
As automotive electronics become more intelligent, designers must meet stringent functional‑safety targets while also protecting systems from unauthorized access. A key part of this security strategy is a secure debug mechanism that limits access to the device’s debug port.
NXP’s S32K3 series MCUs address this need with a Hardware Security Engine (HSE) and a multi‑level lifecycle management scheme that control access to debug interfaces throughout the product lifecycle.
This article explains how to perform secure debugging on an S32K3 device using IAR Embedded Workbench for Arm, part of the IAR embedded development platform.
Lifecycle states and debug privileges
Each S32K3 MCU tracks its lifecycle (LC) internally, with states such as CUST_DEL, OEM_PROD, IN_FIELD and PRE_FA. The lifecycle moves forward only; there is no way to revert to an earlier stage. During early phases (e.g., manufacturing and development), debug features and HSE interfaces are accessible. Once the device moves beyond CUST_DEL, debug access should be restricted. In these later stages the device can be marked “Trusted,” meaning a secure authentication must be passed before the debug port will open.
Secure debug authentication modes
When the debug port is locked, the debugger must authenticate. NXP offers two modes:
- Static Authentication: The debugger supplies a pre‑programmed 128‑bit Application Debug Key/Password (ADKP) after each reset. If it matches the value stored in the device, the debug interface is unlocked.
- Dynamic Authentication: After each reset, the device generates a challenge. The debugger performs a cryptographic computation on this data and returns a response. Only the correct response will unlock the port.
Both modes are configured via the HSE while the MCU is still in the CUST_DEL phase, using the HSE_DEBUG_AUTH_MODE_ATR_ID service. You can choose a key that is either independent of the MCU’s unique ID (“without UID diversification”) or derived from it (“with UID diversification”).
Locking the debug port
- Program the ADKP: The 128‑bit Application Debug Key/Password (ADKP) is an OTP attribute managed by the Hardware Security Engine (HSE). Lock the debug port by programming the ADKP, either by running custom code that burns the key directly or by configuring it through the HSE.
- Advance the lifecycle: Move the MCU’s lifecycle beyond the CUST_DEL phase (e.g., to OEM_PROD or IN_FIELD). The debug port will then be protected based on the ADKP configuration. Always set the ADKP before transitioning to the next lifecycle stage.
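The following host-side model is an added example, not NXP or IAR code. It walks through the ordering rule above (ADKP first, then lifecycle advance) and the difference between the two authentication modes across resets. The class `DeviceModel`, the function `respond` and the HMAC-SHA256 response are assumptions made for illustration; the article does not specify the real challenge-response computation.

```python
import hashlib
import hmac
import secrets

LIFECYCLE = ["CUST_DEL", "OEM_PROD", "IN_FIELD", "PRE_FA"]  # order as listed in the article


def respond(adkp: bytes, challenge: bytes) -> bytes:
    # Stand-in computation (assumption): the real algorithm is not given in the article.
    return hmac.new(adkp, challenge, hashlib.sha256).digest()


class DeviceModel:
    """Toy model of the debug-port gating described above (not HSE firmware)."""

    def __init__(self):
        self.lc = "CUST_DEL"
        self.adkp = None        # OTP attribute: written once
        self.mode = None        # "static" or "dynamic", chosen while in CUST_DEL
        self.challenge = None

    def program_adkp(self, key: bytes, mode: str):
        if self.lc != "CUST_DEL" or self.adkp is not None:
            raise PermissionError("ADKP and auth mode are set once, in CUST_DEL")
        if len(key) != 16 or mode not in ("static", "dynamic"):
            raise ValueError("ADKP must be 128 bits; mode is static or dynamic")
        self.adkp, self.mode = key, mode

    def advance(self, target: str):
        if LIFECYCLE.index(target) <= LIFECYCLE.index(self.lc):
            raise ValueError("lifecycle only moves forward")
        if self.adkp is None:   # provisioning check enforcing the article's ordering rule
            raise RuntimeError("program the ADKP before leaving CUST_DEL")
        self.lc = target

    def reset(self):
        """Each reset re-locks the port; dynamic mode issues a fresh challenge."""
        self.challenge = secrets.token_bytes(16) if self.mode == "dynamic" else None
        return self.challenge

    def unlock(self, credential: bytes) -> bool:
        if self.lc == "CUST_DEL":
            return True         # development phase: debug is accessible
        if self.mode == "dynamic" and self.challenge is None:
            return False        # no challenge issued yet
        expected = self.adkp if self.mode == "static" else respond(self.adkp, self.challenge)
        return hmac.compare_digest(credential, expected)
```

In the model, the static credential is the same value after every reset, while a dynamic response is only valid for the challenge issued after the most recent reset.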
Secure Debug Assist Firmware (SDAF) tool
NXP provides Secure Debug Assist Firmware (SDAF) to help implement both static and dynamic authentication in IAR Embedded Workbench. SDAF performs tasks such as:
- Deriving an ADKP from the MCU’s UID.
- Encapsulating the ADKP (with RSA‑2048).
- Registering the encapsulation key in a local database.
SDAF works alongside IAR’s debug scripts to automate the authentication process. It is included in NXP’s S32 Design Studio installation; consult NXP for additional details.
Secure debugging (static authentication) procedure
Development environment: IAR Embedded Workbench for Arm v9.60.4 + I-jet debug probe
1. Prepare the target:
a) Debug the NXP S32K3 MCU with its port locked
b) Get the UID: In the debugger options, set --macro_param vlk_path="C:/NXP/S32DS.3.5/S32DS/tools/S32Debugger/Debugger/Server/CCS/bin" and attempt to start debugging. The session will fail due to authentication, but the UID will be printed in the Debug log. (Only required when using UID diversification.)
c) Get ADKP: Obtain the 128‑bit Application Debug Key/Password (ADKP) from your security administrator. In this example, the key is 0x00112233445566778899AABBCCDDEEFF
2. Derive a UID‑based key (only for UID diversification): With administrator privileges, run the SDAF tool’s volkano_utils.exe derive_adkp command to derive a UID‑dependent ADKP from the chip’s UID.
3. Enter the key in the debugger options:
a) Without UID diversification: use the original ADKP (e.g. 0x00112233445566778899AABBCCDDEEFF).
b) With UID diversification: use the derived ADKP from Step 2 (e.g. 0xB61A47A672A895E0F384EA32EBD99626).
4. Start debugging: When connecting, the script calls _ExecDeviceCoreConnect() → _authentication() → _key() to write the key into the appropriate registers.
5. Verify debug access: After writing the key, _authentication() checks whether JTAG debugging is open. If it is, debugging continues; otherwise the session terminates.
Summary
This guide shows how to perform secure debugging of NXP S32K3 MCUs using IAR Embedded Workbench, focusing on static authentication. Dynamic authentication is supported as well. For further details, explore the references below, visit IAR comprehensive development solutions or request a demo with our technical experts.
References:
1. NXP S32K3xx Reference Manual
2. NXP S32K3xx Lifecycle Management
3. K312 No HSE secure debug operation
4. IAR Embedded Workbench for Arm C-SPY® Debugging Guide