#). The user can judge whether the verification is successful according to the changes of these parameters.

Finally, some crypto functions related to the keys installed in the secure boot Cfg project will be executed to test that the keys are available. It proves that the secure boot has passed, and the sanctions have not been placed.



Figure 28. Verification status

### 7.3.4 Erase NVM

When the above tests are completed, the user can press SW2 button to erase all the keys and secure boot configurations in the HSE NVM.

## 7.4 Addition

### 7.4.1 Program ADKP

The ADKP is an HSE OTP (one-time program) attribute, it will not be installed as other NVM keys in the Cfg project. User needs to manually program to test the basic secure boot.

### 7.4.2 Sanction in core reset table

The sanction is set to “HSE\_CR\_SANCTION\_DIS\_ALL\_KEYS” by default. User needs to be careful when changing it, or the core or SoC may stay in reset.

### 7.4.3 Inject error in App project (use Post\_BooT)

User can test whether the secure boot is functional by modifying the data in the flash area protected by the SMR after the secure boot configuration is completed.

The "Post\_Boot" secure boot mode should be used, and SMR "verifMethod" needs to be set as "HSE\_SMR\_VERIF\_POST\_BOOT\_MASK" accordingly.

If the "Pre\_Boot" secure boot mode is used, the verification failure will cause the MCU to enter the recovery mode and cannot run any user programs.

After restarting, the MCU runs the APP program and perform the crypto function. As the protected flash memory data has been modified, the secure boot verification will fail, which results in all keys being disabled and the crypto program will not execute normally.

### 7.4.4 Choose the appropriate FLASH download algorithm

When using the PE micro debugger for program downloading and debugging, users need to select the appropriate FLASH algorithm according to the type of HSE firmware installed as the [Figure 29](#), otherwise it will cause download errors.



Figure 29. Choose the FLASH download algorithm for PE micro

### 7.4.5 HSE clock limitations

The HSE Firmware is operational when HSE clock is between 24MHz and 120MHz. If the clock exceeds the range, it may cause the HSE M0 core to fail to start normally, or even a continuous watchdog reset and cause SBAF to erase the HSE firmware. For more details, please refer to the HSE reference manual chapter 14.2.5 [REF02].

## 8 Performance

Performance data is based on measuring the timing of the reset-pin (PTA5\_MCU\_RESETB) and toggle-pin (PTA13\_GPIO).



Figure 30. Measure secure boot performance

Toggle Pin is controlled by software and toggles at the timing of Cortex-CM7® Core released (Pre\_BOOT) or SMR verification completed (Post\_Boot). As shown in [Figure 30](#), the toggle pin after the “PRE\_BOOT” (pre-boot-phase) and “POST\_BOOT”(post-boot-phase).

For comparison, the time for Non-Secure Boot mode is 20.6 milliseconds.

The pre-boot performance data in milliseconds are measured when HSE\_B is at 48 MHz, as shown in the following table.

Table 18. Performance of secure boot (Pre-boot)

| Algo<br>Size | CMAC-128 (ASB or SHE) |          | HMAC-128 |          | GMAC-128 |          | RSA-2048 |          | ECC-256  |          |
|--------------|-----------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
|              | Normal                | Pre-Hash | Normal   | Pre-Hash | Normal   | Pre-Hash | Pre-Hash | Pre-Hash | Pre-Hash | Pre-Hash |
| 64KB         | 37.48                 | 27.89    | 28.04    | 27.60    | 29.18    | 27.84    | 27.94    | 27.90    |          |          |
| 128KB        | 48.20                 | 29.28    | 29.40    | 28.99    | 32.36    | 29.25    | 29.30    | 29.30    |          |          |
| 256KB        | 69.94                 | 32.10    | 32.24    | 31.75    | 38.18    | 32.05    | 31.88    | 31.82    |          |          |
| 512KB        | 113.7                 | 37.70    | 37.85    | 37.75    | 49.55    | 37.45    | 37.76    | 37.78    |          |          |

The post-boot performance data in milliseconds are shown in the following table.

