Other NXP ProductsのトピックRe: Secure Boot using CSE on Multiple Blocks-S32R294

Secure Boot using CSE on Multiple Blocks-S32R294

Venkat_Mod26 — Wed, 06 Jul 2022 08:56:36 GMT

--> Hello community,
I am using S32R294 for a Project and trying to understand the implementation of Secure boot on multiple Blocks, We have CSE_SECURE_BOOT command that can verify MAC for one Block (say Boot ), what is the best way to Implement such MAC verifications for multiple Blocks ?

I have gone through a use case of Chain of trust method, which i feel is not a best way as we might be using fixed keys during the Build time, are there any other ways ?

can't we use Generate_MAC to calculate a MAC on a Bin block and store it in any PFLASH ? followed by Verify _MAC to verify it ? can we store the Generated MAC into any of the available Key slots and use it later for verification ?

Thank you in Advance!

Re: Secure Boot using CSE on Multiple Blocks-S32R294

petervlna — Fri, 08 Jul 2022 11:36:18 GMT

Hello,

I have asked application team for help here.

I will reply once I have any news.

Best regards,

Peter

Re: Secure Boot using CSE on Multiple Blocks-S32R294

petervlna — Mon, 11 Jul 2022 11:59:12 GMT

Hello,

You are correct.

If you want to use multiple blocks then only the first block which is downloaded during secure boot is covered automatically.

You can use the GENERATE_MAC command to calculate the MAC for the other blocks and store it in flash as they have mentioned, this is really the only way to do a comparison using the VERIFY_MAC command. The MAC must be in plaintext for this comparison so it cannot be stored into a key slot.

Best regards,

Peter

Re: Secure Boot using CSE on Multiple Blocks-S32R294

Venkat_Mod26 — Mon, 11 Jul 2022 12:12:18 GMT

Thank you @petervlna for the feedback,

So, it is clear that using Key Slot to store MAC is not a good option, But storing MACs in flash region again causes a problem to Secure Storage, correct ?

--> We need a way to handle MAC values securely, any ideas on this ?

is OTAFD(On-the-Fly AES Decryption) a best option ? can we use OTAFD only to a small portion of Binary file(containing MACs) and store it in external flash encrypted, followed by decrypting the are only during MAC verification ?

Thank you!

Re: Secure Boot using CSE on Multiple Blocks-S32R294

petervlna — Wed, 13 Jul 2022 09:13:26 GMT

Hello,

You potentially could use the OTFAD, but for a small block of data like this it would be better to use the encryption function of the CSE to encrypt the MAC before writing to flash.

Then you can use the CSE to decrypt before doing the comparison.

You could use the ENC_ECB or ENC_CBC commands for the encryption.

Best regards,

Peter

Re: Secure Boot using CSE on Multiple Blocks-S32R294

Venkat_Mod26 — Thu, 14 Jul 2022 09:18:20 GMT

Thanks @petervlna, i think this is a good idea, let me check how well we could fit this solution in !
Will update here soon!

Re: Secure Boot using CSE on Multiple Blocks-S32R294

xiatian — Wed, 28 Dec 2022 05:43:08 GMT

do you have example for Generating format 1 key image?