PUF AES : USERKEK is not accessible when SBKEK is set


870 Views
Aurelien_Grange
Contributor III

Hi,

I am trying to implement a customer identification test using USERKEK and the AES engine.

I use blhost to program USERKEK (blhost 11 key) and all works fine (I can encrypt / decrypt using this key), but if I program an eval board (LPC55S06-EVK) with both USERKEK and SBKEK (blhost 3 key) it stops working.

I do the following:


m_handle.keyType = kHASHCRYPT_SecretKey;
status = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, keyAes, 32);
status = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, plaintext, ciphertext, 16);
status = HASHCRYPT_AES_DecryptEcb(HASHCRYPT, &m_handle, ciphertext, output, 16);

When only USERKEK is written I can check that plaintext = output, but when I write both keys (which are not the same) HASHCRYPT_AES_EncryptEcb returns 1 and the ciphertext is not correct (the function fails in hashcrypt_check_need_key).

 

The source code tested was the same; I just did a new blhost enroll and provisioned both keys.

0 Kudos
3 Replies

827 Views
Aurelien_Grange
Contributor III

Hi Diego,

I have no more boards so I can't run new tests.

I never write the AC in CMPA since I use blhost enroll/write-provisioning to store the internally generated key.

 

In my first attempt I used code similar to yours (whereas I use SBKEK) and it worked well. I had some issues afterwards when I tried to store both SBKEK and USERKEK. Should I have to store both AC and USERKEK in CMPA? It is easier in production to use the same CMPA file but send different keys with blhost.

 

Yes, I have sent both sequentially.

 

Is the AC in PFR lost if I first enroll/provision/write using blhost and then send the default CMPA (without AC or USERKEY)? I follow the stream from Secure Provisioning.

If you have some µC (LPC55S06JBD64E) in stock, I need 7 to repair my bricked dev kit...

Have a good day.

Aurélien

0 Kudos

824 Views
diego_charles
NXP TechSupport

Hi @Aurelien_Grange 

Many thanks for your reply!

I have been testing having both USERKEK and SBKEK on the LPC55S69 (the chip available from my side).

Both should be able to coexist; in other words, you can retrieve USERKEK while executing a Secure Boot (SB) application that uses SBKEK, or do not enable SB and have SBKEK stored.

Regarding :

Should I have to store both AC and USERKEK in CMPA?

You can, but it is preferred to use the Key Code Storage area of PFR.

Is the AC in PFR lost if I first enroll/provision/write using blhost and then send the default CMPA (without AC or USERKEY)?

No, assuming that the AC is stored in the Key Code Storage. For example, if you are using the USERKEK, clearing the CMPA should not affect the AC.

If you have in stock some µC (LPC55S06JBD64E) I need 7 to repair my bricked dev kit...

As much as I would like to, I do not have the capability to do this. Please help me by contacting your FAE to see about any samples.

For reference I will share the process I followed for this.

1 Word Secure Boot 4096.docx shows an example setup to enable secure boot (please note that it is not an officially recommended setup and is based on AN12283).

puf_hashcrypt_crypto_sbkek_pfr.c is based on the puf_hashcrypt_crypto SDK example. This demo retrieves the USERKEK stored in PFR (and AC). Please note that the user key and an expected cipher from that key are embedded in the example. The program will restore the user key to the hashcrypt internal hardware bus. Then a cipher will be created by hashcrypt using that restored user key. Finally that cipher will be compared to the expected cipher.

Implementing USERKEK and Secure boot.docx explains the steps that I implemented for testing Secure boot and use of the user key.

I still would like to see if I could replicate the problems you are reporting or provide further feedback on your process. Let me know if there is anything else I could comment on.

Many thanks

Diego

     

0 Kudos

838 Views
diego_charles
NXP TechSupport

Hi @Aurelien_Grange 

I hope that you are doing great! I got a couple of points here:

1 Please make sure to test on the latest LPC55S06 SDK version. This is to get the latest driver updates on the IAP FFR APIs, etc.

2 Are you able to get the same issue if you call the PUF_SetUserKey function to set a new key?

I believe that you already stored the AC and USERKEY keycode in CMPA. I am leaving pseudocode below where this is omitted.

 

result = PUF_SetUserKey(PUF, kPUF_KeyIndex_00, s_userKey256, 32, keyCode0, sizeof(keyCode0));

GetRandomData32(&random);
/* Reconstruct key from keyCode0 to HW bus for crypto module */
result = PUF_GetHwKey(PUF, keyCode0, sizeof(keyCode0), kPUF_KeySlot0, random);
HASHCRYPT_Init(HASHCRYPT);
hashcrypt_handle_t m_handle;

/* Encrypt plaintext via Hashcrypt using HW secret key */
m_handle.keyType = kHASHCRYPT_SecretKey;
result = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, NULL, 32);
result = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, s_EcbPlain, cipher2, sizeof(s_EcbPlain));

 

3 I want to narrow down your issue. To do so, we would need to check the procedure you used. Please help me to check the points below:

    1 Enroll PUF and store AC and UserKEK. Which method did you use?

    2 Demo program. I recommend basing this on our SDK examples. Which reference did you take?

    3 Enable Secure Boot. Did you sequentially provision both keys using BLHOST?

 

.\blhost\win\blhost.exe -V -p COM32,57600 -- key-provisioning set_user_key 3 ".\temp\tempSbkek.bin"

.\blhost\win\blhost.exe -V -p COM32,57600 -- key-provisioning set_user_key 11 ".\temp\UserKek.bin"

 

 

My apologies for the delay.

Diego

 

0 Kudos