Table 19. Performance of secure boot (Post-boot)

| Algo Size | Release CM7 core* | CMAC-128 (ASB or SHE) |          | HMAC-128 |          | GMAC-128 |          | RSA-2048 | ECC -256 |
|-----------|-------------------|-----------------------|----------|----------|----------|----------|----------|----------|----------|
|           |                   | Normal                | Pre-Hash | Normal   | Pre-Hash | Normal   | Pre-Hash | Pre-Hash | Pre-Hash |
| 64KB      | 26.10             | 11.36                 | 1.79     | 1.94     | 1.50     | 3.08     | 1.74     | 1.84     | 1.80     |
| 128KB     |                   | 22.28                 | 3.18     | 3.30     | 2.89     | 6.26     | 3.15     | 3.20     | 3.20     |
| 256KB     |                   | 44.16                 | 6.00     | 6.14     | 5.65     | 12.08    | 5.95     | 5.78     | 5.72     |
| 512KB     |                   | 87.96                 | 11.62    | 11.75    | 11.62    | 23.45    | 11.62    | 11.80    | 11.62    |

## 9 Reference

- HSE Service API Reference Manual (Rev.0 DRAFT J, 09/2020)
- HSE Firmware Reference Manual (Rev.0 DRAFT K, 11/2020)
- S32K3xx Reference Manual (Rev. 2 Draft B, 02/2021)
- SHE – Secure Hardware Extension Functional Specification (Version 1.1 01/04/2009)

## 10 Note about the source code in the document

The example code shown in this document has the following copyright and BSD-3-Clause license:

Copyright 2026 NXP Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

## 11 Revision history

Table 20. Revision history

| Document ID   | Release date    | Description     |
|---------------|-----------------|-----------------|
| AN13465 v.1.0 | 02 January 2026 | Initial release |

## Legal information

### Definitions

**Draft** — A draft status on a document indicates that the content is still under internal review and subject to formal approval, which may result in modifications or additions. NXP Semiconductors does not give any representations or warranties as to the accuracy or completeness of information included in a draft version of a document and shall have no liability for the consequences of use of such information.

### Disclaimers

**Limited warranty and liability** — Information in this document is believed to be accurate and reliable. However, NXP Semiconductors does not give any representations or warranties, expressed or implied, as to the accuracy or completeness of such information and shall have no liability for the consequences of use of such information. NXP Semiconductors takes no responsibility for the content in this document if provided by an information source outside of NXP Semiconductors.

In no event shall NXP Semiconductors be liable for any indirect, incidental, punitive, special or consequential damages (including - without limitation - lost profits, lost savings, business interruption, costs related to the removal or replacement of any products or rework charges) whether or not such damages are based on tort (including negligence), warranty, breach of contract or any other legal theory.

Notwithstanding any damages that customer might incur for any reason whatsoever, NXP Semiconductors' aggregate and cumulative liability towards customer for the products described herein shall be limited in accordance with the Terms and conditions of commercial sale of NXP Semiconductors.

**Right to make changes** — NXP Semiconductors reserves the right to make changes to information published in this document, including without limitation specifications and product descriptions, at any time and without notice. This document supersedes and replaces all information supplied prior to the publication hereof.

**Suitability for use** — NXP Semiconductors products are not designed, authorized or warranted to be suitable for use in life support, life-critical or safety-critical systems or equipment, nor in applications where failure or malfunction of an NXP Semiconductors product can reasonably be expected to result in personal injury, death or severe property or environmental damage. NXP Semiconductors and its suppliers accept no liability for inclusion and/or use of NXP Semiconductors products in such equipment or applications and therefore such inclusion and/or use is at the customer's own risk.

**Applications** — Applications that are described herein for any of these products are for illustrative purposes only. NXP Semiconductors makes no representation or warranty that such applications will be suitable for the specified use without further testing or modification.

Customers are responsible for the design and operation of their applications and products using NXP Semiconductors products, and NXP Semiconductors accepts no liability for any assistance with applications or customer product design. It is customer's sole responsibility to determine whether the NXP Semiconductors product is suitable and fit for the customer's applications and products planned, as well as for the planned application and use of customer's third party customer(s). Customers should provide appropriate design and operating safeguards to minimize the risks associated with their applications and products.

NXP Semiconductors does not accept any liability related to any default, damage, costs or problem which is based on any weakness or default in the customer's applications or products, or the application or use by customer's third party customer(s). Customer is responsible for doing all necessary testing for the customer's applications and products using NXP Semiconductors products in order to avoid a default of the applications and the products or of the application or use by customer's third party customer(s). NXP does not accept any liability in this respect.

**Terms and conditions of commercial sale** — NXP Semiconductors products are sold subject to the general terms and conditions of commercial sale, as published at <https://www.nxp.com/profile/terms>, unless otherwise agreed in a valid written individual agreement. In case an individual agreement is concluded only the terms and conditions of the respective agreement shall apply. NXP Semiconductors hereby expressly objects to applying the customer's general terms and conditions with regard to the purchase of NXP Semiconductors products by customer.

