MSPM0G1507: MSPM0G1507 or similar MCU to have a monotonically increasing counter

Part Number: MSPM0G1507
Other Parts Discussed in Thread: MSPM0G3507

Hi TI engineers,

We are using MCUboot as our bootloader, and we require the following feature combination:

We wish to use MCUBOOT_SWAP_USING_MOVE along with MCUBOOT_DOWNGRADE_PREVENTION.

However, based on the MCUboot documentation, that is not supported (software anti-rollback doesn't work with move, only with MCUBOOT_OVERWRITE_ONLY).

As far as I know, MCUBOOT_DIRECT_XIP works fine with anti-rollback, since it always picks the valid highest version to execute.

Do you have any suggestions that would solve our pain?

I saw that the MCUboot documentation mentions MCUBOOT_HW_ROLLBACK_PROT. I read the related sections, but it seems the current TI chip has no way to securely implement a monotonically increasing counter.

Really appreciate your help!

  • Hi Tiger,

    Could you please tell me what SDK version you are using and which example or document you are referring to? Then I can take a look and better understand your requirement.

    Best Regards,

    Pengfei

  • mspm0_sdk_2_02_00_05. I saw no difference from the latest one.

    We are using the MSPM0G3507 example project as a reference. My question actually relates to MCUBOOT. I asked ChatGPT, which said that I need to change the implementation of the boot_go() function to something similar to the following (not verified, may contain errors):

    int boot_go(struct boot_loader_state *state, struct boot_rsp *rsp)
    {
        int swap_type;
    
        swap_type = boot_validated_swap_type(state);
    
        if (swap_type == BOOT_SWAP_TYPE_NONE) {
            // Compare versions before deciding to swap
            const struct image_version *primary_ver, *secondary_ver;
            primary_ver = &state->imgs[BOOT_CURR_IMG(state)][BOOT_PRIMARY_SLOT].hdr.ih_ver;
            secondary_ver = &state->imgs[BOOT_CURR_IMG(state)][BOOT_SECONDARY_SLOT].hdr.ih_ver;
    
            if (boot_version_cmp(secondary_ver, primary_ver) > 0) {
                BOOT_LOG_INF("Secondary image is newer. Proceeding with swap.");
                swap_type = BOOT_SWAP_TYPE_TEST;
            } else {
                BOOT_LOG_INF("Primary image is up-to-date. No swap needed.");
            }
        }
    
        // Existing swap logic...
    }
    

    About MCUBOOT_HW_ROLLBACK_PROT, I referred to: https://docs.mcuboot.com/design.html#hw-downgrade-prevention

    But it seems the current M0G doesn't come with any OTP (one-time programmable) area or similar approach.

  • Hi Tiger,

    I need some time to take a deeper look at this document, and I will give feedback by the end of this week.

    Best Regards,

    Pengfei

  • Hi Tiger,

    The MSPM0G3507 part doesn't easily support features of the downgrade prevention and swapping mechanisms. The current MCU boot restrictions you listed in the first post are correct.

    You can do an effective one time programming by using the security features on the device but that is closer to OTP on the whole device, not a single section.

    Our G3519 part has more features with Dual-bank which easily enables the booting features you're requesting and includes the monotonic counter. With the G3519 you can have 2 images and update and swap the images which will maintain the addressing via hardware.

    Regards,
    Luke
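
The rollback check that a monotonic security counter enables, as discussed in this thread, shown as an added example (not code from the posters, TI or MCUboot). All names are hypothetical; flash is modelled as a RAM array whose bits can only be cleared, and the counter region is assumed to be erase-protected before the application starts, which is the property the thread notes is hard to get without OTP.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a flash region: programming can only clear bits
 * (1 -> 0). All names here are hypothetical. Assumption: the bootloader
 * erase-protects this region before starting the application; without
 * that, an erase would reset the counter. */
#define CNT_WORDS 4u
#define CNT_MAX   (CNT_WORDS * 32u)
static uint32_t cnt_flash[CNT_WORDS] = {
    0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu, 0xFFFFFFFFu };

static void flash_program_word(size_t i, uint32_t v) { cnt_flash[i] &= v; }

/* Counter value = number of cleared bits (unary coding). */
uint32_t counter_read(void)
{
    uint32_t n = 0;
    for (size_t i = 0; i < CNT_WORDS; i++)
        for (uint32_t z = ~cnt_flash[i]; z != 0; z >>= 1)
            n += z & 1u;
    return n;
}

/* Raise the counter to target; a lower target is a no-op, never a decrease. */
int counter_advance_to(uint32_t target)
{
    if (target > CNT_MAX)
        return -1;                       /* counter space exhausted */
    for (uint32_t cur = counter_read(); cur < target; cur++)
        flash_program_word(cur / 32u, ~(1u << (cur % 32u)));
    return 0;
}

/* Returns 1 if the image may boot, 0 if it is rejected as a rollback. */
int boot_image(uint32_t img_security_cnt)
{
    if (img_security_cnt < counter_read())
        return 0;                        /* older than what already ran */
    /* Advance only after the image has been validated. */
    return counter_advance_to(img_security_cnt) == 0;
}

int main(void)
{
    printf("cnt 3 -> %d\n", boot_image(3));
    printf("cnt 2 -> %d\n", boot_image(2));
    printf("stored = %u\n", (unsigned)counter_read());
    return 0;
}
```

Unary coding spends one flash bit per counter step, so the region must be sized for the number of security-relevant releases expected over the product's lifetime.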