Parameters:
• The candidate image is written in the secure image secondary slot.
Actions:
• At each product reset TOE (TFM_SBSFU_Boot application) checks if a new image is pre‑loaded by a
non‑secure application or the standalone external loader application in the secure image secondary slot.
The new secure image must be programmed at the beginning of the secure image secondary slot and
must comply with the image format (image header, image payload, and image TLV) as defined by the
TFM_SBSFU_Boot application. When compiling the TFM_Appli secure project delivered in the software package,
the TFM_Appli secure signed binary with the right format is automatically generated
(TFM_Appli\Binary\tfm_s_enc_sign.bin for the encrypted image). When a new image is detected, the
TFM_SBSFU_Boot application launches the update procedure of the secure image (that verifies the data
before updating the firmware).
Errors:
• The candidate image is not installed in the secure image primary slot in the case of the following errors:
– Version dependency failure: the version of the secure image is inconsistent with the version of the
non‑secure image.
• The candidate image is not installed in the secure image primary slot and is erased from the secure image
secondary slot in the case of the following errors:
– Image size not consistent
– Flash reading errors (double ECC errors)
– Version check failure: the image version is lower than the previous valid image installed.
– Image signature failure: image not authentic
• The candidate image is not installed in the secure image primary slot and the TOE resets:
– A Flash writing or erasing error may be reported by the Flash driver used by the application to write data
in the secure image primary slot area.
Non‑secure image secondary slot interface
The non‑secure image secondary slot is used to implement the remote firmware update functionality of the
non‑secure image by triggering the bootloader image upgrade process. It is a memory area where a new
candidate of the non‑secure image is placed by writing into it, either using the non‑secure application via a
physical or a wireless interface, or using the standalone external loader application via a physical interface.
After any product reset, if the magic 16 bytes are present at the slot area end location, the TOE attempts to
interpret the data as a candidate image and applies it to the non‑secure image primary slot if it is correctly
verified. If a candidate image is analyzed as not valid (authenticity and integrity), then the image data are
deleted from the non‑secure image secondary slot.
Method of use:
• The non‑secure image secondary slot region is located at the address FLASH_AREA_3_OFFSET defined in the
TFM\Linker\flash_layout.h file, as described in Figure 3. To use the non‑secure image secondary slot, data
must be written in the correct image format in the non‑secure image secondary slot area and the magic
16 bytes must be written at the slot area end location, as described in Figure 4.
Parameters:
• The candidate image is written in the non‑secure image secondary slot.
Actions:
• At each product reset TOE (TFM_SBSFU_Boot application) checks if a new image is pre‑loaded by a
non‑secure application or the standalone external loader application in the secure image secondary slot.
The new non‑secure image must be programmed at the beginning of the non‑secure image secondary slot
and must comply with the image format (image header, image payload, and image TLV) as defined by the
TFM_SBSFU_Boot application. When compiling the TFM_Appli non‑secure project delivered in the software
package, the TFM_Appli non‑secure signed binary with the right format is automatically generated
(TFM_Appli\Binary\tfm_ns_enc_sign.bin for the encrypted image). When a new image is detected, the
TFM_SBSFU_Boot application launches the update procedure of the non‑secure image that verifies the data
before updating the firmware.
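As an added example (not part of UM2852 or the ST software package), the Python script below models the key-less part of the candidate checks described in the secure and non‑secure "Actions" paragraphs above: the magic 16 bytes at the slot end, the header/payload/TLV layout, size consistency against the slot, the SHA256 TLV, and the version comparison; signature verification is left to the bootloader. It assumes the MCUboot image format that TFM_SBSFU_Boot is built on (the header magic, TLV magics and trailer magic are assumed constants, not values quoted from this page), and the image and slot bytes are constructed inside the script.

```python
import hashlib
import struct

# Assumed MCUboot constants (TFM_SBSFU_Boot is MCUboot-based); the manual itself
# only names "header, payload, TLV" and "magic 16 bytes at the slot end".
IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGIC, TLV_SHA256 = 0x6907, 0x10
TRAILER_MAGIC = struct.pack("<4I", 0xF395C277, 0x7FEFD260, 0x0F505235, 0x8079B62C)
# ih_magic, ih_load_addr, ih_hdr_size, ih_protect_tlv_size, ih_img_size, ih_flags,
# version (major, minor, revision, build), pad  -> 32-byte header
HDR = struct.Struct("<IIHHIIBBHII")

def build_image(payload, version, hdr_size=0x400):
    """Constructed test image: padded header + payload + unprotected SHA256 TLV."""
    hdr = HDR.pack(IMAGE_MAGIC, 0, hdr_size, 0, len(payload), 0, *version, 0)
    body = hdr.ljust(hdr_size, b"\xff") + payload
    digest = hashlib.sha256(body).digest()
    tlv = struct.pack("<HH", TLV_SHA256, len(digest)) + digest
    return body + struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlv)) + tlv

def make_slot(image, slot_size, with_magic=True):
    """Image at the slot start, 0xFF fill, the 16-byte magic at the slot end (Figure 4)."""
    tail = TRAILER_MAGIC if with_magic else b"\xff" * 16
    return image.ljust(slot_size - 16, b"\xff") + tail

def evaluate_candidate(slot, installed_version):
    """Return 'no candidate', one of the manual's error strings, or 'candidate ok'."""
    usable = len(slot) - 16                      # bytes before the trailer magic
    if slot[-16:] != TRAILER_MAGIC:
        return "no candidate"
    if usable < HDR.size or slot[:4] != struct.pack("<I", IMAGE_MAGIC):
        return "Image format error: header magic missing"
    _m, _load, hdr_size, prot, img_size, _flags, maj, mn, rev, _build, _ = HDR.unpack_from(slot, 0)
    prot_end = hdr_size + img_size + prot        # header + payload + protected TLVs
    if prot_end + 4 > usable:
        return "Image size not consistent"
    info_magic, tlv_tot = struct.unpack_from("<HH", slot, prot_end)
    if info_magic != TLV_INFO_MAGIC or prot_end + tlv_tot > usable:
        return "Image size not consistent"
    off, end, found = prot_end + 4, prot_end + tlv_tot, None
    while off + 4 <= end:                        # walk the unprotected TLV area
        t_type, t_len = struct.unpack_from("<HH", slot, off)
        if t_type == TLV_SHA256:
            found = slot[off + 4:off + 4 + t_len]
        off += 4 + t_len
    if found != hashlib.sha256(slot[:prot_end]).digest():
        return "Integrity failure: SHA256 TLV mismatch"
    if (maj, mn, rev) < tuple(installed_version[:3]):   # lower than installed -> erase
        return "Version check failure"
    return "candidate ok"
```

Run it against a dump of the secondary slot taken before reset to see which of the manual's error paths the bootloader will take.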
Errors:
UM2852
Operational guidance for the integrator role
UM2852 - Rev 1
page 17/27