AES issue using PUF key (SBKEK or USERKEK) on LPC55s06

Aurelien_Grange
Contributor III

Hi,

I would like to create a UART authentication using SBKEK or USERKEK.

I use blhost to send the AES key.

I follow AN12324 and keep only the code needed.

From AN12324_SW, the function "GetKey" seems to work (using keystore = 5 (CMPA) and keyIdx = 1 (SBKEK) or 2 (USERKEK)). All PUF functions return success.

The function HASHCRYPT_AES_EncryptEcb fails on hashcrypt_check_need_key because the HASHCRYPT_STATUS_NEEDKEY_MASK bit is set.

1) How does it work? Have you got an example?
2) I am a bit confused: the code from AN12324 initialises HashCrypt after getting the PUF key. Is that the correct order? (I also tried to initialise HashCrypt at the beginning but it does not work.)

I attach part of the code (I cut some sensitive code, and some parts are ugly (I have to qualify this function very quickly)); the code is tested in debug mode.

Aurelien_Grange
Contributor III

Is it possible to have both USERKEK and SBKEK?

Is the Activation Code generated each time we send a key (in which case the first key sent is lost if the activation code is not backed up), or is the activation code the same after each reset/power-up?

ZhangJennie
NXP TechSupport

You can set both SBKEK and USERKEK in the PFR keystore. You met a problem but I can't reproduce your issue.

Please let me know the detailed steps to reproduce the issue, including:

- SDK and IDE version.

- Whether blhost is used.

- How to revise the demo code to reproduce it.

The AC code is generated after a successful enroll. After setting a key, we get a keycode (KC); we then use the KC to get the key.

The AC will not change on power-on or reset.

Thanks,

Jun Zhang

Aurelien_Grange
Contributor III

Hi,

SDK is 2.10.1
IDE is V11.4.1

The first time, when I set only SBKEK, I used MCUXpresso Secure Provisioning (V3.1), and after that I use blhost (from SPSDK) V1.6.3.

I am all right with the AC code, but when only SBKEK is used I can encrypt/decrypt and check it's OK (in debug mode with breakpoints and manual checks).

I can't send you all the code, only the part of interest.

ZhangJennie
NXP TechSupport

Sorry, but we can't test with separate files.

Please make the necessary revisions to the NXP demo code and tell us the steps so that we can test it on our side directly.

Aurelien_Grange
Contributor III

Hi,

I can't do it since I have no more dev kits (all are bricked due to tests on SecureBoot).

Aurelien_Grange
Contributor III

Is it possible to overwrite USERKEK (blhost 11)? Does it work?

ZhangJennie
NXP TechSupport

Hi

I wonder how I can reproduce your issue.

Do you use an NXP demo board or a custom board?

Do you use AN12324_SW directly, or did you revise it for your application?

How can we reproduce your issue with a demo board?

Thanks,

Jun Zhang

Aurelien_Grange
Contributor III

Hi,

My apologies,

All works fine. I made a stupid error: I checked using sbkek.bin (as I use the same key for both to test), but the bytes are in reversed order. If I reverse the order of all bytes it works fine.

Sorry.

Have a good day.
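
The byte-order mismatch described in the post above, as an added example that is not part of the original thread or of NXP's code: a small C helper that reports whether a key buffer seen on the device equals the key file byte for byte, reversed end to end, or (going one case beyond the post) byte-swapped inside each 32-bit word. The names `classify_key_order` and `key_order_t` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How the key seen on the device relates to the bytes of the key file. */
typedef enum {
    KEY_ORDER_MATCH,        /* identical byte for byte */
    KEY_ORDER_REVERSED,     /* whole buffer reversed end to end */
    KEY_ORDER_WORD_SWAPPED, /* bytes reversed inside each 32-bit word */
    KEY_ORDER_MISMATCH      /* none of the above: a different key */
} key_order_t;

/* Compare a[i] with b[j(i)] under one ordering, with no early exit on a difference. */
static int equal_under(const uint8_t *a, const uint8_t *b, size_t len, key_order_t order)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) {
        size_t j = i;
        if (order == KEY_ORDER_REVERSED)
            j = len - 1 - i;
        else if (order == KEY_ORDER_WORD_SWAPPED)
            j = (i & ~(size_t)3) + (3 - (i & 3));
        diff |= (uint8_t)(a[i] ^ b[j]);
    }
    return diff == 0;
}

/* Hypothetical helper: report which byte ordering makes the two buffers agree. */
key_order_t classify_key_order(const uint8_t *file_key, const uint8_t *device_key, size_t len)
{
    static const key_order_t orders[] = { KEY_ORDER_MATCH, KEY_ORDER_REVERSED, KEY_ORDER_WORD_SWAPPED };
    if (len == 0 || (len % 4) != 0)
        return KEY_ORDER_MISMATCH;
    for (size_t n = 0; n < sizeof orders / sizeof orders[0]; n++)
        if (equal_under(file_key, device_key, len, orders[n]))
            return orders[n];
    return KEY_ORDER_MISMATCH;
}

int main(void)
{
    /* Constructed sample data, not a real key: 32 bytes and their end-to-end reversal. */
    uint8_t file_key[32], device_key[32];
    for (size_t i = 0; i < 32; i++) {
        file_key[i] = (uint8_t)(i + 1);
        device_key[31 - i] = file_key[i];
    }
    printf("ordering: %d\n", (int)classify_key_order(file_key, device_key, 32));
    return 0;
}
```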

ZhangJennie
NXP TechSupport

Hi

No problem. Thanks for sharing.

Have a nice day,

Jun Zhang

Aurelien_Grange
Contributor III

Hi,

I come back because the code tested using only USERKEK (blhost 11 key) works fine, but if I program an eval board with both USERKEK and SBKEK (blhost 3 key) it stops working.

I do the following:

/* kHASHCRYPT_SecretKey selects the secret key provided by the PUF rather than a user key */
m_handle.keyType = kHASHCRYPT_SecretKey;
status = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, keyAes, 32);
status = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, plaintext, ciphertext, 16);
status = HASHCRYPT_AES_DecryptEcb(HASHCRYPT, &m_handle, ciphertext, output, 16);

When only USERKEK is written I can check that plaintext = output, but when I write both keys (which are not equal) HASHCRYPT_AES_EncryptEcb returns 1 and the ciphertext is not correct (the function fails on hashcrypt_check_need_key).

The code tested was the same; I just did a new blhost enroll and provisioned both keys.