Hello,
I am trying to set USERKEK with blhost. As mentioned in the user guide, I set USERKEK with these commands:
blhost -p com4 -- key-provisioning enroll
blhost -p com4 -- key-provisioning set_user_key 11 userkey.bin
blhost -p com4 -- key-provisioning write_key_nonvolatile 0
I am trying to store a 128-bit AES key, so userkey.bin should be 16 bytes in size. However, it is mentioned that userkey.bin should be a plain text binary. My key file contains, for example:
Type userkey.bin
ABCDEFABCDEFABCDEFABCDEFABCDEFAB
This makes it 32 bytes in size (when trying to set a 32-byte key it is 64 bytes and cannot be set using blhost). When setting USERKEK with this userkey.bin, the encrypted cipher differs from what I am expecting, which makes me believe that the userkey.bin used is in the wrong format. I also tried converting the hex key into binary, which did not work either.
I cannot find any information about how to create a valid userkey.bin that can be imported correctly.
I hope you can help me. Thanks in advance!
cheers
The key's binary has to be correctly formatted, which can be done with the nxpimage utils convert hex2bin tool of the SPSDK.
For example, a txt file with the key as a hex number:
userkey.txt:
5468617473206d79204b756e67204675
results in
userkey.bin:
uF gnuK yM stahT
In the example mentioned here:
https://spsdk.readthedocs.io/en/latest/examples/lpc55sxx_secure_fw_update.html
SBKEK is generated using
nxpimage sb21 get-sbkek
I checked the generated key and it seems to be a reversed binary of the hex string.
I found a tool in SPSDK for converting hex plain text into a .bin file. I was not able to test this yet, but it might be the solution to my problem.
I have to say that the description in the blhost user guide and the LPC55S2x user guide is very misleading, as it says that a key in plain text binary form shall be provided.
Hello @TestNXP
Yes, you can use the SPSDK tool; blhost is included in it.
If you want to use the secure boot function, you can also consider the "MCUXpresso Secure Provisioning Tool".
It is based on the open-source Secure Provisioning SDK.
BR
Alice
Hello @TestNXP
key-provisioning is a blhost command; for detailed usage and examples you can refer to the <blhost User's Guide>, which I also attach for you.
4.2.23 key-provisioning <operation> [arguments…]
The key-provisioning command is a pack of several security related commands.
• enroll
Example: -- key-provisioning enroll
Enroll key provisioning feature. No argument for this operation.
• set_user_key <type><file>[,<size>]
Example: -- key-provisioning set_user_key 0xB userKey.bin
Send the user key specified by <type> to the bootloader. <file> is the binary file containing the user key plain text. If <size> is not specified, the entire <file> will be sent; otherwise, blhost only sends the first <size> bytes.
• set_key <type> <size>
Example: -- key-provisioning set_key 0x1 0x100
Generate <size> bytes of the key specified by <type>.
• write_key_nonvolatile [memoryID]
Example: -- key-provisioning write_key_nonvolatile 0x110
Write the key to a nonvolatile memory.
• read_key_nonvolatile [memoryID]
Example: -- key-provisioning read_key_nonvolatile 0x110
Load the key from a nonvolatile memory to bootloader.
• write_key_store <file>[,<size>]
Send the key store to the bootloader. <file> is the binary file containing the key store. If <size> is not specified, the entire <file> will be sent. Otherwise, only the first <size> bytes are sent.
• read_key_store <file>[,<size>]
Read the key store from the bootloader to the host (PC). <file> is the binary file in which to store the key store.
<type> and the corresponding <size> are target-specific values and vary between devices. For details, see the ROM chapter in the Reference Manual.
BR
Alice
It seems the key behind the generated and stored key code for USERKEK is simply all 0x00, because I get the same result by encrypting my plain text with an AES-128 key of all zeros. So when setting the user key with a plain text .bin file, something seems to go wrong.
I also tried following:
blhost -p com4 key-provisioning set_user_key 11 "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -s, --key-size 128
where XXX... is the key I want to store. This results in a different encrypted cipher, but still not the one I expect.
Hello @Alice_Yang ,
as I mentioned in my question, the user guide does not help me because it says there that the file shall be a plain text .bin file. However, a 32-byte key in plain text results in a 64-byte plain text binary. Trying to load a 64-byte plain text .bin with "-- key-provisioning set_user_key 11 userkey.bin" replies with the status "failure". Loading the key with "-- key-provisioning set_user_key 11 userkey.bin,32" succeeds, but the encrypted cipher differs from what I am expecting with the provided key.
Do you have an example key .bin file? Or a working example with all the files to load a key into USERKEK?
Also, in the application I am getting the key by using
FFR_KeystoreGetKC(&flashInstance, keyCode0, kFFR_KeyTypeUser);
PUF_GetHwKey(PUF, keyCode0, sizeof(keyCode0), kPUF_KeySlot0, rand());
HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, NULL, 16);