Secure Encrypted Ethernet Communication using FRDM-A-S32K344

 Find the code in Application Code Hub as Secure Encrypted Ethernet End Nodes

This project implements a configurable secure encrypted Ethernet communication node that can operate in three different modes—Transmit (TX), Receive (RX) and Intruder —selected at build time using compile‑time macros. Depending on which macro is enabled during compilation, the firmware conditionally includes only the logic required for that mode.

/* Macro for NODE selection: Select TX_BOARD, RX_BOARD or INTRUDER_BOARD and
 * flash its corresponding profile */
#define TX_BOARD            (1u) /* TX_BOARD is selected */
#define RX_BOARD            (0u)
#define INTRUDER_BOARD      (0u)

TX Node Mode (TX_BOARD) - In this mode, the device encrypts an image and transmits Ethernet frames when the transmission button is pressed. If the encrypt button is pressed, the Ethernet frames will contain the encrypted image. If the encrypt button is not pressed, the Ethernet frames will contain the base image.

RX Node Mode (RX_BOARD) - The device listens for incoming Ethernet frames and processes the data to display the received image in the LCD display. When the encrypt button is pressed the decryption is enabled.

Intruder Node Mode (INTRUDER_BOARD) - The device listens for incoming Ethernet frames and processes the data to display the received image in the LCD display. Intruder does not have access to decryption.

This project has the option to define if the on-board push buttons are used or external user push buttons connected to PTE24 and PTE25.

/* Macro for BUTTON selection: Select INTERNAL_BUTTONS or EXTERNAL_BUTTONS and
 * flash its corresponding profile.*/
#define INTERNAL_BUTTONS    (1u) // SW2   = Encryption, SW3   = Transmission
#define EXTERNAL_BUTTONS    (0u) // PTE24 = Encryption, PTE25 = Transmission

Application Description

The application runs on an NXP S32K344 MCU and demonstrates a complete image encryption, transmission, reception, and optional encryption pipeline.

The code encrypts an image using the HSE, transmits it over Ethernet, receives encrypted data, decrypts it using HSE, and displays it. The summarized functionality is the next:

• LCD Display Handling: Initializes an LCD via LPSPI1 and displays an embedded bitmap image
• AES-128 Encryption/Decryption (ECB mode): Uses Crypto_43_HSE AUTOSAR Crypto Driver, offloads all crypto operations to the Hardware Security Engine (HSE), splits an image into 64‑byte blocks, encrypts each block with AES‑128 ECB
• Ethernet Transmission (GMAC): Encapsulates encrypted image data into Ethernet frames, Sends frames over GMAC0 and receives incoming frames and reconstructs the encrypted image
• User Interaction via Buttons: SW3 starts transmission and SW2 grants encryption

Algorithm

1. The main function initialize all pin routing, peripherals and LCD over SPI.
2. Performs setup for Crypto Driver and HSE by loading a key and mark it as valid.
3. (TX) The image stored as a bitmap in ImageDataAuto[] is split into blocks of 64 bytes in order to perform the encryption and store the encrypted output in EncryptedImage[] for secure Ethernet transmission.
4. (TX) Ethernet frame is built manually and is broken into frames of 1024 bytes.
5. (TX) Transmission starts when the transmit button is pressed. When all image data is sent then the transmission resets.
6. (RX) Incoming Ethernet frames are processed in the emac_rx_callback(…) where the payload bytes are extracted and appended into the EncryptedImage[] array.
7. (RX) Once all the image bytes arrives a flag is activated to show the image in the infinite loop.
8. (Intruder) The intruder board can sniff the image sent as long as the Encrypted Button is not pressed.
9. (Intruder) If the Encrypted Button is pressed, intruder board will receive the encrypted array and not be able to decrypt.

Crypto Driver and HSE

This project makes extensive use of the AUTOSAR Crypto Stack, specifically the Crypto_43_HSE driver and the HSE embedded hardware module as the accelerator performing all AES operations. Some of the key functions and features to understand are:

• Initialization of HSE Key Catalog: This configures the RAM and NVM key catalogs where the HSE stores key metadata.

  RetVal = Crypto_43_HSE_Exts_FormatKeyCatalogs();

• Loading AES-128 Key into the HSE: The key is transferred into the HSEs secure storage.

  Crypto_43_HSE_KeyElementSet(APP_AES128_KEY_ID,KEY_MATERIAL_ELEMENT_ID_U32, App_au8Aes128EcbKey_1, APP_AES128_KEY_SIZE);

• Key Validation: Makes the key available to subsequent crypto jobs.

  Crypto_43_HSE_KeySetValid(APP_AES128_KEY_ID);

• AES-128 ECB Job Execution: The CPU does not perform AES operations. The request is passed to the HSE firmware, which executes AES‑128 ECB using its hardware crypto accelerators. Encryption and decryption are performed using their corresponding jobs:
  

  Crypto_43_HSE_ProcessJob(APP_SYMMETRIC_CDO_ID, &App_JobAes128EcbEncrypt);

  Crypto_43_HSE_ProcessJob(APP_SYMMETRIC_CDO_ID, &App_JobAes128EcbDecrypt);

• HSE-compatible non-cacheable buffers: HSE accesses memory via DMA and cannot read cache-only memory regions. The code places all data buffers exchanged with HSE in special sections defined by:

  #define CRYPTO_43_HSE_START_SEC_VAR_INIT_8_NO_CACHEABLE

Boards: FRDM-A-S32K344

Categories: Communication, Security

Peripherals: Siul2, Crypto 43 HSE, ETH 43 GMAC

Toolchains: S32 Design Studio IDE

1. Software and Tools

1.1 FRDM Automotive Bundle for S32K3

The demo was developed using the FRDM Automotive Bundle for S32K3. To download and install the complete software and tools ecosystem, use the following link: S32K3 FRDM Automotive Board Installation Package.

