Secure Boot using CSE on Multiple Blocks-S32R294


Venkat_Mod26
Contributor I

Hello community,
I am using the S32R294 for a project and trying to understand the implementation of secure boot on multiple blocks. We have the CSE_SECURE_BOOT command that can verify the MAC for one block (say, Boot). What is the best way to implement such MAC verification for multiple blocks?

I have gone through a use case of the chain-of-trust method, which I feel is not the best way, as we might be using fixed keys during build time. Are there any other ways?

Can't we use Generate_MAC to calculate a MAC on a bin block and store it in any PFLASH, followed by Verify_MAC to verify it? Can we store the generated MAC in any of the available key slots and use it later for verification?

Thank you in advance!

6 Replies

xiatian
Contributor I

Do you have an example for generating a format 1 key image?

petervlna
NXP TechSupport

Hello,

You are correct.

If you want to use multiple blocks, then only the first block, which is downloaded during secure boot, is covered automatically.

You can use the GENERATE_MAC command to calculate the MAC for the other blocks and store it in flash as they have mentioned; this is really the only way to do a comparison using the VERIFY_MAC command. The MAC must be in plaintext for this comparison, so it cannot be stored in a key slot.

Best regards,

Peter

Venkat_Mod26
Contributor I

Thank you @petervlna for the feedback,

So it is clear that using a key slot to store the MAC is not a good option. But storing MACs in a flash region again causes a problem for secure storage, correct?

We need a way to handle MAC values securely. Any ideas on this?

Is OTFAD (On-the-Fly AES Decryption) the best option? Can we use OTFAD only on a small portion of the binary file (containing the MACs) and store it in external flash encrypted, followed by decrypting the area only during MAC verification?

Thank you!

petervlna
NXP TechSupport

Hello,

You potentially could use the OTFAD, but for a small block of data like this it would be better to use the encryption function of the CSE to encrypt the MAC before writing to flash.

Then you can use the CSE to decrypt before doing the comparison.

You could use the ENC_ECB or ENC_CBC commands for the encryption.

Best regards,

Peter
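
The boot-time flow described in the reply above (decrypt each stored reference MAC with the CSE, then run VERIFY_MAC over the matching block), as an added example that is not part of the original thread and is not NXP code. The `cse_ops_t` callbacks, the `block_entry_t` layout and the `toy_*` host stand-ins are hypothetical; on target the callbacks would wrap the real CSE commands.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical wrappers for the CSE DEC_ECB and VERIFY_MAC commands; names and
 * signatures are assumptions, not NXP driver API. Both return 0 on success. */
typedef struct {
    int (*dec_ecb)(const uint8_t in[16], uint8_t out[16]);
    int (*verify_mac)(const uint8_t *msg, size_t len, const uint8_t mac[16], int *match);
} cse_ops_t;
typedef struct {
    const uint8_t *start; size_t len;  /* block to authenticate */
    uint8_t enc_mac[16];               /* reference MAC as stored in flash, encrypted */
} block_entry_t;

/* Returns 0 only if every block verifies; CSE errors and mismatches fail closed. */
int verify_blocks(const cse_ops_t *cse, const block_entry_t *tbl, size_t n) {
    if (n == 0) return -1;             /* an empty table is not "verified" */
    for (size_t i = 0; i < n; i++) {
        uint8_t mac[16]; int match = 0;
        if (cse->dec_ecb(tbl[i].enc_mac, mac) != 0) return -1;
        if (cse->verify_mac(tbl[i].start, tbl[i].len, mac, &match) != 0 || match != 1)
            return -1;
    }
    return 0;
}

/* Host-only stand-ins so the flow runs off-target. NOT cryptography. */
static void toy_mac(const uint8_t *m, size_t len, uint8_t out[16]) {
    memset(out, 0, 16);
    for (size_t i = 0; i < len; i++) out[i % 16] ^= (uint8_t)(m[i] + i);
}
static int toy_dec(const uint8_t in[16], uint8_t out[16]) {
    for (int i = 0; i < 16; i++) out[i] = in[i] ^ 0x5A;  /* XOR: also "encrypts" */
    return 0;
}
static int toy_verify(const uint8_t *m, size_t len, const uint8_t mac[16], int *match) {
    uint8_t ref[16]; toy_mac(m, len, ref);
    *match = (memcmp(ref, mac, 16) == 0);
    return 0;
}
/* Constructed sample: provision two blocks, optionally corrupt one, verify. */
int demo(int tamper) {
    uint8_t app[] = "application block", cal[] = "calibration block", mac[16];
    block_entry_t tbl[2] = { { app, sizeof app, {0} }, { cal, sizeof cal, {0} } };
    const cse_ops_t cse = { toy_dec, toy_verify };
    for (int i = 0; i < 2; i++) {      /* provisioning: MAC, then encrypt */
        toy_mac(tbl[i].start, tbl[i].len, mac); toy_dec(mac, tbl[i].enc_mac);
    }
    if (tamper) cal[0] ^= 0x01;
    return verify_blocks(&cse, tbl, 2);
}
```

`demo(0)` returns 0 and `demo(1)` returns -1, because the modified block no longer matches its decrypted reference MAC.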

 

Venkat_Mod26
Contributor I

Thanks @petervlna, I think this is a good idea. Let me check how well we could fit this solution in!
Will update here soon!

petervlna
NXP TechSupport

Hello,

I have asked the application team for help here.

I will reply once I have any news.

Best regards,

Peter
