S32K中的主题 Re: CSEC - CMAC verify issue with various message sizes

CSEC - CMAC verify issue with various message sizes

Vojtech — Fri, 01 Sep 2023 06:52:42 GMT

Hello,

I face a problem with CMAC verification, if message has some specific lengths (verification fails when message length is equal to red lines):

Pls see attached pdf for details.

Do I something wrong, or should be there done some fix in "Csec_Ip.c" ?

Thanks

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Thu, 07 Sep 2023 10:34:30 GMT

Hi @Vojtech,

Your issue occurred because you configured "Func form at" equal 0 for writing all of pages. This is a solution for your situation:

With the writing first page, you need to configure "Func form at" equal 0, and from next pages, you have to configure "Func form at" equal 1 to it was saved consecutive with the previous pages in the flash memory.

If you configure "Func form at" equal 0 for next pages then those pages will don't be saved don't consecutive with previous page in the flash memory and cause your issue.

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

Vojtech — Fri, 08 Sep 2023 06:27:19 GMT

Hello Dan,

thanks for quick response !

I use csec driver from "Csec_Ip.c". I use copy version (not pointer version) of cmac verification function Csec_Ip_VerifyMac(). As can be seen on below printscreen so I want to verify 656/8=82 bytes (just an example).

From Csec_Ip_VerifyMac() is then called Csec_Ip_StartVerifMACCmd() -> Csec_Ip_WriteCommandHeader()

In Csec_Ip_WriteCommandHeader() is this:

Definition CSEC_IP_FUNC_FORMAT_COPY (which is 0) is fixed here and I am not able to change it to 1.

"Func form at" equal to 1 is used in pointer version of Csec_Ip_VerifyMacAddrMode():

But I am not using API call Csec_Ip_VerifyMacAddrMode().

So how should I change "Func form at" equal to 1 if it is internal definition of the "Csec_Ip.c" ?

Thank you

Vojtech

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Tue, 12 Sep 2023 02:26:37 GMT

Hello @Vojtech,

Could you send me your demo project? I'm going to check from my site.

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Tue, 26 Sep 2023 11:48:29 GMT

Hello @Vojtech,

Sorry because I have a bit confusion. You need to use "CallSeq = 0x01: 2nd through nth Function Call"

instead of use "CallSeq = 0x0".

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

Vojtech — Mon, 09 Oct 2023 13:08:48 GMT

Hello Dan,

I have not found any function in CSEc API for changing value of CallSeq variable.

Actually CSEc driver should care about CallSeq by itself I think:

CMAC verification fails even if there is requested to verify 81-96 bytes, where page2-page7 should be sufficient (CallSeq = 0x01 is enough). What do you think about my proposed correction of CSEc driver as I wrote in attached pdf in initial question?

I can explain in the call if needed.

Thank you

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Wed, 11 Oct 2023 11:58:04 GMT

Hello @Vojtech,

Follow to " CMD_VERIFY_MAC" in reference manual, we have:

In your situation, n = 1 and MESSAGE_LENGTH must be 128 bytes => you only have data from page 0 => page 6th. So, you have to fill all of data of page 7th equal to 0 to enough 128 bytes (7 pages data + 1 page with padding value).

For example:

You got issue because you wrote 7 pages instead of 8 pages - enough 128 byte (7 pages data + 1 page with padding value).

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

Vojtech — Thu, 12 Oct 2023 10:53:54 GMT

Hello Dan,

I am using NXP CSEc driver:

So I can use only non-static functions from Csec_Ip.c source file (only functions from API as printscreened in previous post). So I should not anyhow directly solve filling of PRAM interface (this is done internally by NXP CSEc driver).

I just use this function for CMAC verification (I just provide as input arguments: message buffer, message size in bits, key etc.):

When I changed the code in this NXP CSEc driver (as described in the pdf attached to original post), so everything seems to work fine - but it is RTD source file, so it should not be changed by me. I can show in a call if needed. Or do I miss something?

Thanks

Vojtech

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Tue, 17 Oct 2023 07:18:14 GMT

Hello @Vojtech,

Sorry because my late response.

I saw your issue when I test cmac verify with 82 bytes. I created a ticket(SECRDR-1922) for this issue.

The development team will help me analyze this issue. I'm going to inform you when they analyze it completely.

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Tue, 07 Nov 2023 08:15:03 GMT

Hello @Vojtech,

The development team confirmed this is a bug. It will be fixed on the releases in the future.

Best regards,

Dan

Re: CSEC - CMAC verify issue with various message sizes

Vojtech — Tue, 16 Apr 2024 06:13:35 GMT

Hello Dan @DanNguyenDuy ,

was this issue already corrected in any release? Or would you know in what release it will be corrected?

Thank you

Vojtech

Re: CSEC - CMAC verify issue with various message sizes

DanNguyenDuy — Tue, 16 Apr 2024 06:18:40 GMT

Hello @Vojtech,

This issue was fixed on the S32K1XX_S32M24x_2.0.0_P03 release.

Best regards,

Dan