- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
- Home
- :
- General Purpose Microcontrollers
- :
- LPC Microcontrollers
- :
- PUF AES : USERKEK is not acessible when SBKEK is set
PUF AES : USERKEK is not acessible when SBKEK is set
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
PUF AES : USERKEK is not acessible when SBKEK is set
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I try to implement a customer identification test using USERKEK and AES engine.
I use blhost to program USERKEK (blhost 11 key) and all works fine (I can encrypt / decrypt using this key), but if I program an eval board (LPC55S06-EVK) with both USERKEK and SBKEK (blhost 3 key) it's stop working.
I do the following ;
m_handle.keyType = kHASHCRYPT_SecretKey;
status = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, keyAes, 32);
status = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, plaintext, ciphertext, 16);
status = HASHCRYPT_AES_DecryptEcb(HASHCRYPT, &m_handle, ciphertext, output , 16);
When only USERKEK is written I can check that plaintext = output, but when I write both key (which are not the same) HASHCRYPT_AES_EncryptEcb return 1 and cyphertext is not correct (function fail on hashcrypt_check_need_key).
The source code tested was the same, i just make a new blhost enroll and provising both key.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Diego,
I have no more board so I can't make new test.
I nerver write AC in CMPA since I use blhost enroll/write-provisioning to store internal generated key.
In my first attempt I use a similar code to yours (whereas i use SBKEK) and it work well. i have some issues after when I try to store both SBKEK and USERKEK; Should i have to store both AC and USERKEK in CMPA? it is easier in production to use the same CMPA file but send différent key with blhost.
Yes i have send both sequantialy.
Does AC in PFR loosed If i first enroll/provisioning/write using blhost and then send default CMPA (without AC nor USERKEY)? I follow the stream from Secure Provisionning.
If you have in stock some µC (LPC55S06JBD64E) i need 7 to repair my bricked dev kit...
Have a good day.
Aurélien
diego_charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for your reply!
I have been testing having both USERKEK and SBKEK on the LPC55s69 ( the chip available from my side)
Both should be able to coexist, in other words you can retrieve USERKEK while executing a Secure boot (SB )application that uses SBKEK, or do not enable SB and have SBKEK stored.
Regarding :
Should I have to store both AC and USERKEK in CMPA?
You can, but it is preferred to use the Key Code Storage area of PFR.
Does AC in PFR loosed If i first enroll/provisioning/write using blhost and then send default CMPA (without AC nor USERKEY)?
No, assuming that the AC is stored in the Key Code Storage. For example if you are using the USERKEK, clearing the CMPA should not affect the AC.
If you have in stock some µC (LPC55S06JBD64E) I need 7 to repair my bricked dev kit...
As I much I would like, I do not have the capability to do this. Please help me to contacting your FAE to see for any sample.
For reference I will share the process I followed for this.
1 Word Secure Boot 4096.docx shows an example setup to enable secure boot (please note that it is not a oficial recommend setup and is based on AN12283 )
2 puf_hashcrypt_crypto_sbkek_pfr.c is based on puf_hashcrypt_crypto SDK example. This demo retrieves the USERKEK stored in PFR (and AC). Please note that the user key and a expected cypher from that key are embedded in the example. The program will restore user key to hashcript internal hardware bus. Then a cypher will be created by hashcrypt using that restored userkey. Finally that cypher will be compared to expected cypher.
3 Implementing USERKEK and Secure boot.docx Explains the steps that I implemented for testing Secure boot and use of user key.
I still would like to see if I could replicate the problems you are reporting or provide further feedback on your process. Let me know if there is anything else where I could comment on.
Many thanks
Diego
diego_charles
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I hope that you are doing great! I got a couple of points here:
1 Please make sure to test on the latest LPC55s06 SDK version. This to get the latest driver updates on IAP FFR apis, etc.
2 Are you able to get the same issue if you call the the PUF_SetUserKey function to set a new key?
I believe that you already stored in CMPA the AC and USERKEY keycode. I am leaving a pseudocode below where this is ommited.
result = PUF_SetUserKey(PUF, kPUF_KeyIndex_00, s_userKey256, 32, keyCode0, sizeof(keyCode0));
GetRandomData32(&random);
/* Reconstruct key from keyCode0 to HW bus for crypto module */
result = PUF_GetHwKey(PUF, keyCode0, sizeof(keyCode0), kPUF_KeySlot0, random);
HASHCRYPT_Init(HASHCRYPT);
hashcrypt_handle_t m_handle;
/* Encrypt plaintext via Hascrypt using HW secret key */
m_handle.keyType = kHASHCRYPT_SecretKey;
result = HASHCRYPT_AES_SetKey(HASHCRYPT, &m_handle, NULL, 32);
result = HASHCRYPT_AES_EncryptEcb(HASHCRYPT, &m_handle, s_EcbPlain, cipher2, sizeof(s_EcbPlain));
3 I want to narrow down your issue. To do so, we would need to check the procedure you used, please help me to check below:
1 Enroll puff and store AC and UserKEK. Which method did you used?
2 Demo program. I recommend to base this on our SDK examples. Which reference you took?
3 Enable Secure Boot. Did you sequentially provision both keys using BLHOST?
.\blhost\win\blhost.exe -V -p COM32,57600 -- key-provisioning set_user_key 3 ".\temp\tempSbkek.bin"
.\blhost\win\blhost.exe -V -p COM32,57600 -- key-provisioning set_user_key 11 ".\temp\UserKek.bin"
My apologies for the delay.
Diego
