...
3.4 Factory Bootloader
One SDK bootloading follows a three-state modelbootloader flow supports three privilege states:
- Factory state (STATE_FACTORY) – most priviledged Factory mode; . MCU runs factory bootloader in S mode; . Both secure and non-secure code/data accessible.Unsealed state can be read and written. Factory mode can only be entered from unsealed state with factory command and factory password known only to Renesas. Factory state is always exits to seal state with a self-reset.
- Unsealed (STATE_UNSEALED) – user-controlled previledged mode, MCU Unsealed state is only entered from the sealed state with unsealed command and customer password. Unsealed state runs in NS mode ; secure code/data inaccessible.and supports additional commands
- Sealed state (STATE_SEALED) – user-controlled non-previledged mode.
3.4.1 Top-level pseudo code
Factory bootloader is the first firmware element that runs after MCU reset, and it runs in Trust Zone secure mode. The code block below shows the bootloader pseudo code. The code logic enforces the following behaviors:
- If the device is in factory state, processing of factory command set is enabled and runs in secure mode.
- If the device is in factory state, any reset of POR event will cause the device to revert back to seal state or unsealed state depending on how the user code
- If the device is in unsealed state or sealed state, command processing is passed onto the NS application by calling NS_entry().
- If the device
If the device is sealed, NS_entry() is immediately called. Note that g_dev_state is a SRAM variable. If the device is unsealed prior to POR (e.g., gf_dev_state == STATE_UNSEALED) then bootloader will fall into a communication loop until it receives the CMD_RESET command which will cause the MCU to reset and restart the bootloader, except this time it will immediately call the NS_entry() function.
While the communication loop is unsealed, the user can command the device to enter the factory state (STATE_FACTORY) through passphrase authentication. This will unlock additional privileged commands in the process_cmd() that will only be avaialble if the device is in factory state.
- Sealed state is where application runs. After reset, factory bootloader quickly check if it should enter the factory state; if not it will immediately transition to sealed state and jumps to the application.
3.4.1 Top-level pseudo code
| Code Block | ||||
|---|---|---|---|---|
| ||||
void factory_bootloader | ||||
| Code Block | ||||
void bootloader_start() { uint8_t cmd; uint8_t param[MAX_PARAM_SZ] = {0}; gs_dev_state = gsf_dev_state; if (gs_dev_state == STATE_FACTORY) { flash_write(&gfsgsf_dev_state, STATE_SEALED); while (true) { bool rc = read_cmd(&cmd, param); if (rc == OK) { if (cmd == CMD_RESET) { sys_reset(); } else { rc = process_factory_cmd(cmd, param); } } print_error(rc, cmd, param); error(rc); } } NS_entry(); } |
The NS_entry() is the non-secure entry function. Customer may optionally to implement customer bootloader() in NS_entry() or before the application code is called:
| Code Block | ||
|---|---|---|
| ||
void NS_entry() { application(); } void application() { // Initialize, setup ISR or threads application_setup(); // Comm loop while (true) { uint8_t rc = read_cmd(&cmd, ¶m); if (rc == OK) { if (state == STATE_UNSEALED) { rc = process_unsealed_cmds(cmd, param); } else { if ((cmd == CMD_UNSEAL) && (0 == strcmp(param, customer_password)) { state = STATE_UNSEALED; } else { rc = process_sealed_cmds(cmd, param); } } } NS_entry(); } print_error(rc); } } |
3.4.2 Updating firmware
Firmware update involves writing new code and data to secure and nonsecure flash memories using the host CMD_FLASH_WR command. The host PC shall parse an Intel HEX file into series of commands each follow by the checksum. The Trust Zone memory boundaries are then configured by writing to the the IDAU registers.
...