Together with NXP, the Embedded Systems Academy (Esacademy) developed a secure CAN FD bootloader based on the CANcrypt security protocols.
The bootloader is available to users of the LPC546xx as a free download. It is a “secondary bootloader”, meaning that it only secures the added bootloading channel, in this case the CAN FD interface. Someone with physical access to the LPC546xx will always be able to use the primary, on-chip bootloader to re-flash the device with any code; the secure bootloader therefore protects against unauthorized parties on the CAN FD bus, not against an attacker holding the board.
The security system of the bootloader uses two security levels, each based on a symmetric key (128 bit by default, optionally up to 1024 bit). On the CAN FD communication level, the CANcrypt protocol is used to ensure that only an authorized communication partner can activate the bootloader, erase the flash memory and send new code to the LPC546xx. The CANcrypt connection key used for this level is generated by the system builder or integrator that initially assembles the entire system.
On the file transfer level, the file containing the new code to be loaded is encrypted using an encryption and authentication method based on a code protection key that gets programmed into the LPC546xx at the same time as the bootloader is installed (typically at the manufacturer's end-of-line assembly and test).
These two levels separate the security features between the manufacturer on one side and the system integrator/builder or service technician on the other. Only an authorized technician will be able to connect a diagnostic device or software to the bootloader. At this security level alone, however, it is not possible to generate authorized firmware; that requires an additional key known only to the manufacturer.
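To make the two-key separation concrete, the following is an added illustration, not code from Esacademy, NXP or the CANcrypt protocol: a channel check keyed with a connection key, and a firmware container that is encrypted and authenticated with a separate code protection key. The message layout, the key values, the challenge-response shape and the HMAC-SHA256 counter-mode keystream (a stdlib stand-in for a proper AEAD such as AES-GCM) are all assumptions made for the example.

```python
"""Two-level key separation for a secure bootloader (illustrative example).

Level 1 (channel): a challenge-response keyed with the CONNECTION key decides
whether a peer may activate the bootloader at all.
Level 2 (file transfer): the firmware container is encrypted and authenticated
with the CODE PROTECTION key, which the channel peer does not hold.
Keys, message layout and cipher are assumptions for this example, not the
CANcrypt or Esacademy formats.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed sample keys; real keys are provisioned per device, never hard-coded.
CONNECTION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")       # integrator / technician
CODE_PROTECTION_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # manufacturer only

MAGIC = b"FWC1"   # assumed container header
NONCE_LEN = 16
TAG_LEN = 32


# ---- Level 1: channel authentication with the connection key ----------------
def channel_response(connection_key: bytes, challenge: bytes) -> bytes:
    """Peer answers the bootloader's challenge with an HMAC over it."""
    return hmac.new(connection_key, b"activate" + challenge, hashlib.sha256).digest()


def bootloader_admits_peer(connection_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Bootloader side: constant-time comparison against the expected response."""
    return hmac.compare_digest(channel_response(connection_key, challenge), response)


# ---- Level 2: firmware container with the code protection key ---------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(code_protection_key: bytes):
    """Derive independent encryption and MAC keys from the code protection key."""
    enc = hmac.new(code_protection_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(code_protection_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def build_image(code_protection_key: bytes, firmware: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Manufacturer side: encrypt-then-MAC. Layout: MAGIC | nonce | ciphertext | tag."""
    enc_key, mac_key = _subkeys(code_protection_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = bytes(a ^ b for a, b in zip(firmware, _keystream(enc_key, nonce, len(firmware))))
    body = MAGIC + nonce + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def bootloader_accepts_image(code_protection_key: bytes, container: bytes) -> Optional[bytes]:
    """Device side: verify the tag BEFORE decrypting; return plaintext, or None to reject."""
    if len(container) < len(MAGIC) + NONCE_LEN + TAG_LEN or not container.startswith(MAGIC):
        return None
    enc_key, mac_key = _subkeys(code_protection_key)
    body, tag = container[:-TAG_LEN], container[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered image: nothing reaches flash
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = body[len(MAGIC) + NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def technician_scenario() -> dict:
    """A technician holding only CONNECTION_KEY can open the channel but not author firmware."""
    challenge = b"\x01" * 16  # constructed; a real bootloader draws this at random
    opened = bootloader_admits_peer(CONNECTION_KEY, challenge,
                                    channel_response(CONNECTION_KEY, challenge))
    forged = build_image(CONNECTION_KEY, b"malicious firmware", nonce=b"\x00" * NONCE_LEN)
    genuine = build_image(CODE_PROTECTION_KEY, b"release firmware", nonce=b"\x00" * NONCE_LEN)
    tampered = bytearray(genuine)
    tampered[len(MAGIC) + NONCE_LEN] ^= 0x01  # flip one ciphertext byte
    return {
        "channel_opened": opened,
        "forged_accepted": bootloader_accepts_image(CODE_PROTECTION_KEY, forged) is not None,
        "genuine_plaintext": bootloader_accepts_image(CODE_PROTECTION_KEY, genuine),
        "tampered_accepted": bootloader_accepts_image(CODE_PROTECTION_KEY, bytes(tampered)) is not None,
    }


if __name__ == "__main__":
    print(technician_scenario())
```

The point the scenario makes is the one the article describes: the connection key lets the peer through the first gate, but an image built with it (or a single flipped byte in a genuine image) fails the tag check at the second gate, and the device never decrypts or flashes it. Verifying the tag before decrypting, with a constant-time compare, is what keeps the file-transfer level independent of the channel level.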
The version for free download is a binary only and uses pre-selected cipher algorithms and a fixed default configuration for parameters such as CAN FD bit rates, CAN IDs, and the timings and timeouts used. The full source code is available from Embedded Systems Academy, giving users control over all configuration parameters and the cipher algorithms used.