1.2 Security Real-Time Drivers Crypto

As the application uses cryptography and the Hardware Security Engine (HSE) peripheral, it is necessary to download the Security Real-time drivers Crypto 7.0.0 QLP02 and the S32K344 HSE Standard Firmware to the bundle by following the next steps:

1. Click on the Software Library tab.
   
2. Select S32K3 checkbox in the Devices tab to filter the results.
   
3. Type Security Real-Time Drivers Crypto in the search bar and click in the checkbox to select it. Confirm that the version is 7.0.0_QLP02.
   
4. Type S32K344 HSE Standard Firmware in the search bar and click in the checkbox to select it. Confirm that the version is RTM 0.2.55.0.
   
5. Click on Generate Bundle Installer button and confirm that the package contains all the drivers as shown.
   

2. Hardware

2.1 Required Hardware

• Personal Computer
• Type-C USB cable
• Switch Gigabit Ethernet GS108
• 3 * Ethernet cable
• 3 * 2.8" TFT touch shield for Arduino
• 3 * FRDM-A-S32K344

2.2 Debugger Connector

• Connect the PEmicro debugger to the Cortex Debug connector
• Connect debugger USB to PC
• Power the FRDM-A-S32K344 using the USB-C cable or connect USB C cable directly to the board for power supply and debug capabilities

3. Setup

3.1 Import the Project into S32 Design Studio IDE

1. Open S32 Design Studio IDE, in the Dashboard Panel, choose Import project from Application Code Hub.
   

2. Found the demo you need by searching the name directly. Open the project, click the GitHub link, S32 Design Studio IDE will automatically retrieve project attributes then click Next>.

3. Select main branch and then click Next>.
   

4. Select your local path for the repo in Destination->Directory: window. The S32 Design Studio IDE will clone the repo into this path, click Next>.
   

5. Select Import existing Eclipse projects then click Next>.
   

6. Select the project in this repo (only one project in this repo) then click Finish.
   

3.2 Connect Hardware

Before connecting the display to the board it is necessary to solder 3 SMD pads to enable SPI transmission. The pads correspond to SI, SO and SCK marked in the silkscreen as 11, 12 and 13 respectivelly (yellow circle in the image). To connect the display to the board, follow the next image to make sure the pins in the board marked by red coincide with the pins in the display marked by red.

3.3 Generating, Building and Running the Example

1. Import the HSE using FRDM-A-S32K344 project from Application Code Hub following the steps above. In Project Explorer, right-click the project and select Update Code and Build Project and then go to Debug. The project must be executed twice in order to enable the HSE in the board.Note: This is a mandatory step to compile the Secure Encrypted Ethernet Communication project.
2. In Project Explorer, right-click the project and select Update Code and Build Project. This will generate the configuration (Pins, Clocks, Peripherals), update the source code and build the project using the active configuration (e.g. Debug_FLASH). Make sure the build completes successfully and the *.elf file is generated without errors.
   
   Press Yes in the SDK Component Management pop-up window to continue. If a error appears related to the NXP GCC 10.2 not installed, right click on it and select Quick Fix.

   Note: This is a mandatory step to compile the Secure Encrypted Ethernet Communication project.

3. To generate the other executables, the macros must be modified to use the other node mode. In the app_cfg.h file within the src folder. Change the macro definition from: 
   #define TX_BOARD (1u) to #define TX_BOARD (0u) and 
   #define RX_BOARD (0u) to #define RX_BOARD (1u).
   
   To set the intruder, repeat previous steps but set TX_BOARD and RX_BOARD to (0u) and INTRUDER_BOARD to (1u) in the macro definition for the intruder board.

4. Then clean project and build again to generate the RX node executable.

5. Go to Debug and select Debug Configurations. Select GDB PEMicro Interface Debugging:
   

   Use the controls to control the program flow.

Note: The GDB PEMicro Interface Debugging configuration uses default ports 6224 and 7224. In example are provided 2 debug configurations, one with default ports and another one with custom ports to support debugging of 2 boards simultaneously on the same PC. You must change the C/C++ Application path in the debug configuration to point to the generated *.elf file, one for TX node and one for RX node. In one launch configuration, select one board (for example USB1) and in the second launch configuration, select the other board (for example USB2).

4. Results

When one board is connected as transmitter, one as receiver and other as intruder, using three ETH cables to the Switch, the image on the transmitter board will appear in the display, on the receiver and intruder board, the image will appear when the transmit button is pressed in the transmitter. If the encrypt button is pressed in both transmitter and receiver, the image will show complete but encrypted in the intruder.

Questions regarding the content/correctness of this example can be entered as Issues within this GitHub repository or directly in the commentary section.

Warning: For more general technical questions regarding NXP Microcontrollers and the difference in expected functionality, enter your questions on the NXP Community Forum