S32K3xx Secure Debug Support
NXP has released a new, scalable S32K3xx device family that features an advanced "secure debug mechanism" based on secret keys to protect user applications throughout the development phase. PEmicro debug tools, which are deeply integrated with NXP's S32 Design Studio and other IDEs, include Python scripts to enable and use the "secure debug" feature.
Overview
NXP's S32K3xx devices can be set to a state where the user must perform password authentication or challenge and response authentication on the debugger at the beginning of a standard S32DS debug session. These secure debug modes prevent unauthorized debug access by requiring the correct credentials to authenticate the debugger before proceeding with a secure debug session. A new authentication process is always required after a destructive reset or power-on reset.
To obtain secure debug access for a secure device in password mode, the debugger must be authenticated with a password. To securely debug a device in Challenge & Response mode, the user must register an Application Debug Key/Password (ADKP) on an NXP smart card prior to debugger authentication.
PEmicro provides scripts to facilitate authentication of a debugger in password mode and also to assist in registering an existing key on an NXP smart card for secure debugging in challenge & response mode.
The following scripts can be downloaded as part of the PEmicro support file package, where they are located in the NXP\S32K3xx folder. The scripts from PEmicro require Python 3.5 or later to run.
- authenticate_password_mode.py
- register_adkp.py
- authenticate_challenge_response_mode.py
Before running any of the scripts, the PEmicro interface (e.g., Multilink or Cyclone) must be connected to the target's debug header, and the S32K3xx device must be powered and freshly power-cycled. The authentication state is lost each time the part goes through a destructive reset, so the authentication scripts must be run again after each power cycle.
Authenticate a debugger for secure password mode
PEmicro's authenticate_password_mode.py script authenticates a debugger to communicate securely with a device in password mode so that it can be securely debugged (see Figure 1).
The inputs for authenticate_password_mode.py are:
• hardwareid: the IP address, name, serial number, or port name of the debug hardware
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or USB1 for USB Multilink interfaces)
• password: the pre-configured 16-byte hexadecimal password required to authenticate the device
(e.g. -password=0123456789ABCDEF0123456789ABCDEF)
Key registration and authentication of a debugger in secure Challenge & Response mode
The key must first be registered on an NXP smart card. The smart card can be connected to a PC via a PC/SC compatible smart card reader (usually with a USB connector). After registration, the key must be used in a Challenge & Response query to be authenticated to enter secure debug mode.
Registration of a key
PEmicro's register_adkp.py script registers an existing wrapped Application Debug Key/Password (ADKP) on the NXP smart card for use with certain S32K3xx devices with Enhanced Challenge & Response security (see Figure 2 for details). For more information on creating an ADKP, see the NXP documentation and support.
The inputs for register_adkp.py are:
• hardwareid: IP address, name, serial number, or port name of the debug hardware
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or USB1 for USB Multilink interfaces)
• wrapped_adkp: the 256-byte hexadecimal wrapped ADKP value
(e.g. -wrapped_adkp=0123456789ABCDEF...)
• user_pwd: the password that authenticates the smart card user
(e.g. -user_pwd=pwd123)
Authenticating a Debugger for the Challenge & Response mode
PEmicro's authenticate_challenge_response_mode.py script authenticates a debugger for secure communication with a dedicated device in Challenge & Response mode (see Figure 3). The Register ADKP step must be completed before authentication takes place.
The inputs for authenticate_challenge_response_mode.py are:
• hardwareid: IP address, name, serial number, or port name of the debug hardware
(e.g. -hardwareid=10.0.4.17 for Ethernet Cyclone or USB1 for USB Multilink interfaces)
• user_pwd: the password that authenticates the smart card user
(e.g. -user_pwd=pwd123)
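A pre-flight check for the inputs of all three scripts, as an added example that is not part of PEmicro's package: it validates the sizes stated above (16-byte password, 256-byte wrapped ADKP), builds the argument list in the -name=value form shown in the examples, and produces a log-safe rendering. Launching the scripts through the Python interpreter and the helper names check_value, build_command and redact are assumptions.

```python
import re
import sys

# Inputs per script, from the descriptions above. A number is the required
# size in bytes of a hex value; None marks a free-form, non-empty string.
SCRIPTS = {
    "authenticate_password_mode.py": {"password": 16},
    "register_adkp.py": {"wrapped_adkp": 256, "user_pwd": None},
    "authenticate_challenge_response_mode.py": {"user_pwd": None},
}
_HEX = re.compile(r"[0-9A-Fa-f]+")


def check_value(name, value, nbytes):
    """Validate one input; error messages never echo the value itself."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"{name}: empty or contains whitespace")
    if nbytes is None:
        return value
    if not _HEX.fullmatch(value):
        raise ValueError(f"{name}: not a plain hexadecimal string")
    if len(value) != 2 * nbytes:
        raise ValueError(
            f"{name}: expected {2 * nbytes} hex digits ({nbytes} bytes), "
            f"got {len(value)}")
    return value


def build_command(script, hardwareid, secrets):
    """Return argv for `script` (assumed launch: python <script> -name=value)."""
    spec = SCRIPTS.get(script)
    if spec is None:
        raise ValueError(f"unknown script: {script}")
    if set(secrets) != set(spec):
        raise ValueError(f"{script} takes exactly: {sorted(spec)}")
    check_value("hardwareid", hardwareid, None)
    argv = [sys.executable, script, f"-hardwareid={hardwareid}"]
    for name in spec:  # keep the order in which the inputs are listed above
        argv.append(f"-{name}={check_value(name, secrets[name], spec[name])}")
    return argv


def redact(argv):
    """Render argv for logs with every password/key value masked."""
    secret_names = {n for spec in SCRIPTS.values() for n in spec}
    out = []
    for arg in argv:
        name, sep, _ = arg.partition("=")
        masked = sep and name.lstrip("-") in secret_names
        out.append(f"{name}=<redacted>" if masked else arg)
    return " ".join(out)
```

Values passed as command-line arguments are visible in the local process list while a script runs, so log only the redact() form and keep the ADKP and passwords out of shell history.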
Secure Authenticated Debugging
Once the debugger has been authenticated, the developer can securely debug the device on S32 Design Studio or any 3rd party IDE with the PEmicro plugin.
HSE-enabled FLASH programming algorithms (e.g. nxp_s32k344_1x32x980k_hse_enabled.arp) must be selected when debugging or programming certain devices with enhanced security, since the available flash on an S32K3xx device is limited to make room for the HSE firmware when the part is deployed in a security-enhanced mode. Please note that an S32K3xx device with HSE firmware installed does not necessarily require secure debugger authentication. When HSE is installed, the device is initially in the CUST_DEL life cycle, in which debug access is open. Secure debugging is only required as the life cycle progresses.
When a project is built under S32DS IDE, the PEmicro plugin automatically uses the FLASH programming driver that supports programming of the entire P and D FLASH areas of the device, provided that the HSE and AB Swap memory modes are disabled. To switch to a FLASH programming algorithm that supports devices with an HSE firmware footprint, the user must open the PEmicro debug configuration and select the algorithm from the Flash Algorithm drop-down box:
→ Open Advanced Options dialog → nxp_s32k344_1x32x980k_hse_enabled.arp
Alternatively, the user can check "Use Alternative Algorithm" and search for an HSE-capable FLASH algorithm from the latest PEmicro plugin (see Figures 4 and 5).
PEmicro's FLASH programming drivers can be found at the following location in the S32DS layout:
{S32DS installation directory}\eclipse\plugins\com.pemicro.debug.gdbjtag.pne_5.xxxxx\win32\gdi\P&E\supportFiles_ARM\NXP\S32K3xx
The device remains accessible for secure debugging until the next destructive reset or power cycle. At that point, the part must be authenticated again.
PEmicro's Programming & Debugging Tools
PEmicro develops and produces debug and ISP programming tools for a variety of microcontroller architectures. The portfolio is divided into two device series, the Cyclone series and the Multilink series. The Cyclone series are high-volume, in-system programmers that provide secure internal storage of program images, power to the target device, manual and automated programming capabilities, serialization, dynamic data programming, and a user-friendly touchscreen interface.
By using the Multilink series, the user can use the background debug mode to stop the normal processor execution and control the processor from a PC. The user can then directly control the execution of the target processor, read/write registers and memory values, view the debug code on the processor, and program internal or external FLASH memory devices.