AES issue using PUF key (SBKEK or USERKEK) on LPC55s06

Aurelien_Grange
Contributor III

Hi,

I would like to create a UART authentication using SBKEK or USERKEK.

I use blhost to send the AES key.

I follow AN12324 and keep only the code needed.

From AN12324_SW, the function "GetKey" seems to work (using keystore = 5 (CMPA) and keyIdx = 1 (SBKEK) or 2 (USERKEK)). All PUF functions return success.

Function HASHCRYPT_AES_EncryptEcb fails on hashcrypt_check_need_key due to the HASHCRYPT_STATUS_NEEDKEY_MASK bit being set.

1) How does it work? Do you have an example?
2) I am a bit confused: the code from AN12324 initialises HashCrypt after getting the PUF key. Is that the correct order? (I also tried to initialise HashCrypt at the beginning, but it does not work.)

I attach part of the code (I cut some sensitive code, and some parts are ugly (I have to qualify this function very quickly)); the code is tested in debug mode.

Aurelien_Grange
Contributor III

Is it possible to have both USERKEK and SBKEK?

Is the Activation Code generated each time we send a key (in which case the first key sent is lost if the activation code is not backed up), or is the activation code the same after each reset/power-up?

ZhangJennie
NXP TechSupport

You can set both SBKEK and USERKEK in the PFR keystore. You met a problem, but I can't reproduce your issue.

Please detail the steps to reproduce the issue, including:

- SDK and IDE version.
- If blhost is used.
- How to revise the demo code to reproduce it?

The AC code is generated after a successful enroll. After setting a key, we get a keycode (KC), then we use the KC to get the key.

The AC will not change on power-on or reset.

Thanks,

Jun Zhang

 

Aurelien_Grange
Contributor III

Hi,

SDK is 2.10.1
IDE is V11.4.1

The first time, when I set only SBKEK, I used MCUXpresso Secure Provisioning (V3.1), and afterwards I use blhost (from SPSDK) V1.6.3.

I am all right with the AC code, but when only SBKEK is used I can encrypt/decrypt and check it's OK (in debug mode with a breakpoint and manual check).

I can't send you all the code, only the part of interest.

ZhangJennie
NXP TechSupport

Sorry, but we can't test with separate files.

Please make the necessary revisions to the NXP demo code and tell us the steps so that we can test it on our side directly.

Aurelien_Grange
Contributor III

Hi,

I can't do it since I have no more dev kits (all are bricked due to tests on SecureBoot).

Aurelien_Grange
Contributor III

Is it possible to overwrite USERKEK (blhost 11)? Does it work?

ZhangJennie
NXP TechSupport

Hi

I wonder how I can reproduce your issue.

Do you use an NXP demo board or a custom board?

Do you use AN12324_SW directly, or did you revise it for your application?

How can we reproduce your issue with a demo board?

Thanks,

Jun Zhang

Aurelien_Grange
Contributor III

Hi,

I apologize.

All works fine. I made a stupid error: I checked using sbkek.bin (as I use the same key for both to test), but the bytes are in reversed order. If I reverse the order of all bytes, it works fine.

Sorry.

Have a good day.

ZhangJennie
NXP TechSupport

Hi

No problem. Thanks for sharing.

Have a nice day,

Jun Zhang

Aurelien_Grange
Contributor III

Hi,

I come back because the code tested using only USERKEK (blhost 11 key) works fine, but if I program an eval board with both USERKEK and SBKEK (blhost 3 key) it stops working.

I do the following:

m_handle.keyType = kHASHCRYPT_SecretKey;
status = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, keyAes, 32);
status = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, plaintext, ciphertext, 16);
status = HASHCRYPT_AES_DecryptEcb(HASHCRYPT, &m_handle, ciphertext, output, 16);

When only USERKEK is written I can check that plaintext = output, but when I write both keys (which are not equal) HASHCRYPT_AES_EncryptEcb returns 1 and the ciphertext is not correct (the function fails on hashcrypt_check_need_key).

The code tested was the same; I just made a new blhost enroll and provisioned both keys.
