FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Secure Boot using CSE on Multiple Blocks-S32R294

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Secure Boot using CSE on Multiple Blocks-S32R294

‎07-06-2022 01:56 AM
1,260 Views
Venkat_Mod26
Contributor I

--> Hello community, 
I am using S32R294 for a  Project and trying to understand the implementation of Secure boot on multiple Blocks, We have CSE_SECURE_BOOT command that can verify MAC for one Block (say Boot ), what is the best way to Implement such MAC verifications for multiple Blocks ?

I have gone through a use case of Chain of trust method, which i feel is not a best way as we might be using fixed  keys during the Build time, are there any other ways ?

can't we use Generate_MAC to calculate a MAC on a Bin block and store it in any PFLASH ? followed by Verify _MAC to verify it ?  can we store the Generated MAC into any of the available Key slots and use it later for verification ?

 Thank you in Advance!

0 Kudos
Reply
6 Replies

‎12-27-2022 10:43 PM
1,061 Views
xiatian
Contributor I

do you have example  for Generating  format 1 key image?

0 Kudos
Reply

‎07-11-2022 04:59 AM
1,235 Views
petervlna
NXP TechSupport
NXP TechSupport

Hello,

You are correct.

If you want to use multiple blocks then only the first block which is downloaded during secure boot is covered automatically.

You can use the GENERATE_MAC command to calculate the MAC for the other blocks and store it in flash as they have mentioned, this is really the only way to do a comparison using the VERIFY_MAC command. The MAC must be in plaintext for this comparison so it cannot be stored into a key slot.

Best regards,

Peter

0 Kudos
Reply

‎07-11-2022 05:12 AM
1,234 Views
Venkat_Mod26
Contributor I

Thank you @petervlna for the feedback,

So, it is clear that using Key Slot to store MAC is not a good option, But storing MACs in flash region again causes a problem to Secure Storage, correct ?

 

--> We need a way to handle MAC values securely,  any ideas on this ?

is OTAFD(On-the-Fly AES Decryption) a best option ? can we use OTAFD only to a small portion of Binary file(containing MACs) and store it in external flash encrypted, followed by decrypting the are only during MAC verification ?

 

Thank you!

0 Kudos
Reply

‎07-13-2022 02:13 AM
1,216 Views
petervlna
NXP TechSupport
NXP TechSupport

Hello,

You potentially could use the OTFAD, but for a small block of data like this it would be better to use the encryption function of the CSE to encrypt the MAC before writing to flash.

Then you can use the CSE to decrypt before doing the comparison.

You could use the ENC_ECB or ENC_CBC commands for the encryption.

Best regards,

Peter

 

Reply

‎07-14-2022 02:18 AM
1,200 Views
Venkat_Mod26
Contributor I

Thanks @petervlna, i think this is a good idea, let me check how well we could fit this solution in !
Will update here soon!

0 Kudos
Reply

‎07-08-2022 04:36 AM
1,246 Views
petervlna
NXP TechSupport
NXP TechSupport

Hello,

I have asked application team for help here.

I will reply once I have any news.

Best regards,

Peter

0 Kudos
Reply