NXP's scalable S32K3xx device family features an advanced "secure debug" mechanism, and is based on secret keys in order to protect user applications throughout the development phase. PEmicro debug tools, which are deeply integrated with NXP’s S32 Design Studio for S32 Platform and other IDEs, include Python scripts to enable use of the secure debug feature. This article will walk the user through that process.

Topics Covered

• S32K3xx Secure Debug Overview
• Authenticating a Debugger for Secure Password Mode
• Key Registration and Authenticating a Debugger in Secure Challenge & Response Mode (requires Smart Card & Reader)
  • Ordering Volkano-Enabled JCOP Smart Cards
  • Registering A Key
  • Authenticating a Debugger for Challenge & Response Mode
• Secure Authenticated Debug

Overview

NXP's S32K3xx devices may be advanced into a state that requires the user to execute a Password authentication or a Challenge & Response authentication on the debugger at the beginning of a standard S32DS debug session. These secure debug modes prevent unauthorized debug access by requiring the proper credentials to authenticate the debugger before proceeding with a secure debug session. A new authentication procedure is always required following a destructive reset or power on reset. 

The two authentications are quite different. In order to gain secure debug access for a secure device in Password mode, the debugger must be authenticated with a password. For secure debug of a device in Challenge & Response mode, the user must register an Application Debug Key/Password (ADKP) on a NXP smart card prior to the debugger authentication.

PEmicro provides scripts to facilitate authentication of a debugger in Password mode, and also to assist in registering an existing key on a NXP smart card for secure debug in Challenge & Response mode.

The following scripts can be downloaded in the PEmicro support files package which is located in the NXP\S32K3xx folder. PEmicro's scripts require Python 3.5 or later to run. 

• authenticate_password_mode.py
• register_adkp.py
• authenticate_challenge_response_mode.py

Before running any of the scripts, the PEmicro interface (e.g. Multilink or Cyclone) must be connected to the target's debug header and the S32K3xx device must be powered and freshly power cycled. It is worth noting that the authentication state is lost every time the part goes through a destructive reset, so the scripts to authenticate must be run after every power cycle event.   

Authenticating a Debugger for Secure Password Mode

PEmicro's authenticate_password_mode.py script authenticates a debugger for secure communication with a device in Password mode so that it can be securely debugged (please refer to Figure 1).

The inputs for authenticate_password_mode.py are:

• hardwareid: the debug hardware IP address, name, serial number, or port name 

(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or USB1 for USB Multilink interfaces)

• password: the 16 byte hexadecimal preconfigured password needed to authenticate the device 

(e.g. -password=0123456789ABCDEF0123456789ABCDEF)

Figure 1: Example of calling the authenticate_password_mode.py script on the command line

Key Registration and Authenticating a Debugger in Secure Challenge & Response Mode

The key must first be registered to an NXP smart card. The smart card can be connected to a PC via a PC/SC compatible smart card reader (usually coming with a USB connection).  After registration, to enter secure debug mode, the key must be authenticated in a challenge & response query. 

Ordering Volkano-Enabled JCOP Smart Cards

JCOP4 smart cards pre-loaded with NXP’s volkano applet can be ordered from ID Performance. Purchase orders may be sent to contact@id-performance.net. Cards must be ordered in multiples of 5, and orders should include the delivery contact name/phone/email, shipping address, and billing address. ID Performance will reply to your purchase order with a commercial offer, which they will ship and invoice upon your acceptance.

Registering a Key

PEmicro's register_adkp.py script registers an existing wrapped Application Debug Key/Password (ADKP) onto the NXP smart card for use with designated S32K3xx devices with advanced challenge & response security (please refer to Figure 2 for details). Please refer to NXP documentation and support for more information on how to create an ADKP.

The inputs for register_adkp.py are:

• hardwareid: the debug hardware IP address, name, serial number, or port name 

(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or =USB1 for USB Multilink interfaces) 

• wrapped_adkp: the 256 byte hexadecimal wrapped ADKP value 

(e.g. -wrapped_adkp=0123456789ABCDEF...)

• user_pwd: the password that authenticates the smart card user 

(e.g. -user_pwd=pwd123)

Figure 2. Example of calling the register_adkp.py script on the command line

Authenticating a Debugger for Challenge & Response Mode

PEmicro's authenticate_challenge_response_mode.py script authenticates a debugger for secure communication with a dedicated device in Challenge & Response mode (please refer to Figure 3). The Register ADKP step must be completed before authentication takes place.

The inputs for authenticate_challenge_response_mode.py are:

• hardwareid: the debug hardware IP address, name, serial number, or port name 

(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or =USB1 for USB Multilink interfaces)

• user_pwd:the password that authenticates the smart card user  

(e.g. -user_pwd=pwd123)

Figure 3: Example of calling the authenticate_challenge_response_mode.py script on the command line

Secure Authenticated Debug

After the debugger has been authenticated, the developer can securely debug the device under S32 Design Studio or any third-party IDEs with the PEmicro plug-in. Note: The device will remain accessible in secure debug only until the next hard reset or power cycle. By default, a hard reset is toggled during debug entry, which would clear the authentication. To prevent this, specify the "SECUREDEBUG" device in the software (e.g. "S32K344-SECUREDEBUG" instead of "S32K344").

Figure 4: Select Target Device dialog

HSE-enabled FLASH programming algorithms (e.g., nxp_s32k344_1x32x980k_hse_enabled.arp) must be selected when debugging or programming designated devices with advanced security, because the available flash on an S32K3xx device is trimmed to accommodate HSE firmware when the part is provisioned into one of advanced security modes. Please note that an S32K3xx device with HSE firmware installed does not necessarily need secure debugger authentication. When installing HSE, the device is initially in lifecycle CUST_DEL, which has debug access open. It is not until advancing the life cycle that secure debug is required.

When a project is created under S32DS IDE, the PEmicro plugin will automatically default to the FLASH programming driver to support programming of full device P and D FLASH ranges - assuming that HSE and AB Swap memory modes are disabled. In order to switch to a FLASH programming algorithm that supports devices with an HSE firmware footprint, the user needs to: 

1) open the PEmicro debug configuration 

2) from the Flash Algorithm Selection drop down box, select:

    → open Advanced Options Dialog →  nxp_s32k344_1x32x980k_hse_enabled.arp 

or the user can check “Use Alternative Algorithm” and browse to select an HSE-enabled FLASH algorithm from the latest PEmicro plugin (please refer to Figures 4 and 5).

Figure 5: PEmicro Debug Configuration

Figure 6: PEmicro Advanced Options

PEmicro's FLASH programming drivers can be found at the following location within the S32DS layout:

{S32DS Installation:Directory}\eclipse\plugins\com.pemicro.debug.gdbjtag.pne_5.xxxxx\win32\gdi\P&E\supportFiles_ARM\NXP\S32K3xx

The device will remain accessible in secure debug until the next destructive reset or power cycle, at which point the part will need to be authenticated again.