**Export control** — This document as well as the item(s) described herein may be subject to export control regulations. Export might require a prior authorization from competent authorities.

**Suitability for use in non-automotive qualified products** — Unless this document expressly states that this specific NXP Semiconductors product is automotive qualified, the product is not suitable for automotive use. It is neither qualified nor tested in accordance with automotive testing or application requirements. NXP Semiconductors accepts no liability for inclusion and/or use of non-automotive qualified products in automotive equipment or applications.

In the event that customer uses the product for design-in and use in automotive applications to automotive specifications and standards, customer (a) shall use the product without NXP Semiconductors' warranty of the product for such automotive applications, use and specifications, and (b) whenever customer uses the product for automotive applications beyond NXP Semiconductors' specifications such use shall be solely at customer's own risk, and (c) customer fully indemnifies NXP Semiconductors for any liability, damages or failed product claims resulting from customer design and use of the product for automotive applications beyond NXP Semiconductors' standard warranty and NXP Semiconductors' product specifications.

**HTML publications** — An HTML version, if available, of this document is provided as a courtesy. Definitive information is contained in the applicable document in PDF format. If there is a discrepancy between the HTML document and the PDF document, the PDF document has priority.

**Translations** — A non-English (translated) version of a document, including the legal information in that document, is for reference only. The English version shall prevail in case of any discrepancy between the translated and English versions.

**Security** — Customer understands that all NXP products may be subject to unidentified vulnerabilities or may support established security standards or specifications with known limitations. Customer is responsible for the design and operation of its applications and products throughout their lifecycles to reduce the effect of these vulnerabilities on customer's applications and products. Customer's responsibility also extends to other open and/or proprietary technologies supported by NXP products for use in customer's applications. NXP accepts no liability for any vulnerability. Customer should regularly check security updates from NXP and follow up appropriately. Customer shall select products with security features that best meet rules, regulations, and standards of the intended application and make the ultimate design decisions regarding its products and is solely responsible for compliance with all legal, regulatory, and security related requirements concerning its products, regardless of any information or support that may be provided by NXP.

NXP has a Product Security Incident Response Team (PSIRT) (reachable at [PSIRT@nxp.com](mailto:PSIRT@nxp.com)) that manages the investigation, reporting, and solution release to security vulnerabilities of NXP products.

**NXP B.V.** — NXP B.V. is not an operating company and it does not distribute or sell products.

### Trademarks

Notice: All referenced brands, product names, service names, and trademarks are the property of their respective owners.

**NXP** — wordmark and logo are trademarks of NXP B.V.

## Tables

|          |                                                                                                |    |          |                                                                                  |    |
|----------|------------------------------------------------------------------------------------------------|----|----------|----------------------------------------------------------------------------------|----|
| Tab. 1.  | Secure boot modes .....                                                                        | 7  | Tab. 11. | Sanction on a subsystem (at least one SMR not verified in post-boot phase) ..... | 19 |
| Tab. 2.  | Key usage flags .....                                                                          | 11 | Tab. 12. | Parameters of structure hseSmrCrEntryInstallSrv_t .....                          | 20 |
| Tab. 3.  | SMR verification map for key usage .....                                                       | 11 | Tab. 13. | HSE global status bits in FSR .....                                              | 24 |
| Tab. 4.  | SMR verification map for key usage .....                                                       | 15 | Tab. 14. | SMR verification status and core boot status .....                               | 24 |
| Tab. 5.  | SMR configuration flags .....                                                                  | 16 | Tab. 15. | Recommended PLL settings for secure boot .....                                   | 25 |
| Tab. 6.  | Parameters of structure hseSmrEntryInstallSrv_t .....                                          | 17 | Tab. 16. | SMR verification status and core boot status .....                               | 28 |
| Tab. 7.  | CR table entry attributes .....                                                                | 18 | Tab. 17. | DCM status register (DCMSTAT) .....                                              | 29 |
| Tab. 8.  | Subsystem vs. core identifiers (coreId) .....                                                  | 18 | Tab. 18. | Performance of secure boot (Pre-boot) .....                                      | 35 |
| Tab. 9.  | Status of the CPU subsystem (all SMR verified in pre-boot phase) .....                         | 19 | Tab. 19. | Performance of secure boot (Post-boot) .....                                     | 36 |
| Tab. 10. | Sanction on a subsystem (at least one SMR in primary map not verified in pre-boot phase) ..... | 19 | Tab. 20. | Revision history .....                                                           | 36 |

