NXP has released a new, scalable S32K3xx device family, featuring an advanced secure debug mechanism, based on secret keys, to protect user applications throughout the development phase. PEmicro debug tools, which are deeply integrated with NXP’s S32 Design Studio and other IDEs, include Python scripts to enable and use the secure debug feature.
Topics Covered
Overview
NXP's S32K3xx devices may be advanced into a state that requires the user to execute a Password authentication or a Challenge & Response authentication on the debugger at the beginning of a standard S32DS debug session. These secure debug modes prevent unauthorized debug access by requiring the proper credentials to authenticate the debugger before proceeding with a secure debug session. A new authentication procedure is always required following a destructive reset or power on reset.
In order to gain secure debug access for a secure device in Password mode, the debugger must be authenticated with a password. For secure debug of a device in Challenge & Response mode, the user must register an Application Debug Key/Password (ADKP) on a NXP smart card prior to the debugger authentication.
PEmicro provides scripts to facilitate authentication of a debugger in Password mode, and also to assist in registering an existing key on a NXP smart card for secure debug in Challenge & Response mode.
The following scripts can be downloaded in the PEmicro support files package which is located in the NXP\S32K3xx folder. PEmicro's scripts require Python 3.5 or later to run.
- authenticate_password_mode.py
- register_adkp.py
- authenticate_challenge_response_mode.py
Before running any of the scripts, the PEmicro interface (e.g. Multilink or Cyclone) must be connected to the target's debug header and the S32K3xx device must be powered and freshly power cycled. It is worth noting that the authentication state is lost every time the part goes through a destructive reset, so the scripts to authenticate must be run after every power cycle event.
Authenticating a Debugger for Secure Password Mode
PEmicro's authenticate_password_mode.py script authenticates a debugger for secure communication with a device in Password mode so that it can be securely debugged (please refer to Figure 1).
The inputs for authenticate_password_mode.py are:
- hardwareid: the debug hardware IP address, name, serial number, or port name
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or USB1 for USB Multilink interfaces)
- password: the 16 byte hexadecimal preconfigured password needed to authenticate the device
(e.g. -password=0123456789ABCDEF0123456789ABCDEF)
Figure 1: Example of calling the authenticate_password_mode.py script on the command line
Key Registration and Authenticating a Debugger in Secure Challenge & Response Mode
The key must first be registered to an NXP smart card. The smart card can be connected to a PC via a PC/SC compatible smart card reader (usually coming with a USB connection). After registration, to enter secure debug mode, the key must be authenticated in a challenge & response query.
Ordering Volkano-Enabled JCOP Smart Cards
JCOP4 smart cards pre-loaded with NXP’s volkano applet can be ordered at ID Performance, in a minimum quantity of 5. The price for 5 cards is subject to change, but as of writing is 95€ excl. VAT (incl. shipping to France). Outside of France additional shipping charges will apply. There is a 4-step order procedure:
- Email contact@id-performance.net with the Subject “Purchase Order/NXP S32 debug entry authenticator.” In the body of the email, specify the following:
- Order qty. (multiples of 5 only)
- Shipment address
- Delivery contact (name, phone, email)
- Billing address
- Performance ID will email a commercial offer with order details and price
- Email your acceptance in response to the commercial order
- The smart cards will be shipped to the address that you specified, and an invoice will be emailed.
Registering a Key
PEmicro's register_adkp.py script registers an existing wrapped Application Debug Key/Password (ADKP) onto the NXP smart card for use with designated S32K3xx devices with advanced challenge & response security (please refer to Figure 2 for details). Please refer to NXP documentation and support for more information on how to create an ADKP.
The inputs for register_adkp.py are:
- hardwareid: the debug hardware IP address, name, serial number, or port name
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or =USB1 for USB Multilink interfaces)
- wrapped_adkp: the 256 byte hexadecimal wrapped ADKP value
(e.g. -wrapped_adkp=0123456789ABCDEF...)
- user_pwd: the password that authenticates the smart card user
(e.g. -user_pwd=pwd123)
Figure 2. Example of calling the register_adkp.py script on the command line
Authenticating a Debugger for Challenge & Response Mode
PEmicro's authenticate_challenge_reponse_mode.py script authenticates a debugger for secure communication with a dedicated device in Challenge & Response mode (please refer to Figure 3). The Register ADKP step must be completed before authentication takes place.
The inputs for authenticate_challenge_reponse_mode.py are:
• hardwareid: the debug hardware IP address, name, serial number, or port name
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or =USB1 for USB Multilink interfaces)
• user_pwd:the password that authenticates the smart card user
(e.g. -user_pwd=pwd123)
Figure 3: Example of calling the authenticate_challenge_response_mode.py script on the command line
Secure Authenticated Debug
After the debugger has been authenticated, the developer can securely debug the device under S32 Design Studio or any third-party IDEs with the PEmicro plug-in. Note: the device will remain accessible in secure debug only until the next hard reset or power cycle. By default, a hard reset is toggled during debug entry which would clear the authentication. To prevent this, specify the "SECUREDEBUG" device in the software (eg. "S32K344-SECUREDEBUG" instead of "S32K344").
HSE-enabled FLASH programming algorithms (e.g., nxp_s32k344_1x32x980k_hse_enabled.arp) must be selected when debugging or programming designated devices with advanced security, because the available flash on an S32K3xx device is trimmed to accommodate HSE firmware when the part is provisioned into one of advanced security modes. Please note that an S32K3xx device with HSE firmware installed does not necessarily need secure debugger authentication. When installing HSE, the device is initially in lifecycle CUST_DEL, which has debug access open. It is not until advancing the life cycle that secure debug is required.
When a project is created under S32DS IDE, the PEmicro plugin will automatically default to the FLASH programming driver to support programming of full device P and D FLASH ranges - assuming that HSE and AB Swap memory modes are disabled. In order to switch to a FLASH programming algorithm that supports devices with an HSE firmware footprint, the user needs to: open the PEmicro debug configuration and, from the Flash Algorithm Selection drop down box, select:
→ open Advanced Options Dialog → nxp_s32k344_1x32x980k_hse_enabled.arp
or the user can check “Use Alternative Algorithm” and browse to select an HSE-enabled FLASH algorithm from the latest PEmicro plugin (please refer to Figures 4 and 5).
Figure 4: PEmicro Debug Configuration
Figure 5: PEmicro Advanced Options
PEmicro’s FLASH programming drivers can be found at the following location within the S32DS layout:
S32DS Installation: Directory}\eclipse\plugins\com.pemicro.debug.gdbjtag.pne_5.xxxxx\win32\gdi\P&E\supportFiles_ARM\NXP\S32K3xx
The device will remain accessible in secure debug until the next destructive reset or power cycle, at which point the part will need to be authenticated again.
