[Security] The I/F used by the secure boot trust chain

Gideon
Contributor III

Dear NXPs:

My Flash layout is as shown below:

 

My trust chain is like this:

1. CSEc boot ROM verifies the bootmanager image, and executes bootmanager after verification.

2. The bootmanager verifies the bootloader and executes the bootloader after completion.

3. The bootloader verifies the application and executes the application after completion.

My question is during step 2 and step 3, should I use the 0x02-ENC-CBC (AN5401) I/F of the CSEC component to calculate the CMAC values of the bootloader and application image?

lukaszadrapa
NXP TechSupport

Hi @Gideon 

CMD_ENC_CBC command is for encryption. You need to generate and verify CMAC, so you should use commands CMD_GENERATE_MAC and CMD_VERIFY_MAC.

Regards,

Lukas

Gideon
Contributor III

Dear NXPs:

Taking the Application area as an example, use the CMD_GENERATE_MAC interface to calculate the CMAC value of the Application and automatically save it in CSEc. Use the CMD_VERIFY_MAC interface and the interface parameter is the CMAC value calculated on the PC (CMAC in the purple area) for verification, right?

lukaszadrapa
NXP TechSupport

Not sure if I can understand: "automatically save it in CSEc" - CMAC is not automatically saved to CSEc when using CMD_GENERATE_MAC.

"Use the CMD_VERIFY_MAC interface and the interface parameter is the CMAC value calculated on the PC (CMAC in the purple area) for verification, right?"
- Yes, that's correct.

Regards,

Lukas

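The flow confirmed in the thread above, as an added example (not NXP code and not written by either poster): a PC-side function computes the AES-128 CMAC of each image, and a software model of the verify decision checks every stage against its reference value before the next stage would run. It uses the Python `cryptography` package; the key, the image bytes, the single shared key and all function names are assumptions made for illustration, and on the target the CSEc holds the key and performs the comparison.

```python
# Added example (not NXP code): PC-side CMAC generation and a software model
# of the verify decision. Key, image bytes and names are constructed.
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.ciphers import algorithms
from cryptography.hazmat.primitives.cmac import CMAC

MAC_LEN = 16  # an AES-128 CMAC is one AES block long


def compute_cmac(key: bytes, image: bytes) -> bytes:
    """PC side: AES-128 CMAC (RFC 4493) over the whole image."""
    mac = CMAC(algorithms.AES(key))
    mac.update(image)
    return mac.finalize()


def verify_stage(key: bytes, image: bytes, reference_mac: bytes) -> bool:
    """Boot side (model): recompute the CMAC and compare with the reference.

    The reference is supplied by the caller because generating a MAC does not
    store it anywhere; CMAC.verify() compares in constant time.
    """
    if len(reference_mac) != MAC_LEN:
        return False
    mac = CMAC(algorithms.AES(key))
    mac.update(image)
    try:
        mac.verify(reference_mac)
        return True
    except InvalidSignature:
        return False


def boot_chain(key: bytes, stages: list) -> str:
    """Walk (name, image, reference_mac) stages in order; stop at first failure."""
    for name, image, reference_mac in stages:
        if not verify_stage(key, image, reference_mac):
            return f"halt: {name} failed CMAC verification"
    return "all stages verified"


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # RFC 4493 test key
    bootloader = b"constructed bootloader image"
    application = b"constructed application image"
    stages = [("bootloader", bootloader, compute_cmac(key, bootloader)),
              ("application", application, compute_cmac(key, application))]
    print(boot_chain(key, stages))
```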