## Figures

|          |                                                             |    |          |                                                                         |    |
|----------|-------------------------------------------------------------|----|----------|-------------------------------------------------------------------------|----|
| Fig. 1.  | Chip reset and boot overview .....                          | 3  | Fig. 17. | Pre-boot / post-boot phases (BOOT_SEQ = 1) .....                        | 21 |
| Fig. 2.  | Illustrating the Messaging Unit (MU) in S32K3 .....         | 4  | Fig. 18. | SMR verifications and sanctions for the Advanced Secure Boot mode ..... | 22 |
| Fig. 3.  | Assign the global variables into non-cacheable memory ..... | 4  | Fig. 19. | SMR verifications for the SHE based Secure Boot mode .....              | 23 |
| Fig. 4.  | Set Cortex-M7 core stack to non-cacheable area .....        | 5  | Fig. 20. | Provisioning a device-dependent password / debug key .....              | 26 |
| Fig. 5.  | Image Vector Table .....                                    | 5  | Fig. 21. | Illustrating non-secure boot and basic secure boot .....                | 27 |
| Fig. 6.  | Boot Configuration Word .....                               | 6  | Fig. 22. | Boot Configuration Word .....                                           | 28 |
| Fig. 7.  | AppBL structure .....                                       | 7  | Fig. 23. | Illustrating secure boot configuration on AB swap device .....          | 30 |
| Fig. 8.  | Three Secure Boot modes .....                               | 8  | Fig. 24. | Import project .....                                                    | 31 |
| Fig. 9.  | HSE FW installation with IVT (FULL_MEM) .....               | 9  | Fig. 25. | Copy HSE interface header file .....                                    | 32 |
| Fig. 10. | The key catalog, group, slot .....                          | 10 | Fig. 26. | Config tools .....                                                      | 32 |
| Fig. 11. | Key import and export .....                                 | 11 | Fig. 27. | Pin map .....                                                           | 32 |
| Fig. 12. | Link file map .....                                         | 12 | Fig. 28. | Verification status .....                                               | 33 |
| Fig. 13. | The content of Cfg project's IVT .....                      | 13 | Fig. 29. | Choose the FLASH download algorithm for PE micro .....                  | 34 |
| Fig. 14. | The content of App project's AppBL .....                    | 13 | Fig. 30. | Measure secure boot performance .....                                   | 35 |
| Fig. 15. | Illustrating the memory verification service (SMR) .....    | 14 |          |                                                                         |    |
| Fig. 16. | SMR authentication scheme .....                             | 15 |          |                                                                         |    |

