I studies and tried the lockbox example without overlays. I ran it on BF518-EZ-KIT lite.
I saw that after authenticating of the secure_function there is a call to log_authentication_results function. This second function isn't authenticated, therefor can create a security breach, as it runs in secure mode but can be changed by attacker.
Generally speaking, the example shows how a single function can be authenticated but not a full application (or even two function application).
Can someone explain the security breach in the example app? and how can I authenticate a full application?