Generation of offline CMAC of application code for secure boot implementation


567 Views
baseerahmadpiracha
Contributor III

Hi everybody,

I am trying to generate an offline CMAC of application code for secure boot implementation. I have tried to use openssl but I was not able to generate a CMAC using the command line. Is there any tool that can generate the CMAC and signatures of the application code? Also, I have studied the Chain of trust document AN4235 but it was not helpful. Please help.

0 Kudos
3 Replies

554 Views
lukaszadrapa
NXP TechSupport

Hi @baseerahmadpiracha 

I can recommend two options only:

1. Use CSEc to calculate the BOOT_MAC. Take a look at example 4_secure_boot_add_BOOT_MAC_manual which shows how to calculate the BOOT_MAC "manually":

https://www.nxp.com/webapp/Download?colCode=AN5401&location=null

https://www.nxp.com/webapp/Download?colCode=AN5401SW&location=null

2. Use the mentioned OpenSSL. If some support is needed (we do not provide support for this): https://www.openssl.org/support/

Regards,

Lukas

0 Kudos
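For the offline route, an added example (not code from this thread, NXP or AN5401): a dependency-free AES-128 CMAC per RFC 4493 that runs on a PC over the application binary. The name `aes_cmac` and the choice of AES-128 are assumptions of this example. The byte range and any header that CSEc feeds into BOOT_MAC are not stated in this thread and must be taken from AN5401.

```python
def _xt(a):                       # multiply by x in GF(2^8), AES polynomial 0x11B
    return (a << 1) ^ (0x11B if a & 0x80 else 0)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _dbl(b):                      # multiply by x in GF(2^128), RFC 4493 constant Rb = 0x87
    n = int.from_bytes(b, "big") << 1
    return (n ^ ((1 << 128) | 0x87) if n >> 128 else n).to_bytes(16, "big")

SBOX, _p, _q = [0x63] + [0] * 255, 1, 1   # S-box: affine map of the field inverse
for _ in range(255):
    _p ^= _xt(_p)                 # _p = _p * 3
    _q ^= _q << 1; _q ^= _q << 2; _q ^= _q << 4
    _q = (_q ^ (0x09 if _q & 0x80 else 0)) & 0xFF        # _q = _q / 3 = 1 / _p
    _a = _q ^ _q << 1 ^ _q << 2 ^ _q << 3 ^ _q << 4
    SBOX[_p] = (_a ^ _a >> 8) & 0xFF ^ 0x63

def _expand(key):                 # AES-128 key schedule: 11 round keys, 176 bytes
    w, rcon = list(key), 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:           # RotWord, SubWord, round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xt(rcon)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return w

def _encrypt(rk, block):
    s = _xor(block, rk[:16])
    for r in range(1, 11):
        s = [SBOX[s[(i + 4 * (i % 4)) % 16]] for i in range(16)]  # SubBytes + ShiftRows
        if r < 10:                                                 # MixColumns
            s = [s[c+j] ^ s[c] ^ s[c+1] ^ s[c+2] ^ s[c+3] ^ _xt(s[c+j] ^ s[c+(j+1) % 4])
                 for c in (0, 4, 8, 12) for j in range(4)]
        s = _xor(s, rk[16 * r:16 * r + 16])
    return s

def aes_cmac(key, msg):           # added example, not NXP code
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    rk = _expand(key)
    k1 = _dbl(_encrypt(rk, bytes(16)))
    full = len(msg) > 0 and len(msg) % 16 == 0   # complete last block: K1, else pad + K2
    data = msg if full else msg + b"\x80" + bytes(15 - len(msg) % 16)
    x = bytes(16)
    for i in range(0, len(data) - 16, 16):
        x = _encrypt(rk, _xor(x, data[i:i + 16]))
    return _encrypt(rk, _xor(_xor(x, data[-16:]), k1 if full else _dbl(k1)))
```

Check the function against the RFC 4493 test vectors before trusting it on an image, then call it on the bytes read from the binary file with the 16-byte key.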

544 Views
baseerahmadpiracha
Contributor III

Hi @lukaszadrapa 

If I use the 1st option to generate BOOT_MAC, I have a few questions.

1. I will use this code "example 4_secure_boot_add_BOOT_MAC_manual" to generate the BOOT_MAC of my code. If my application code is stored in p-flash, which I downloaded through the bootloader, where will the "example 4_secure_boot_add_BOOT_MAC_manual" application run?

2. Once I calculate BOOT_MAC, do I have to reset the microcontroller to verify the BOOT_MAC?

0 Kudos

538 Views
lukaszadrapa
NXP TechSupport

Hi @baseerahmadpiracha 

Project 4_secure_boot_add_BOOT_MAC_manual is supposed to be executed from RAM memory using a debugger. It is expected that the flash already contains the application which should be protected by secure boot.

And yes, BOOT_MAC will be checked by CSEc after the next reset.

Regards,

Lukas

0 Kudos