## Contents

|          |                                                    |           |              |                                                         |           |
|----------|----------------------------------------------------|-----------|--------------|---------------------------------------------------------|-----------|
| <b>1</b> | <b>Overview .....</b>                              | <b>2</b>  | <b>4.2.1</b> | Recovery from secure boot failure .....                 | <b>27</b> |
| 1.1      | Chip reset and boot flow .....                     | 2         | <b>5</b>     | <b>Enabling Secure Boot .....</b>                       | <b>27</b> |
| 1.2      | The HSE interface .....                            | 3         | 5.1          | Add mADKP diversification .....                         | 27        |
| 1.3      | Data synchronization with the HSE core .....       | 4         | 5.2          | Set BOOT_SEQ .....                                      | 28        |
| 1.4      | Image Vector Table (IVT) .....                     | 5         | 5.3          | Offline MAC Tag calculation .....                       | 28        |
| 1.5      | AppBL .....                                        | 6         | 5.4          | Update IVT .....                                        | 28        |
| 1.6      | Secure boot modes .....                            | 7         | <b>6</b>     | <b>Secure boot on AB swap .....</b>                     | <b>29</b> |
| 1.6.1    | Basic Secure Boot (BSB) .....                      | 8         | 6.1          | Partition swapping service .....                        | 29        |
| 1.6.2    | Advanced Secure Boot (ASB) .....                   | 8         | 6.2          | DCM status registers .....                              | 29        |
| 1.6.3    | SHE Secure Boot (based on ASB) .....               | 8         | 6.3          | IVT authentication with GMAC .....                      | 29        |
| <b>2</b> | <b>Preparation .....</b>                           | <b>9</b>  | 6.4          | Timing recommendations for BOOT_SEQ and lifecycle ..... | 29        |
| 2.1      | Installing HSE FW .....                            | 9         | 7            | Implement secure boot .....                             | 30        |
| 2.2      | Format catalogs .....                              | 9         | 6.5          | <b>Setup and test .....</b>                             | <b>31</b> |
| 2.3      | Install keys .....                                 | 10        | 7.1          | Import project .....                                    | 31        |
| 2.3.1    | Key attributes Usage flags .....                   | 11        | 7.2          | Driver configuration .....                              | 32        |
| 2.3.2    | Key attributes SMR verification map .....          | 11        | 7.3          | Test steps .....                                        | 33        |
| 2.4      | Modify link file .....                             | 12        | 7.3.1        | Build project .....                                     | 33        |
| 2.4.1    | IVT Cfg project .....                              | 12        | 7.3.2        | Run secure boot Cfg project program .....               | 33        |
| 2.4.2    | AppBL - App project .....                          | 13        | 7.3.3        | Run secure boot App project program .....               | 33        |
| <b>3</b> | <b>Advance Secure Boot .....</b>                   | <b>13</b> | 7.3.4        | Erase NVM .....                                         | 33        |
| 3.1      | Secure Memory Region (SMR) .....                   | 14        | 7.4          | Addition .....                                          | 34        |
| 3.1.1    | SMR table .....                                    | 14        | 7.4.1        | Program ADKP .....                                      | 34        |
| 3.1.1.1  | Authentication strategy .....                      | 15        | 7.4.2        | Sanction in core reset table .....                      | 34        |
| 3.1.1.2  | Configuration flags .....                          | 16        | 7.4.3        | Inject error in App project (use Post_BooT) .....       | 34        |
| 3.1.2    | SHE based Secure Boot (SMR #0) .....               | 16        | 7.4.4        | Choose the appropriate FLASH download algorithm .....   | 34        |
| 3.1.3    | SMR installation .....                             | 17        | 7.4.5        | HSE clock limitations .....                             | 34        |
| 3.1.3.1  | One-pass installation mode .....                   | 17        | <b>8</b>     | <b>Performance .....</b>                                | <b>35</b> |
| 3.1.3.2  | Streaming installation mode .....                  | 17        | <b>9</b>     | <b>Reference .....</b>                                  | <b>36</b> |
| 3.2      | Core Reset (CR) .....                              | 18        | <b>10</b>    | <b>Note about the source code in the document .....</b> | <b>36</b> |
| 3.2.1    | CR table .....                                     | 18        | <b>11</b>    | <b>Revision history .....</b>                           | <b>36</b> |
| 3.2.1.1  | Core identifier .....                              | 18        |              | <b>Legal information .....</b>                          | <b>37</b> |
| 3.2.1.2  | Verification map .....                             | 19        |              |                                                         |           |
| 3.2.2    | Sanctions .....                                    | 19        |              |                                                         |           |
| 3.2.2.1  | Pre-boot sanctions .....                           | 19        |              |                                                         |           |
| 3.2.2.2  | Post-boot sanctions .....                          | 19        |              |                                                         |           |
| 3.2.3    | CR installation .....                              | 20        |              |                                                         |           |
| 3.3      | SMR verification .....                             | 20        |              |                                                         |           |
| 3.3.1    | One-time automatic SMR verification .....          | 20        |              |                                                         |           |
| 3.3.1.1  | Pre-boot phase .....                               | 21        |              |                                                         |           |
| 3.3.1.2  | Boot phase and core reset release strategies ..... | 21        |              |                                                         |           |
| 3.3.1.3  | Post-boot phase .....                              | 21        |              |                                                         |           |
| 3.3.1.4  | Secure boot flow .....                             | 22        |              |                                                         |           |
| 3.3.2    | On-demand SMR verification .....                   | 22        |              |                                                         |           |
| 3.3.3    | Recurrent automatic SMR verification .....         | 22        |              |                                                         |           |
| 3.3.4    | SHE secure boot mode (only use SMR #0) .....       | 23        |              |                                                         |           |
| 3.3.5    | HSE status .....                                   | 23        |              |                                                         |           |
| 3.3.6    | SMR core status .....                              | 24        |              |                                                         |           |
| 3.4      | PLL and FXOSC configuration for secure boot .....  | 25        |              |                                                         |           |
| <b>4</b> | <b>Basic Secure Boot .....</b>                     | <b>25</b> |              |                                                         |           |
| 4.1      | Application debug key/password (ADKP) .....        | 25        |              |                                                         |           |
| 4.2      | Configuration .....                                | 26        |              |                                                         |           |

Please be aware that important notices concerning this document and the product(s) described herein, have been included in section 'Legal information'.